diff options
Diffstat (limited to 'source3/nsswitch')
-rw-r--r-- | source3/nsswitch/pam_winbind.h | 5 | ||||
-rw-r--r-- | source3/nsswitch/wb_client.c | 74 | ||||
-rw-r--r-- | source3/nsswitch/wbinfo.c | 74 | ||||
-rw-r--r-- | source3/nsswitch/winbindd.c | 8 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_acct.c | 15 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 74 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cache.c | 8 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 126 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_group.c | 12 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_misc.c | 30 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_nss.h | 1 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 36 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_rpc.c | 4 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_sid.c | 18 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_user.c | 14 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 131 | ||||
-rw-r--r-- | source3/nsswitch/wins.c | 110 |
17 files changed, 556 insertions, 184 deletions
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index fae635d806..0afcceb6aa 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -25,15 +25,18 @@ #define PAM_SM_ACCOUNT #define PAM_SM_PASSWORD -#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) +#if defined(SUNOS5) || defined(SUNOS4) || defined(HPUX) || defined(FREEBSD) /* Solaris always uses dynamic pam modules */ #define PAM_EXTERN extern #include <security/pam_appl.h> +#ifndef PAM_AUTHTOK_RECOVER_ERR #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR #endif +#endif + #ifdef HAVE_SECURITY_PAM_MODULES_H #include <security/pam_modules.h> #endif diff --git a/source3/nsswitch/wb_client.c b/source3/nsswitch/wb_client.c index 7c5a8dd054..0c6644e9d0 100644 --- a/source3/nsswitch/wb_client.c +++ b/source3/nsswitch/wb_client.c @@ -264,6 +264,80 @@ static int wb_getgroups(const char *user, gid_t **groups) return -1; } +/* Call winbindd to initialise group membership. This is necessary for + some systems (i.e RH5.2) that do not have an initgroups function as part + of the nss extension. In RH5.2 this is implemented using getgrent() + which can be amazingly inefficient as well as having problems with + username case. */ + +int winbind_initgroups(char *user, gid_t gid) +{ + gid_t *tgr, *groups = NULL; + int result; + + /* Call normal initgroups if we are a local user */ + + if (!strchr(user, *lp_winbind_separator())) { + return initgroups(user, gid); + } + + result = wb_getgroups(user, &groups); + + DEBUG(10,("winbind_getgroups: %s: result = %s\n", user, + result == -1 ? "FAIL" : "SUCCESS")); + + if (result != -1) { + int ngroups = result, i; + BOOL is_member = False; + + /* Check to see if the passed gid is already in the list */ + + for (i = 0; i < ngroups; i++) { + if (groups[i] == gid) { + is_member = True; + } + } + + /* Add group to list if necessary */ + + if (!is_member) { + tgr = (gid_t *)Realloc(groups, sizeof(gid_t) * ngroups + 1); + + if (!tgr) { + errno = ENOMEM; + result = -1; + goto done; + } + else groups = tgr; + + groups[ngroups] = gid; + ngroups++; + } + + /* Set the groups */ + + if (sys_setgroups(ngroups, groups) == -1) { + errno = EPERM; + result = -1; + goto done; + } + + } else { + + /* The call failed. Set errno to something so we don't get + a bogus value from the last failed system call. */ + + errno = EIO; + } + + /* Free response data if necessary */ + + done: + SAFE_FREE(groups); + + return result; +} + /* Return a list of groups the user is a member of. This function is useful for large systems where inverting the group database would be too time consuming. If size is zero, list is not modified and the total diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index fcd7d2d508..0018e99f60 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -3,7 +3,7 @@ Winbind status program. - Copyright (C) Tim Potter 2000-2002 + Copyright (C) Tim Potter 2000-2003 Copyright (C) Andrew Bartlett 2002 This program is free software; you can redistribute it and/or modify @@ -219,15 +219,20 @@ static BOOL wbinfo_list_domains(void) /* show sequence numbers */ -static BOOL wbinfo_show_sequence(void) +static BOOL wbinfo_show_sequence(const char *domain) { + struct winbindd_request request; struct winbindd_response response; ZERO_STRUCT(response); + ZERO_STRUCT(request); + + if ( domain ) + fstrcpy( request.domain_name, domain ); /* Send request */ - if (winbindd_request(WINBINDD_SHOW_SEQUENCE, NULL, &response) != + if (winbindd_request(WINBINDD_SHOW_SEQUENCE, &request, &response) != NSS_STATUS_SUCCESS) return False; @@ -481,9 +486,18 @@ static BOOL wbinfo_auth_crap(char *username) parse_wbinfo_domain_user(username, name_domain, name_user); - fstrcpy(request.data.auth_crap.user, name_user); + if (push_utf8_fstring(request.data.auth_crap.user, name_user) == -1) { + d_printf("unable to create utf8 string for '%s'\n", + name_user); + return False; + } - fstrcpy(request.data.auth_crap.domain, name_domain); + if (push_utf8_fstring(request.data.auth_crap.domain, + name_domain) == -1) { + d_printf("unable to create utf8 string for '%s'\n", + name_domain); + return False; + } generate_random_buffer(request.data.auth_crap.chal, 8, False); @@ -682,17 +696,27 @@ static BOOL wbinfo_remove_user_from_group(char *string) /* Print domain users */ -static BOOL print_domain_users(void) +static BOOL print_domain_users(const char *domain) { + struct winbindd_request request; struct winbindd_response response; const char *extra_data; fstring name; /* Send request to winbind daemon */ + ZERO_STRUCT(request); ZERO_STRUCT(response); + + if (domain) { + /* '.' is the special sign for our own domwin */ + if ( strequal(domain, ".") ) + fstrcpy( request.domain_name, lp_workgroup() ); + else + fstrcpy( request.domain_name, domain ); + } - if (winbindd_request(WINBINDD_LIST_USERS, NULL, &response) != + if (winbindd_request(WINBINDD_LIST_USERS, &request, &response) != NSS_STATUS_SUCCESS) return False; @@ -713,15 +737,24 @@ static BOOL print_domain_users(void) /* Print domain groups */ -static BOOL print_domain_groups(void) +static BOOL print_domain_groups(const char *domain) { + struct winbindd_request request; struct winbindd_response response; const char *extra_data; fstring name; + ZERO_STRUCT(request); ZERO_STRUCT(response); - if (winbindd_request(WINBINDD_LIST_GROUPS, NULL, &response) != + if (domain) { + if ( strequal(domain, ".") ) + fstrcpy( request.domain_name, lp_workgroup() ); + else + fstrcpy( request.domain_name, domain ); + } + + if (winbindd_request(WINBINDD_LIST_GROUPS, &request, &response) != NSS_STATUS_SUCCESS) return False; @@ -845,6 +878,7 @@ static BOOL wbinfo_ping(void) enum { OPT_SET_AUTH_USER = 1000, OPT_GET_AUTH_USER, + OPT_DOMAIN_NAME, OPT_SEQUENCE }; @@ -854,8 +888,8 @@ int main(int argc, char **argv) poptContext pc; static char *string_arg; + static char *opt_domain_name; static int int_arg; - BOOL got_command = False; int result = 1; struct poptOption long_options[] = { @@ -864,8 +898,8 @@ int main(int argc, char **argv) /* longName, shortName, argInfo, argPtr, value, descrip, argDesc */ - { "domain-users", 'u', POPT_ARG_NONE, 0, 'u', "Lists all domain users"}, - { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g', "Lists all domain groups" }, + { "domain-users", 'u', POPT_ARG_NONE, 0, 'u', "Lists all domain users", "domain"}, + { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g', "Lists all domain groups", "domain" }, { "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N', "Converts NetBIOS name to IP", "NETBIOS-NAME" }, { "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I', "Converts IP address to NetBIOS name", "IP" }, { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n', "Converts name to sid", "NAME" }, @@ -888,6 +922,7 @@ int main(int argc, char **argv) { "set-auth-user", 0, POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" }, { "get-auth-user", 0, POPT_ARG_NONE, NULL, OPT_GET_AUTH_USER, "Retrieve user and password used by winbindd (root only)", NULL }, { "ping", 'p', POPT_ARG_NONE, 0, 'p', "Ping winbindd to see if it is alive" }, + { "domain", 0, POPT_ARG_STRING, &opt_domain_name, OPT_DOMAIN_NAME, "Define to the domain to restrict operatio", "domain" }, POPT_COMMON_VERSION POPT_TABLEEND }; @@ -917,11 +952,7 @@ int main(int argc, char **argv) } while((opt = poptGetNextOpt(pc)) != -1) { - if (got_command) { - d_fprintf(stderr, "No more than one command may be specified at once.\n"); - exit(1); - } - got_command = True; + /* get the generic configuration parameters like --domain */ } poptFreeContext(pc); @@ -932,13 +963,13 @@ int main(int argc, char **argv) while((opt = poptGetNextOpt(pc)) != -1) { switch (opt) { case 'u': - if (!print_domain_users()) { + if (!print_domain_users(opt_domain_name)) { d_printf("Error looking up domain users\n"); goto done; } break; case 'g': - if (!print_domain_groups()) { + if (!print_domain_groups(opt_domain_name)) { d_printf("Error looking up domain groups\n"); goto done; } @@ -1007,7 +1038,7 @@ int main(int argc, char **argv) } break; case OPT_SEQUENCE: - if (!wbinfo_show_sequence()) { + if (!wbinfo_show_sequence(opt_domain_name)) { d_printf("Could not show sequence numbers\n"); goto done; } @@ -1086,6 +1117,9 @@ int main(int argc, char **argv) case OPT_GET_AUTH_USER: wbinfo_get_auth_user(); break; + /* generic configuration options */ + case OPT_DOMAIN_NAME: + break; default: d_fprintf(stderr, "Invalid option\n"); poptPrintHelp(pc, stderr, 0); diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 8345fa11d0..6a0056f917 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -570,9 +570,9 @@ static void process_loop(void) message_dispatch(); - /* rescan the trusted domains list. This must be done - regularly to cope with transitive trusts */ - rescan_trusted_domains(False); + /* refresh the trusted domain cache */ + + rescan_trusted_domains(); /* Free up temporary memory */ @@ -829,7 +829,7 @@ int main(int argc, char **argv) setup_logging("winbindd", log_stdout); reopen_logs(); - DEBUG(1, ("winbindd version %s started.\n", VERSION ) ); + DEBUG(1, ("winbindd version %s started.\n", SAMBA_VERSION_STRING) ); DEBUGADD( 1, ( "Copyright The Samba Team 2000-2003\n" ) ); if (!reload_services_file(False)) { diff --git a/source3/nsswitch/winbindd_acct.c b/source3/nsswitch/winbindd_acct.c index 8abfd17110..0c06df7fdd 100644 --- a/source3/nsswitch/winbindd_acct.c +++ b/source3/nsswitch/winbindd_acct.c @@ -70,18 +70,13 @@ static BOOL winbindd_accountdb_init(void) if ( account_tdb ) return True; - - /* Nope. Try to open it */ - if (!(account_tdb = tdb_open_log(lock_path("winbindd_idmap.tdb"), 0, - TDB_DEFAULT, O_RDWR | O_CREAT, 0600))) - { - /* last chance -- maybe idmap has already opened it */ - if ( !(account_tdb = idmap_tdb_handle()) ) { + /* winbindd_idmap.tdb should always be opened by the idmap_init() + code first */ - DEBUG(0, ("winbindd_idmap_init: Unable to open idmap database\n")); - return False; - } + if ( !