diff options
author | Gerald Carter <jerry@samba.org> | 2007-05-06 20:16:12 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:21:49 -0500 |
commit | 391a72f3dfc061d6d97752c7e8691f80b4990ba8 (patch) | |
tree | f9d596fb1fe072365f192fdf20751fd277731c1d /source3/nsswitch/winbindd_rpc.c | |
parent | 044f1b4a993cd7711fd9721a73cf9e2f9c90f5a5 (diff) | |
download | samba-391a72f3dfc061d6d97752c7e8691f80b4990ba8.tar.gz samba-391a72f3dfc061d6d97752c7e8691f80b4990ba8.tar.bz2 samba-391a72f3dfc061d6d97752c7e8691f80b4990ba8.zip |
r22710: Support one-way trusts.
* Rely on the fact that name2sid will work for any name
in a trusted domain will work against our primary domain
(even in the absense of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
Diffstat (limited to 'source3/nsswitch/winbindd_rpc.c')
-rw-r--r-- | source3/nsswitch/winbindd_rpc.c | 83 |
1 files changed, 77 insertions, 6 deletions
diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c index a66b05b791..0fafff196b 100644 --- a/source3/nsswitch/winbindd_rpc.c +++ b/source3/nsswitch/winbindd_rpc.c @@ -48,6 +48,12 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, *num_entries = 0; *info = NULL; + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("query_user_list: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(result)) return result; @@ -140,6 +146,12 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, DEBUG(3,("rpc: enum_dom_groups\n")); + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("enum_domain_groups: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + status = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(status)) return status; @@ -196,6 +208,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, DEBUG(3,("rpc: enum_local_groups\n")); + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("enum_local_groups: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(result)) return result; @@ -305,13 +323,20 @@ NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, domain->name )); result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); - if (!NT_STATUS_IS_OK(result)) + if (!NT_STATUS_IS_OK(result)) { + DEBUG(2,("msrpc_sid_to_name: cm_connect_lsa() failed (%s)\n", + nt_errstr(result))); return result; + } + result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy, 1, sid, &domains, &names, &types); - if (!NT_STATUS_IS_OK(result)) + if (!NT_STATUS_IS_OK(result)) { + DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids() failed (%s)\n", + nt_errstr(result))); return result; + } *type = (enum lsa_SidType)types[0]; *domain_name = domains[0]; @@ -401,6 +426,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain, if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid)) return NT_STATUS_UNSUCCESSFUL; + user_info->homedir = NULL; + user_info->shell = NULL; + user_info->primary_gid = (gid_t)-1; + /* try netsamlogon cache first */ if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL ) @@ -418,12 +447,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain, user_info->full_name = unistr2_tdup(mem_ctx, &user->uni_full_name); - user_info->homedir = NULL; - user_info->shell = NULL; - user_info->primary_gid = (gid_t)-1; - TALLOC_FREE(user); + + return NT_STATUS_OK; + } + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("query_user: No incoming trust for domain %s\n", + domain->name)); return NT_STATUS_OK; } @@ -496,6 +527,15 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, return NT_STATUS_OK; } + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_usergroups: No incoming trust for domain %s\n", + domain->name)); + + /* Tell the cache manager not to remember this one */ + + return NT_STATUS_SYNCHRONIZATION_REQUIRED; + } + /* no cache; hit the wire */ result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); @@ -552,6 +592,12 @@ NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain, DEBUG(3,("rpc: lookup_useraliases\n")); + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("msrpc_lookup_useraliases: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(result)) return result; @@ -638,6 +684,12 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, DEBUG(10,("rpc: lookup_groupmem %s sid=%s\n", domain->name, sid_to_string(sid_string, group_sid))); + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_groupmem: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + if (!sid_peek_check_rid(&domain->sid, group_sid, &group_rid)) return NT_STATUS_UNSUCCESSFUL; @@ -822,6 +874,13 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name)); + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("sequence_number: No incoming trust for domain %s\n", + domain->name)); + *seq = time(NULL); + return NT_STATUS_OK; + } + *seq = DOM_SEQUENCE_NONE; if (!(mem_ctx = talloc_init("sequence_number[rpc]"))) @@ -967,6 +1026,12 @@ NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain, DEBUG(10,("rpc: fetch lockout policy for %s\n", domain->name)); + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("msrpc_lockout_policy: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_NOT_SUPPORTED; + } + result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(result)) { goto done; @@ -999,6 +1064,12 @@ NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, DEBUG(10,("rpc: fetch password policy for %s\n", domain->name)); + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("msrpc_password_policy: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_NOT_SUPPORTED; + } + result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(result)) { goto done; |