Changeset 989 for vendor/current/source3/winbindd

Timestamp:

Nov 25, 2016, 8:04:54 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.7

Location:

vendor/current/source3/winbindd

Files:

• idmap_rfc2307.c (modified) (1 diff)
• idmap_util.c (modified) (1 diff)
• wb_lookupsids.c (modified) (4 diffs)
• winbindd_cache.c (modified) (19 diffs)
• winbindd_dual.c (modified) (2 diffs)
• winbindd_dual_srv.c (modified) (1 diff)
• winbindd_pam.c (modified) (2 diffs)
• winbindd_proto.h (modified) (1 diff)
• winbindd_util.c (modified) (1 diff)

vendor/current/source3/winbindd/idmap_rfc2307.c

@@ -671 +671 @@
 
                 default:
-                        DEBUG(10, ("Nothing to do for SID %s, "
-                                   "previous name lookup failed\n",
-                                   sid_string_dbg(map->map->sid)));
+                        break;
                 }
 

vendor/current/source3/winbindd/idmap_util.c

@@ -161 +161 @@
 bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom)
 {
-        if (id == 0) {
-                /* 0 is not an allowed unix id for id mapping */
-                return false;
-        }
-
         if ((dom->low_id && (id < dom->low_id)) ||
             (dom->high_id && (id > dom->high_id)))

vendor/current/source3/winbindd/wb_lookupsids.c

@@ -73 +73 @@
          */
         uint32_t *single_sids;
+        /* Pointer into the "domains" array above*/
+        struct wb_lookupsids_domain **single_domains;
         uint32_t num_single_sids;
         uint32_t single_sids_done;
@@ -126 +128 @@
         state->single_sids = talloc_array(state, uint32_t, num_sids);
         if (tevent_req_nomem(state->single_sids, req)) {
+                return tevent_req_post(req, ev);
+        }
+        state->single_domains = talloc_zero_array(state,
+                                                  struct wb_lookupsids_domain *,
+                                                  num_sids);
+        if (tevent_req_nomem(state->single_domains, req)) {
                 return tevent_req_post(req, ev);
         }
@@ -456 +464 @@
                         state->single_sids[state->num_single_sids] =
                                 res_sid_index;
+                        state->single_domains[state->num_single_sids] = d;
                         state->num_single_sids += 1;
                 }
@@ -515 +524 @@
         TALLOC_FREE(subreq);
         if (!NT_STATUS_IS_OK(status)) {
+                struct wb_lookupsids_domain *wb_domain;
+                const char *tmpname;
+
                 type = SID_NAME_UNKNOWN;
 
-                domain_name = talloc_strdup(talloc_tos(), "");
+                wb_domain = state->single_domains[state->single_sids_done];
+                if (wb_domain != NULL) {
+                        /*
+                         * If the lookupsid failed because the rid not
+                         * found in a domain and we have a reference
+                         * to the lookup domain, use the name from
+                         * there.
+                         *
+                         * Callers like sid2xid will use the domain
+                         * name in the idmap backend to figure out
+                         * which domain to use in processing.
+                         */
+                        tmpname = wb_domain->domain->name;
+                } else {
+                        tmpname = "";
+                }
+                domain_name = talloc_strdup(talloc_tos(), tmpname);
                 if (tevent_req_nomem(domain_name, req)) {
                         return;

vendor/current/source3/winbindd/winbindd_cache.c

@@ -510 +510 @@
 
 /*
-  refresh the domain sequence number. If force is true
-  then always refresh it, no matter how recently we fetched it
+  refresh the domain sequence number on timeout.
 */
 
-static void refresh_sequence_number(struct winbindd_domain *domain, bool force)
+static void refresh_sequence_number(struct winbindd_domain *domain)
 {
         NTSTATUS status;
@@ -537 +536 @@
 
         /* see if we have to refetch the domain sequence number */
-        if (!force && (time_diff < cache_time) &&
+        if ((time_diff < cache_time) &&
                         (domain->sequence_number != DOM_SEQUENCE_NONE) &&
                         NT_STATUS_IS_OK(domain->last_status)) {
@@ -711 +710 @@
         }
 
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
 
         va_start(ap, format);
@@ -1559 +1558 @@
 
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -1671 +1670 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -1776 +1775 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -1891 +1890 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
 
         if (domain->online &&
@@ -2005 +2004 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -2230 +2229 @@
         }
 
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
 
         for (i=0; i<num_rids; i++) {
@@ -2391 +2390 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -2509 +2508 @@
 
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -2662 +2661 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -2798 +2797 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -2821 +2820 @@
 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
 {
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
 
         *seq = domain->sequence_number;
@@ -2999 +2998 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -3071 +3070 @@
         }
         /* and save it */
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -3332 +3331 @@
 }
 
