diff options
| author | Günther Deschner <gd@samba.org> | 2006-10-12 13:29:01 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:15:26 -0500 |
| commit | 7399ab779d7100059475ed196e6e4435b2b33bbd (patch) | |
| tree | 94eaff54327d75fdc6cfbb0c62710533c049528e | |
| parent | 96869053a5abe37efee679f524beb83da0191caa (diff) | |
| download | samba-7399ab779d7100059475ed196e6e4435b2b33bbd.tar.gz samba-7399ab779d7100059475ed196e6e4435b2b33bbd.tar.bz2 samba-7399ab779d7100059475ed196e6e4435b2b33bbd.zip | |
r19255: Add blacklist of accounts when NSS initgroups calls are coming in and
"winbind use default domain" is set. Defaults to "root, nobody, lp"
currently.
Guenther
(This used to be commit b5b42196a6f2869deefc700dc98060f5ab832e40)
| -rw-r--r-- | source3/nsswitch/winbindd_group.c | 24 | ||||
| -rw-r--r-- | source3/param/loadparm.c | 4 |
2 files changed, 28 insertions, 0 deletions
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index de19ee02b5..676bf918b4 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -1018,6 +1018,30 @@ void winbindd_getgroups(struct winbindd_cli_state *state) DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid, state->request.data.username)); + /* when using "winbind use default domain" we need to avoid that + * initgroups() requests from NSS hit our DC too badly for accounts + * that will never be on the remote DC */ + + if (lp_winbind_use_default_domain()) { + + const char **list = lp_winbind_initgroups_blacklist(); + int i; + + if (!list || !list[0]) { + goto parse; + } + + for (i=0; list[i] != NULL; i++) { + + if (strequal(state->request.data.username, list[i])) { + DEBUG(3,("ignoring blacklisted user [%s] for getgroups\n", + state->request.data.username)); + request_ok(state); + return; + } + } + } + parse: /* Parse domain and username */ s = TALLOC_P(state->mem_ctx, struct getgroups_state); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 8f2258bb72..0dff2e36c7 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -181,6 +181,7 @@ typedef struct { BOOL bWinbindRefreshTickets; BOOL bWinbindOfflineLogon; char **szIdmapBackend; + char **szWinbindInitgroupsBlacklist; char *szAddShareCommand; char *szChangeShareCommand; char *szDeleteShareCommand; @@ -1278,6 +1279,7 @@ static struct parm_struct parm_table[] = { {"winbind nss info", P_LIST, P_GLOBAL, &Globals.szWinbindNssInfo, NULL, NULL, FLAG_ADVANCED}, {"winbind refresh tickets", P_BOOL, P_GLOBAL, &Globals.bWinbindRefreshTickets, NULL, NULL, FLAG_ADVANCED}, {"winbind offline logon", P_BOOL, P_GLOBAL, &Globals.bWinbindOfflineLogon, NULL, NULL, FLAG_ADVANCED}, + {"winbind initgroups blacklist", P_LIST, P_GLOBAL, &Globals.szWinbindInitgroupsBlacklist, NULL, NULL, FLAG_ADVANCED}, {NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0} }; @@ -1624,6 +1626,7 @@ static void init_globals(BOOL first_time_only) Globals.szWinbindNssInfo = str_list_make("template", NULL); Globals.bWinbindRefreshTickets = False; Globals.bWinbindOfflineLogon = False; + Globals.szWinbindInitgroupsBlacklist = str_list_make("root nobody lp", NULL); Globals.bPassdbExpandExplicit = False; @@ -1839,6 +1842,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets) FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon) FN_GLOBAL_LIST(lp_idmap_backend, &Globals.szIdmapBackend) +FN_GLOBAL_LIST(lp_winbind_initgroups_blacklist, &Globals.szWinbindInitgroupsBlacklist) FN_GLOBAL_BOOL(lp_passdb_expand_explicit, &Globals.bPassdbExpandExplicit) FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix) |