8 files changed, 155 insertions, 126 deletions

diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index f5812f9e65..66271068d2 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -927,6 +927,97 @@ static bool remove_idle_client(void)
 	return False;
 }
 
+struct winbindd_listen_state {
+	bool privileged;
+	int fd;
+	struct tevent_fd *fde;
+};
+
+static void winbindd_listen_fde_handler(struct tevent_context *ev,
+					struct tevent_fd *fde,
+					uint16_t flags,
+					void *private_data)
+{
+	struct winbindd_listen_state *s = talloc_get_type_abort(private_data,
+					  struct winbindd_listen_state);
+
+	while (winbindd_num_clients() >
+	       WINBINDD_MAX_SIMULTANEOUS_CLIENTS - 1) {
+		DEBUG(5,("winbindd: Exceeding %d client "
+			 "connections, removing idle "
+			 "connection.\n",
+			 WINBINDD_MAX_SIMULTANEOUS_CLIENTS));
+		if (!remove_idle_client()) {
+			DEBUG(0,("winbindd: Exceeding %d "
+				 "client connections, no idle "
+				 "connection found\n",
+				 WINBINDD_MAX_SIMULTANEOUS_CLIENTS));
+			break;
+		}
+	}
+
+	/* new, non-privileged connection */
+	new_connection(s->fd, s->privileged);
+}
+
+static bool winbindd_setup_listeners(void)
+{
+	struct winbindd_listen_state *pub_state = NULL;
+	struct winbindd_listen_state *priv_state = NULL;
+
+	pub_state = talloc(winbind_event_context(),
+			   struct winbindd_listen_state);
+	if (!pub_state) {
+		goto failed;
+	}
+
+	pub_state->privileged = false;
+	pub_state->fd = open_winbindd_socket();
+	if (pub_state->fd == -1) {
+		goto failed;
+	}
+
+	pub_state->fde = tevent_add_fd(winbind_event_context(),
+				       pub_state, pub_state->fd,
+				       TEVENT_FD_READ,
+				       winbindd_listen_fde_handler,
+				       pub_state);
+	if (!pub_state->fde) {
+		close(pub_state->fd);
+		goto failed;
+	}
+	tevent_fd_set_auto_close(pub_state->fde);
+
+	priv_state = talloc(winbind_event_context(),
+			    struct winbindd_listen_state);
+	if (!priv_state) {
+		goto failed;
+	}
+
+	priv_state->privileged = true;
+	priv_state->fd = open_winbindd_priv_socket();
+	if (priv_state->fd == -1) {
+		goto failed;
+	}
+
+	priv_state->fde = tevent_add_fd(winbind_event_context(),
+					priv_state, priv_state->fd,
+					TEVENT_FD_READ,
+					winbindd_listen_fde_handler,
+					priv_state);
+	if (!priv_state->fde) {
+		close(priv_state->fd);
+		goto failed;
+	}
+	tevent_fd_set_auto_close(priv_state->fde);
+
+	return true;
+failed:
+	TALLOC_FREE(pub_state);
+	TALLOC_FREE(priv_state);
+	return false;
+}
+
 /* Process incoming clients on listen_sock.  We use a tricky non-blocking,
    non-forking, non-threaded model which allows us to handle many
    simultaneous connections while remaining impervious to many denial of
@@ -934,35 +1025,17 @@ static bool remove_idle_client(void)
 
 static void process_loop(void)
 {
-	struct winbindd_cli_state *state;
 	struct winbindd_fd_event *ev;
 	fd_set r_fds, w_fds;
-	int maxfd, listen_sock, listen_priv_sock, selret;
+	int maxfd = 0, selret;
 	struct timeval timeout, ev_timeout;
 
-	/* Open Sockets here to get stuff going ASAP */
-	listen_sock = open_winbindd_socket();
-	listen_priv_sock = open_winbindd_priv_socket();
-
-	if (listen_sock == -1 || listen_priv_sock == -1) {
-		perror("open_winbind_socket");
-		exit(1);
-	}
-
 	run_events(winbind_event_context(), 0, NULL, NULL);
 
-	/* refresh the trusted domain cache */
-
-	rescan_trusted_domains();
-
 	/* Initialise fd lists for select() */
 
