Changeset 751 for trunk/server/source3/winbindd
- Timestamp:
- Nov 29, 2012, 1:59:04 PM (13 years ago)
- Location:
- trunk/server/source3/winbindd
- Files:
-
- 17 edited
-
idmap_autorid.c (modified) (15 diffs)
-
idmap_hash/idmap_hash.c (modified) (1 diff)
-
idmap_tdb2.c (modified) (1 diff)
-
wb_group_members.c (modified) (1 diff)
-
wb_lookupsids.c (modified) (2 diffs)
-
wb_next_pwent.c (modified) (3 diffs)
-
winbindd.c (modified) (5 diffs)
-
winbindd_ads.c (modified) (4 diffs)
-
winbindd_cache.c (modified) (5 diffs)
-
winbindd_cm.c (modified) (3 diffs)
-
winbindd_cred_cache.c (modified) (3 diffs)
-
winbindd_dual.c (modified) (5 diffs)
-
winbindd_group.c (modified) (3 diffs)
-
winbindd_pam.c (modified) (10 diffs)
-
winbindd_proto.h (modified) (1 diff)
-
winbindd_sids_to_xids.c (modified) (3 diffs)
-
winbindd_util.c (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/server/source3/winbindd/idmap_autorid.c
r745 r751 35 35 36 36 #define HWM "NEXT RANGE" 37 #define ALLOC_HWM_UID "NEXT ALLOC UID" 38 #define ALLOC_HWM_GID "NEXT ALLOC GID" 39 #define ALLOC_RANGE "ALLOC" 37 40 #define CONFIGKEY "CONFIG" 38 41 … … 44 47 45 48 struct autorid_domain_config { 46 struct dom_sidsid;49 fstring sid; 47 50 uint32_t domainnum; 48 51 struct autorid_global_config *globalcfg; … … 57 60 NTSTATUS ret; 58 61 uint32_t domainnum, hwm; 59 fstring sidstr;60 62 char *numstr; 61 63 struct autorid_domain_config *cfg; 62 64 63 65 cfg = (struct autorid_domain_config *)private_data; 64 dom_sid_string_buf(&(cfg->sid), sidstr, sizeof(sidstr)); 65 66 if (!dbwrap_fetch_uint32(db, sidstr, &domainnum)) { 67 DEBUG(10, ("Acquiring new range for domain %s\n", sidstr)); 66 67 if (!dbwrap_fetch_uint32(db, cfg->sid, &domainnum)) { 68 DEBUG(10, ("Acquiring new range for domain %s\n", cfg->sid)); 68 69 69 70 /* fetch the current HWM */ … … 91 92 92 93 /* store away the new mapping in both directions */ 93 ret = dbwrap_trans_store_uint32(db, sidstr, domainnum);94 ret = dbwrap_trans_store_uint32(db, cfg->sid, domainnum); 94 95 if (!NT_STATUS_IS_OK(ret)) { 95 96 DEBUG(1, ("Fatal error while storing new " … … 105 106 106 107 ret = dbwrap_trans_store_bystring(db, numstr, 107 string_term_tdb_data(sidstr),108 TDB_INSERT); 108 string_term_tdb_data(cfg->sid), TDB_INSERT); 109 109 110 talloc_free(numstr); 110 111 if (!NT_STATUS_IS_OK(ret)) { … … 114 115 } 115 116 DEBUG(5, ("Acquired new range #%d for domain %s\n", 116 domainnum, sidstr));117 } 118 119 DEBUG(10, ("Using range #%d for domain %s\n", domainnum, sidstr));117 domainnum, cfg->sid)); 118 } 119 120 DEBUG(10, ("Using range #%d for domain %s\n", domainnum, cfg->sid)); 120 121 cfg->domainnum = domainnum; 121 122 … … 165 166 "domain mapping, ignoring mapping request\n", 166 167 map->xid.id, range)); 168 TALLOC_FREE(data.dptr); 169 map->status = ID_UNKNOWN; 170 return NT_STATUS_OK; 171 } 172 173 if (strncmp((const char *)data.dptr, 174 ALLOC_RANGE, 175 strlen(ALLOC_RANGE)) == 0) { 176 /* this is from the alloc range, there is no mapping back */ 177 DEBUG(5, ("id %d belongs to alloc range, cannot map back\n", 178 map->xid.id)); 179 TALLOC_FREE(data.dptr); 167 180 map->status = ID_UNKNOWN; 168 181 return NT_STATUS_OK; … … 275 288 struct autorid_domain_config domaincfg; 276 289 uint32_t rid; 290 struct dom_sid domainsid; 277 291 278 292 ZERO_STRUCT(domaincfg); 279 293 280 sid_copy(&domain cfg.sid, ids[i]->sid);281 if (!sid_split_rid(&domain cfg.sid, &rid)) {294 sid_copy(&domainsid, ids[i]->sid); 295 if (!sid_split_rid(&domainsid, &rid)) { 282 296 DEBUG(4, ("Could not determine domain SID from %s, " 283 297 "ignoring mapping request\n", … … 290 304 */ 291 305 domain = wcache_tdc_fetch_domainbysid(talloc_tos(), 292 &domain cfg.sid);306 &domainsid); 293 307 if (domain == NULL) { 294 308 DEBUG(10, ("Ignoring unknown domain