Use a configure-specified directory for the winbind priv pipe

This makes it easier for RPMs to specify an group for access to that
directory.

Andrew Bartlett
(This used to be commit fa361354433fb9a5c09c84997a7c51f3052c294e)

5 files changed, 65 insertions, 17 deletions

diff --git a/source4/build/m4/check_path.m4 b/source4/build/m4/check_path.m4
index c0b81f1a8d..a209a4b85a 100644
--- a/source4/build/m4/check_path.m4
+++ b/source4/build/m4/check_path.m4
@@ -19,7 +19,8 @@ lockdir="${localstatedir}/locks"
 piddir="${localstatedir}/run"
 privatedir="\${prefix}/private"
 modulesdir="\${prefix}/modules"
-winbindd_socket_dir="${localstatedir}/run/winbind_pipe"
+winbindd_socket_dir="${localstatedir}/run/winbindd"
+winbindd_privileged_socket_dir="${localstatedir}/lib/winbindd_privileged"
 ntp_signd_socket_dir="${localstatedir}/run/ntp_signd"
 
 AC_ARG_WITH(fhs, 
@@ -33,7 +34,8 @@ AC_ARG_WITH(fhs,
     datadir="${datadir}/samba"
     includedir="${includedir}/samba-4.0"
     ntp_signd_socket_dir="${localstatedir}/run/samba/ntp_signd"
-    winbindd_socket_dir="${localstatedir}/run/samba/winbind_pipe"
+    winbindd_socket_dir="${localstatedir}/run/samba/winbindd"
+    winbindd_privileged_socket_dir="${localstatedir}/lib/samba/winbindd_privileged"
 )
 
 #################################################
@@ -55,6 +57,38 @@ AC_ARG_WITH(privatedir,
 #################################################
 # set where the winbindd socket should be put
 AC_ARG_WITH(winbindd-socket-dir,
+[  --with-winbindd-socket-dir=DIR   Where to put the winbindd socket ($winbindd_socket_dir)],
+[ case "$withval" in
+  yes|no)
+  #
+  # Just in case anybody calls it without argument
+  #
+    AC_MSG_WARN([--with-winbind-socketdir called without argument - will use default])
+  ;;
+  * )
+    winbindd_socket_dir="$withval"
+    ;;
+  esac])
+
+#################################################
+# set where the winbindd privilaged socket should be put
+AC_ARG_WITH(winbindd-privileged-socket-dir,
+[  --with-winbindd-privileged-socket-dir=DIR   Where to put the winbindd socket ($winbindd_privileged_socket_dir)],
+[ case "$withval" in
+  yes|no)
+  #
+  # Just in case anybody calls it without argument
+  #
+    AC_MSG_WARN([--with-winbind-privileged-socketdir called without argument - will use default])
+  ;;
+  * )
+    winbindd_privileged_socket_dir="$withval"
+    ;;
+  esac])
+
+#################################################
+# set where the winbindd privilaged socket should be put
+AC_ARG_WITH(winbindd-socket-dir,
 [  --with-winbindd-socket-dir=DIR   Where to put the winbindd socket ($ac_default_prefix/run/winbind_pipe)],
 [ case "$withval" in
   yes|no)
@@ -140,6 +174,7 @@ AC_SUBST(privatedir)
 AC_SUBST(bindir)
 AC_SUBST(sbindir)
 AC_SUBST(winbindd_socket_dir)
+AC_SUBST(winbindd_privileged_socket_dir)
 AC_SUBST(ntp_signd_socket_dir)
 AC_SUBST(modulesdir)
 