-	maxfd = MAX(listen_sock, listen_priv_sock);
-
 	FD_ZERO(&r_fds);
 	FD_ZERO(&w_fds);
-	FD_SET(listen_sock, &r_fds);
-	FD_SET(listen_priv_sock, &r_fds);
 
 	timeout.tv_sec = WINBINDD_ESTABLISH_LOOP;
 	timeout.tv_usec = 0;
@@ -979,23 +1052,6 @@ static void process_loop(void)
 		timeout = timeval_min(&timeout, &ev_timeout);
 	}
 
-	/* Set up client readers and writers */
-
-	state = winbindd_client_list();
-
-	while (state) {
-
-		struct winbindd_cli_state *next = state->next;
-
-		/* Dispose of client connection if it is marked as 
-		   finished */ 
-
-		if (state->finished)
-			remove_client(state);
-
-		state = next;
-	}
-
 	for (ev = fd_events; ev; ev = ev->next) {
 		if (ev->flags & EVENT_FD_READ) {
 			FD_SET(ev->fd, &r_fds);
@@ -1043,43 +1099,7 @@ static void process_loop(void)
 		ev = next;
 	}
 
-	if (FD_ISSET(listen_sock, &r_fds)) {
-		while (winbindd_num_clients() >
-		       WINBINDD_MAX_SIMULTANEOUS_CLIENTS - 1) {
-			DEBUG(5,("winbindd: Exceeding %d client "
-				 "connections, removing idle "
-				 "connection.\n",
-				 WINBINDD_MAX_SIMULTANEOUS_CLIENTS));
-			if (!remove_idle_client()) {
-				DEBUG(0,("winbindd: Exceeding %d "
-					 "client connections, no idle "
-					 "connection found\n",
-					 WINBINDD_MAX_SIMULTANEOUS_CLIENTS));
-				break;
-			}
-		}
-		/* new, non-privileged connection */
-		new_connection(listen_sock, False);
-	}
-
-	if (FD_ISSET(listen_priv_sock, &r_fds)) {
-		while (winbindd_num_clients() >
-		       WINBINDD_MAX_SIMULTANEOUS_CLIENTS - 1) {
-			DEBUG(5,("winbindd: Exceeding %d client "
-				 "connections, removing idle "
-				 "connection.\n",
-				 WINBINDD_MAX_SIMULTANEOUS_CLIENTS));
-			if (!remove_idle_client()) {
-				DEBUG(0,("winbindd: Exceeding %d "
-					 "client connections, no idle "
-					 "connection found\n",
-					 WINBINDD_MAX_SIMULTANEOUS_CLIENTS));
-				break;
-			}
-		}
-		/* new, privileged connection */
-		new_connection(listen_priv_sock, True);
-	}
+	return;
 
  no_fds_ready:
 
@@ -1366,12 +1386,39 @@ int main(int argc, char **argv, char **envp)
 	smb_nscd_flush_user_cache();
 	smb_nscd_flush_group_cache();
 
-	/* Loop waiting for requests */
+	/* setup listen sockets */
+
+	if (!winbindd_setup_listeners()) {
+		DEBUG(0,("winbindd_setup_listeners() failed\n"));
+		exit(1);
+	}
 
 	TALLOC_FREE(frame);
+	/* Loop waiting for requests */
 	while (1) {
+		struct winbindd_cli_state *state;
+
 		frame = talloc_stackframe();
+
+		/* refresh the trusted domain cache */
+
+		rescan_trusted_domains();
+
+		/* Dispose of client connection if it is marked as
+		   finished */
+		state = winbindd_client_list();
+		while (state) {
+			struct winbindd_cli_state *next = state->next;
+
+			if (state->finished) {
+				remove_client(state);
+			}
+
+			state = next;
+		}
+
 		process_loop();
+
 		TALLOC_FREE(frame);
 	}
 