sid %s\n", 295 sid_string_dbg(&domain cfg.sid)));309 sid_string_dbg(&domainsid))); 296 310 continue; 297 311 } … … 299 313 300 314 domaincfg.globalcfg = global; 315 sid_to_fstring(domaincfg.sid, &domainsid); 301 316 302 317 ret = dbwrap_trans_do(autorid_db, … … 327 342 } 328 343 344 /* initialize the given HWM to 0 if it does not exist yet */ 345 static NTSTATUS idmap_autorid_init_hwm(const char *hwm) { 346 347 NTSTATUS status; 348 int32_t hwmval; 349 350 hwmval = dbwrap_fetch_int32(autorid_db, hwm); 351 if ((hwmval < 0)) { 352 status = dbwrap_trans_store_int32(autorid_db, hwm, 0); 353 if (!NT_STATUS_IS_OK(status)) { 354 DEBUG(0, 355 ("Unable to initialise HWM (%s) in autorid " 356 "database: %s\n", hwm, nt_errstr(status))); 357 return NT_STATUS_INTERNAL_DB_ERROR; 358 } 359 } 360 361 return NT_STATUS_OK; 362 } 363 329 364 /* 330 365 * open and initialize the database which stores the ranges for the domains … … 332 367 static NTSTATUS idmap_autorid_db_init(void) 333 368 { 334 int32_t hwm;369 NTSTATUS status; 335 370 336 371 if (autorid_db) { … … 350 385 351 386 /* Initialize high water mark for the currently used range to 0 */ 352 hwm = dbwrap_fetch_int32(autorid_db, HWM); 353 if ((hwm < 0)) { 354 if (!NT_STATUS_IS_OK 355 (dbwrap_trans_store_int32(autorid_db, HWM, 0))) { 356 DEBUG(0, 357 ("Unable to initialise HWM in autorid " 358 "database\n")); 359 return NT_STATUS_INTERNAL_DB_ERROR; 360 } 361 } 362 363 return NT_STATUS_OK; 387 388 status = idmap_autorid_init_hwm(HWM); 389 NT_STATUS_NOT_OK_RETURN(status); 390 391 status = idmap_autorid_init_hwm(ALLOC_HWM_UID); 392 NT_STATUS_NOT_OK_RETURN(status); 393 394 status = idmap_autorid_init_hwm(ALLOC_HWM_GID); 395 396 return status; 364 397 } 365 398 … … 542 575 } 543 576 577 static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom, 578 struct unixid *xid) { 579 580 NTSTATUS ret; 581 struct autorid_global_config *globalcfg; 582 struct autorid_domain_config domaincfg; 583 uint32_t hwm; 584 const char *hwmkey; 585 586 if (!strequal(dom->name, "*")) { 587 DEBUG(3, ("idmap_autorid_allocate_id: " 588 "Refusing creation of mapping for domain'%s'. " 589 "Currently only supported for the default " 590 "domain \"*\".\n", 591 dom->name)); 592 return NT_STATUS_NOT_IMPLEMENTED; 593 } 594 595 if ((xid->type != ID_TYPE_UID) && (xid->type != ID_TYPE_GID)) { 596 return NT_STATUS_INVALID_PARAMETER; 597 } 598 599 600 globalcfg = talloc_get_type(dom->private_data, 601 struct autorid_global_config); 602 603 /* fetch the range for the allocation pool */ 604 605 ZERO_STRUCT(domaincfg); 606 607 domaincfg.globalcfg = globalcfg; 608 fstrcpy(domaincfg.sid, ALLOC_RANGE); 609 610 ret = dbwrap_trans_do(autorid_db, 611 idmap_autorid_get_domainrange, 612 &domaincfg); 613 if (!NT_STATUS_IS_OK(ret)) { 614 DEBUG(3, ("Could not determine range for allocation pool, " 615 "check previous messages for reason\n")); 616 return ret; 617 } 618 619 /* fetch the current HWM */ 620 hwmkey = (xid->type==ID_TYPE_UID)?ALLOC_HWM_UID:ALLOC_HWM_GID; 621 622 if (!dbwrap_fetch_uint32(autorid_db, hwmkey, &hwm)) { 623 DEBUG(1, ("Failed to fetch current allocation HWM value: %s\n", 624 nt_errstr(ret))); 625 return NT_STATUS_INTERNAL_ERROR; 626 } 627 628 if (hwm >= globalcfg->rangesize) { 629 DEBUG(1, ("allocation range is depleted!\n")); 630 return NT_STATUS_NO_MEMORY; 631 } 632 633 ret = dbwrap_change_uint32_atomic(autorid_db, hwmkey, &(xid->id), 1); 634 if (!NT_STATUS_IS_OK(ret)) { 635 DEBUG(1, ("Fatal error while allocating new ID!\n")); 636 return ret; 637 } 638 639 xid->id = globalcfg->minvalue + 640 globalcfg->rangesize * domaincfg.domainnum + 641 xid->id; 642 643 DEBUG(10, ("Returned new %s %d from allocation range\n", 644 (xid->type==ID_TYPE_UID)?"uid":"gid", xid->id)); 645 646 return ret; 647 } 648 544 649 /* 545 650 Close the idmap tdb instance … … 549 654 .unixids_to_sids = idmap_autorid_unixids_to_sids, 550 655 .sids_to_unixids = idmap_autorid_sids_to_unixids, 656 .allocate_id = idmap_autorid_allocate_id 551 657 }; 552 658 -