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c
index 0a7aec1985..e63a7aa8a1 100644
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -116,6 +116,7 @@ struct loadparm_global
 	const char **server_services;
 	char *ntptr_providor;
 	char *szWinbindSeparator;
+	char *szWinbinddPrivilegedSocketDirectory;
 	char *szWinbinddSocketDirectory;
 	char *szTemplateShell;
 	char *szTemplateHomedir;
@@ -485,6 +486,7 @@ static struct parm_struct parm_table[] = {
 	{"host msdfs", P_BOOL, P_GLOBAL, GLOBAL_VAR(bHostMSDfs), NULL, NULL},
 	{"winbind separator", P_STRING, P_GLOBAL, GLOBAL_VAR(szWinbindSeparator), NULL, NULL },
 	{"winbindd socket directory", P_STRING, P_GLOBAL, GLOBAL_VAR(szWinbinddSocketDirectory), NULL, NULL },
+	{"winbindd privileged socket directory", P_STRING, P_GLOBAL, GLOBAL_VAR(szWinbinddPrivilegedSocketDirectory), NULL, NULL },
 	{"winbind sealed pipes", P_BOOL, P_GLOBAL, GLOBAL_VAR(bWinbindSealedPipes), NULL, NULL },
 	{"template shell", P_STRING, P_GLOBAL, GLOBAL_VAR(szTemplateShell), NULL, NULL },
 	{"template homedir", P_STRING, P_GLOBAL, GLOBAL_VAR(szTemplateHomedir), NULL, NULL },
@@ -631,6 +633,7 @@ _PUBLIC_ FN_GLOBAL_STRING(lp_wins_config_url, szWINS_CONFIG_URL)
 _PUBLIC_ FN_GLOBAL_STRING(lp_wins_url, szWINS_URL)
 _PUBLIC_ FN_GLOBAL_CONST_STRING(lp_winbind_separator, szWinbindSeparator)
 _PUBLIC_ FN_GLOBAL_CONST_STRING(lp_winbindd_socket_directory, szWinbinddSocketDirectory)
+_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_winbindd_privileged_socket_directory, szWinbinddPrivilegedSocketDirectory)
 _PUBLIC_ FN_GLOBAL_CONST_STRING(lp_template_shell, szTemplateShell)
 _PUBLIC_ FN_GLOBAL_CONST_STRING(lp_template_homedir, szTemplateHomedir)
 _PUBLIC_ FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, bWinbindSealedPipes)
@@ -2382,6 +2385,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lp_do_global_parameter(lp_ctx, "winbind separator", "\\");
 	lp_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
 	lp_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
+	lp_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
 	lp_do_global_parameter(lp_ctx, "template shell", "/bin/false");
 	lp_do_global_parameter(lp_ctx, "template homedir", "/home/%WORKGROUP%/%ACCOUNTNAME%");
 	lp_do_global_parameter(lp_ctx, "idmap trusted only", "False");
diff --git a/source4/param/param.h b/source4/param/param.h
index 06a42575ad..4ed2654692 100644
--- a/source4/param/param.h
+++ b/source4/param/param.h
@@ -91,6 +91,7 @@ const char *lp_wins_config_url(struct loadparm_context *);
 const char *lp_wins_url(struct loadparm_context *);
 const char *lp_winbind_separator(struct loadparm_context *);
 const char *lp_winbindd_socket_directory(struct loadparm_context *);
+const char *lp_winbindd_privileged_socket_directory(struct loadparm_context *);
 const char *lp_template_shell(struct loadparm_context *);
 const char *lp_template_homedir(struct loadparm_context *);
 bool lp_winbind_sealed_pipes(struct loadparm_context *);
diff --git a/source4/param/param_wrap.c b/source4/param/param_wrap.c
index aff239312d..48fd752f0e 100644
--- a/source4/param/param_wrap.c
+++ b/source4/param/param_wrap.c
@@ -2479,7 +2479,7 @@ SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags)
 #define SWIGTYPE_p_int swig_types[2]
 #define SWIGTYPE_p_loadparm_context swig_types[3]
 #define SWIGTYPE_p_loadparm_service swig_types[4]
-#define SWIGTYPE_p_long_long swig_types[5]
+#define SWIGTYPE_p_long swig_types[5]
 #define SWIGTYPE_p_param_context swig_types[6]
 #define SWIGTYPE_p_param_opt swig_types[7]
 #define SWIGTYPE_p_param_section swig_types[8]
@@ -2487,7 +2487,7 @@ SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags)
 #define SWIGTYPE_p_signed_char swig_types[10]
 #define SWIGTYPE_p_unsigned_char swig_types[11]
 #define SWIGTYPE_p_unsigned_int swig_types[12]
-#define SWIGTYPE_p_unsigned_long_long swig_types[13]
+#define SWIGTYPE_p_unsigned_long swig_types[13]
 #define SWIGTYPE_p_unsigned_short swig_types[14]
 static swig_type_info *swig_types[16];
 static swig_module_info swig_module = {swig_types, 15, 0, 0, 0, 0};
@@ -4250,18 +4250,18 @@ static PyMethodDef SwigMethods[] = {
 
 static swig_type_info _swigt__p_TALLOC_CTX = {"_p_TALLOC_CTX", "TALLOC_CTX *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_int = {"_p_int", "intptr_t *|int *|int_least32_t *|int_fast32_t *|int32_t *|int_fast16_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_int = {"_p_int", "int *|int_least32_t *|int32_t *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_loadparm_context = {"_p_loadparm_context", "struct loadparm_context *|loadparm_context *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_loadparm_service = {"_p_loadparm_service", "struct loadparm_service *|loadparm_service *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_long_long = {"_p_long_long", "int_least64_t *|int_fast64_t *|int64_t *|long long *|intmax_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_long = {"_p_long", "intptr_t *|int_least64_t *|int_fast32_t *|int_fast64_t *|int64_t *|long *|int_fast16_t *|intmax_t *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_param_context = {"_p_param_context", "struct param_context *|param *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_param_opt = {"_p_param_opt", "struct param_opt *|param_opt *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_param_section = {"_p_param_section", "struct param_section *|param_section *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_short = {"_p_short", "short *|int_least16_t *|int16_t *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_signed_char = {"_p_signed_char", "signed char *|int_least8_t *|int_fast8_t *|int8_t *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_unsigned_char = {"_p_unsigned_char", "unsigned char *|uint_least8_t *|uint_fast8_t *|uint8_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "uintptr_t *|uint_least32_t *|uint_fast32_t *|uint32_t *|unsigned int *|uint_fast16_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_long_long = {"_p_unsigned_long_long", "uint_least64_t *|uint_fast64_t *|uint64_t *|unsigned long long *|uintmax_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "uint_least32_t *|uint32_t *|unsigned int *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_long = {"_p_unsigned_long", "uintptr_t *|uint_least64_t *|uint_fast32_t *|uint_fast64_t *|uint64_t *|unsigned long *|uint_fast16_t *|uintmax_t *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned short *|uint_least16_t *|uint16_t *", 0, 0, (void*)0, 0};
 
