-rw-r--r-- | source3/nsswitch/winbindd_group.c | 24 | ||||
-rw-r--r-- | source3/param/loadparm.c | 4 |
2 files changed, 28 insertions, 0 deletions
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index de19ee02b5..676bf918b4 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -1018,6 +1018,30 @@ void winbindd_getgroups(struct winbindd_cli_state *state)
 	DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid, state->request.data.username));
+	/* when using "winbind use default domain" we need to avoid that
+	 * initgroups() requests from NSS hit our DC too badly for accounts
+	 * that will never be on the remote DC */
+
+	if (lp_winbind_use_default_domain()) {
+
+		const char **list = lp_winbind_initgroups_blacklist();
+		int i;
+
+		if (!list || !list[0]) {
+			goto parse;
+		}
+
+		for (i=0; list[i] != NULL; i++) {
+
+			if (strequal(state->request.data.username, list[i])) {
+				DEBUG(3,("ignoring blacklisted user [%s] for getgroups\n",
+					state->request.data.username));
+				request_ok(state);
+				return;
+			}
+		}
+	}
+
 parse:
 	/* Parse domain and username */
 	s = TALLOC_P(state->mem_ctx, struct getgroups_state);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 8f2258bb72..0dff2e36c7 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -181,6 +181,7 @@ typedef struct {
 	BOOL bWinbindRefreshTickets;
 	BOOL bWinbindOfflineLogon;
 	char **szIdmapBackend;
+	char **szWinbindInitgroupsBlacklist;
 	char *szAddShareCommand;
 	char *szChangeShareCommand;
 	char *szDeleteShareCommand;
@@ -1278,6 +1279,7 @@ static struct parm_struct parm_table[] = {
 	{"winbind nss info", P_LIST, P_GLOBAL, &Globals.szWinbindNssInfo, NULL, NULL, FLAG_ADVANCED},
 	{"winbind refresh tickets", P_BOOL, P_GLOBAL, &Globals.bWinbindRefreshTickets, NULL, NULL, FLAG_ADVANCED},
 	{"winbind offline logon", P_BOOL, P_GLOBAL, &Globals.bWinbindOfflineLogon, NULL, NULL, FLAG_ADVANCED},
+	{"winbind initgroups blacklist", P_LIST, P_GLOBAL, &Globals.szWinbindInitgroupsBlacklist, NULL, NULL, FLAG_ADVANCED},
 	{NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
 };
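Review bot: The `goto parse` in the new block is redundant — the `parse:` label sits immediately after the enclosing `if`, so the empty-list case falls through to the same place without it; `if (!list || !list[0]) { goto parse; }` can be dropped in favour of guarding the loop with `if (list != NULL)` (the `for` already stops on `list[i] == NULL`), and the label removed. Separately, a blacklist match calls `request_ok(state)` and returns before any domain/user parsing, so a genuine domain account that happens to be named `root`, `nobody` or `lp` receives a successful answer with presumably no group data whenever `winbind use default domain` is on, which can silently change the groups such an account is granted; the comment above the block should say so, e.g. `/* NOTE: a match is answered with success and no group lookup is done, so this also hides the groups of domain accounts with these names */`. `strequal()` is case-insensitive, so the match appears to cover `ROOT` as well, and whether `state->response` holds zero entries at this point depends on initialisation outside the hunk. winbindd_getgroups() begins before and continues after this hunk.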
@@ -1624,6 +1626,7 @@ static void init_globals(BOOL first_time_only)
 	Globals.szWinbindNssInfo = str_list_make("template", NULL);
 	Globals.bWinbindRefreshTickets = False;
 	Globals.bWinbindOfflineLogon = False;
+	Globals.szWinbindInitgroupsBlacklist = str_list_make("root nobody lp", NULL);
 	Globals.bPassdbExpandExplicit = False;
@@ -1839,6 +1842,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 FN_GLOBAL_LIST(lp_idmap_backend, &Globals.szIdmapBackend)
+FN_GLOBAL_LIST(lp_winbind_initgroups_blacklist, &Globals.szWinbindInitgroupsBlacklist)
 FN_GLOBAL_BOOL(lp_passdb_expand_explicit, &Globals.bPassdbExpandExplicit)
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix) |
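Review bot: The default `str_list_make("root nobody lp", NULL)` bakes in a behaviour change — with `winbind use default domain` set, getgroups requests for these three names are short-circuited in winbindd_getgroups() — yet the diffstat shows only the two C files changed, so the new `winbind initgroups blacklist` parameter and its non-empty default are not documented anywhere in this commit. The smb.conf parameter documentation should state the default list, that the comparison is a case-insensitive match against the request's username, and that domain accounts carrying one of these names will have their group lookup skipped. A comment at the assignment, e.g. `/* local system accounts assumed never to exist on the DC; see winbindd_getgroups() */`, would also help the next reader understand why the default is not empty. init_globals() starts before and continues after this hunk.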