trunk/server/source3/winbindd/idmap_hash/idmap_hash.c
r745 r751 260 260 static NTSTATUS nss_hash_init(struct nss_domain_entry *e ) 261 261 { 262 return be_init(NULL);262 return NT_STATUS_OK; 263 263 } 264 264 -
trunk/server/source3/winbindd/idmap_tdb2.c
r745 r751 290 290 goto failed; 291 291 } 292 ctx->script = lp_parm_const_string(-1, config_option, "script", "NULL");292 ctx->script = lp_parm_const_string(-1, config_option, "script", NULL); 293 293 talloc_free(config_option); 294 294 -
trunk/server/source3/winbindd/wb_group_members.c
r745 r751 210 210 */ 211 211 212 if (tevent_req_nterror(req, status)) { 213 return; 212 if (!NT_STATUS_IS_OK(status)) { 213 if (!NT_STATUS_EQUAL( 214 status, NT_STATUS_TRUSTED_DOMAIN_FAILURE)) { 215 tevent_req_nterror(req, status); 216 return; 217 } 218 num_members = 0; 214 219 } 215 220 -
trunk/server/source3/winbindd/wb_lookupsids.c
r745 r751 124 124 state->num_sids = num_sids; 125 125 126 if (num_sids == 0) {127 tevent_req_done(req);128 return tevent_req_post(req, ev);129 }130 131 126 state->single_sids = TALLOC_ARRAY(state, uint32_t, num_sids); 132 127 if (tevent_req_nomem(state->single_sids, req)) { … … 151 146 state->res_names, struct lsa_TranslatedName, num_sids); 152 147 if (tevent_req_nomem(state->res_names->names, req)) { 148 return tevent_req_post(req, ev); 149 } 150 151 if (num_sids == 0) { 152 tevent_req_done(req); 153 153 return tevent_req_post(req, ev); 154 154 } -
trunk/server/source3/winbindd/wb_next_pwent.c
r745 r751 32 32 static void wb_next_pwent_fill_done(struct tevent_req *subreq); 33 33 34 static struct winbindd_domain *wb_next_find_domain(struct winbindd_domain *domain) 35 { 36 if (domain == NULL) { 37 domain = domain_list(); 38 } else { 39 domain = domain->next; 40 } 41 42 if ((domain != NULL) 43 && sid_check_is_domain(&domain->sid)) { 44 domain = domain->next; 45 } 46 47 if (domain == NULL) { 48 return NULL; 49 } 50 51 return domain; 52 } 53 34 54 struct tevent_req *wb_next_pwent_send(TALLOC_CTX *mem_ctx, 35 55 struct tevent_context *ev, … … 51 71 TALLOC_FREE(state->gstate->users); 52 72 53 if (state->gstate->domain == NULL) { 54 state->gstate->domain = domain_list(); 55 } else { 56 state->gstate->domain = state->gstate->domain->next; 57 } 58 59 if ((state->gstate->domain != NULL) 60 && sid_check_is_domain(&state->gstate->domain->sid)) { 61 state->gstate->domain = state->gstate->domain->next; 62 } 63 73 state->gstate->domain = wb_next_find_domain(state->gstate->domain); 64 74 if (state->gstate->domain == NULL) { 65 75 tevent_req_nterror(req, NT_STATUS_NO_MORE_ENTRIES); … … 149 159 status = wb_fill_pwent_recv(subreq); 150 160 TALLOC_FREE(subreq); 151 if (tevent_req_nterror(req, status)) { 161 /* 162 * When you try to enumerate users with 'getent passwd' and the user 163 * doesn't have a uid set we should just move on. 164 */ 165 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) { 166 state->gstate->next_user += 1; 167 168 if (state->gstate->next_user >= state->gstate->num_users) { 169 TALLOC_FREE(state->gstate->users); 170 171 state->gstate->domain = wb_next_find_domain(state->gstate->domain); 172 if (state->gstate->domain == NULL) { 173 tevent_req_nterror(req, NT_STATUS_NO_MORE_ENTRIES); 174 return; 175 } 176 177 subreq = wb_query_user_list_send(state, state->ev, 178 state->gstate->domain); 179 if (tevent_req_nomem(subreq, req)) { 180 return; 181 } 182 tevent_req_set_callback(subreq, wb_next_pwent_fetch_done, req); 183 return; 184 } 185 186 subreq = wb_fill_pwent_send(state, 187 state->ev, 188 &state->gstate->users[state->gstate->next_user], 189 state->pw); 190 if (tevent_req_nomem(subreq, req)) { 191 return; 192 } 193 tevent_req_set_callback(subreq, wb_next_pwent_fill_done, req); 194 195 return; 196 } else if (tevent_req_nterror(req, status)) { 152 197 return; 153 198 } -