+/*
+ * Cache a name to sid without checking the sequence number.
+ * Used when caching from a trusted PAC.
+ */
+
+void cache_name2sid_trusted(struct winbindd_domain *domain,
+                        const char *domain_name,
+                        const char *name,
+                        enum lsa_SidType type,
+                        const struct dom_sid *sid)
+{
+        /*
+         * Ensure we store the mapping with the
+         * existing sequence number from the cache.
+         */
+        get_cache(domain);
+        (void)fetch_cache_seqnum(domain, time(NULL));
+        wcache_save_name_to_sid(domain,
+                                NT_STATUS_OK,
+                                domain_name,
+                                name,
+                                sid,
+                                type);
+}
+
 void cache_name2sid(struct winbindd_domain *domain, 
                     const char *domain_name, const char *name,
                     enum lsa_SidType type, const struct dom_sid *sid)
 {
-        refresh_sequence_number(domain, false);
+        refresh_sequence_number(domain);
         wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
                                 sid, type);
@@ -3472 +3496 @@
         NTSTATUS status;
         int ret;
-        struct cred_list *cred, *oldest = NULL;
+        struct cred_list *cred, *next, *oldest = NULL;
 
         if (!cache->tdb) {
@@ -3541 +3565 @@
         }
 done:
-        SAFE_FREE(wcache_cred_list);
+        for (cred = wcache_cred_list; cred; cred = next) {
+                next = cred->next;
+                DLIST_REMOVE(wcache_cred_list, cred);
+                SAFE_FREE(cred);
+        }
         SAFE_FREE(oldest);
 

vendor/current/source3/winbindd/winbindd_dual.c

@@ -836 +836 @@
         DEBUG(10,("winbind_msg_dump_event_list received\n"));
 
-        dump_event_list(winbind_event_context());
+        DBG_WARNING("dump event list no longer implemented\n");
 
         for (child = winbindd_children; child != NULL; child = child->next) {
@@ -1241 +1241 @@
 {
         DEBUG(5,("child_msg_dump_event_list received\n"));
-
-        dump_event_list(winbind_event_context());
+        DBG_WARNING("dump_event_list no longer implemented\n");
 }
 

vendor/current/source3/winbindd/winbindd_dual_srv.c

@@ -203 +203 @@
                 for (j=0; j<num_ids; j++) {
                         struct wbint_TransID *id = &r->in.ids->ids[id_idx[j]];
+
+                        if (!idmap_unix_id_is_in_range(ids[j].xid.id, dom)) {
+                                ids[j].status = ID_UNMAPPED;
+                        }
 
                         if (ids[j].status != ID_MAPPED) {

vendor/current/source3/winbindd/winbindd_pam.c

@@ -2560 +2560 @@
 
         if (logon_info) {
-                /* Signature verification succeeded, trust the PAC */
+                /*
+                 * Signature verification succeeded, we can
+                 * trust the PAC and prime the netsamlogon
+                 * and name2sid caches. DO NOT DO THIS
+                 * in the signature verification failed
+                 * code path.
+                 */
+                struct winbindd_domain *domain = NULL;
+
                 result = create_info3_from_pac_logon_info(state->mem_ctx,
                                                         logon_info,
@@ -2568 +2576 @@
                 }
                 netsamlogon_cache_store(NULL, info3_copy);
+
+                /*
+                 * We're in the parent here, so find the child
+                 * pointer from the PAC domain name.
+                 */
+                domain = find_domain_from_name_noinit(
+                                info3_copy->base.logon_domain.string);
+                if (domain && domain->primary ) {
+                        struct dom_sid user_sid;
+
+                        sid_compose(&user_sid,
+                                info3_copy->base.domain_sid,
+                                info3_copy->base.rid);
+
+                        cache_name2sid_trusted(domain,
+                                info3_copy->base.logon_domain.string,
+                                info3_copy->base.account_name.string,
+                                SID_NAME_USER,
+                                &user_sid);
+
+                        DBG_INFO("PAC for user %s\%s SID %s primed cache\n",
+                                info3_copy->base.logon_domain.string,
+                                info3_copy->base.account_name.string,
+                                sid_string_dbg(&user_sid));
+                }
 
         } else {

vendor/current/source3/winbindd/winbindd_proto.h

@@ -87 +87 @@
                         struct dom_sid *sid,
                         enum lsa_SidType *type);
+void cache_name2sid_trusted(struct winbindd_domain *domain,
+                        const char *domain_name,
+                        const char *name,
+                        enum lsa_SidType type,
+                        const struct dom_sid *sid);
 void cache_name2sid(struct winbindd_domain *domain, 
                     const char *domain_name, const char *name,

vendor/current/source3/winbindd/winbindd_util.c

@@ -1103 +1103 @@
         if ( !p ) {
                 fstrcpy(user, domuser);
-
-                if ( assume_domain(lp_workgroup())) {
+                p = strchr(domuser, '@');
+
+                if ( assume_domain(lp_workgroup()) && p == NULL) {
                         fstrcpy(domain, lp_workgroup());
-                } else if ((p = strchr(domuser, '@')) != NULL) {
+                } else if (p != NULL) {
                         fstrcpy(domain, p + 1);
                         user[PTR_DIFF(p, domuser)] = 0;