summaryrefslogtreecommitdiff
path: root/source3/auth
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2008-06-24 18:01:59 -0700
committerJeremy Allison <jra@samba.org>2008-06-24 18:01:59 -0700
commitda70f8ab1ec840bbdcc73c22c4d4c54705c83980 (patch)
tree19202ffb01222c28a5a9cb43dfccd121600f8491 /source3/auth
parentee6b168e6ea7ef0d7b498b5c881ac28d48e07c6f (diff)
downloadsamba-da70f8ab1ec840bbdcc73c22c4d4c54705c83980.tar.gz
samba-da70f8ab1ec840bbdcc73c22c4d4c54705c83980.tar.bz2
samba-da70f8ab1ec840bbdcc73c22c4d4c54705c83980.zip
Fix for bug #5551, smbd recursing back into winbindd from a winbindd call.
Jeremy. (This used to be commit a07fe72538e8e724b9736d5a85cc590864c5cab2)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_util.c79
1 files changed, 66 insertions, 13 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f3fccb0a88..b1558bceac 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -494,26 +494,50 @@ static char *sanitize_username(TALLOC_CTX *mem_ctx, const char *username)
}
/***************************************************************************
+ Is the incoming username our own machine account ?
+ If so, the connection is almost certainly from winbindd.
+***************************************************************************/
+
+static bool is_our_machine_account(const char *username)
+{
+ bool ret;
+ char *truncname = NULL;
+ size_t ulen = strlen(username);
+
+ if (ulen == 0 || username[ulen-1] != '$') {
+ return false;
+ }
+ truncname = SMB_STRDUP(username);
+ if (!truncname) {
+ return false;
+ }
+ truncname[ulen-1] = '\0';
+ ret = strequal(truncname, global_myname());
+ SAFE_FREE(truncname);
+ return ret;
+}
+
+/***************************************************************************
Make (and fill) a user_info struct from a struct samu
***************************************************************************/
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
struct samu *sampass)
{
- NTSTATUS status;
struct passwd *pwd;
gid_t *gids;
auth_serversupplied_info *result;
int i;
size_t num_gids;
DOM_SID unix_group_sid;
-
+ const char *username = pdb_get_username(sampass);
+ NTSTATUS status;
if ( !(result = make_server_info(NULL)) ) {
return NT_STATUS_NO_MEMORY;
}
- if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
+ if ( !(pwd = getpwnam_alloc(result, username)) ) {
DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
pdb_get_username(sampass)));
TALLOC_FREE(result);
@@ -528,7 +552,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
talloc_steal(result, pwd->pw_name);
result->utok.gid = pwd->pw_gid;
result->utok.uid = pwd->pw_uid;
-
+
TALLOC_FREE(pwd);
result->sanitized_username = sanitize_username(result,
@@ -538,18 +562,47 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
return NT_STATUS_NO_MEMORY;
}
- status = pdb_enum_group_memberships(result, sampass,
+ if (IS_DC && is_our_machine_account(username)) {
+ /*
+ * Ensure for a connection from our own
+ * machine account (from winbindd on a DC)
+ * there are no supplementary groups.
+ * Prevents loops in calling gid_to_sid().
+ */
+ result->sids = NULL;
+ gids = NULL;
+ result->num_sids = 0;
+
+ /*
+ * This is a hack of monstrous proportions.
+ * If we know it's winbindd talking to us,
+ * we know we must never recurse into it,
+ * so turn off contacting winbindd for this
+ * entire process. This will get fixed when
+ * winbindd doesn't need to talk to smbd on
+ * a PDC. JRA.
+ */
+
+ winbind_off();
+
+ DEBUG(10, ("make_server_info_sam: our machine account %s "
+ "setting supplementary group list empty and "
+ "turning off winbindd requests.\n",
+ username));
+ } else {
+ status = pdb_enum_group_memberships(result, sampass,
&result->sids, &gids,
&result->num_sids);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
- nt_errstr(status)));
- result->sam_account = NULL; /* Don't free on error exit. */
- TALLOC_FREE(result);
- return status;
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
+ nt_errstr(status)));
+ result->sam_account = NULL; /* Don't free on error exit. */
+ TALLOC_FREE(result);
+ return status;
+ }
}
-
+
/* Add the "Unix Group" SID for each gid to catch mapped groups
and their Unix equivalent. This is to solve the backwards
compatibility problem of 'valid users = +ntadmin' where