trunk/server/source3/winbindd/winbindd.c
r745 r751 66 66 67 67 if (lp_loaded()) { 68 c onst char *fname = lp_configfile();68 char *fname = lp_configfile(); 69 69 70 70 if (file_exist(fname) && !strcsequal(fname,get_dyn_CONFIGFILE())) { 71 71 set_dyn_CONFIGFILE(fname); 72 72 } 73 TALLOC_FREE(fname); 73 74 } 74 75 … … 588 589 state->cmd_name = "unknown request"; 589 590 state->recv_fn = NULL; 591 state->last_access = time(NULL); 590 592 591 593 /* Process command */ … … 889 891 890 892 static bool client_is_idle(struct winbindd_cli_state *state) { 891 return (state->response == NULL && 893 return (state->request == NULL && 894 state->response == NULL && 892 895 !state->pwent_state && !state->grent_state); 893 896 } … … 1303 1306 } 1304 1307 1308 /* We call dump_core_setup one more time because the command line can 1309 * set the log file or the log-basename and this will influence where 1310 * cores are stored. Without this call get_dyn_LOGFILEBASE will be 1311 * the default value derived from build's prefix. For EOM this value 1312 * is often not related to the path where winbindd is actually run 1313 * in production. 1314 */ 1315 dump_core_setup("winbindd"); 1316 1305 1317 if (is_daemon && interactive) { 1306 1318 d_fprintf(stderr,"\nERROR: " … … 1341 1353 exit(1); 1342 1354 } 1355 /* After parsing the configuration file we setup the core path one more time 1356 * as the log file might have been set in the configuration and cores's 1357 * path is by default basename(lp_logfile()). 1358 */ 1359 dump_core_setup("winbindd"); 1343 1360 1344 1361 /* Initialise messaging system */ -
trunk/server/source3/winbindd/winbindd_ads.c
r745 r751 189 189 190 190 rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs); 191 if (!ADS_ERR_OK(rc) || !res) {191 if (!ADS_ERR_OK(rc)) { 192 192 DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc))); 193 status = ads_ntstatus(rc); 194 } else if (!res) { 195 DEBUG(1,("query_user_list ads_search returned NULL res\n")); 196 193 197 goto done; 194 198 } … … 341 345 342 346 rc = ads_search_retry(ads, &res, filter, attrs); 343 if (!ADS_ERR_OK(rc) || !res) { 347 if (!ADS_ERR_OK(rc)) { 348 status = ads_ntstatus(rc); 344 349 DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc))); 350 goto done; 351 } else if (!res) { 352 DEBUG(1,("enum_dom_groups ads_search returned NULL res\n")); 345 353 goto done; 346 354 } … … 551 559 rc = ads_search_retry(ads, &msg, ldap_exp, attrs); 552 560 SAFE_FREE(ldap_exp); 553 if (!ADS_ERR_OK(rc) || !msg) {561 if (!ADS_ERR_OK(rc)) { 554 562 DEBUG(1,("query_user(sid=%s) ads_search: %s\n", 555 563 sid_string_dbg(sid), ads_errstr(rc))); 556 564 return ads_ntstatus(rc); 565 } else if (!msg) { 566 DEBUG(1,("query_user(sid=%s) ads_search returned NULL res\n", 567 sid_string_dbg(sid))); 568 return NT_STATUS_INTERNAL_ERROR; 557 569 } 558 570 … … 663 675 rc = ads_search_retry(ads, &res, ldap_exp, group_attrs); 664 676 665 if (!ADS_ERR_OK(rc) || !res) {677 if (!ADS_ERR_OK(rc)) { 666 678 DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc))); 667 679 return ads_ntstatus(rc); 668 } 680 } else if (!res) { 681 DEBUG(1,("lookup_usergroups ads_search returned NULL res\n")); 682 return NT_STATUS_INTERNAL_ERROR; 683 } 684 669 685 670 686 count = ads_count_replies(ads, res); -
trunk/server/source3/winbindd/winbindd_cache.c
