author | Stefan Metzmacher <metze@samba.org> | 2013-07-10 14:48:18 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2013-07-10 23:18:06 +0200 |
commit | 596b51c666e549fb518d92931d8837922154a2fe (patch) | |
tree | bfd22b1a428c46e99a4306ca3a3498e31d60430c | |
parent | 1573638212a9733a44939a4d38a226f38dca36f1 (diff) | |
s4:server: avoid calling into nss_winbind from within 'samba'
The most important part is that the 'winbind_server' doesn't
recurse into itself. This could happen if the krb5 libraries
call getlogin().
As we may run in single process mode, we need to set
_NO_WINBINDD=1 everywhere, the only exception is the forked
'smbd'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 10 23:18:06 CEST 2013 on sn-devel-104
-rw-r--r-- | file_server/file_server.c | 9 | ||||
-rw-r--r-- | source4/smbd/server.c | 7 |
2 files changed, 16 insertions, 0 deletions
diff --git a/file_server/file_server.c b/file_server/file_server.c
index 5d44d5a85c..aab5f39ac7 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -28,6 +28,7 @@
 #include "source4/smbd/process_model.h"
 #include "file_server/file_server.h"
 #include "dynconfig.h"
+#include "nsswitch/winbind_client.h"
 /* called if smbd exits
@@ -64,6 +65,8 @@ static void s3fs_task_init(struct task_server *task)
 smbd_path = talloc_asprintf(task, "%s/smbd", dyn_SBINDIR);
 smbd_cmd[0] = smbd_path;
+ /* the child should be able to call through nss_winbind */
+ (void)winbind_on();
 /* start it as a child process */
 subreq = samba_runcmd_send(task, task->event_ctx, timeval_zero(), 1, 0, smbd_cmd,
@@ -72,6 +75,12 @@ static void s3fs_task_init(struct task_server *task)
 "--foreground",
 debug_get_output_is_stdout()?"--log-stdout":NULL,
 NULL);
+ /* the parent should not be able to call through nss_winbind */
+ if (!winbind_off()) {
+ DEBUG(0,("Failed to re-disable recursive winbindd calls after forking smbd\n"));
+ task_server_terminate(task, "Failed to re-disable recursive winbindd calls", true);
+ return;
+ }
 if (subreq == NULL) {
 DEBUG(0, ("Failed to start smbd as child daemon\n"));
 task_server_terminate(task, "Failed to startup s3fs smb task", true);
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 0ad3e6ba41..37aac625b6 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -43,6 +43,7 @@
 #include "cluster/cluster.h"
 #include "dynconfig/dynconfig.h"
 #include "lib/util/samba_modules.h"
+#include "nsswitch/winbind_client.h"
 /* recursively delete a directory tree
@@ -402,6 +403,12 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
 }
 }
+ /* make sure we won't go through nss_winbind */
+ if (!winbind_off()) {
+ DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n"));
+ exit(1);
+ }
+
 gensec_init(); /* FIXME: */
 ntptr_init(); /* FIXME: maybe run this in the initialization function |
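Review bot: In file_server/file_server.c, hunk `@@ -64,6 +65,8 @@`, the result of `winbind_on()` is thrown away with a `(void)` cast, while the matching `winbind_off()` further down in s3fs_task_init is checked. Assuming it reports success the same way `winbind_off()` does, a failure here would presumably leave the forked smbd with the disabled setting the commit message describes (`_NO_WINBINDD=1`), so it would run without nss_winbind lookups and nothing in the log would explain why. I would at least log it: `if (!winbind_on()) { DEBUG(0,("Failed to enable nss_winbind for the smbd child\n")); }`. s3fs_task_init starts and ends outside this hunk.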
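Review bot: In file_server/file_server.c, hunk `@@ -72,6 +75,12 @@`, the on/off pair around `samba_runcmd_send()` is only correct if the child has been forked by the time that call returns, and nothing in the code states this. The log text "after forking smbd" suggests it holds, but the setting is process-wide and in single process mode every task shares it, so the assumption deserves a comment such as `/* samba_runcmd_send() must have forked the child before returning; the setting is process-wide, so keep this window as short as possible */`. Separately, the early `return` on `winbind_off()` failure runs before `subreq` is examined, so a child that did start is not followed up in this function; whether `task_server_terminate(..., true)` covers that is not visible in the hunk.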
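Review bot: In source4/smbd/server.c, hunk `@@ -402,6 +403,12 @@`, the new log message misspells "recursive": `"Failed to disable recusive winbindd calls. Exiting.\n"` should read `"Failed to disable recursive winbindd calls. Exiting.\n"`, matching the spelling in the file_server.c message so that one log search finds both failures. Exiting on failure is a sensible fail-closed choice, and the comment could say why, e.g. `/* make sure we won't go through nss_winbind: a lookup could recurse into our own winbind_server */`. binary_smbd_main starts and ends outside this hunk, so whether anything earlier in it can already trigger an NSS lookup cannot be judged from here.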