Timestamp:
Jul 3, 2008, 11:23:12 AM (17 years ago)
Author:
Paul Smedley
Message:

Update source to 3.2.0 GA level

Location:
trunk/samba/source/auth
Files:
2 edited

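--- a/trunk/samba/source/auth/auth_sam.c
+++ b/trunk/samba/source/auth/auth_sam.c
@@ -167,6 +167,7 @@
                 time_t last_set_time = pdb_get_pass_last_set_time(sampass);
 
-                /* check for immediate expiry "must change at next logon" */
-                if (last_set_time == 0) {
+                /* check for immediate expiry "must change at next logon"
+                 * for a user account. */
+                if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0)) {
                         DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
                         return NT_STATUS_PASSWORD_MUST_CHANGE;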
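Review bot: The new condition at line 171 exempts accounts carrying `ACB_WSTRUST` or `ACB_SVRTRUST` from the `last_set_time == 0` must-change check, but the comment only says "for a user account" and gives no reason for skipping trust accounts, nor does it mention that `ACB_DOMTRUST` accounts still take the check. I would extend the comment along the lines of `/* Workstation and server trust accounts are exempt from "must change at next logon"; only other accounts are rejected here. */`, with the rationale filled in by the author since it is not visible in the hunk. Because these bits now decide whether a never-set password is rejected, it is worth confirming that only an administrator can set them on an account. `sam_account_ok` begins and ends outside this hunk, so where `acct_ctrl` is read cannot be checked from here.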
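--- a/trunk/samba/source/auth/auth_util.c
+++ b/trunk/samba/source/auth/auth_util.c
@@ -487,11 +487,34 @@
 
 /***************************************************************************
+ Is the incoming username our own machine account ?
+ If so, the connection is almost certainly from winbindd.
+***************************************************************************/
+
+static bool is_our_machine_account(const char *username)
+{
+        bool ret;
+        char *truncname = NULL;
+        size_t ulen = strlen(username);
+
+        if (ulen == 0 || username[ulen-1] != '$') {
+                return false;
+        }
+        truncname = SMB_STRDUP(username);
+        if (!truncname) {
+                return false;
+        }
+        truncname[ulen-1] = '\0';
+        ret = strequal(truncname, global_myname());
+        SAFE_FREE(truncname);
+        return ret;
+}
+
+/***************************************************************************
  Make (and fill) a user_info struct from a struct samu
 ***************************************************************************/
 
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, 
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
                               struct samu *sampass)
 {
-        NTSTATUS status;
         struct passwd *pwd;
         gid_t *gids;
@@ -500,5 +523,6 @@
         size_t num_gids;
         DOM_SID unix_group_sid;
-       
+        const char *username = pdb_get_username(sampass);
+        NTSTATUS status;
 
         if ( !(result = make_server_info(NULL)) ) {
@@ -506,5 +530,5 @@
         }
 
-        if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
+        if ( !(pwd = getpwnam_alloc(result, username)) ) {
                 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
                           pdb_get_username(sampass)));
@@ -521,19 +545,48 @@
         result->gid = pwd->pw_gid;
         result->uid = pwd->pw_uid;
-       
+
         TALLOC_FREE(pwd);
 
-        status = pdb_enum_group_memberships(result, sampass,
+        if (IS_DC && is_our_machine_account(username)) {
+                /*
+                 * Ensure for a connection from our own
+                 * machine account (from winbindd on a DC)
+                 * there are no supplementary groups.
+                 * Prevents loops in calling gid_to_sid().
+                 */
+                result->sids = NULL;
+                gids = NULL;
+                result->num_sids = 0;
+
+                /*
+                 * This is a hack of monstrous proportions.
+                 * If we know it's winbindd talking to us,
+                 * we know we must never recurse into it,
+                 * so turn off contacting winbindd for this
+                 * entire process. This will get fixed when
+                 * winbindd doesn't need to talk to smbd on
+                 * a PDC. JRA.
+                 */
+
+                (void)winbind_off();
+
+                DEBUG(10, ("make_server_info_sam: our machine account %s "
+                        "setting supplementary group list empty and "
+                        "turning off winbindd requests.\n",
+                        username));
+        } else {
+                status = pdb_enum_group_memberships(result, sampass,
                                             &result->sids, &gids,
                                             &result->num_sids);
 
-        if (!NT_STATUS_IS_OK(status)) {
-                DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
-                           nt_errstr(status)));
-                result->sam_account = NULL; /* Don't free on error exit. */
-                TALLOC_FREE(result);
-                return status;
-        }
-       
+                if (!NT_STATUS_IS_OK(status)) {
+                        DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
+                                   nt_errstr(status)));
+                        result->sam_account = NULL; /* Don't free on error exit. */
+                        TALLOC_FREE(result);
+                        return status;
+                }
+        }
+
         /* Add the "Unix Group" SID for each gid to catch mapped groups
            and their Unix equivalent.  This is to solve the backwards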
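Review bot: `is_our_machine_account()` fails open on allocation failure: when `SMB_STRDUP` returns NULL it reports false, so on a DC the machine account falls into the `else` branch and `pdb_enum_group_memberships()` runs, which is the path the new comment says can loop through `gid_to_sid()`. The copy is not needed; comparing in place avoids it, e.g. `return (strlen(global_myname()) == ulen-1) && strnequal(username, global_myname(), ulen-1);` (assuming `global_myname()` is non-NULL here). Separately, the branch at new lines 550–577 turns winbindd off for the whole process and empties the SID list on a name match alone. The header comment of `make_server_info_sam` should state that side effect and that callers must already have authenticated the account, since nothing in this section shows where that happens. The `DEBUG` at line 534 could also use the new `username` local; `make_server_info_sam` continues past the end of this section.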