r745 r751 39 39 #define DBGC_CLASS DBGC_WINBIND 40 40 41 #define WINBINDD_CACHE_VERSION 2 41 #define WINBINDD_CACHE_VER1 1 /* initial db version */ 42 #define WINBINDD_CACHE_VER2 2 /* second version with timeouts for NDR entries */ 43 44 #define WINBINDD_CACHE_VERSION WINBINDD_CACHE_VER2 42 45 #define WINBINDD_CACHE_VERSION_KEYSTR "WINBINDD_CACHE_VERSION" 43 46 … … 4082 4085 } 4083 4086 4087 static int wbcache_update_centry_fn(TDB_CONTEXT *tdb, 4088 TDB_DATA key, 4089 TDB_DATA data, 4090 void *state) 4091 { 4092 uint64_t ctimeout; 4093 TDB_DATA blob; 4094 4095 if (is_non_centry_key(key)) { 4096 return 0; 4097 } 4098 4099 if (data.dptr == NULL || data.dsize == 0) { 4100 if (tdb_delete(tdb, key) < 0) { 4101 DEBUG(0, ("tdb_delete for [%s] failed!\n", 4102 key.dptr)); 4103 return 1; 4104 } 4105 } 4106 4107 /* add timeout to blob (uint64_t) */ 4108 blob.dsize = data.dsize + 8; 4109 4110 blob.dptr = SMB_XMALLOC_ARRAY(uint8_t, blob.dsize); 4111 if (blob.dptr == NULL) { 4112 return 1; 4113 } 4114 memset(blob.dptr, 0, blob.dsize); 4115 4116 /* copy status and seqnum */ 4117 memcpy(blob.dptr, data.dptr, 8); 4118 4119 /* add timeout */ 4120 ctimeout = lp_winbind_cache_time() + time(NULL); 4121 SBVAL(blob.dptr, 8, ctimeout); 4122 4123 /* copy the rest */ 4124 memcpy(blob.dptr + 16, data.dptr + 8, data.dsize - 8); 4125 4126 if (tdb_store(tdb, key, blob, TDB_REPLACE) < 0) { 4127 DEBUG(0, ("tdb_store to update [%s] failed!\n", 4128 key.dptr)); 4129 SAFE_FREE(blob.dptr); 4130 return 1; 4131 } 4132 4133 SAFE_FREE(blob.dptr); 4134 return 0; 4135 } 4136 4137 static bool wbcache_upgrade_v1_to_v2(TDB_CONTEXT *tdb) 4138 { 4139 int rc; 4140 4141 DEBUG(1, ("Upgrade to version 2 of the winbindd_cache.tdb\n")); 4142 4143 rc = tdb_traverse(tdb, wbcache_update_centry_fn, NULL); 4144 if (rc < 0) { 4145 return false; 4146 } 4147 4148 return true; 4149 } 4150 4084 4151 /*********************************************************************** 4085 4152 Try and validate every entry in the winbindd cache. If we fail here, … … 4092 4159 const char *tdb_path = cache_path("winbindd_cache.tdb"); 4093 4160 TDB_CONTEXT *tdb = NULL; 4161 uint32_t vers_id; 4162 bool ok; 4094 4163 4095 4164 DEBUG(10, ("winbindd_validate_cache: replacing panic function\n")); 4096 4165 smb_panic_fn = validate_panic; 4097 4098 4166 4099 4167 tdb = tdb_open_log(tdb_path, … … 4110 4178 goto done; 4111 4179 } 4180 4181 /* Version check and upgrade code. */ 4182 if (!tdb_fetch_uint32(tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers_id)) { 4183 DEBUG(10, ("Fresh database\n")); 4184 tdb_store_uint32(tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION); 4185 vers_id = WINBINDD_CACHE_VERSION; 4186 } 4187 4188 if (vers_id != WINBINDD_CACHE_VERSION) { 4189 if (vers_id == WINBINDD_CACHE_VER1) { 4190 ok = wbcache_upgrade_v1_to_v2(tdb); 4191 if (!ok) { 4192 DEBUG(10, ("winbindd_validate_cache: upgrade to version 2 failed.\n")); 4193 unlink(tdb_path); 4194 goto done; 4195 } 4196 4197 tdb_store_uint32(tdb, 4198 WINBINDD_CACHE_VERSION_KEYSTR, 4199 WINBINDD_CACHE_VERSION); 4200 vers_id = WINBINDD_CACHE_VER2; 4201 } 4202 } 4203 4112 4204 tdb_close(tdb); 4113 4205 … … 4804 4896 } 4805 4897 entry_timeout = BVAL(data.dptr, 4); 4806 if ( entry_timeout > time(NULL)) {4898 if (time(NULL) > entry_timeout) { 4807 4899 DEBUG(10, ("Entry has timed out\n")); 4808 4900 goto fail; -
trunk/server/source3/winbindd/winbindd_cm.c
r745 r751 1186 1186 1187 1187 ads_destroy( &ads ); 1188 return false; 1188 1189 } 1189 1190 #endif 1190 1191 1191 status = nbt_getdc(winbind_messaging_context(), pss, domain->name,1192 status = nbt_getdc(winbind_messaging_context(), 10, pss, domain->name, 1192 1193 &domain->sid, nt_version, mem_ctx, &nt_version, 1193 1194 &dc_name, NULL); … … 1769 1770 } 1770 1771 1771 if (!winbindd_can_contact_domain(domain)) {1772 invalidate_cm_connection(&domain->conn);1773 domain->initialized = True;1774 return NT_STATUS_OK;1775 }1776 1777 1772 if (connection_ok(domain)) { 1778 1773 if (!domain->initialized) { … … 1927 1922 domain->active_directory ? "" : "NOT ")); 1928 1923 1924 domain->can_do_ncacn_ip_tcp = domain->active_directory; 1925 domain->can_do_validation6 = domain->active_directory; 1929 1926 1930 1927 domain->initialized = True; -
