Diffstat (limited to 'source3/nsswitch')
-rw-r--r-- | source3/nsswitch/pam_winbind.c | 21 | ||||
-rw-r--r-- | source3/nsswitch/pam_winbind.h | 3 | ||||
-rw-r--r-- | source3/nsswitch/wb_common.c | 78 | ||||
-rw-r--r-- | source3/nsswitch/wbinfo.c | 104 | ||||
-rw-r--r-- | source3/nsswitch/winbind_nss.c | 14 | ||||
-rw-r--r-- | source3/nsswitch/winbind_nss_config.h | 12 | ||||
-rw-r--r-- | source3/nsswitch/winbindd.c | 5 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 8 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 44 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_nss.h | 3 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 6 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_rpc.c | 5 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 10 |
13 files changed, 183 insertions, 130 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index 29ceca4e79..f95caefb4c 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -11,11 +11,6 @@ #include "pam_winbind.h" -/* prototypes from common.c */ -void init_request(struct winbindd_request *req,int rq_type); -int write_sock(void *buffer, int count); -int read_reply(struct winbindd_response *response); - /* data tokens */ #define MAX_PASSWD_TRIES 3 @@ -99,24 +94,30 @@ static int _make_remark(pam_handle_t * pamh, int type, const char *text) return retval; } -static int winbind_request(enum winbindd_cmd req_type, - struct winbindd_request *request, - struct winbindd_response *response) +static int pam_winbind_request(enum winbindd_cmd req_type, + struct winbindd_request *request, + struct winbindd_response *response) { + /* Fill in request and send down pipe */ init_request(request, req_type); if (write_sock(request, sizeof(*request)) == -1) { _pam_log(LOG_ERR, "write to socket failed!"); + close_sock(); return PAM_SERVICE_ERR; } /* Wait for reply */ if (read_reply(response) == -1) { _pam_log(LOG_ERR, "read from socket failed!"); + close_sock(); return PAM_SERVICE_ERR; } + /* We are done with the socket - close it and avoid mischeif */ + close_sock(); + /* Copy reply data from socket */ if (response->result != WINBINDD_OK) { if (response->data.auth.pam_error != PAM_SUCCESS) { @@ -148,7 +149,7 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl) strncpy(request.data.auth.pass, pass, sizeof(request.data.auth.pass)-1); - retval = winbind_request(WINBINDD_PAM_AUTH, &request, &response); + retval = pam_winbind_request(WINBINDD_PAM_AUTH, &request, &response); switch (retval) { case PAM_AUTH_ERR: 
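Review bot: The comment added above the final `close_sock()` in pam_winbind_request ("avoid mischeif") does not say what the close protects against, and the same call is now repeated on both error returns without explanation. Since the module presumably runs inside the calling application's process, I would spell the reason out, e.g. `/* Done with winbindd: close the socket so the descriptor is not left open in the calling application */`, and fix the spelling while there. A single exit path that closes the socket once would also make it harder to add a later return that forgets it.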
@@ -217,7 +218,7 @@ static int winbind_chauthtok_request(const char *user, const char *oldpass, request.data.chauthtok.newpass[0] = '\0'; } - return winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response); + return pam_winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response); } /* diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 9897249e16..fae635d806 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -90,5 +90,4 @@ do { \ #define on(x, y) (x & y) #define off(x, y) (!(x & y)) -#include "winbind_nss_config.h" -#include "winbindd_nss.h" +#include "winbind_client.h" diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c index 9bc9faafb5..51792f63fe 100644 --- a/source3/nsswitch/wb_common.c +++ b/source3/nsswitch/wb_common.c @@ -5,6 +5,8 @@ Copyright (C) Tim Potter 2000 Copyright (C) Andrew Tridgell 2000 + Copyright (C) Andrew Bartlett 2002 + This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public @@ -75,7 +77,7 @@ void init_response(struct winbindd_response *response) /* Close established socket */ -static void close_sock(void) +void close_sock(void) { if (winbindd_fd != -1) { close(winbindd_fd); 
@@ -83,14 +85,75 @@ static void close_sock(void) } } +/* Make sure socket handle isn't stdin, stdout or stderr */ +#define RECURSION_LIMIT 3 + +static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */) +{ + int new_fd; + if (fd >= 0 && fd <= 2) { +#ifdef F_DUPFD + if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) { + return -1; + } + /* Parinoia */ + if (new_fd < 3) { + close(new_fd); + return -1; + } + close(fd); + return new_fd; +#else + if (limit <= 0) + return -1; + + new_fd = dup(fd); + if (new_fd == -1) + return -1; + + /* use the program stack to hold our list of FDs to close */ + new_fd = make_nonstd_fd_internals(new_fd, limit - 1); + close(fd); + return new_fd; +#endif + } + return fd; +} + +static int make_safe_fd(int fd) +{ + int result, flags; + int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT); + if (new_fd == -1) { + close(fd); + return -1; + } + /* Socket should be closed on exec() */ + +#ifdef FD_CLOEXEC + result = flags = fcntl(new_fd, F_GETFD, 0); + if (flags >= 0) { + flags |= FD_CLOEXEC; + result = fcntl( new_fd, F_SETFD, flags ); + } + if (result < 0) { + close(new_fd); + return -1; + } +#endif + return new_fd; +} + /* Connect to winbindd socket */ int winbind_open_pipe_sock(void) { +#ifdef HAVE_UNIXSOCKET struct sockaddr_un sunaddr; static pid_t our_pid; struct stat st; pstring path; + int fd; if (our_pid != getpid()) { close_sock(); @@ -144,9 +207,13 @@ int winbind_open_pipe_sock(void) /* Connect to socket */ - if ((winbindd_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { + if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { return -1; } + + if ((winbindd_fd = make_safe_fd( fd)) == -1) { + return winbindd_fd; + } if (connect(winbindd_fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1) { @@ -155,6 +222,9 @@ int winbind_open_pipe_sock(void) } return winbindd_fd; +#else + return -1; +#endif /* HAVE_UNIXSOCKET */ } /* Write data to winbindd socket */ 
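Review bot: In the `#else` (no `F_DUPFD`) branch of make_nonstd_fd_internals, a failed recursive call leaves the descriptor returned by `dup()` open, and the branch then closes `fd`, which make_safe_fd closes a second time when it sees -1. The leaked duplicate sits in the 0-2 range the function is meant to vacate, and a repeated `close()` in a threaded NSS or PAM client can land on a descriptor another thread has just opened. Giving both branches the same contract, where on failure the argument is left open for the caller, fixes both; the `F_DUPFD` branch already behaves that way.

```c
#else
	int dup_fd;

	if (limit <= 0)
		return -1;

	dup_fd = dup(fd);
	if (dup_fd == -1)
		return -1;

	/* use the program stack to hold our list of FDs to close */
	new_fd = make_nonstd_fd_internals(dup_fd, limit - 1);
	if (new_fd == -1) {
		/* drop our duplicate; fd itself stays open for make_safe_fd() to close */
		close(dup_fd);
		return -1;
	}
	close(fd);
	return new_fd;
#endif
```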
@@ -366,8 +436,8 @@ NSS_STATUS winbindd_get_response(struct winbindd_response *response) /* Handle simple types of requests */ NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response) + struct winbindd_request *request, + struct winbindd_response *response) { NSS_STATUS status; diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index 4d36acc51b..875df231dc 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -28,11 +28,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -/* Prototypes from common.h */ - -NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response); +extern int winbindd_fd; static char winbind_separator(void) { @@ -450,9 +446,10 @@ static BOOL wbinfo_auth(char *username) d_printf("plaintext password authentication %s\n", (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); - d_printf("error code was %s (0x%x)\n", - response.data.auth.nt_status_string, - response.data.auth.nt_status); + if (response.data.auth.nt_status) + d_printf("error code was %s (0x%x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status); return result == NSS_STATUS_SUCCESS; } @@ -504,9 +501,10 @@ static BOOL wbinfo_auth_crap(char *username) d_printf("challenge/response password authentication %s\n", (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); - d_printf("error code was %s (0x%x)\n", - response.data.auth.nt_status_string, - response.data.auth.nt_status); + if (response.data.auth.nt_status) + d_printf("error code was %s (0x%x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status); return result == NSS_STATUS_SUCCESS; } 
@@ -608,43 +606,17 @@ static BOOL wbinfo_set_auth_user(char *username) static BOOL wbinfo_ping(void) { NSS_STATUS result; - + result = winbindd_request(WINBINDD_PING, NULL, NULL); /* Display response */ - d_printf("'ping' to winbindd %s\n", - (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); + d_printf("'ping' to winbindd %s on fd %d\n", + (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed", winbindd_fd); return result == NSS_STATUS_SUCCESS; } -/* Print program usage */ - -static void usage(void) -{ - d_printf("Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm " - "| -[aA] user%%password\n"); - d_printf("\t-u\t\t\tlists all domain users\n"); - d_printf("\t-g\t\t\tlists all domain groups\n"); - d_printf("\t-n name\t\t\tconverts name to sid\n"); - d_printf("\t-s sid\t\t\tconverts sid to name\n"); - d_printf("\t-N name\t\t\tconverts NetBIOS name to IP (WINS)\n"); - d_printf("\t-I name\t\t\tconverts IP address to NetBIOS name (WINS)\n"); - d_printf("\t-U uid\t\t\tconverts uid to sid\n"); - d_printf("\t-G gid\t\t\tconverts gid to sid\n"); - d_printf("\t-S sid\t\t\tconverts sid to uid\n"); - d_printf("\t-Y sid\t\t\tconverts sid to gid\n"); - d_printf("\t-t\t\t\tcheck shared secret\n"); - d_printf("\t-m\t\t\tlist trusted domains\n"); - d_printf("\t-r user\t\t\tget user groups\n"); - d_printf("\t-a user%%password\tauthenticate user\n"); - d_printf("\t-A user%%password\tstore user and password used by winbindd (root only)\n"); - d_printf("\t-p\t\t\t'ping' winbindd to see if it is alive\n"); - d_printf("\t--sequence\t\tshow sequence numbers of all domains\n"); - d_printf("\t--set-auth-user DOMAIN\\user%%password\tset password for restrict anonymous\n"); -} - /* Main program */ enum { 
@@ -664,28 +636,28 @@ int main(int argc, char **argv) int result = 1; struct poptOption long_options[] = { + POPT_AUTOHELP /* longName, shortName, argInfo, argPtr, value, descrip, argDesc */ - { "help", 'h', POPT_ARG_NONE, 0, 'h' }, - { "domain-users", 'u', POPT_ARG_NONE, 0, 'u' }, - { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g' }, - { "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N' }, - { "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I' }, - { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n' }, - { "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's' }, - { "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U' }, - { "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G' }, - { "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S' }, - { "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y' }, - { "check-secret", 't', POPT_ARG_NONE, 0, 't' }, - { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm' }, - { "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE }, - { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r' }, - { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a' }, - { "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER }, - { "ping", 'p', POPT_ARG_NONE, 0, 'p' }, + { "domain-users", 'u', POPT_ARG_NONE, 0, 'u', "Lists all domain users"}, + { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g', "Lists all domain groups" }, + { "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N', "Converts NetBIOS name to IP (WINS)" }, + { "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I', "Converts IP address to NetBIOS name (WINS)" }, + { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n', "Converts name to sid" }, + { "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's', "Converts sid to name" }, + { "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U', "Converts uid to sid" }, + { "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G', "Converts gid to sid" }, + { "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S', "Converts sid to uid" }, + { "sid-to-gid", 'Y', 
POPT_ARG_STRING, &string_arg, 'Y', "Converts sid to gid" }, + { "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" }, + { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" }, + { "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "show sequence numbers of all domains" }, + { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r', "Get user groups" }, + { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" }, + { "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" }, + { "ping", 'p', POPT_ARG_NONE, 0, 'p', "'ping' winbindd to see if it is alive" }, { 0, 0, 0, 0 } }; @@ -708,17 +680,17 @@ int main(int argc, char **argv) load_interfaces(); + /* Parse options */ + + pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0); + /* Parse command line options */ if (argc == 1) { - usage(); + poptPrintHelp(pc, stderr, 0); return 1; } - /* Parse options */ - - pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0); - while((opt = poptGetNextOpt(pc)) != -1) { if (got_command) { d_fprintf(stderr, "No more than one command may be specified at once.\n"); @@ -734,10 +706,6 @@ int main(int argc, char **argv) while((opt = poptGetNextOpt(pc)) != -1) { switch (opt) { - case 'h': - usage(); - result = 0; - goto done; case 'u': if (!print_domain_users()) { d_printf("Error looking up domain users\n"); @@ -859,7 +827,7 @@ int main(int argc, char **argv) break; default: d_fprintf(stderr, "Invalid option\n"); - usage(); + poptPrintHelp(pc, stderr, 0); goto done; } } diff --git a/source3/nsswitch/winbind_nss.c b/source3/nsswitch/winbind_nss.c index 594b5fbadb..0b4c0ce1d0 100644 --- a/source3/nsswitch/winbind_nss.c +++ b/source3/nsswitch/winbind_nss.c 
@@ -21,8 +21,7 @@ Boston, MA 02111-1307, USA. */ -#include "winbind_nss_config.h" -#include "winbindd_nss.h" +#include "winbind_client.h" #ifdef HAVE_NS_API_H #undef VOLATILE @@ -37,17 +36,6 @@ extern int winbindd_fd; -void init_request(struct winbindd_request *req,int rq_type); -NSS_STATUS winbindd_send_request(int req_type, - struct winbindd_request *request); -NSS_STATUS winbindd_get_response(struct winbindd_response *response); -NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response); -int winbind_open_pipe_sock(void); -int write_sock(void *buffer, int count); -int read_reply(struct winbindd_response *response); -void free_response(struct winbindd_response *response); #ifdef HAVE_NS_API_H /* IRIX version */ diff --git a/source3/nsswitch/winbind_nss_config.h b/source3/nsswitch/winbind_nss_config.h index b9c738211e..d9a9b8aaae 100644 --- a/source3/nsswitch/winbind_nss_config.h +++ b/source3/nsswitch/winbind_nss_config.h @@ -38,6 +38,10 @@ #include <unistd.h> #endif +#ifdef HAVE_SYS_SELECT_H +#include <sys/select.h> +#endif + #ifdef HAVE_SYS_SOCKET_H #include <sys/socket.h> #endif @@ -58,6 +62,14 @@ #include <string.h> #endif +#ifdef HAVE_FCNTL_H +#include <fcntl.h> +#else +#ifdef HAVE_SYS_FCNTL_H +#include <sys/fcntl.h> +#endif +#endif + #include <sys/types.h> #include <sys/stat.h> #include <errno.h> diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 256c0203c0..bb4a1b78ec 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c 
@@ -628,8 +628,8 @@ static void process_loop(int accept_sock) if (state->read_buf_len >= sizeof(uint32) && *(uint32 *) &state->request != sizeof(state->request)) { - DEBUG(0,("process_loop: Invalid request size (%d) send, should be (%d)\n", - *(uint32 *) &state->request, sizeof(state->request))); + DEBUG(0,("process_loop: Invalid request size from pid %d: %d bytes sent, should be %d\n", + state->request.pid, *(uint32 *) &state->request, sizeof(state->request))); remove_client(state); break; @@ -858,6 +858,7 @@ static void usage(void) pidfile_create("winbindd"); } + #if HAVE_SETPGID /* * If we're interactive we want to set our own process group for diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index b0b70178a4..4f91ed0f20 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -143,7 +143,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) /* if we get ECONNREFUSED then it might be a NT4 server, fall back to MSRPC */ if (status.error_type == ADS_ERROR_SYSTEM && - status.rc == ECONNREFUSED) { + status.err.rc == ECONNREFUSED) { DEBUG(1,("Trying MSRPC methods\n")); domain->methods = &msrpc_methods; } @@ -170,9 +170,9 @@ static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *si static enum SID_NAME_USE ads_atype_map(uint32 atype) { switch (atype & 0xF0000000) { - case ATYPE_GROUP: + case ATYPE_GLOBAL_GROUP: return SID_NAME_DOM_GRP; - case ATYPE_USER: + case ATYPE_ACCOUNT: return SID_NAME_USER; default: DEBUG(1,("hmm, need to map account type 0x%x\n", atype)); @@ -339,7 +339,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, if (!ads_pull_uint32(ads, msg, "sAMAccountType", &account_type) || - !(account_type & ATYPE_GROUP)) continue; + !(account_type & ATYPE_GLOBAL_GROUP)) continue; name = pull_username(ads, mem_ctx, msg); gecos = ads_pull_string(ads, mem_ctx, msg, "name"); 
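Review bot: The reworded DEBUG in process_loop prints `state->request.pid` on a path entered as soon as `read_buf_len >= sizeof(uint32)`, so only the leading length word is known to have arrived and the pid field may not have been received yet. The value is also supplied by the client, so the message should present it as claimed rather than as an identity. The arguments do not match the conversions either (`sizeof` yields a `size_t`, the length is a `uint32`); something like `(int)state->request.pid, (unsigned int)*(uint32 *)&state->request, (unsigned int)sizeof(state->request)` with `%u` for the two sizes would be safe. process_loop's body continues outside the hunk.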
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 2dec9f0558..01f5569889 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -109,7 +109,7 @@ static BOOL cm_ads_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr } /* we don't need to bind, just connect */ - ads->auth.no_bind = 1; + ads->auth.flags |= ADS_AUTH_NO_BIND; DEBUG(4,("cm_ads_find_dc: domain=%s\n", domain)); @@ -145,11 +145,16 @@ static BOOL cm_rpc_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr /* Lookup domain controller name. Try the real PDC first to avoid SAM sync delays */ - if (!get_dc_list(True, domain, &ip_list, &count)) { - if (!get_dc_list(False, domain, &ip_list, &count)) { - DEBUG(3, ("Could not look up dc's for domain %s\n", domain)); - return False; - } + if (get_dc_list(True, domain, &ip_list, &count) && + name_status_find(domain, 0x1c, 0x20, ip_list[0], srv_name)) { + *dc_ip = ip_list[0]; + SAFE_FREE(ip_list); + return True; + } + + if (!get_dc_list(False, domain, &ip_list, &count)) { + DEBUG(3, ("Could not look up dc's for domain %s\n", domain)); + return False; } /* Pick a nice close server */ @@ -377,16 +382,6 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name, fstrcpy(new_conn->domain, domain); fstrcpy(new_conn->pipe_name, pipe_name); - /* Look for a domain controller for this domain. Negative results - are cached so don't bother applying the caching for this - function just yet. */ - - if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) { - result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; - add_failed_connection_entry(new_conn, result); - return result; - } - /* Return false if we have tried to look up this domain and netbios name before and failed. */ 
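Review bot: In cm_rpc_find_dc, when `get_dc_list(True, ...)` succeeds but `name_status_find()` fails, control falls through to `get_dc_list(False, ...)`, which overwrites `ip_list` without the first list being released. The new fast path also reads `ip_list[0]` without looking at `count`. Assuming get_dc_list allocates the list (the `SAFE_FREE(ip_list)` on the success path suggests it does), add `SAFE_FREE(ip_list);` before the second lookup and make the first condition `get_dc_list(True, domain, &ip_list, &count) && count > 0 && name_status_find(...)`. The function starts and ends outside the hunk.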
@@ -418,6 +413,16 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name, return result; } + /* Look for a domain controller for this domain. Negative results + are cached so don't bother applying the caching for this + function just yet. */ + + if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) { + result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; + add_failed_connection_entry(new_conn, result); + return result; + } + /* Initialise SMB connection */ cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); @@ -859,6 +864,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, { NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; struct winbindd_cm_conn *conn; + uint32 neg_flags = 0x000001ff; if (!cli) { return NT_STATUS_INVALID_PARAMETER; @@ -870,8 +876,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, return result; } - result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ? - SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd); + result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(0, ("error connecting to domain password server: %s\n", @@ -884,8 +889,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, } /* Try again */ - result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ? - SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd); + result = cli_nt_setup_creds( conn->cli, get_sec_chan(),trust_passwd, &neg_flags, 2); } if (!NT_STATUS_IS_OK(result)) { diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index 9eea94e7c0..368bf10cea 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h 
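Review bot: `neg_flags = 0x000001ff` and the trailing `2` passed to both `cli_nt_setup_creds()` calls in cm_get_netlogon_cli are bare literals with no comment, so a reader cannot tell which capabilities are being offered to the domain controller. Because `neg_flags` is passed by pointer, the "Try again" call may also start from whatever the first attempt left in it rather than from the initial mask; if the callee writes through the pointer, reset it with `neg_flags = 0x000001ff;` before the retry. A one-line comment on the declaration, e.g. `/* flags offered when setting up credentials; may be updated by the call */`, would cover the rest. The function continues outside these hunks.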
@@ -127,6 +127,9 @@ struct winbindd_request { uid_t uid; /* getpwuid, uid_to_sid */ gid_t gid; /* getgrgid, gid_to_sid */ struct { + /* We deliberatedly don't split into domain/user to + avoid having the client know what the separator + character is. */ fstring user; fstring pass; } auth; /* pam_winbind auth module */ diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index a8b508a49c..3e7a8ad971 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -147,7 +147,7 @@ done: fstrcpy(state->response.data.auth.error_string, nt_errstr(result)); state->response.data.auth.pam_error = nt_status_to_pam(result); - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authenticaion for user %s returned %s (PAM: %d)\n", + DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", state->request.data.auth.user, state->response.data.auth.nt_status_string, state->response.data.auth.pam_error)); @@ -183,7 +183,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) /* Ensure null termination */ state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]='\0'; - if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth.user))) { + if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) { DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n")); result = NT_STATUS_NO_MEMORY; goto done; @@ -292,7 +292,7 @@ done: state->response.data.auth.pam_error = nt_status_to_pam(result); DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, - ("NTLM CRAP authenticaion for user [%s]\\[%s] returned %s (PAM: %d)\n", + ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n", domain, user, state->response.data.auth.nt_status_string, diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c index 5ec34f663d..047280e21e 100644 
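Review bot: The corrected `talloc_init_named("... %s", state->request.data.auth_crap.user)` in winbindd_pam_auth_crap formats a fixed-size field filled in by the client, and the only termination visible in this hunk is the one for `auth_crap.domain`. If the lines above the hunk do not already do it, add `state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]='\0';` beside the domain line so the `%s` cannot run past the field. The function starts and ends outside the hunk.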
--- a/source3/nsswitch/winbindd_rpc.c +++ b/source3/nsswitch/winbindd_rpc.c @@ -315,6 +315,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, cli_samr_close(hnd->cli, mem_ctx, &user_pol); got_user_pol = False; + user_info->user_rid = user_rid; user_info->group_rid = ctr->info.id21->group_rid; user_info->acct_name = unistr2_tdup(mem_ctx, &ctr->info.id21->uni_user_name); @@ -419,7 +420,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; BOOL got_dom_pol = False, got_group_pol = False; - DEBUG(3,("rpc: lookup_groupmem rid=%u\n", group_rid)); + DEBUG(10,("rpc: lookup_groupmem %s rid=%u\n", domain->name, group_rid)); *num_names = 0; @@ -523,7 +524,7 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) BOOL got_dom_pol = False; uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; - DEBUG(3,("rpc: sequence_number\n")); + DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name)); *seq = DOM_SEQUENCE_NONE; diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index daa3abb340..2016c27881 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -83,10 +83,16 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const /* We can't call domain_list() as this function is called from init_domain_list() and we'll get stuck in a loop. */ for (domain = _domain_list; domain; domain = domain->next) { - if (strcmp(domain_name, domain->name) == 0 || - strcmp(domain_name, domain->alt_name) == 0) { + if (strcasecmp(domain_name, domain->name) == 0 || + strcasecmp(domain_name, domain->alt_name) == 0) { return domain; } + if (alt_name && *alt_name) { + if (strcasecmp(alt_name, domain->name) == 0 || + strcasecmp(alt_name, domain->alt_name) == 0) { + return domain; + } + } } /* Create new domain entry */ |
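Review bot: The duplicate check in add_trusted_domain now relies on `strcasecmp`, which folds case byte by byte according to the C locale and can therefore disagree with the rest of the tree on domain names containing non-ASCII characters. If the project's own case-insensitive comparison (e.g. `strequal`) is usable in this file, prefer it for all four comparisons. A short comment stating that a match on either the name or the alternate name, in either direction, counts as the same domain would also help, since that is the rule the loop now implements. The function starts and ends outside the hunk.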