(account_tdb = idmap_tdb_handle()) ) { + DEBUG(0, ("winbindd_accountdb_init: Unable to retreive handle for database\n")); + return False; } /* yeah! */ diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index 7140dc35a0..c64359a224 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -28,10 +28,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -/* the realm of our primary LDAP server */ -static char *primary_realm; - - /* return our ads connections structure for a domain. We keep the connection open to make things faster @@ -58,10 +54,8 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) SAFE_FREE(ads->auth.password); ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); - if (primary_realm) { - SAFE_FREE(ads->auth.realm); - ads->auth.realm = strdup(primary_realm); - } + SAFE_FREE(ads->auth.realm); + ads->auth.realm = strdup(lp_realm()); status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads->config.realm) { @@ -84,11 +78,6 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) return NULL; } - /* remember our primary realm for trusted domain support */ - if (!primary_realm) { - primary_realm = strdup(ads->config.realm); - } - domain->private = (void *)ads; return ads; } @@ -123,7 +112,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, } rc = ads_search_retry(ads, &res, "(objectCategory=user)", attrs); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !res) { DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc))); goto done; } @@ -190,7 +179,8 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, DEBUG(3,("ads query_user_list gave %d entries\n", (*num_entries))); done: - if (res) ads_msgfree(ads, res); + if (res) + ads_msgfree(ads, res); return status; } @@ -224,7 +214,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, } rc = ads_search_retry(ads, &res, "(objectCategory=group)", attrs); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !res) { DEBUG(1,("enum_dom_groups ads_search: %s\n", ads_errstr(rc))); goto done; } @@ -283,7 +273,8 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); done: - if (res) ads_msgfree(ads, res); + if (res) + ads_msgfree(ads, res); return status; } @@ -378,7 +369,7 @@ static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, SAFE_FREE(ldap_exp); SAFE_FREE(escaped_dn); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !res) { goto failed; } @@ -393,11 +384,15 @@ static BOOL dn_lookup(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, goto failed; } - if (res) ads_msgfree(ads, res); + if (res) + ads_msgfree(ads, res); + return True; failed: - if (res) ads_msgfree(ads, res); + if (res) + ads_msgfree(ads, res); + return False; } @@ -436,7 +431,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, rc = ads_search_retry(ads, &msg, ldap_exp, attrs); free(ldap_exp); free(sidstr); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !msg) { DEBUG(1,("query_user(sid=%s) ads_search: %s\n", sid_to_string(sid_string, sid), ads_errstr(rc))); goto done; } @@ -470,7 +465,8 @@ static NTSTATUS query_user(struct winbindd_domain *domain, DEBUG(3,("ads query_user gave %s\n", info->acct_name)); done: - if (msg) ads_msgfree(ads, msg); + if (msg) + ads_msgfree(ads, msg); return status; } @@ -511,7 +507,7 @@ static NTSTATUS lookup_usergroups_alt(struct winbindd_domain *domain, rc = ads_search_retry(ads, &res, ldap_exp, group_attrs); free(ldap_exp); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !res) { DEBUG(1,("lookup_usergroups ads_search member=%s: %s\n", user_dn, ads_errstr(rc))); return ads_ntstatus(rc); } @@ -555,8 +551,10 @@ static NTSTATUS lookup_usergroups_alt(struct winbindd_domain *domain, DEBUG(3,("ads lookup_usergroups (alt) for dn=%s\n", user_dn)); done: - if (res) ads_msgfree(ads, res); - if (msg) ads_msgfree(ads, msg); + if (res) + ads_msgfree(ads, res); + if (msg) + ads_msgfree(ads, msg); return status; } @@ -609,7 +607,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, free(ldap_exp); free(sidstr); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !msg) { DEBUG(1,("lookup_usergroups(sid=%s) ads_search: %s\n", sid_to_string(sid_string, sid), ads_errstr(rc))); goto done; } @@ -617,14 +615,16 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, user_dn = ads_pull_string(ads, mem_ctx, msg, "distinguishedName"); if (!user_dn) { DEBUG(1,("lookup_usergroups(sid=%s) ads_search did not return a a distinguishedName!\n", sid_to_string(sid_string, sid))); - if (msg) ads_msgfree(ads, msg); + if (msg) + ads_msgfree(ads, msg); goto done; } - if (msg) ads_msgfree(ads, msg); + if (msg) + ads_msgfree(ads, msg); rc = ads_search_retry_dn(ads, &msg, user_dn, attrs2); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !msg) { DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: %s\n", sid_to_string(sid_string, sid), ads_errstr(rc))); goto done; } @@ -638,7 +638,8 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); - if (msg) ads_msgfree(ads, msg); + if (msg) + ads_msgfree(ads, msg); /* there must always be at least one group in the token, unless we are talking to a buggy Win2k server */ @@ -712,7 +713,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, free(ldap_exp); free(sidstr); - if (!ADS_ERR_OK(rc)) { + if (!ADS_ERR_OK(rc) || !res) { DEBUG(1,("query_user_list ads_search: %s\n", ads_errstr(rc))); goto done; } @@ -761,7 +762,8 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, status = NT_STATUS_OK; DEBUG(3,("ads lookup_groupmem for sid=%s\n", sid_to_string(sid_string, group_sid))); done: - if (res) ads_msgfree(ads, res); + if (res) + ads_msgfree(ads, res); return status; } @@ -808,6 +810,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, struct cli_state *cli = NULL; /* i think we only need our forest and downlevel trusted domains */ uint32 flags = DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND; + char *contact_domain_name; DEBUG(3,("ads: trusted_domains\n")); @@ -816,14 +819,15 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, *names = NULL; *dom_sids = NULL; - if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(domain->name, PI_NETLOGON, &cli)) ) { + contact_domain_name = *domain->alt_name ? domain->alt_name : domain->name; + if ( !NT_STATUS_IS_OK(result = cm_fresh_connection(contact_domain_name, PI_NETLOGON, &cli)) ) { DEBUG(5, ("trusted_domains: Could not open a connection to %s for PIPE_NETLOGON (%s)\n", - domain->name, nt_errstr(result))); + contact_domain_name, nt_errstr(result))); return NT_STATUS_UNSUCCESSFUL; } if ( NT_STATUS_IS_OK(result) ) - result = cli_ds_enum_domain_trusts( cli, mem_ctx, cli->desthost, flags, &domains, &count ); + result = cli_ds_enum_domain_trusts( cli, mem_ctx, cli->desthost, flags, &domains, (unsigned int *)&count ); if ( NT_STATUS_IS_OK(result) && count) { diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index 2891a4fa68..bc6967dee1 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c @@ -432,7 +432,7 @@ static struct cache_entry *wcache_fetch(struct winbind_cache *cache, } centry = smb_xmalloc(sizeof(*centry)); - centry->data = data.dptr; + centry->data = (unsigned char *)data.dptr; centry->len = data.dsize; centry->ofs = 0; @@ -576,7 +576,7 @@ static void centry_end(struct cache_entry *centry, const char *format, ...) key.dptr = kstr; key.dsize = strlen(kstr); - data.dptr = centry->data; + data.dptr = (char *)centry->data; data.dsize = centry->ofs; tdb_store(wcache->tdb, key, data, TDB_REPLACE); @@ -924,7 +924,7 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain, centry = wcache_fetch(cache, domain, "NS/%s/%s", domain->name, uname); if (!centry) goto do_query; - *type = centry_uint32(centry); + *type = (enum SID_NAME_USE)centry_uint32(centry); sid2 = centry_sid(centry, mem_ctx); if (!sid2) { ZERO_STRUCTP(sid); @@ -988,7 +988,7 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain, if (!centry) goto do_query; if (NT_STATUS_IS_OK(centry->status)) { - *type = centry_uint32(centry); + *type = (enum SID_NAME_USE)centry_uint32(centry); *name = centry_string(centry, mem_ctx); } status = centry->status; diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index f07117b5ab..8513a46f8f 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -116,7 +116,8 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, struct winbindd_cm_conn *new_conn) { NTSTATUS result; - char *ipc_username, *ipc_domain, *ipc_password; + char *machine_password; + char *machine_krb5_principal, *ipc_username, *ipc_domain, *ipc_password; struct in_addr dc_ip; int i; BOOL retry = True; @@ -137,10 +138,15 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, /* Initialise SMB connection */ - cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); + /* grab stored passwords */ + machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + + if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(), lp_realm()) == -1) { + SAFE_FREE(machine_password); + return NT_STATUS_NO_MEMORY; + } - DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n", - new_conn->controller, global_myname(), ipc_domain, ipc_username)); + cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); for (i = 0; retry && (i < 3); i++) { BOOL got_mutex; @@ -150,12 +156,99 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, continue; } - result = cli_full_connection(&new_conn->cli, global_myname(), new_conn->controller, - &dc_ip, 0, "IPC$", "IPC", ipc_username, ipc_domain, - ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, - Undefined, &retry); - - secrets_named_mutex_release(new_conn->controller); + new_conn->cli = NULL; + result = cli_start_connection(&new_conn->cli, global_myname(), + new_conn->controller, + &dc_ip, 0, Undefined, + CLI_FULL_CONNECTION_USE_KERBEROS, + &retry); + + if (NT_STATUS_IS_OK(result)) { + + /* reset the error code */ + result = NT_STATUS_UNSUCCESSFUL; + + /* Krb5 session */ + + if ((lp_security() == SEC_ADS) + && (new_conn->cli->protocol >= PROTOCOL_NT1 && new_conn->cli->capabilities & CAP_EXTENDED_SECURITY)) { + new_conn->cli->use_kerberos = True; + DEBUG(5, ("connecting to %s from %s with kerberos principal [%s]\n", + new_conn->controller, global_myname(), machine_krb5_principal)); + + result = NT_STATUS_OK; + + if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal, + machine_password, + domain)) { + result = cli_nt_error(new_conn->cli); + DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result))); + if (NT_STATUS_IS_OK(result)) + result = NT_STATUS_UNSUCCESSFUL; + } + } + new_conn->cli->use_kerberos = False; + + /* only do this is we have a username/password for thr IPC$ connection */ + + if ( !NT_STATUS_IS_OK(result) + && new_conn->cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE + && strlen(ipc_username) ) + { + DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n", + new_conn->controller, global_myname(), ipc_domain, ipc_username)); + + result = NT_STATUS_OK; + + if (!cli_session_setup(new_conn->cli, ipc_username, + ipc_password, strlen(ipc_password)+1, + ipc_password, strlen(ipc_password)+1, + domain)) { + result = cli_nt_error(new_conn->cli); + DEBUG(4,("failed authenticated session setup with %s\n", nt_errstr(result))); + if (NT_STATUS_IS_OK(result)) + result = NT_STATUS_UNSUCCESSFUL; + } + } + + /* anonymous is all that is left if we get to here */ + + if (!NT_STATUS_IS_OK(result)) { + + DEBUG(5, ("anonymous connection attempt to %s from %s\n", + new_conn->controller, global_myname())); + + result = NT_STATUS_OK; + + if (!cli_session_setup(new_conn->cli, "", NULL, 0, NULL, 0, "")) + { + result = cli_nt_error(new_conn->cli); + DEBUG(4,("failed anonymous session setup with %s\n", nt_errstr(result))); + if (NT_STATUS_IS_OK(result)) + result = NT_STATUS_UNSUCCESSFUL; + } + + } + + if (NT_STATUS_IS_OK(result) && !cli_send_tconX(new_conn->cli, "IPC$", "IPC", + "", 0)) { + result = cli_nt_error(new_conn->cli); + DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result))); + cli_shutdown(new_conn->cli); + if (NT_STATUS_IS_OK(result)) { + result = NT_STATUS_UNSUCCESSFUL; + } + } + } + + if (NT_STATUS_IS_OK(result)) { + struct ntuser_creds creds; + init_creds(&creds, ipc_username, ipc_domain, ipc_password); + cli_init_creds(new_conn->cli, &creds); + } + + if (got_mutex) + secrets_named_mutex_release(new_conn->controller); if (NT_STATUS_IS_OK(result)) break; @@ -164,6 +257,7 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, SAFE_FREE(ipc_username); SAFE_FREE(ipc_domain); SAFE_FREE(ipc_password); + SAFE_FREE(machine_password); if (!NT_STATUS_IS_OK(result)) { add_failed_connection_entry(domain, new_conn->controller, result); @@ -479,6 +573,7 @@ NTSTATUS cm_get_netlogon_cli(const char *domain, struct winbindd_cm_conn *conn; fstring lock_name; BOOL got_mutex; + struct winbindd_domain *wb_domain = NULL; if (!cli) return NT_STATUS_INVALID_PARAMETER; @@ -520,6 +615,17 @@ NTSTATUS cm_get_netlogon_cli(const char *domain, if ( sec_channel_type == SEC_CHAN_DOMAIN ) fstr_sprintf(conn->cli->mach_acct, "%s$", lp_workgroup()); + /* we need the short form of the domain name for the schanel + rpc bind. What if we fail? I don't think we should ever get + a request for a domain name not in our list but I'm not bailing + out if we do since I'm not 10% certain about this --jerry */ + + if ( (wb_domain = find_domain_from_name( domain )) != NULL ) { + DEBUG(5,("cm_get_netlogon_cli: Using short for of domain name [%s] for netlogon rpc bind\n", + wb_domain->name)); + fstrcpy( conn->cli->domain, wb_domain->name); + } + result = cli_nt_establish_netlogon(conn->cli, sec_channel_type, trust_passwd); if (got_mutex) diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 96c121685a..fba427536c 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -821,17 +821,29 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state) { uint32 total_entries = 0; struct winbindd_domain *domain; + const char *which_domain; char *extra_data = NULL; char *ted = NULL; unsigned int extra_data_len = 0, i; DEBUG(3, ("[%5lu]: list groups\n", (unsigned long)state->pid)); + /* Ensure null termination */ + state->request.domain_name[sizeof(state->request.domain_name)-1]='\0'; + which_domain = state->request.domain_name; + /* Enumerate over trusted domains */ for (domain = domain_list(); domain; domain = domain->next) { struct getent_state groups; + /* if we have a domain name restricting the request and this + one in the list doesn't match, then just bypass the remainder + of the loop */ + + if ( *which_domain && !strequal(which_domain, domain->name) ) + continue; + ZERO_STRUCT(groups); /* Get list of sam groups */ diff --git a/source3/nsswitch/winbindd_misc.c b/source3/nsswitch/winbindd_misc.c index 740b760b93..88fbb5ee00 100644 --- a/source3/nsswitch/winbindd_misc.c +++ b/source3/nsswitch/winbindd_misc.c @@ -35,6 +35,8 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat int num_retries = 0; struct cli_state *cli; uint32 sec_channel_type; + const char *contact_domain_name = NULL; + DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid)); /* Get trust account password */ @@ -46,11 +48,21 @@ enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *stat goto done; } + + /* use the realm name if appropriate and possible */ + + if ( lp_security() == SEC_ADS ) + contact_domain_name = lp_realm(); + + if ( !contact_domain_name || !*contact_domain_name ) + contact_domain_name = lp_workgroup(); + /* This call does a cli_nt_setup_creds() which implicitly checks the trust account password. */ - /* Don't shut this down - it belongs to the connection cache code */ - result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, sec_channel_type, True, &cli); + + result = cm_get_netlogon_cli(contact_domain_name, + trust_passwd, sec_channel_type, True, &cli); if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("could not open handle to NETLOGON pipe\n")); @@ -148,9 +160,14 @@ enum winbindd_result winbindd_show_sequence(struct winbindd_cli_state *state) { struct winbindd_domain *domain; char *extra_data = NULL; + const char *which_domain; DEBUG(3, ("[%5lu]: show sequence\n", (unsigned long)state->pid)); + /* Ensure null termination */ + state->request.domain_name[sizeof(state->request.domain_name)-1]='\0'; + which_domain = state->request.domain_name; + extra_data = strdup(""); /* this makes for a very simple data format, and is easily parsable as well @@ -158,6 +175,13 @@ enum winbindd_result winbindd_show_sequence(struct winbindd_cli_state *state) for (domain = domain_list(); domain; domain = domain->next) { char *s; + /* if we have a domain name restricting the request and this + one in the list doesn't match, then just bypass the remainder + of the loop */ + + if ( *which_domain && !strequal(which_domain, domain->name) ) + continue; + domain->methods->sequence_number(domain, &domain->sequence_number); if (DOM_SEQUENCE_NONE == (unsigned)domain->sequence_number) { @@ -194,7 +218,7 @@ enum winbindd_result winbindd_info(struct winbindd_cli_state *state) DEBUG(3, ("[%5lu]: request misc info\n", (unsigned long)state->pid)); state->response.data.info.winbind_separator = *lp_winbind_separator(); - fstrcpy(state->response.data.info.samba_version, VERSION); + fstrcpy(state->response.data.info.samba_version, SAMBA_VERSION_STRING); return WINBINDD_OK; } diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index c4407bbe31..41fecd2816 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -157,6 +157,7 @@ struct winbindd_request { enum winbindd_cmd cmd; /* Winbindd command to execute */ pid_t pid; /* pid of calling process */ uint32 flags; /* flags relavant to a given request */ + fstring domain_name; /* name of domain for which the request applies */ union { fstring winsreq; /* WINS request */ diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index a8908487c1..21ae6478de 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -65,7 +65,7 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) time_t last_change_time; uint32 sec_channel_type; NET_USER_INFO_3 info3; - struct cli_state *cli = NULL; + struct cli_state *cli; uchar chal[8]; TALLOC_CTX *mem_ctx = NULL; DATA_BLOB lm_resp; @@ -75,6 +75,7 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; const char *contact_domain; + BOOL retry; /* Ensure null termination */ state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0'; @@ -127,6 +128,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) do { ZERO_STRUCT(info3); ZERO_STRUCT(ret_creds); + cli = NULL; + retry = False; /* Don't shut this down - it belongs to the connection cache code */ result = cm_get_netlogon_cli(contact_domain, trust_passwd, @@ -154,15 +157,14 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) "password was changed and we didn't know it. Killing connections to domain %s\n", name_domain)); winbindd_cm_flush(); - cli->fd = -1; + retry = True; } /* We have to try a second time as cm_get_netlogon_cli might not yet have noticed that the DC has killed our connection. */ - } while ( (attempts < 2) && (cli->fd == -1) ); - + } while ( (attempts < 2) && retry ); clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds); @@ -170,10 +172,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) netsamlogon_cache_store( cli->mem_ctx, &info3 ); wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3); } - - + done: - /* give us a more useful (more correct?) error code */ if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) { result = NT_STATUS_NO_LOGON_SERVERS; @@ -206,7 +206,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) time_t last_change_time; uint32 sec_channel_type; NET_USER_INFO_3 info3; - struct cli_state *cli = NULL; + struct cli_state *cli; TALLOC_CTX *mem_ctx = NULL; char *user = NULL; const char *domain = NULL; @@ -214,6 +214,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) const char *contact_domain; DOM_CRED ret_creds; int attempts = 0; + BOOL retry; DATA_BLOB lm_resp, nt_resp; @@ -226,10 +227,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) } /* Ensure null termination */ - state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]='\0'; - - /* Ensure null termination */ - state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]='\0'; + state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0; + state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0; if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) { DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n")); @@ -239,12 +238,16 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) if (pull_utf8_talloc(mem_ctx, &user, state->request.data.auth_crap.user) == (size_t)-1) { DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n")); + result = NT_STATUS_UNSUCCESSFUL; + goto done; } if (*state->request.data.auth_crap.domain) { char *dom = NULL; if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) { DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n")); + result = NT_STATUS_UNSUCCESSFUL; + goto done; } domain = dom; } else if (lp_winbind_use_default_domain()) { @@ -268,6 +271,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) char *wrk = NULL; if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) { DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n")); + result = NT_STATUS_UNSUCCESSFUL; + goto done; } workstation = wrk; } else { @@ -296,6 +301,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) do { ZERO_STRUCT(info3); ZERO_STRUCT(ret_creds); + cli = NULL; + retry = False; /* Don't shut this down - it belongs to the connection cache code */ result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, False, &cli); @@ -325,14 +332,14 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) "password was changed and we didn't know it. Killing connections to domain %s\n", domain)); winbindd_cm_flush(); - cli->fd = -1; + retry = True; } /* We have to try a second time as cm_get_netlogon_cli might not yet have noticed that the DC has killed our connection. */ - } while ( (attempts < 2) && (cli->fd == -1) ); + } while ( (attempts < 2) && retry ); clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds); @@ -353,7 +360,6 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) } done: - /* give us a more useful (more correct?) error code */ if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) { result = NT_STATUS_NO_LOGON_SERVERS; diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c index 33339d7ca0..8bd2c66511 100644 --- a/source3/nsswitch/winbindd_rpc.c +++ b/source3/nsswitch/winbindd_rpc.c @@ -295,7 +295,7 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain, if (NT_STATUS_IS_OK(result)) { sid_copy(sid, &sids[0]); - *type = types[0]; + *type = (enum SID_NAME_USE)types[0]; } return result; @@ -331,7 +331,7 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain, hnd && hnd->cli && hnd->cli->fd == -1); if (NT_STATUS_IS_OK(result)) { - *type = types[0]; + *type = (enum SID_NAME_USE)types[0]; *name = names[0]; DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name)); diff --git a/source3/nsswitch/winbindd_sid.c b/source3/nsswitch/winbindd_sid.c index 98a6fce24b..ac1ee11555 100644 --- a/source3/nsswitch/winbindd_sid.c +++ b/source3/nsswitch/winbindd_sid.c @@ -185,12 +185,17 @@ enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state) { DOM_SID sid; - /* Bug out if the uid isn't in the winbind range */ - +#if 0 /* JERRY */ + /* we cannot do this check this anymore since a domain member of + a Samba domain may share unix accounts via NIS or LDAP. In this + case the uid/gid will be out of winbindd's range but still might + be resolved to a SID via an ldap idmap backend */ + if ((state->request.data.uid < server_state.uid_low ) || (state->request.data.uid > server_state.uid_high)) { return WINBINDD_ERROR; } +#endif DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid, (unsigned long)state->request.data.uid)); @@ -214,12 +219,17 @@ enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state) { DOM_SID sid; - /* Bug out if the gid isn't in the winbind range */ - +#if 0 /* JERRY */ + /* we cannot do this check this anymore since a domain member of + a Samba domain may share unix accounts via NIS or LDAP. In this + case the uid/gid will be out of winbindd's range but still might + be resolved to a SID via an ldap idmap backend */ + if ((state->request.data.gid < server_state.gid_low) || (state->request.data.gid > server_state.gid_high)) { return WINBINDD_ERROR; } +#endif DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid, (unsigned long)state->request.data.gid)); diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c index c0b0d94167..eab88c842e 100644 --- a/source3/nsswitch/winbindd_user.c +++ b/source3/nsswitch/winbindd_user.c @@ -575,6 +575,7 @@ enum winbindd_result winbindd_list_users(struct winbindd_cli_state *state) { struct winbindd_domain *domain; WINBIND_USERINFO *info; + const char *which_domain; uint32 num_entries = 0, total_entries = 0; char *ted, *extra_data = NULL; int extra_data_len = 0; @@ -586,13 +587,24 @@ enum winbindd_result winbindd_list_users(struct winbindd_cli_state *state) if (!