trunk/server/source3/winbindd/winbindd_cred_cache.c
r745 r751 491 491 const char *service, 492 492 const char *username, 493 const char *pass, 493 494 const char *realm, 494 495 uid_t uid, … … 592 593 593 594 DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n")); 594 } 595 596 } 597 598 /* 599 * If we're set up to renew our krb5 tickets, we must 600 * cache the credentials in memory for the ticket 601 * renew function (or increase the reference count 602 * if we're logging in more than once). Fix inspired 603 * by patch from Ian Gordon <ian.gordon@strath.ac.uk> 604 * for bugid #9098. 605 */ 606 607 ntret = winbindd_add_memory_creds(username, uid, pass); 608 DEBUG(10, ("winbindd_add_memory_creds returned: %s\n", 609 nt_errstr(ntret))); 595 610 596 611 return NT_STATUS_OK; … … 675 690 "added ccache [%s] for user [%s] to the list\n", 676 691 ccname, username)); 692 693 if (entry->event) { 694 /* 695 * If we're set up to renew our krb5 tickets, we must 696 * cache the credentials in memory for the ticket 697 * renew function. Fix inspired by patch from 698 * Ian Gordon <ian.gordon@strath.ac.uk> for 699 * bugid #9098. 700 */ 701 702 ntret = winbindd_add_memory_creds(username, uid, pass); 703 DEBUG(10, ("winbindd_add_memory_creds returned: %s\n", 704 nt_errstr(ntret))); 705 } 677 706 678 707 return NT_STATUS_OK; -
trunk/server/source3/winbindd/winbindd_dual.c
r745 r751 44 44 extern struct winbindd_methods cache_methods; 45 45 46 static struct winbindd_child *winbindd_children = NULL; 47 46 48 /* Read some data from a client connection */ 47 49 … … 172 174 close(state->child->sock); 173 175 state->child->sock = -1; 176 DLIST_REMOVE(winbindd_children, state->child); 174 177 tevent_req_error(req, err); 175 178 return; … … 489 492 SMB_ASSERT(child->binding_handle != NULL); 490 493 } 491 492 static struct winbindd_child *winbindd_children = NULL;493 494 494 495 void winbind_child_died(pid_t pid) … … 1330 1331 close(fdpair[0]); 1331 1332 1332 nread = read(fdpair[1], &status, sizeof(status));1333 nread = sys_read(fdpair[1], &status, sizeof(status)); 1333 1334 if (nread != sizeof(status)) { 1334 1335 DEBUG(1, ("fork_domain_child: Could not read child status: " … … 1361 1362 status = winbindd_reinit_after_fork(child, child->logfilename); 1362 1363 1363 nwritten = write(state.sock, &status, sizeof(status));1364 nwritten = sys_write(state.sock, &status, sizeof(status)); 1364 1365 if (nwritten != sizeof(status)) { 1365 1366 DEBUG(1, ("fork_domain_child: Could not write status: " -
trunk/server/source3/winbindd/winbindd_group.c
r414 r751 36 36 fstring full_group_name; 37 37 char *mapped_name = NULL; 38 struct winbindd_domain *domain = find_domain_from_name_noinit(dom_name);38 struct winbindd_domain *domain; 39 39 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; 40 41 domain = find_domain_from_name_noinit(dom_name); 42 if (domain == NULL) { 43 DEBUG(0, ("Failed to find domain '%s'. " 44 "Check connection to trusted domains!\n", 45 dom_name)); 46 return false; 47 } 40 48 41 49 nt_status = normalize_name_map(mem_ctx, domain, gr_name, … … 116 124 117 125 res = talloc_dict_traverse(members, getgr_calc_memberlen, &c); 118 if (res != 0) {126 if (res == -1) { 119 127 DEBUG(5, ("talloc_dict_traverse failed\n")); 120 128 return NT_STATUS_INTERNAL_ERROR; … … 129 137 130 138 res = talloc_dict_traverse(members, getgr_unparse_members, &m); 131 if (res != 0) {139 if (res == -1) { 132 140 DEBUG(5, ("talloc_dict_traverse failed\n")); 133 141 TALLOC_FREE(m.buf); -
trunk/server/source3/winbindd/winbindd_pam.c
