authorGünther Deschner <gd@samba.org>2006-10-12 13:29:01 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:15:26 -0500
commit7399ab779d7100059475ed196e6e4435b2b33bbd (patch)
tree94eaff54327d75fdc6cfbb0c62710533c049528e
parent96869053a5abe37efee679f524beb83da0191caa (diff)
r19255: Add blacklist of accounts when NSS initgroups calls are coming in and
"winbind use default domain" is set. Defaults to "root, nobody, lp" currently. Guenther (This used to be commit b5b42196a6f2869deefc700dc98060f5ab832e40)
-rw-r--r--source3/nsswitch/winbindd_group.c24
-rw-r--r--source3/param/loadparm.c4
2 files changed, 28 insertions, 0 deletions
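--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -1018,6 +1018,30 @@ void winbindd_getgroups(struct winbindd_cli_state *state)
 DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid,
 state->request.data.username));
+ /* when using "winbind use default domain" we need to avoid that
+ * initgroups() requests from NSS hit our DC too badly for accounts
+ * that will never be on the remote DC */
+
+ if (lp_winbind_use_default_domain()) {
+
+ const char **list = lp_winbind_initgroups_blacklist();
+ int i;
+
+ if (!list || !list[0]) {
+ goto parse;
+ }
+
+ for (i=0; list[i] != NULL; i++) {
+
+ if (strequal(state->request.data.username, list[i])) {
+ DEBUG(3,("ignoring blacklisted user [%s] for getgroups\n",
+ state->request.data.username));
+ request_ok(state);
+ return;
+ }
+ }
+ }
+ parse:
 /* Parse domain and username */
 s = TALLOC_P(state->mem_ctx, struct getgroups_state);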
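Review bot: The `goto parse` / `parse:` label and the `!list[0]` test are unnecessary: the loop `for (i=0; list[i] != NULL; i++)` already terminates at once on an empty list, so the block reduces to `if (list) { for (i=0; list[i] != NULL; i++) { ... } }` with the label dropped, which also stops the label from sitting in front of the `/* Parse domain and username */` comment. The block comment explains the motive but not the consequence: whenever "winbind use default domain" is set, any request whose name matches a blacklist entry is answered with `request_ok(state)` and no group data, so a domain account that happens to share a name with an entry will never get its groups resolved through winbind; a sentence like `/* blacklisted names are answered as success with no entries; a domain account of the same name is never looked up here */` belongs in that comment. If `strequal` is Samba's case-insensitive compare, as it appears to be, say so there as well, since the match is against NSS-supplied names and a later "fix" to `strcmp` would silently change which accounts are skipped. winbindd_getgroups starts and ends outside the hunk.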
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 8f2258bb72..0dff2e36c7 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -181,6 +181,7 @@ typedef struct {
BOOL bWinbindRefreshTickets;
BOOL bWinbindOfflineLogon;
char **szIdmapBackend;
+ char **szWinbindInitgroupsBlacklist;
char *szAddShareCommand;
char *szChangeShareCommand;
char *szDeleteShareCommand;
@@ -1278,6 +1279,7 @@ static struct parm_struct parm_table[] = {
{"winbind nss info", P_LIST, P_GLOBAL, &Globals.szWinbindNssInfo, NULL, NULL, FLAG_ADVANCED},
{"winbind refresh tickets", P_BOOL, P_GLOBAL, &Globals.bWinbindRefreshTickets, NULL, NULL, FLAG_ADVANCED},
{"winbind offline logon", P_BOOL, P_GLOBAL, &Globals.bWinbindOfflineLogon, NULL, NULL, FLAG_ADVANCED},
+ {"winbind initgroups blacklist", P_LIST, P_GLOBAL, &Globals.szWinbindInitgroupsBlacklist, NULL, NULL, FLAG_ADVANCED},
{NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
};
@@ -1624,6 +1626,7 @@ static void init_globals(BOOL first_time_only)
Globals.szWinbindNssInfo = str_list_make("template", NULL);
Globals.bWinbindRefreshTickets = False;
Globals.bWinbindOfflineLogon = False;
+ Globals.szWinbindInitgroupsBlacklist = str_list_make("root nobody lp", NULL);
Globals.bPassdbExpandExplicit = False;
@@ -1839,6 +1842,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
FN_GLOBAL_LIST(lp_idmap_backend, &Globals.szIdmapBackend)
+FN_GLOBAL_LIST(lp_winbind_initgroups_blacklist, &Globals.szWinbindInitgroupsBlacklist)
FN_GLOBAL_BOOL(lp_passdb_expand_explicit, &Globals.bPassdbExpandExplicit)
FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)