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 5ebbb72cf5..f3733dc131 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -119,10 +119,10 @@ struct winbindd_cm_conn {
 	struct cli_state *cli;
 
 	struct rpc_pipe_client *samr_pipe;
-	POLICY_HND sam_connect_handle, sam_domain_handle;
+	struct policy_handle sam_connect_handle, sam_domain_handle;
 
 	struct rpc_pipe_client *lsa_pipe;
-	POLICY_HND lsa_policy;
+	struct policy_handle lsa_policy;
 
 	struct rpc_pipe_client *netlogon_pipe;
 };
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index a508682e5e..a76faa7a25 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -978,7 +978,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 	size_t num_members = 0;
 	ads_control args;
         struct rpc_pipe_client *cli;
-        POLICY_HND lsa_policy;
+        struct policy_handle lsa_policy;
 	DOM_SID *sid_mem_nocache = NULL;
 	char **names_nocache = NULL;
 	enum lsa_SidType *name_types_nocache = NULL;
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index e06e30e0a8..ed0a33a5f2 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1772,8 +1772,8 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
 	NTSTATUS 		result;
 	WERROR werr;
 	TALLOC_CTX              *mem_ctx = NULL;
-	struct rpc_pipe_client  *cli;
-	POLICY_HND pol;
+	struct rpc_pipe_client  *cli = NULL;
+	struct policy_handle pol;
 	union dssetup_DsRoleInfo info;
 	union lsa_PolicyInformation *lsa_info = NULL;
 
@@ -1990,7 +1990,7 @@ static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
 }
 
 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-			struct rpc_pipe_client **cli, POLICY_HND *sam_handle)
+			struct rpc_pipe_client **cli, struct policy_handle *sam_handle)
 {
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@@ -2156,7 +2156,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 }
 
 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-			struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
+			struct rpc_pipe_client **cli, struct policy_handle *lsa_policy)
 {
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 597d48aad0..15d1b7e2bf 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1396,7 +1396,7 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 	    NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
 
 		struct rpc_pipe_client *samr_pipe;
-		POLICY_HND samr_domain_handle, user_pol;
+		struct policy_handle samr_domain_handle, user_pol;
 		union samr_UserInfo *info = NULL;
 		NTSTATUS status_tmp;
 		uint32 acct_flags;
@@ -2066,7 +2066,7 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
 {
 	char *oldpass;
 	char *newpass = NULL;
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	struct rpc_pipe_client *cli;
 	bool got_info = false;
 	struct samr_DomInfo1 *info = NULL;
@@ -2394,7 +2394,7 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 	DATA_BLOB new_lm_password;
 	DATA_BLOB old_lm_hash_enc;
 	fstring  domain,user;
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	struct winbindd_domain *contact_domain = domainSt;
 	struct rpc_pipe_client *cli;
 
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 4fc96e8a4b..384395f896 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -208,9 +208,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn);
 void close_conns_after_fork(void);
 NTSTATUS init_dc_connection(struct winbindd_domain *domain);
 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-			struct rpc_pipe_client **cli, POLICY_HND *sam_handle);
+			struct rpc_pipe_client **cli, struct policy_handle *sam_handle);
 NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-			struct rpc_pipe_client **cli, POLICY_HND *lsa_policy);
+			struct rpc_pipe_client **cli, struct policy_handle *lsa_policy);
 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 			     struct rpc_pipe_client **cli);
 
@@ -549,7 +549,6 @@ const char *get_winbind_pipe_dir(void) ;
 char *get_winbind_priv_pipe_dir(void) ;
 int open_winbindd_socket(void);
 int open_winbindd_priv_socket(void);
-void close_winbindd_socket(void);
 struct winbindd_cli_state *winbindd_client_list(void);
 void winbindd_add_client(struct winbindd_cli_state *cli);
 void winbindd_remove_client(struct winbindd_cli_state *cli);
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 0070bde2cc..5edb0d98b0 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -38,7 +38,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
 			       WINBIND_USERINFO **info)
 {
 	NTSTATUS result;
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	unsigned int i, start_idx;
 	uint32 loop_count;
 	struct rpc_pipe_client *cli;
@@ -130,7 +130,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
 				uint32 *num_entries, 
 				struct acct_info **info)
 {
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	NTSTATUS status;
 	uint32 start = 0;
 	struct rpc_pipe_client *cli;
@@ -201,7 +201,7 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
 				uint32 *num_entries, 
 				struct acct_info **info)
 {
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	NTSTATUS result;
 	struct rpc_pipe_client *cli;
 
@@ -278,7 +278,7 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
 	enum lsa_SidType *types = NULL;
 	char *full_name = NULL;
 	struct rpc_pipe_client *cli;
-	POLICY_HND lsa_policy;
+	struct policy_handle lsa_policy;
 	NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
 	char *mapped_name = NULL;
 