r745 r751 307 307 &token->sids, 308 308 &token->num_sids, 309 true , false);309 true); 310 310 if (!NT_STATUS_IS_OK(status)) { 311 311 TALLOC_FREE(frame); … … 641 641 service, 642 642 user, 643 pass, 643 644 realm, 644 645 uid, … … 958 959 service, 959 960 state->request->data.auth.user, 961 state->request->data.auth.pass, 960 962 domain->alt_name, 961 963 uid, … … 1079 1081 state->request->data.auth.user, name_domain, name_user, name_domain)); 1080 1082 1081 contact_domain = find_our_domain(); 1083 result = NT_STATUS_NO_SUCH_USER; 1084 goto done; 1082 1085 } 1083 1086 } … … 1166 1169 DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n", 1167 1170 nt_errstr(result))); 1171 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) { 1172 if (attempts > 0) { 1173 DEBUG(3, ("This is the second problem for this " 1174 "particular call, forcing the close of " 1175 "this connection\n")); 1176 invalidate_cm_connection(&domain->conn); 1177 } else { 1178 DEBUG(3, ("First call to cm_connect_netlogon " 1179 "has timed out, retrying\n")); 1180 continue; 1181 } 1182 } 1168 1183 return result; 1169 1184 } … … 1221 1236 } 1222 1237 1223 if (domain->can_do_samlogon_ex ) {1238 if (domain->can_do_samlogon_ex && domain->can_do_validation6) { 1224 1239 result = rpccli_netlogon_sam_network_logon_ex( 1225 1240 netlogon_pipe, 1226 1241 mem_ctx, 1227 0, 1242 logon_parameters, 1243 server, /* server name */ 1244 username, /* user name */ 1245 domainname, /* target domain */ 1246 workstation, /* workstation */ 1247 chal, 1248 6, 1249 lm_response, 1250 nt_response, 1251 info3); 1252 } else { 1253 result = rpccli_netlogon_sam_network_logon( 1254 netlogon_pipe, 1255 mem_ctx, 1256 logon_parameters, 1228 1257 server, /* server name */ 1229 1258 username, /* user name */ … … 1235 1264 nt_response, 1236 1265 info3); 1237 } else {1238 result = rpccli_netlogon_sam_network_logon(1239 netlogon_pipe,1240 mem_ctx,1241 0,1242 server, /* server name */1243 username, /* user name */1244 domainname, /* target domain */1245 workstation, /* workstation */1246 chal,1247 domain->can_do_validation6 ? 6 : 3,1248 lm_response,1249 nt_response,1250 info3);1251 1266 } 1252 1267 … … 1309 1324 1310 1325 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) { 1311 DEBUG(3,("winbind d_pam_auth: sam_logon returned "1326 DEBUG(3,("winbind_samlogon_retry_loop: sam_logon returned " 1312 1327 "ACCESS_DENIED. Maybe the trust account " 1313 1328 "password was changed and we didn't know it. " … … 1320 1335 } while ( (attempts < 2) && retry ); 1321 1336 1337 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) { 1338 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) " 1339 "returned NT_STATUS_IO_TIMEOUT after the retry." 1340 "Killing connections to domain %s\n", 1341 domainname)); 1342 invalidate_cm_connection(&domain->conn); 1343 } 1322 1344 return result; 1323 1345 } … … 2086 2108 } 2087 2109 2110 /* 2111 * Remove any mlock'ed memory creds in the child 2112 * we might be using for krb5 ticket renewal. 2113 */ 2114 2115 winbindd_delete_memory_creds(state->request->data.logoff.user); 2116 2088 2117 #else 2089 2118 result = NT_STATUS_NOT_SUPPORTED; -
trunk/server/source3/winbindd/winbindd_proto.h
r745 r751 189 189 const char *service, 190 190 const char *username, 191 const char *password, 191 192 const char *realm, 192 193 uid_t uid, -
trunk/server/source3/winbindd/winbindd_sids_to_xids.c
