Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/pam_winbind.c21
-rw-r--r--source3/nsswitch/pam_winbind.h3
-rw-r--r--source3/nsswitch/wb_common.c78
-rw-r--r--source3/nsswitch/wbinfo.c104
-rw-r--r--source3/nsswitch/winbind_nss.c14
-rw-r--r--source3/nsswitch/winbind_nss_config.h12
-rw-r--r--source3/nsswitch/winbindd.c5
-rw-r--r--source3/nsswitch/winbindd_ads.c8
-rw-r--r--source3/nsswitch/winbindd_cm.c44
-rw-r--r--source3/nsswitch/winbindd_nss.h3
-rw-r--r--source3/nsswitch/winbindd_pam.c6
-rw-r--r--source3/nsswitch/winbindd_rpc.c5
-rw-r--r--source3/nsswitch/winbindd_util.c10
13 files changed, 183 insertions, 130 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 29ceca4e79..f95caefb4c 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -11,11 +11,6 @@
#include "pam_winbind.h"
-/* prototypes from common.c */
-void init_request(struct winbindd_request *req,int rq_type);
-int write_sock(void *buffer, int count);
-int read_reply(struct winbindd_response *response);
-
/* data tokens */
#define MAX_PASSWD_TRIES 3
@@ -99,24 +94,30 @@ static int _make_remark(pam_handle_t * pamh, int type, const char *text)
return retval;
}
-static int winbind_request(enum winbindd_cmd req_type,
- struct winbindd_request *request,
- struct winbindd_response *response)
+static int pam_winbind_request(enum winbindd_cmd req_type,
+ struct winbindd_request *request,
+ struct winbindd_response *response)
{
+
/* Fill in request and send down pipe */
init_request(request, req_type);
if (write_sock(request, sizeof(*request)) == -1) {
_pam_log(LOG_ERR, "write to socket failed!");
+ close_sock();
return PAM_SERVICE_ERR;
}
/* Wait for reply */
if (read_reply(response) == -1) {
_pam_log(LOG_ERR, "read from socket failed!");
+ close_sock();
return PAM_SERVICE_ERR;
}
+ /* We are done with the socket - close it and avoid mischeif */
+ close_sock();
+
/* Copy reply data from socket */
if (response->result != WINBINDD_OK) {
if (response->data.auth.pam_error != PAM_SUCCESS) {
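Review bot: The two failure logs at the `_pam_log(LOG_ERR, "write to socket failed!")` and `"read from socket failed!"` lines carry no reason code, so in syslog a permissions problem on the winbindd socket and a daemon that is simply not running look identical. If write_sock()/read_reply() leave errno intact (their bodies are outside this diff), `_pam_log(LOG_ERR, "write to socket failed: %s", strerror(errno));` and the matching read variant would make the failure diagnosable. The three `close_sock()` calls could also collapse into a single `goto`-style exit, but that is cosmetic. The body of pam_winbind_request continues past the hunk.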
@@ -148,7 +149,7 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
strncpy(request.data.auth.pass, pass,
sizeof(request.data.auth.pass)-1);
- retval = winbind_request(WINBINDD_PAM_AUTH, &request, &response);
+ retval = pam_winbind_request(WINBINDD_PAM_AUTH, &request, &response);
switch (retval) {
case PAM_AUTH_ERR:
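Review bot: After the renamed call `retval = pam_winbind_request(WINBINDD_PAM_AUTH, &request, &response);` the plaintext password copied by the `strncpy` two lines above stays in `request.data.auth.pass` on the stack for the rest of winbind_auth_request, although the socket write has already consumed it. Adding `memset(&request, 0, sizeof(request));` directly after the call limits how long the credential lingers in the process; a plain memset of a variable that is never read again may be optimised away, so a volatile-clearing helper is preferable if the tree has one. The same applies to winbind_chauthtok_request in the next hunk, which carries oldpass/newpass in the same struct. The `sizeof(...)-1` strncpy relies on the request having been zeroed beforehand for NUL termination; that initialisation, like the start of winbind_auth_request, is outside the hunk.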
@@ -217,7 +218,7 @@ static int winbind_chauthtok_request(const char *user, const char *oldpass,
request.data.chauthtok.newpass[0] = '\0';
}
- return winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response);
+ return pam_winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response);
}
/*
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h
index 9897249e16..fae635d806 100644
--- a/source3/nsswitch/pam_winbind.h
+++ b/source3/nsswitch/pam_winbind.h
@@ -90,5 +90,4 @@ do { \
#define on(x, y) (x & y)
#define off(x, y) (!(x & y))
-#include "winbind_nss_config.h"
-#include "winbindd_nss.h"
+#include "winbind_client.h"
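Review bot: The new `#include "winbind_client.h"` replaces the two headers that supplied the request/response types and prototypes, but winbind_client.h does not appear in the diffstat, which is limited to source3/nsswitch where that file would live. If the header is new in this commit it is missing from the patch; if it already exists, it needs a declaration for `close_sock()`, which wb_common.c makes external in this commit and pam_winbind.c now calls, otherwise that call goes through an implicit declaration. The same include swap is made in winbind_nss.c.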
diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c
index 9bc9faafb5..51792f63fe 100644
--- a/source3/nsswitch/wb_common.c
+++ b/source3/nsswitch/wb_common.c
@@ -5,6 +5,8 @@
Copyright (C) Tim Potter 2000
Copyright (C) Andrew Tridgell 2000
+ Copyright (C) Andrew Bartlett 2002
+
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
@@ -75,7 +77,7 @@ void init_response(struct winbindd_response *response)
/* Close established socket */
-static void close_sock(void)
+void close_sock(void)
{
if (winbindd_fd != -1) {
close(winbindd_fd);
@@ -83,14 +85,75 @@ static void close_sock(void)
}
}
+/* Make sure socket handle isn't stdin, stdout or stderr */
+#define RECURSION_LIMIT 3
+
+static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */)
+{
+ int new_fd;
+ if (fd >= 0 && fd <= 2) {
+#ifdef F_DUPFD
+ if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) {
+ return -1;
+ }
+ /* Parinoia */
+ if (new_fd < 3) {
+ close(new_fd);
+ return -1;
+ }
+ close(fd);
+ return new_fd;
+#else
+ if (limit <= 0)
+ return -1;
+
+ new_fd = dup(fd);
+ if (new_fd == -1)
+ return -1;
+
+ /* use the program stack to hold our list of FDs to close */
+ new_fd = make_nonstd_fd_internals(new_fd, limit - 1);
+ close(fd);
+ return new_fd;
+#endif
+ }
+ return fd;
+}
+
+static int make_safe_fd(int fd)
+{
+ int result, flags;
+ int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT);
+ if (new_fd == -1) {
+ close(fd);
+ return -1;
+ }
+ /* Socket should be closed on exec() */
+
+#ifdef FD_CLOEXEC
+ result = flags = fcntl(new_fd, F_GETFD, 0);
+ if (flags >= 0) {
+ flags |= FD_CLOEXEC;
+ result = fcntl( new_fd, F_SETFD, flags );
+ }
+ if (result < 0) {
+ close(new_fd);
+ return -1;
+ }
+#endif
+ return new_fd;
+}
+
/* Connect to winbindd socket */
int winbind_open_pipe_sock(void)
{
+#ifdef HAVE_UNIXSOCKET
struct sockaddr_un sunaddr;
static pid_t our_pid;
struct stat st;
pstring path;
+ int fd;
if (our_pid != getpid()) {
close_sock();
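Review bot: In the `#else` (no F_DUPFD) branch of make_nonstd_fd_internals, a failed inner `dup()` returns -1 without closing the descriptor it was handed, so the intermediate dup leaks, and the outer level then runs `close(fd)` before returning -1 — after which make_safe_fd closes `fd` a second time. A double close is a real hazard in a threaded caller (a PAM module inside a multithreaded service), where the number may already have been reused. The simpler contract is that on failure the function never closes the descriptor it was given; make_safe_fd already depends on that for the F_DUPFD path, and the descriptor the recursive call received is then closed by the level that created it. This branch is only compiled where F_DUPFD is absent, so it will rarely be exercised, which is all the more reason to keep it simple.
```c
static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */)
{
	int new_fd, result;
	/* … unchanged: F_DUPFD branch … */
		new_fd = dup(fd);
		if (new_fd == -1)
			return -1;

		/* On failure the callee leaves new_fd open, so close it here.
		 * fd itself stays open for our caller, as in the F_DUPFD path. */
		result = make_nonstd_fd_internals(new_fd, limit - 1);
		if (result == -1) {
			close(new_fd);
			return -1;
		}
		close(fd);
		return result;
```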
@@ -144,9 +207,13 @@ int winbind_open_pipe_sock(void)
/* Connect to socket */
- if ((winbindd_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+ if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
return -1;
}
+
+ if ((winbindd_fd = make_safe_fd( fd)) == -1) {
+ return winbindd_fd;
+ }
if (connect(winbindd_fd, (struct sockaddr *)&sunaddr,
sizeof(sunaddr)) == -1) {
@@ -155,6 +222,9 @@ int winbind_open_pipe_sock(void)
}
return winbindd_fd;
+#else
+ return -1;
+#endif /* HAVE_UNIXSOCKET */
}
/* Write data to winbindd socket */
@@ -366,8 +436,8 @@ NSS_STATUS winbindd_get_response(struct winbindd_response *response)
/* Handle simple types of requests */
NSS_STATUS winbindd_request(int req_type,
- struct winbindd_request *request,
- struct winbindd_response *response)
+ struct winbindd_request *request,
+ struct winbindd_response *response)
{
NSS_STATUS status;
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 4d36acc51b..875df231dc 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -28,11 +28,7 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-/* Prototypes from common.h */
-
-NSS_STATUS winbindd_request(int req_type,
- struct winbindd_request *request,
- struct winbindd_response *response);
+extern int winbindd_fd;
static char winbind_separator(void)
{
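Review bot: `extern int winbindd_fd;` is declared in a .c file rather than in a shared header, so the type is now repeated in wbinfo.c and winbind_nss.c with nothing tying either copy to the definition in wb_common.c. Moving the declaration into a header both files include lets the compiler check it against the definition. It replaces a prototype that was also a local copy, so the direction of the change is right; it just stops one step short.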
@@ -450,9 +446,10 @@ static BOOL wbinfo_auth(char *username)
d_printf("plaintext password authentication %s\n",
(result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
- d_printf("error code was %s (0x%x)\n",
- response.data.auth.nt_status_string,
- response.data.auth.nt_status);
+ if (response.data.auth.nt_status)
+ d_printf("error code was %s (0x%x)\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status);
return result == NSS_STATUS_SUCCESS;
}
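Review bot: The new `if (response.data.auth.nt_status)` guards a statement that spans three lines without braces, which is exactly the shape where a later edit adds a line and silently lands outside the condition; brace it: `if (response.data.auth.nt_status) {` before the d_printf and `}` after it. The same unbraced form is added in wbinfo_auth_crap in the next hunk. Printing the daemon-supplied `nt_status_string` through `%s` rather than as the format is correct and should stay that way.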
@@ -504,9 +501,10 @@ static BOOL wbinfo_auth_crap(char *username)
d_printf("challenge/response password authentication %s\n",
(result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
- d_printf("error code was %s (0x%x)\n",
- response.data.auth.nt_status_string,
- response.data.auth.nt_status);
+ if (response.data.auth.nt_status)
+ d_printf("error code was %s (0x%x)\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status);
return result == NSS_STATUS_SUCCESS;
}
@@ -608,43 +606,17 @@ static BOOL wbinfo_set_auth_user(char *username)
static BOOL wbinfo_ping(void)
{
NSS_STATUS result;
-
+
result = winbindd_request(WINBINDD_PING, NULL, NULL);
/* Display response */
- d_printf("'ping' to winbindd %s\n",
- (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
+ d_printf("'ping' to winbindd %s on fd %d\n",
+ (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed", winbindd_fd);
return result == NSS_STATUS_SUCCESS;
}
-/* Print program usage */
-
-static void usage(void)
-{
- d_printf("Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm "
- "| -[aA] user%%password\n");
- d_printf("\t-u\t\t\tlists all domain users\n");
- d_printf("\t-g\t\t\tlists all domain groups\n");
- d_printf("\t-n name\t\t\tconverts name to sid\n");
- d_printf("\t-s sid\t\t\tconverts sid to name\n");
- d_printf("\t-N name\t\t\tconverts NetBIOS name to IP (WINS)\n");
- d_printf("\t-I name\t\t\tconverts IP address to NetBIOS name (WINS)\n");
- d_printf("\t-U uid\t\t\tconverts uid to sid\n");
- d_printf("\t-G gid\t\t\tconverts gid to sid\n");
- d_printf("\t-S sid\t\t\tconverts sid to uid\n");
- d_printf("\t-Y sid\t\t\tconverts sid to gid\n");
- d_printf("\t-t\t\t\tcheck shared secret\n");
- d_printf("\t-m\t\t\tlist trusted domains\n");
- d_printf("\t-r user\t\t\tget user groups\n");
- d_printf("\t-a user%%password\tauthenticate user\n");
- d_printf("\t-A user%%password\tstore user and password used by winbindd (root only)\n");
- d_printf("\t-p\t\t\t'ping' winbindd to see if it is alive\n");
- d_printf("\t--sequence\t\tshow sequence numbers of all domains\n");
- d_printf("\t--set-auth-user DOMAIN\\user%%password\tset password for restrict anonymous\n");
-}
-
/* Main program */
enum {
@@ -664,28 +636,28 @@ int main(int argc, char **argv)
int result = 1;
struct poptOption long_options[] = {
+ POPT_AUTOHELP
/* longName, shortName, argInfo, argPtr, value, descrip,
argDesc */
- { "help", 'h', POPT_ARG_NONE, 0, 'h' },
- { "domain-users", 'u', POPT_ARG_NONE, 0, 'u' },
- { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g' },
- { "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N' },
- { "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I' },
- { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n' },
- { "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's' },
- { "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U' },
- { "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G' },
- { "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S' },
- { "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y' },
- { "check-secret", 't', POPT_ARG_NONE, 0, 't' },
- { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm' },
- { "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE },
- { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r' },
- { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a' },
- { "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER },
- { "ping", 'p', POPT_ARG_NONE, 0, 'p' },
+ { "domain-users", 'u', POPT_ARG_NONE, 0, 'u', "Lists all domain users"},
+ { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g', "Lists all domain groups" },
+ { "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N', "Converts NetBIOS name to IP (WINS)" },
+ { "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I', "Converts IP address to NetBIOS name (WINS)" },
+ { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n', "Converts name to sid" },
+ { "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's', "Converts sid to name" },
+ { "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U', "Converts uid to sid" },
+ { "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G', "Converts gid to sid" },
+ { "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S', "Converts sid to uid" },
+ { "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y', "Converts sid to gid" },
+ { "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" },
+ { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" },
+ { "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "show sequence numbers of all domains" },
+ { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r', "Get user groups" },
+ { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" },
+ { "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" },
+ { "ping", 'p', POPT_ARG_NONE, 0, 'p', "'ping' winbindd to see if it is alive" },
{ 0, 0, 0, 0 }
};
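Review bot: The help strings in the new popt table mix capitalisation and phrasing — `"Lists all domain users"` next to `"show sequence numbers of all domains"` and `"authenticate user"` — and POPT_AUTOHELP now renders them together. Pick one form for every descrip, e.g. `"Show sequence numbers of all domains"` and `"Authenticate user"`. The removed usage() escaped `%%` because it went through d_printf; popt descrip/argDescrip strings are not format strings, so the plain `"user%password"` added here is correct.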
@@ -708,17 +680,17 @@ int main(int argc, char **argv)
load_interfaces();
+ /* Parse options */
+
+ pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0);
+
/* Parse command line options */
if (argc == 1) {
- usage();
+ poptPrintHelp(pc, stderr, 0);
return 1;
}
- /* Parse options */
-
- pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0);
-
while((opt = poptGetNextOpt(pc)) != -1) {
if (got_command) {
d_fprintf(stderr, "No more than one command may be specified at once.\n");
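Review bot: `pc = poptGetContext(...)` now runs before the `argc == 1` early exit, and that `return 1` leaves the context unreleased; whether the `done:` label frees it is outside the hunk, but the early return does not reach it either way. Use `poptFreeContext(pc); return 1;` or `result = 1; goto done;` so all exit paths are uniform. Harmless for a short-lived process, but it keeps leak checkers quiet and avoids a second exit convention in main.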
@@ -734,10 +706,6 @@ int main(int argc, char **argv)
while((opt = poptGetNextOpt(pc)) != -1) {
switch (opt) {
- case 'h':
- usage();
- result = 0;
- goto done;
case 'u':
if (!print_domain_users()) {
d_printf("Error looking up domain users\n");
@@ -859,7 +827,7 @@ int main(int argc, char **argv)
break;
default:
d_fprintf(stderr, "Invalid option\n");
- usage();
+ poptPrintHelp(pc, stderr, 0);
goto done;
}
}
diff --git a/source3/nsswitch/winbind_nss.c b/source3/nsswitch/winbind_nss.c
index 594b5fbadb..0b4c0ce1d0 100644
--- a/source3/nsswitch/winbind_nss.c
+++ b/source3/nsswitch/winbind_nss.c
@@ -21,8 +21,7 @@
Boston, MA 02111-1307, USA.
*/
-#include "winbind_nss_config.h"
-#include "winbindd_nss.h"
+#include "winbind_client.h"
#ifdef HAVE_NS_API_H
#undef VOLATILE
@@ -37,17 +36,6 @@
extern int winbindd_fd;
-void init_request(struct winbindd_request *req,int rq_type);
-NSS_STATUS winbindd_send_request(int req_type,
- struct winbindd_request *request);
-NSS_STATUS winbindd_get_response(struct winbindd_response *response);
-NSS_STATUS winbindd_request(int req_type,
- struct winbindd_request *request,
- struct winbindd_response *response);
-int winbind_open_pipe_sock(void);
-int write_sock(void *buffer, int count);
-int read_reply(struct winbindd_response *response);
-void free_response(struct winbindd_response *response);
#ifdef HAVE_NS_API_H
/* IRIX version */
diff --git a/source3/nsswitch/winbind_nss_config.h b/source3/nsswitch/winbind_nss_config.h
index b9c738211e..d9a9b8aaae 100644
--- a/source3/nsswitch/winbind_nss_config.h
+++ b/source3/nsswitch/winbind_nss_config.h
@@ -38,6 +38,10 @@
#include <unistd.h>
#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
@@ -58,6 +62,14 @@
#include <string.h>
#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#else
+#ifdef HAVE_SYS_FCNTL_H
+#include <sys/fcntl.h>
+#endif
+#endif
+
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 256c0203c0..bb4a1b78ec 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -628,8 +628,8 @@ static void process_loop(int accept_sock)
if (state->read_buf_len >= sizeof(uint32)
&& *(uint32 *) &state->request != sizeof(state->request)) {
- DEBUG(0,("process_loop: Invalid request size (%d) send, should be (%d)\n",
- *(uint32 *) &state->request, sizeof(state->request)));
+ DEBUG(0,("process_loop: Invalid request size from pid %d: %d bytes sent, should be %d\n",
+ state->request.pid, *(uint32 *) &state->request, sizeof(state->request)));
remove_client(state);
break;
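Review bot: The new DEBUG line passes `sizeof(state->request)` (a size_t) and a uint32 to `%d`, which is a format/argument mismatch on LP64 targets; cast them: `(unsigned int)*(uint32 *) &state->request, (unsigned long)sizeof(state->request)` with `%u` and `%lu` in the format. The enclosing condition also only guarantees `sizeof(uint32)` bytes have arrived, while `state->request.pid` sits further into the struct (assuming the layout in winbindd_nss.h puts the length word first), so the pid logged for a malformed client may be stale or zero rather than the sender's. The value is client-supplied in any case, so it is useful for correlating log lines, not for trusting.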
@@ -858,6 +858,7 @@ static void usage(void)
pidfile_create("winbindd");
}
+
#if HAVE_SETPGID
/*
* If we're interactive we want to set our own process group for
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index b0b70178a4..4f91ed0f20 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -143,7 +143,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
/* if we get ECONNREFUSED then it might be a NT4
server, fall back to MSRPC */
if (status.error_type == ADS_ERROR_SYSTEM &&
- status.rc == ECONNREFUSED) {
+ status.err.rc == ECONNREFUSED) {
DEBUG(1,("Trying MSRPC methods\n"));
domain->methods = &msrpc_methods;
}
@@ -170,9 +170,9 @@ static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *si
static enum SID_NAME_USE ads_atype_map(uint32 atype)
{
switch (atype & 0xF0000000) {
- case ATYPE_GROUP:
+ case ATYPE_GLOBAL_GROUP:
return SID_NAME_DOM_GRP;
- case ATYPE_USER:
+ case ATYPE_ACCOUNT:
return SID_NAME_USER;
default:
DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
@@ -339,7 +339,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
if (!ads_pull_uint32(ads, msg, "sAMAccountType",
&account_type) ||
- !(account_type & ATYPE_GROUP)) continue;
+ !(account_type & ATYPE_GLOBAL_GROUP)) continue;
name = pull_username(ads, mem_ctx, msg);
gecos = ads_pull_string(ads, mem_ctx, msg, "name");
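Review bot: The filter `!(account_type & ATYPE_GLOBAL_GROUP)` is a bit test, while ads_atype_map in the previous hunk classifies the same field with `switch (atype & 0xF0000000)` and exact matches. If ATYPE_ACCOUNT and ATYPE_GLOBAL_GROUP share any bit in that nibble (their definitions are outside this diff), user accounts pass the group filter and are enumerated as domain groups. Use the same test in both places: `(account_type & 0xF0000000) != ATYPE_GLOBAL_GROUP) continue;`. enum_dom_groups continues outside the hunk.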
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 2dec9f0558..01f5569889 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -109,7 +109,7 @@ static BOOL cm_ads_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr
}
/* we don't need to bind, just connect */
- ads->auth.no_bind = 1;
+ ads->auth.flags |= ADS_AUTH_NO_BIND;
DEBUG(4,("cm_ads_find_dc: domain=%s\n", domain));
@@ -145,11 +145,16 @@ static BOOL cm_rpc_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr
/* Lookup domain controller name. Try the real PDC first to avoid
SAM sync delays */
- if (!get_dc_list(True, domain, &ip_list, &count)) {
- if (!get_dc_list(False, domain, &ip_list, &count)) {
- DEBUG(3, ("Could not look up dc's for domain %s\n", domain));
- return False;
- }
+ if (get_dc_list(True, domain, &ip_list, &count) &&
+ name_status_find(domain, 0x1c, 0x20, ip_list[0], srv_name)) {
+ *dc_ip = ip_list[0];
+ SAFE_FREE(ip_list);
+ return True;
+ }
+
+ if (!get_dc_list(False, domain, &ip_list, &count)) {
+ DEBUG(3, ("Could not look up dc's for domain %s\n", domain));
+ return False;
}
/* Pick a nice close server */
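Review bot: In the new fast path, when `get_dc_list(True, ...)` succeeds but `name_status_find` fails, `ip_list` is never freed before the second `get_dc_list` overwrites the pointer, and `ip_list[0]` is read without consulting `count` (whether get_dc_list can return True with an empty list is not visible here). Free the PDC list on the fall-through and guard the index. cm_rpc_find_dc continues outside the hunk.
```c
	if (get_dc_list(True, domain, &ip_list, &count)) {
		if (count > 0 &&
		    name_status_find(domain, 0x1c, 0x20, ip_list[0], srv_name)) {
			*dc_ip = ip_list[0];
			SAFE_FREE(ip_list);
			return True;
		}
		/* PDC lookup gave nothing usable; release it before the
		   second lookup replaces the pointer. */
		SAFE_FREE(ip_list);
	}

	/* … unchanged: get_dc_list(False, ...) fallback … */
```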
@@ -377,16 +382,6 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name,
fstrcpy(new_conn->domain, domain);
fstrcpy(new_conn->pipe_name, pipe_name);
- /* Look for a domain controller for this domain. Negative results
- are cached so don't bother applying the caching for this
- function just yet. */
-
- if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) {
- result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
- add_failed_connection_entry(new_conn, result);
- return result;
- }
-
/* Return false if we have tried to look up this domain and netbios
name before and failed. */
@@ -418,6 +413,16 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name,
return result;
}
+ /* Look for a domain controller for this domain. Negative results
+ are cached so don't bother applying the caching for this
+ function just yet. */
+
+ if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) {
+ result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ add_failed_connection_entry(new_conn, result);
+ return result;
+ }
+
/* Initialise SMB connection */
cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
@@ -859,6 +864,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
{
NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
struct winbindd_cm_conn *conn;
+ uint32 neg_flags = 0x000001ff;
if (!cli) {
return NT_STATUS_INVALID_PARAMETER;
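Review bot: `uint32 neg_flags = 0x000001ff;` is an unnamed magic number, and the two `cli_nt_setup_creds(...)` calls in the following hunks pass a bare `2` as the last argument; neither says which negotiation flags are requested or what the `2` selects. A named constant, e.g. `static const uint32 winbindd_neg_flags = 0x000001ff;` (name constructed) plus a comment on the `2`, would make the schannel negotiation reviewable. Because `neg_flags` is passed by pointer, if cli_nt_setup_creds updates it in place the retry at the second call negotiates with whatever the first attempt left behind rather than the initial set; if that is intended it deserves a comment, otherwise reset it before the retry.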
@@ -870,8 +876,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
return result;
}
- result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
- SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd);
+ result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0, ("error connecting to domain password server: %s\n",
@@ -884,8 +889,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
}
/* Try again */
- result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
- SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd);
+ result = cli_nt_setup_creds( conn->cli, get_sec_chan(),trust_passwd, &neg_flags, 2);
}
if (!NT_STATUS_IS_OK(result)) {
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 9eea94e7c0..368bf10cea 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -127,6 +127,9 @@ struct winbindd_request {
uid_t uid; /* getpwuid, uid_to_sid */
gid_t gid; /* getgrgid, gid_to_sid */
struct {
+ /* We deliberatedly don't split into domain/user to
+ avoid having the client know what the separator
+ character is. */
fstring user;
fstring pass;
} auth; /* pam_winbind auth module */
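Review bot: The added comment misspells "deliberately" as "deliberatedly" on its first line: `/* We deliberately don't split into domain/user to`. It would also help to state the consequence: because the client sends `user` unsplit, the daemon is the one that has to parse the separator out of it, and the comment is the natural place to say so.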
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index a8b508a49c..3e7a8ad971 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -147,7 +147,7 @@ done:
fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
- DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authenticaion for user %s returned %s (PAM: %d)\n",
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
state->request.data.auth.user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
@@ -183,7 +183,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
/* Ensure null termination */
state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]='\0';
- if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth.user))) {
+ if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
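Review bot: The corrected `talloc_init_named(..., state->request.data.auth_crap.user)` passes `user` to a `%s` conversion, so it needs the same NUL-termination guarantee the visible `domain[...]='\0'` line gives `domain`; if the equivalent assignment for `user` is above the hunk, fine, otherwise add `state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]='\0';` beside it. Passing the client string as an argument rather than as the format is correct and should stay that way. winbindd_pam_auth_crap starts outside the hunk.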
@@ -292,7 +292,7 @@ done:
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
- ("NTLM CRAP authenticaion for user [%s]\\[%s] returned %s (PAM: %d)\n",
+ ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
domain,
user,
state->response.data.auth.nt_status_string,
diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c
index 5ec34f663d..047280e21e 100644
--- a/source3/nsswitch/winbindd_rpc.c
+++ b/source3/nsswitch/winbindd_rpc.c
@@ -315,6 +315,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
cli_samr_close(hnd->cli, mem_ctx, &user_pol);
got_user_pol = False;
+ user_info->user_rid = user_rid;
user_info->group_rid = ctr->info.id21->group_rid;
user_info->acct_name = unistr2_tdup(mem_ctx,
&ctr->info.id21->uni_user_name);
@@ -419,7 +420,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
BOOL got_dom_pol = False, got_group_pol = False;
- DEBUG(3,("rpc: lookup_groupmem rid=%u\n", group_rid));
+ DEBUG(10,("rpc: lookup_groupmem %s rid=%u\n", domain->name, group_rid));
*num_names = 0;
@@ -523,7 +524,7 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
BOOL got_dom_pol = False;
uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
- DEBUG(3,("rpc: sequence_number\n"));
+ DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name));
*seq = DOM_SEQUENCE_NONE;
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index daa3abb340..2016c27881 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -83,10 +83,16 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
/* We can't call domain_list() as this function is called from
init_domain_list() and we'll get stuck in a loop. */
for (domain = _domain_list; domain; domain = domain->next) {
- if (strcmp(domain_name, domain->name) == 0 ||
- strcmp(domain_name, domain->alt_name) == 0) {
+ if (strcasecmp(domain_name, domain->name) == 0 ||
+ strcasecmp(domain_name, domain->alt_name) == 0) {
return domain;
}
+ if (alt_name && *alt_name) {
+ if (strcasecmp(alt_name, domain->name) == 0 ||
+ strcasecmp(alt_name, domain->alt_name) == 0) {
+ return domain;
+ }
+ }
}
/* Create new domain entry */
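Review bot: The new `alt_name && *alt_name` guard implies alt names can be NULL or empty, yet every comparison still passes `domain->alt_name` to `strcasecmp` unconditionally; if a stored entry has a NULL alt_name (the constructor is outside this hunk), `strcasecmp(domain_name, domain->alt_name)` dereferences NULL. Guard the stored side too, e.g. `(domain->alt_name && strcasecmp(domain_name, domain->alt_name) == 0)`, in both the existing and the new comparison. strcasecmp is also ASCII/locale-dependent, so a domain name with non-ASCII characters may not match the way the tree's own case-insensitive comparison (if it has one) would. add_trusted_domain starts outside the hunk.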