 static swig_type_info *swig_type_initial[] = {
@@ -4270,7 +4270,7 @@ static swig_type_info *swig_type_initial[] = {
   &_swigt__p_int,
   &_swigt__p_loadparm_context,
   &_swigt__p_loadparm_service,
-  &_swigt__p_long_long,
+  &_swigt__p_long,
   &_swigt__p_param_context,
   &_swigt__p_param_opt,
   &_swigt__p_param_section,
@@ -4278,7 +4278,7 @@ static swig_type_info *swig_type_initial[] = {
   &_swigt__p_signed_char,
   &_swigt__p_unsigned_char,
   &_swigt__p_unsigned_int,
-  &_swigt__p_unsigned_long_long,
+  &_swigt__p_unsigned_long,
   &_swigt__p_unsigned_short,
 };
 
@@ -4287,7 +4287,7 @@ static swig_cast_info _swigc__p_char[] = {  {&_swigt__p_char, 0, 0, 0},{0, 0, 0,
 static swig_cast_info _swigc__p_int[] = {  {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_loadparm_context[] = {  {&_swigt__p_loadparm_context, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_loadparm_service[] = {  {&_swigt__p_loadparm_service, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_long_long[] = {  {&_swigt__p_long_long, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_long[] = {  {&_swigt__p_long, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_param_context[] = {  {&_swigt__p_param_context, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_param_opt[] = {  {&_swigt__p_param_opt, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_param_section[] = {  {&_swigt__p_param_section, 0, 0, 0},{0, 0, 0, 0}};
@@ -4295,7 +4295,7 @@ static swig_cast_info _swigc__p_short[] = {  {&_swigt__p_short, 0, 0, 0},{0, 0,
 static swig_cast_info _swigc__p_signed_char[] = {  {&_swigt__p_signed_char, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_unsigned_char[] = {  {&_swigt__p_unsigned_char, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_unsigned_int[] = {  {&_swigt__p_unsigned_int, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_unsigned_long_long[] = {  {&_swigt__p_unsigned_long_long, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_unsigned_long[] = {  {&_swigt__p_unsigned_long, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_unsigned_short[] = {  {&_swigt__p_unsigned_short, 0, 0, 0},{0, 0, 0, 0}};
 
 static swig_cast_info *swig_cast_initial[] = {
@@ -4304,7 +4304,7 @@ static swig_cast_info *swig_cast_initial[] = {
   _swigc__p_int,
   _swigc__p_loadparm_context,
   _swigc__p_loadparm_service,
-  _swigc__p_long_long,
+  _swigc__p_long,
   _swigc__p_param_context,
   _swigc__p_param_opt,
   _swigc__p_param_section,
@@ -4312,7 +4312,7 @@ static swig_cast_info *swig_cast_initial[] = {
   _swigc__p_signed_char,
   _swigc__p_unsigned_char,
   _swigc__p_unsigned_int,
-  _swigc__p_unsigned_long_long,
+  _swigc__p_unsigned_long,
   _swigc__p_unsigned_short,
 };
 
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index 14d62b8568..97646f2849 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -136,6 +136,13 @@ static void winbind_task_init(struct task_server *task)
 		return;
 	}
 
+	/* Make sure the directory for the Samba3 socket exists, and is of the correct permissions */
+	if (!directory_create_or_exist(lp_winbindd_privileged_socket_directory(task->lp_ctx), geteuid(), 0750)) {
+		task_server_terminate(task,
+				      "Cannot create winbindd privileged pipe directory");
+		return;
+	}
+
 	service = talloc_zero(task, struct wbsrv_service);
 	if (!service) goto nomem;
 	service->task	= task;
@@ -175,9 +182,10 @@ static void winbind_task_init(struct task_server *task)
 	/* setup the privileged samba3 socket */
 	listen_socket = talloc(service, struct wbsrv_listen_socket);
 	if (!listen_socket) goto nomem;
-	listen_socket->socket_path	=
-		smbd_tmp_path(listen_socket, task->lp_ctx, 
-			      WINBINDD_SAMBA3_PRIVILEGED_SOCKET);
+	listen_socket->socket_path	= talloc_asprintf(listen_socket, "%s/%s", 
+							  lp_winbindd_privileged_socket_directory(task->lp_ctx), 
+							  WINBINDD_SAMBA3_SOCKET);
+	if (!listen_socket->socket_path) goto nomem;
 	if (!listen_socket->socket_path) goto nomem;
 	listen_socket->service		= service;
 	listen_socket->privileged	= true;