r745 r751 124 124 struct id_map *map) 125 125 { 126 uid_t uid; 127 gid_t gid; 128 bool expired; 126 bool is_online = is_domain_online(find_our_domain()); 127 gid_t gid = (gid_t)-1; 128 bool gid_expired = false; 129 bool gid_cached = false; 130 bool gid_negative = false; 131 uid_t uid = (uid_t)-1; 132 bool uid_expired = false; 133 bool uid_cached = false; 134 bool uid_negative = false; 129 135 130 136 if (!winbindd_use_idmap_cache()) { 131 137 return false; 132 138 } 139 133 140 /* 134 141 * SIDS_TO_XIDS is primarily used to resolve the user's group 135 142 * sids. So we check groups before users. 136 143 */ 137 if (idmap_cache_find_sid2gid(sid, &gid, &expired)) { 138 if (expired && is_domain_offline(find_our_domain())) { 139 return false; 140 } 144 gid_cached = idmap_cache_find_sid2gid(sid, &gid, &gid_expired); 145 if (!is_online) { 146 gid_expired = false; 147 } 148 if (gid_cached && !gid_expired) { 149 if (gid != (gid_t)-1) { 150 map->sid = sid; 151 map->xid.id = gid; 152 map->xid.type = ID_TYPE_GID; 153 map->status = ID_MAPPED; 154 return true; 155 } 156 gid_negative = true; 157 } 158 uid_cached = idmap_cache_find_sid2uid(sid, &uid, &uid_expired); 159 if (!is_online) { 160 uid_expired = false; 161 } 162 if (uid_cached && !uid_expired) { 163 if (uid != (uid_t)-1) { 164 map->sid = sid; 165 map->xid.id = uid; 166 map->xid.type = ID_TYPE_UID; 167 map->status = ID_MAPPED; 168 return true; 169 } 170 uid_negative = true; 171 } 172 173 /* 174 * Here we know that we only have negative 175 * or no entries. 176 * 177 * All valid cases already returned to the caller. 178 */ 179 180 if (gid_negative && uid_negative) { 141 181 map->sid = sid; 142 map->xid.id = gid; 182 map->xid.id = UINT32_MAX; 183 map->xid.type = ID_TYPE_NOT_SPECIFIED; 184 map->status = ID_MAPPED; 185 return true; 186 } 187 188 if (gid_negative) { 189 map->sid = sid; 190 map->xid.id = gid; /* this is (gid_t)-1 */ 143 191 map->xid.type = ID_TYPE_GID; 144 192 map->status = ID_MAPPED; 145 193 return true; 146 194 } 147 if (idmap_cache_find_sid2uid(sid, &uid, &expired)) { 148 if (expired && is_domain_online(find_our_domain())) { 149 return false; 150 } 195 196 if (uid_negative) { 151 197 map->sid = sid; 152 map->xid.id = uid; 198 map->xid.id = uid; /* this is (uid_t)-1 */ 153 199 map->xid.type = ID_TYPE_UID; 154 200 map->status = ID_MAPPED; 155 201 return true; 156 202 } 203 157 204 return false; 158 205 } 159 160 206 161 207 static void winbindd_sids_to_xids_lookupsids_done(struct tevent_req *subreq) … … 257 303 for (i=0; i<state->num_sids; i++) { 258 304 char type; 259 uint 64_t unix_id = (uint64_t)-1;305 uint32_t unix_id = UINT32_MAX; 260 306 bool found = true; 261 307 262 308 if (state->cached[i].sid != NULL) { 263 309 unix_id = state->cached[i].xid.id; 264 if (state->cached[i].xid.type == ID_TYPE_UID) { 310 311 switch (state->cached[i].xid.type) { 312 case ID_TYPE_UID: 265 313 type = 'U'; 266 } else { 314 break; 315 case ID_TYPE_GID: 267 316 type = 'G'; 317 break; 318 default: 319 found = false; 320 break; 268 321 } 269 322 } else { 270 323 unix_id = state->ids.ids[num_non_cached].unix_id; 271 if (unix_id == -1) { 272 found = false; 273 } 324 274 325 switch(state->ids.ids[num_non_cached].type) { 275 326 case WBC_ID_TYPE_UID: … … 287 338 default: 288 339 found = false; 340 break; 289 341 } 290 342 num_non_cached += 1; 343 } 344 345 if (unix_id == UINT32_MAX) { 346 found = false; 291 347 } 292 348 -
trunk/server/source3/winbindd/winbindd_util.c
r745 r751 1034 1034 } 1035 1035 1036 /* Skip Domain local groups outside our domain. 1037 We'll get these from the getsidaliases() RPC call. */ 1036 /* 1037 * Before bug #7843 the "Domain Local" groups were added with a 1038 * lookupuseraliases call, but this isn't done anymore for our domain 1039 * so we need to resolve resource groups here. 1040 * 1041 * When to use Resource Groups: 1042 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx 1043 */ 1038 1044 status = sid_array_from_info3(mem_ctx, info3, 1039 1045 user_sids, 1040 1046 &num_groups, 1041 false , true);1047 false); 1042 1048 1043 1049 if (!NT_STATUS_IS_OK(status)) {
Note:
See TracChangeset
for help on using the changeset viewer.