@@ -343,7 +343,7 @@ static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
 	enum lsa_SidType *types = NULL;
 	NTSTATUS result;
 	struct rpc_pipe_client *cli;
-	POLICY_HND lsa_policy;
+	struct policy_handle lsa_policy;
 	NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
 	char *mapped_name = NULL;
 
@@ -396,7 +396,7 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
 	char **domains;
 	NTSTATUS result;
 	struct rpc_pipe_client *cli;
-	POLICY_HND lsa_policy;
+	struct policy_handle lsa_policy;
 	DOM_SID *sids;
 	size_t i;
 	char **ret_names;
@@ -461,7 +461,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 			   WINBIND_USERINFO *user_info)
 {
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	POLICY_HND dom_pol, user_pol;
+	struct policy_handle dom_pol, user_pol;
 	union samr_UserInfo *info = NULL;
 	uint32 user_rid;
 	struct netr_SamInfo3 *user;
@@ -564,7 +564,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 				  uint32 *num_groups, DOM_SID **user_grpsids)
 {
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	POLICY_HND dom_pol, user_pol;
+	struct policy_handle dom_pol, user_pol;
 	uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
 	struct samr_RidWithAttributeArray *rid_array = NULL;
 	unsigned int i;
@@ -645,7 +645,7 @@ static NTSTATUS msrpc_lookup_useraliases(struct winbindd_domain *domain,
 					 uint32 **alias_rids)
 {
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	uint32 num_query_sids = 0;
 	int i;
 	struct rpc_pipe_client *cli;
@@ -745,7 +745,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 {
         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
         uint32 i, total_names = 0;
-        POLICY_HND dom_pol, group_pol;
+        struct policy_handle dom_pol, group_pol;
         uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
 	uint32 *rid_mem = NULL;
 	uint32 group_rid;
@@ -857,14 +857,15 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 		}
 
 		for (r=0; r<tmp_names.count; r++) {
-			(*names)[i+r] = fill_domain_username_talloc(mem_ctx,
-						domain->name,
-						tmp_names.names[r].string,
-						true);
-			(*name_types)[i+r] = tmp_types.ids[r];
+			if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
+				continue;
+			}
+			(*names)[total_names] = fill_domain_username_talloc(
+				mem_ctx, domain->name,
+				tmp_names.names[r].string, true);
+			(*name_types)[total_names] = tmp_types.ids[r];
+			total_names += 1;
 		}
-
-		total_names += tmp_names.count;
         }
 
         *num_names = total_names;
@@ -952,7 +953,7 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
 	TALLOC_CTX *mem_ctx;
 	union samr_DomainInfo *info = NULL;
 	NTSTATUS result;
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	bool got_seq_num = False;
 	struct rpc_pipe_client *cli;
 
@@ -1053,7 +1054,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	uint32 enum_ctx = 0;
 	struct rpc_pipe_client *cli;
-	POLICY_HND lsa_policy;
+	struct policy_handle lsa_policy;
 
 	DEBUG(3,("rpc: trusted_domains\n"));
 
@@ -1111,7 +1112,7 @@ static NTSTATUS msrpc_lockout_policy(struct winbindd_domain *domain,
 {
 	NTSTATUS result;
 	struct rpc_pipe_client *cli;
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	union samr_DomainInfo *info = NULL;
 
 	DEBUG(10,("rpc: fetch lockout policy for %s\n", domain->name));
@@ -1152,7 +1153,7 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
 {
 	NTSTATUS result;
 	struct rpc_pipe_client *cli;
-	POLICY_HND dom_pol;
+	struct policy_handle dom_pol;
 	union samr_DomainInfo *info = NULL;
 
 	DEBUG(10,("rpc: fetch password policy for %s\n", domain->name));
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 2d87015fec..a2c1c85e0b 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1316,24 +1316,6 @@ int open_winbindd_priv_socket(void)
 	return _winbindd_priv_socket;
 }
 
-/* Close the winbindd socket */
-
-void close_winbindd_socket(void)
-{
-	if (_winbindd_socket != -1) {
-		DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
-			   _winbindd_socket));
-		close(_winbindd_socket);
-		_winbindd_socket = -1;
-	}
-	if (_winbindd_priv_socket != -1) {
-		DEBUG(10, ("close_winbindd_socket: closing socket fd %d\n",
-			   _winbindd_priv_socket));
-		close(_winbindd_priv_socket);
-		_winbindd_priv_socket = -1;
-	}
-}
-
 /*
  * Client list accessor functions
  */