(mem_ctx = talloc_init("winbindd_list_users"))) return WINBINDD_ERROR; + /* Ensure null termination */ + state->request.domain_name[sizeof(state->request.domain_name)-1]='\0'; + which_domain = state->request.domain_name; + /* Enumerate over trusted domains */ for (domain = domain_list(); domain; domain = domain->next) { NTSTATUS status; struct winbindd_methods *methods; unsigned int i; - + + /* if we have a domain name restricting the request and this + one in the list doesn't match, then just bypass the remainder + of the loop */ + + if ( *which_domain && !strequal(which_domain, domain->name) ) + continue; + methods = domain->methods; /* Query display info */ diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index a810e503a0..25de4eff71 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -80,6 +80,14 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const DOM_SID *sid) { struct winbindd_domain *domain; + char *contact_name; + const char *alternative_name = NULL; + + /* ignore alt_name if we are not in an AD domain */ + + if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) { + alternative_name = alt_name; + } /* We can't call domain_list() as this function is called from init_domain_list() and we'll get stuck in a loop. */ @@ -88,9 +96,9 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const strcasecmp(domain_name, domain->alt_name) == 0) { return domain; } - if (alt_name && *alt_name) { - if (strcasecmp(alt_name, domain->name) == 0 || - strcasecmp(alt_name, domain->alt_name) == 0) { + if (alternative_name && *alternative_name) { + if (strcasecmp(alternative_name, domain->name) == 0 || + strcasecmp(alternative_name, domain->alt_name) == 0) { return domain; } } @@ -107,13 +115,13 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const ZERO_STRUCTP(domain); /* prioritise the short name */ - if (strchr_m(domain_name, '.') && alt_name && *alt_name) { - fstrcpy(domain->name, alt_name); + if (strchr_m(domain_name, '.') && alternative_name && *alternative_name) { + fstrcpy(domain->name, alternative_name); fstrcpy(domain->alt_name, domain_name); } else { fstrcpy(domain->name, domain_name); - if (alt_name) { - fstrcpy(domain->alt_name, alt_name); + if (alternative_name) { + fstrcpy(domain->alt_name, alternative_name); } } @@ -125,10 +133,12 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const sid_copy(&domain->sid, sid); } - /* see if this is a native mode win2k domain */ + /* see if this is a native mode win2k domain (use realm name if possible) */ - domain->native_mode = cm_check_for_native_mode_win2k( domain_name ); - DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", domain_name, + contact_name = *domain->alt_name ? domain->alt_name : domain->name; + domain->native_mode = cm_check_for_native_mode_win2k( contact_name ); + + DEBUG(3,("add_trusted_domain: %s is a %s mode domain\n", contact_name, domain->native_mode ? "native" : "mixed (or NT4)" )); /* Link to domain list */ @@ -141,57 +151,80 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const return domain; } +/******************************************************************** + Periodically we need to refresh the trusted domain cache for smbd +********************************************************************/ -/* +void rescan_trusted_domains( void ) +{ + static time_t last_scan; + time_t now = time(NULL); + struct winbindd_domain *mydomain = NULL; + + /* see if the time has come... */ + + if ( (now > last_scan) && ((now-last_scan) < WINBINDD_RESCAN_FREQ) ) + return; + + /* get the handle for our domain */ + + if ( (mydomain = find_domain_from_name(lp_workgroup())) == NULL ) { + DEBUG(0,("rescan_trusted_domains: Can't find my own domain!\n")); + return; + } + + /* this will only add new domains we didn't already know about */ + + add_trusted_domains( mydomain ); + + last_scan = now; + + return; +} + +/******************************************************************** rescan our domains looking for new trusted domains - */ -void rescan_trusted_domains(BOOL force) +********************************************************************/ + +void add_trusted_domains( struct winbindd_domain *domain ) { - struct winbindd_domain *domain; TALLOC_CTX *mem_ctx; - static time_t last_scan; - time_t t = time(NULL); + NTSTATUS result; + time_t t; + char **names; + char **alt_names; + int num_domains = 0; + DOM_SID *dom_sids, null_sid; + int i; + struct winbindd_domain *new_domain; /* trusted domains might be disabled */ if (!lp_allow_trusted_domains()) { return; } - /* Only rescan every few minutes but force if necessary */ - - if (((unsigned)(t - last_scan) < WINBINDD_RESCAN_FREQ) && !force) - return; - - last_scan = t; - DEBUG(1, ("scanning trusted domain list\n")); if (!