authorAndrew Bartlett <abartlet@samba.org>2004-01-08 02:15:46 +0000
committerAndrew Bartlett <abartlet@samba.org>2004-01-08 02:15:46 +0000
commit88d8644ef7f588f585530cbefc1dc5a2133c1114 (patch)
treec61289d92abfd995012ebfd550d23bf33817e599
parent0e12b8827402155095b1d8d5be23aa26d26b200a (diff)
Move more of winbind to use 'find_our_domain()' rather than the dangerous
find_domain_from_name(lp_workgroup()). (as find_domain_from_name() can change the data in lp_workgroup()) Andrew Bartlett (This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
-rw-r--r--source3/nsswitch/winbindd_cache.c2
-rw-r--r--source3/nsswitch/winbindd_group.c49
-rw-r--r--source3/nsswitch/winbindd_misc.c13
-rw-r--r--source3/nsswitch/winbindd_sid.c8
-rw-r--r--source3/nsswitch/winbindd_user.c14
5 files changed, 38 insertions, 48 deletions
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index a3c1706b75..2df2ea6374 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -107,7 +107,7 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
case SEC_ADS: {
extern struct winbindd_methods ads_methods;
/* always obey the lp_security parameter for our domain */
- if ( strequal(lp_realm(), domain->alt_name) || strequal(lp_workgroup(), domain->name) ) {
+ if (domain->primary) {
domain->backend = &ads_methods;
break;
}
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 5352411a6a..602c2f55bb 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -106,7 +106,7 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
*num_gr_mem = 0;
if ( !((group_name_type==SID_NAME_DOM_GRP) ||
- ((group_name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+ ((group_name_type==SID_NAME_ALIAS) && domain->primary)) )
{
DEBUG(1, ("SID %s in domain %s isn't a domain group (%d)\n",
sid_to_string(sid_string, group_sid), domain->name,
@@ -260,22 +260,20 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
return WINBINDD_OK;
}
- /* should we deal with users for our domain? */
-
- if ( lp_winbind_trusted_domains_only() && strequal(name_domain, lp_workgroup())) {
- DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n",
- name_domain, name_group));
- return WINBINDD_ERROR;
- }
-
-
/* Get info for the domain */
if ((domain = find_domain_from_name(name_domain)) == NULL) {
- DEBUG(0, ("could not get domain sid for domain %s\n",
+ DEBUG(3, ("could not get domain sid for domain %s\n",
name_domain));
return WINBINDD_ERROR;
}
+ /* should we deal with users for our domain? */
+
+ if ( lp_winbind_trusted_domains_only() && domain->primary) {
+ DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n",
+ name_domain, name_group));
+ return WINBINDD_ERROR;
+ }
/* Get rid and name type from name */
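Review bot: The relocated comment above the new `domain->primary` test still reads `should we deal with users for our domain?`, although winbindd_getgrnam handles group lookups; `/* should we deal with groups for our domain? */` would match the check beneath it. The same hunk lowers the "could not get domain sid" message from level 0 to level 3, which the commit description does not mention. A short note there would help anyone who watches for that log line. The function body starts and ends outside the hunk.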
@@ -287,7 +285,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
}
if ( !((name_type==SID_NAME_DOM_GRP) ||
- ((name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+ ((name_type==SID_NAME_ALIAS) && domain->primary)) )
{
DEBUG(1, ("name '%s' is not a local or domain group: %d\n",
name_group, name_type));
@@ -378,7 +376,7 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
}
if ( !((name_type==SID_NAME_DOM_GRP) ||
- ((name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+ ((name_type==SID_NAME_ALIAS) && domain->primary) ))
{
DEBUG(1, ("name '%s' is not a local or domain group: %d\n",
group_name, name_type));
@@ -436,7 +434,7 @@ enum winbindd_result winbindd_setgrent(struct winbindd_cli_state *state)
are a member of a Samba domain */
if ( (IS_DC || lp_winbind_trusted_domains_only())
- && strequal(domain->name, lp_workgroup()) )
+ && domain->primary )
{
continue;
}
@@ -542,7 +540,7 @@ static BOOL get_sam_group_entries(struct getent_state *ent)
and are not using LDAP to get the groups */
if ( lp_security() != SEC_ADS && domain->native_mode
- && strequal(lp_workgroup(), domain->name) )
+ && domain->primary )
{
DEBUG(4,("get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well\n"));
@@ -933,21 +931,22 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
/* Parse domain and username */
parse_domain_user(state->request.data.username,
- name_domain, name_user);
+ name_domain, name_user);
- /* bail if there is no domain */
-
- if ( !*name_domain )
- goto done;
-
/* Get info for the domain */
if ((domain = find_domain_from_name(name_domain)) == NULL) {
- DEBUG(0, ("could not find domain entry for domain %s\n",
+ DEBUG(7, ("could not find domain entry for domain %s\n",
name_domain));
goto done;
}
+ if ( domain->primary && lp_winbind_trusted_domains_only()) {
+ DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getgroups() for %s\\%s.\n",
+ name_domain, name_user));
+ return WINBINDD_ERROR;
+ }
+
/* Get rid and name type from name. The following costs 1 packet */
if (!winbindd_lookup_sid_by_name(domain, name_user, &user_sid,
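Review bot: The new trusted-domains-only rejection in winbindd_getgroups exits with `return WINBINDD_ERROR;`, while both neighbouring error paths in this hunk use `goto done;`. Whatever cleanup sits under the `done` label is therefore skipped on this path; the label is not visible here, as the function starts and ends outside the hunk. Unless nothing has been allocated by this point, the line should be `goto done;`. The DEBUG text also names `winbindd_getpwnam`, which misattributes the rejection in logs; `"winbindd_getgroups: My domain -- rejecting getgroups() for %s\\%s.\n"` names the right function. Separately, removing the `if ( !*name_domain )` guard lets an empty domain name reach find_domain_from_name(); presumably that returns NULL and is caught by the check below, but this should be confirmed.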
@@ -956,7 +955,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
goto done;
}
- if (name_type != SID_NAME_USER) {
+ if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) {
DEBUG(1, ("name '%s' is not a user name: %d\n",
name_user, name_type));
goto done;
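Review bot: The condition now also accepts `SID_NAME_COMPUTER`, but the DEBUG message under it still says "is not a user name" and the commit description does not mention machine accounts. Because this widens the set of account types for which group membership is returned, it deserves a why-comment such as `/* machine accounts are looked up like users here */`. The message should become `"name '%s' is not a user or computer name: %d\n"`. The change would also be easier to audit as a separate commit from the find_our_domain() refactoring.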
@@ -995,7 +994,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
in a win2k native mode domain. */
if ( !((sid_type==SID_NAME_DOM_GRP) ||
- ((sid_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+ ((sid_type==SID_NAME_ALIAS) && domain->primary)) )
{
DEBUG(10, ("winbindd_getgroups: sid type %d "
"for %s is not a domain group\n",
@@ -1122,7 +1121,7 @@ enum winbindd_result winbindd_getusersids(struct winbindd_cli_state *state)
sid_string_static(&user_sid)));
goto done;
}
-
+
status = domain->methods->lookup_usergroups(domain, mem_ctx,
&user_sid, &num_groups,
&user_grpsids);
diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c
index d1e5c8cb49..95ca57a5e3 100644
--- a/source3/nsswitch/winbindd_misc.c
+++ b/source3/nsswitch/winbindd_misc.c
@@ -36,7 +36,6 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
int num_retries = 0;
struct cli_state *cli;
uint32 sec_channel_type;
- const char *contact_domain_name = NULL;
struct winbindd_domain *contact_domain;
DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
@@ -51,18 +50,10 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat
}
- /* use the realm name if appropriate and possible */
-
- if ( lp_security() == SEC_ADS )
- contact_domain_name = lp_realm();
-
- if ( !contact_domain_name || !*contact_domain_name )
- contact_domain_name = lp_workgroup();
-
- contact_domain = find_domain_from_name(contact_domain_name);
+ contact_domain = find_our_domain();
if (!contact_domain) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- DEBUG(1, ("%s is not a trusted domain\n", contact_domain_name));
+ DEBUG(1, ("Cannot find our own domain!\n"));
goto done;
}
diff --git a/source3/nsswitch/winbindd_sid.c b/source3/nsswitch/winbindd_sid.c
index 7c4c8d804a..9fbf47046d 100644
--- a/source3/nsswitch/winbindd_sid.c
+++ b/source3/nsswitch/winbindd_sid.c
@@ -152,7 +152,7 @@ enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
DOM_SID sid2;
uint32 rid;
- domain = find_domain_from_name( lp_workgroup() );
+ domain = find_our_domain();
if ( !domain ) {
DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
return WINBINDD_ERROR;
@@ -244,7 +244,7 @@ enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
uint32 rid;
unid_t id;
- domain = find_domain_from_name( lp_workgroup() );
+ domain = find_our_domain();
if ( !domain ) {
DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
return WINBINDD_ERROR;
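Review bot: The failure message next to the changed line in winbindd_sid_to_gid still reads `winbindd_sid_to_uid: can't find my own domain!`, and the one in winbindd_gid_to_sid (last hunk of this file) reads `winbindd_uid_to_sid:`. Both are unchanged context lines, but a find_our_domain() failure is logged at level 0 and will be triaged from the log text alone. The prefixes should name the emitting function: `"winbindd_sid_to_gid: can't find my own domain!\n"` and `"winbindd_gid_to_sid: can't find my own domain!\n"`.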
@@ -341,7 +341,7 @@ enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
if ( !(pw = getpwuid(state->request.data.uid)) )
return WINBINDD_ERROR;
- if ( !(domain = find_domain_from_name(lp_workgroup())) ) {
+ if ( !(domain = find_our_domain()) ) {
DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
@@ -411,7 +411,7 @@ enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
if ( !(grp = getgrgid(state->request.data.gid)) )
return WINBINDD_ERROR;
- if ( !(domain = find_domain_from_name(lp_workgroup())) ) {
+ if ( !(domain = find_our_domain()) ) {
DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index 29d4ba4c75..d08377c888 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -124,7 +124,7 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
/* Parse domain and username */
parse_domain_user(state->request.data.username,
- name_domain, name_user);
+ name_domain, name_user);
/* if this is our local domain (or no domain), the do a local tdb search */
@@ -140,17 +140,17 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
/* should we deal with users for our domain? */
- if ( lp_winbind_trusted_domains_only() && strequal(name_domain, lp_workgroup())) {
- DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getpwnam() for %s\\%s.\n",
- name_domain, name_user));
- return WINBINDD_ERROR;
- }
-
if ((domain = find_domain_from_name(name_domain)) == NULL) {
DEBUG(5, ("no such domain: %s\n", name_domain));
return WINBINDD_ERROR;
}
+ if ( domain->primary && lp_winbind_trusted_domains_only()) {
+ DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getpwnam() for %s\\%s.\n",
+ name_domain, name_user));
+ return WINBINDD_ERROR;
+ }
+
/* Get rid and name type from name */
if (!winbindd_lookup_sid_by_name(domain, name_user, &user_sid, &name_type)) {
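Review bot: The comment `/* should we deal with users for our domain? */` is left above the find_domain_from_name() lookup, while the test it describes, `domain->primary && lp_winbind_trusted_domains_only()`, now comes after that lookup. Moving the comment directly above the new `if` keeps the policy check easy to find when auditing which requests are refused. winbindd_getpwnam continues outside the hunk.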