r19255: Add blacklist of accounts when NSS initgroups calls are coming in and

"winbind use default domain" is set. Defaults to "root, nobody, lp"
currently.

Guenther
(This used to be commit b5b42196a6f2869deefc700dc98060f5ab832e40)

1 files changed, 24 insertions, 0 deletions

diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index de19ee02b5..676bf918b4 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -1018,6 +1018,30 @@ void winbindd_getgroups(struct winbindd_cli_state *state)
 	DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid,
 		  state->request.data.username));
 
+	/* when using "winbind use default domain" we need to avoid that
+	 * initgroups() requests from NSS hit our DC too badly for accounts
+	 * that will never be on the remote DC */
+
+	if (lp_winbind_use_default_domain()) {
+		
+		const char **list = lp_winbind_initgroups_blacklist();
+		int i;
+
+		if (!list || !list[0]) {
+			goto parse;
+		}
+
+		for (i=0; list[i] != NULL; i++) {
+	
+			if (strequal(state->request.data.username, list[i])) {
+				DEBUG(3,("ignoring blacklisted user [%s] for getgroups\n", 
+					state->request.data.username));
+				request_ok(state);
+				return;
+			}
+		}
+	}
+ parse:
 	/* Parse domain and username */
 
 	s = TALLOC_P(state->mem_ctx, struct getgroups_state);