(mem_ctx = talloc_init("init_domain_list"))) return; + + ZERO_STRUCTP(&null_sid); - for (domain = _domain_list; domain; domain = domain->next) { - NTSTATUS result; - char **names; - char **alt_names; - int num_domains = 0; - DOM_SID *dom_sids, null_sid; - int i; - struct winbindd_domain *new_domain; + t = time(NULL); + + /* ask the DC what domains it trusts */ + + result = domain->methods->trusted_domains(domain, mem_ctx, (unsigned int *)&num_domains, + &names, &alt_names, &dom_sids); - ZERO_STRUCTP(&null_sid); - - result = domain->methods->trusted_domains(domain, mem_ctx, &num_domains, - &names, &alt_names, &dom_sids); - if (!NT_STATUS_IS_OK(result)) { - continue; - } + if ( NT_STATUS_IS_OK(result) ) { /* Add each domain to the trusted domain list */ for(i = 0; i < num_domains; i++) { DEBUG(10,("Found domain %s\n", names[i])); add_trusted_domain(names[i], alt_names?alt_names[i]:NULL, - domain->methods, &dom_sids[i]); + domain->methods, &dom_sids[i]); /* if the SID was empty, we better set it now */ @@ -212,7 +245,7 @@ void rescan_trusted_domains(BOOL force) result = domain->methods->domain_sid( new_domain, &new_domain->sid ); if ( NT_STATUS_IS_OK(result) ) - sid_copy( &dom_sids[i], &domain->sid ); + sid_copy( &dom_sids[i], &new_domain->sid ); } /* store trusted domain in the cache */ @@ -234,18 +267,26 @@ BOOL init_domain_list(void) free_domain_list(); /* Add ourselves as the first entry */ - domain = add_trusted_domain( lp_workgroup(), NULL, &cache_methods, NULL); + + domain = add_trusted_domain( lp_workgroup(), lp_realm(), &cache_methods, NULL); + + /* get any alternate name for the primary domain */ + + cache_methods.alternate_name(domain); + + /* now we have the correct netbios (short) domain name */ + + if ( *domain->name ) + set_global_myworkgroup( domain->name ); + if (!secrets_fetch_domain_sid(domain->name, &domain->sid)) { DEBUG(1, ("Could not fetch sid for our domain %s\n", domain->name)); return False; } - /* get any alternate name for the primary domain */ - cache_methods.alternate_name(domain); - /* do an initial scan for trusted domains */ - rescan_trusted_domains(True); + add_trusted_domains(domain); return True; } diff --git a/source3/nsswitch/wins.c b/source3/nsswitch/wins.c index 87dac60192..0fc4e46cdb 100644 --- a/source3/nsswitch/wins.c +++ b/source3/nsswitch/wins.c @@ -260,54 +260,105 @@ int lookup(nsd_file_t *rq) } #else + +/* Allocate some space from the nss static buffer. The buffer and buflen + are the pointers passed in by the C library to the _nss_*_* + functions. */ + +static char *get_static(char **buffer, int *buflen, int len) +{ + char *result; + + /* Error check. We return false if things aren't set up right, or + there isn't enough buffer space left. */ + + if ((buffer == NULL) || (buflen == NULL) || (*buflen < len)) { + return NULL; + } + + /* Return an index into the static buffer */ + + result = *buffer; + *buffer += len; + *buflen -= len; + + return result; +} + /**************************************************************************** gethostbyname() - we ignore any domain portion of the name and only handle names that are at most 15 characters long **************************************************************************/ NSS_STATUS -_nss_wins_gethostbyname_r(const char *name, struct hostent *he, - char *buffer, size_t buflen, int *errnop, - int *h_errnop) +_nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, + char *buffer, size_t buflen, int *h_errnop) { - char **host_addresses; struct in_addr *ip_list; int i, count; - size_t namelen = strlen(name) + 1; + fstring name; + size_t namelen; memset(he, '\0', sizeof(*he)); + fstrcpy(name, hostname); + + /* Do lookup */ ip_list = lookup_byname_backend(name, &count); - if (!ip_list) { - return NSS_STATUS_NOTFOUND; - } - if (buflen < namelen + (2*count+1)*INADDRSZ) { - /* no ENOMEM error type?! */ + if (!ip_list) return NSS_STATUS_NOTFOUND; - } + /* Copy h_name */ - host_addresses = (char **)buffer; - he->h_addr_list = host_addresses; - host_addresses[count] = NULL; - buffer += (count + 1) * INADDRSZ; - buflen += (count + 1) * INADDRSZ; - he->h_addrtype = AF_INET; - he->h_length = INADDRSZ; + namelen = strlen(name) + 1; + + if ((he->h_name = get_static(&buffer, &buflen, namelen)) == NULL) + return NSS_STATUS_TRYAGAIN; + + memcpy(he->h_name, name, namelen); + + /* Copy h_addr_list, align to pointer boundary first */ - for (i=0;i<count;i++) { - memcpy(buffer, &ip_list[i].s_addr, INADDRSZ); - *host_addresses = buffer; - buffer += INADDRSZ; - buflen -= INADDRSZ; - host_addresses++; + if ((i = (unsigned long)(buffer) % sizeof(char*)) != 0) + i = sizeof(char*) - i; + + if (get_static(&buffer, &buflen, i) == NULL) + return NSS_STATUS_TRYAGAIN; + + if ((he->h_addr_list = (char **)get_static( + &buffer, &buflen, (count + 1) * sizeof(char *))) == NULL) + return NSS_STATUS_TRYAGAIN; + + for (i = 0; i < count; i++) { + if ((he->h_addr_list[i] = get_static(&buffer, &buflen, + INADDRSZ)) == NULL) + return NSS_STATUS_TRYAGAIN; + memcpy(he->h_addr_list[i], &ip_list[i], INADDRSZ); } + he->h_addr_list[count] = NULL; + if (ip_list) free(ip_list); - memcpy(buffer, name, namelen); - he->h_name = buffer; + /* Set h_addr_type and h_length */ + + he->h_addrtype = AF_INET; + he->h_length = INADDRSZ; + + /* Set h_aliases */ + + if ((i = (unsigned long)(buffer) % sizeof(char*)) != 0) + i = sizeof(char*) - i; + + if (get_static(&buffer, &buflen, i) == NULL) + return NSS_STATUS_TRYAGAIN; + + if ((he->h_aliases = (char **)get_static( + &buffer, &buflen, sizeof(char *))) == NULL) + return NSS_STATUS_TRYAGAIN; + + he->h_aliases[0] = NULL; return NSS_STATUS_SUCCESS; } @@ -315,15 +366,14 @@ _nss_wins_gethostbyname_r(const char *name, struct hostent *he, NSS_STATUS _nss_wins_gethostbyname2_r(const char *name, int af, struct hostent *he, - char *buffer, size_t buflen, int *errnop, - int *h_errnop) + char *buffer, size_t buflen, int *h_errnop) { if(af!=AF_INET) { *h_errnop = NO_DATA; - *errnop = EAFNOSUPPORT; return NSS_STATUS_UNAVAIL; } - return _nss_wins_gethostbyname_r(name,he,buffer,buflen,errnop,h_errnop); + return _nss_wins_gethostbyname_r( + name, he, buffer, buflen, h_errnop); } #endif |