summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/Doxyfile78
-rw-r--r--source3/Makefile.in49
-rw-r--r--source3/auth/pampass.c5
-rw-r--r--source3/client/cifs.upcall.c21
-rw-r--r--source3/client/cifs_spnego.h2
-rw-r--r--source3/client/mount.cifs.c3
-rw-r--r--source3/configure.in48
-rw-r--r--source3/exports/libsmbclient.syms4
-rw-r--r--source3/exports/libsmbsharemodes.syms3
-rw-r--r--source3/include/proto.h3
-rw-r--r--source3/include/smb.h15
-rw-r--r--source3/lib/dbwrap_ctdb.c32
-rw-r--r--source3/lib/idmap_cache.c (renamed from source3/winbindd/idmap_cache.c)1
-rw-r--r--source3/lib/interface.c7
-rw-r--r--source3/lib/util_str.c5
-rw-r--r--source3/libads/ldap.c3
-rw-r--r--source3/librpc/gen_ndr/cli_netlogon.c6
-rw-r--r--source3/librpc/gen_ndr/cli_netlogon.h6
-rw-r--r--source3/librpc/gen_ndr/krb5pac.h2
-rw-r--r--source3/librpc/gen_ndr/ndr_krb5pac.c20
-rw-r--r--source3/librpc/gen_ndr/ndr_netlogon.c38
-rw-r--r--source3/librpc/gen_ndr/netlogon.h4
-rw-r--r--source3/librpc/idl/krb5pac.idl2
-rw-r--r--source3/librpc/idl/netlogon.idl6
-rw-r--r--source3/libsmb/clikrb5.c2
-rw-r--r--source3/libsmb/trusts_util.c75
-rw-r--r--source3/m4/aclocal.m44
-rw-r--r--source3/modules/vfs_tsmsm.c15
-rw-r--r--source3/nmbd/nmbd.c4
-rw-r--r--source3/nmbd/nmbd_processlogon.c2
-rw-r--r--source3/nmbd/nmbd_subnetdb.c11
-rw-r--r--source3/nsswitch/pam_winbind.c111
-rw-r--r--source3/nsswitch/pam_winbind.h28
-rw-r--r--source3/nsswitch/wb_common.c20
-rw-r--r--source3/nsswitch/wbinfo.c66
-rw-r--r--source3/nsswitch/winbind_nss_solaris.c25
-rw-r--r--source3/param/loadparm.c16
-rw-r--r--source3/passdb/lookup_sid.c96
-rw-r--r--source3/rpc_client/cli_pipe.c4
-rw-r--r--source3/rpc_server/srv_netlog_nt.c11
-rw-r--r--source3/smbd/aio.c8
-rw-r--r--source3/smbd/nttrans.c12
-rw-r--r--source3/smbd/open.c5
-rw-r--r--source3/smbd/reply.c5
-rw-r--r--source3/smbd/sesssetup.c23
-rw-r--r--source3/utils/net_rpc_samsync.c4
-rw-r--r--source3/utils/net_util.c5
-rw-r--r--source3/utils/smbcontrol.c7
-rw-r--r--source3/winbindd/idmap_util.c2
-rw-r--r--source3/winbindd/winbindd.h2
-rw-r--r--source3/winbindd/winbindd_cm.c103
-rw-r--r--source3/winbindd/winbindd_dual.c120
-rw-r--r--source3/winbindd/winbindd_misc.c5
-rw-r--r--source3/winbindd/winbindd_pam.c444
-rw-r--r--source3/winbindd/winbindd_proto.h1
-rw-r--r--source3/winbindd/winbindd_util.c14
56 files changed, 1023 insertions, 590 deletions
diff --git a/source3/Doxyfile b/source3/Doxyfile
index c1040781d8..9ade25c9a6 100644
--- a/source3/Doxyfile
+++ b/source3/Doxyfile
@@ -1,7 +1,7 @@
-# Doxyfile 0.1
+# Doxyfile 1.5.3
#---------------------------------------------------------------------------
-# General configuration options
+# Project related configuration options
#---------------------------------------------------------------------------
PROJECT_NAME = Samba
PROJECT_NUMBER = HEAD
@@ -13,68 +13,84 @@ PROJECT_NUMBER = HEAD
# doesn't mind variables being redefined.
OUTPUT_DIRECTORY = dox
-
OUTPUT_LANGUAGE = English
-EXTRACT_ALL = YES
-EXTRACT_PRIVATE = YES
-EXTRACT_STATIC = YES
-HIDE_UNDOC_MEMBERS = NO
-HIDE_UNDOC_CLASSES = NO
+DOXYFILE_ENCODING = UTF-8
BRIEF_MEMBER_DESC = YES
REPEAT_BRIEF = YES
ALWAYS_DETAILED_SEC = NO
FULL_PATH_NAMES = YES
STRIP_FROM_PATH = $(PWD)/
+SHORT_NAMES = NO
+JAVADOC_AUTOBRIEF = YES
+INHERIT_DOCS = YES
+TAB_SIZE = 8
+ALIASES =
+OPTIMIZE_OUTPUT_FOR_C = YES
+DISTRIBUTE_GROUP_DOC = NO
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+EXTRACT_ALL = YES
+EXTRACT_PRIVATE = YES
+EXTRACT_STATIC = YES
+EXTRACT_LOCAL_CLASSES = YES
+HIDE_UNDOC_MEMBERS = NO
+HIDE_UNDOC_CLASSES = NO
INTERNAL_DOCS = YES
-CLASS_DIAGRAMS = YES
-SOURCE_BROWSER = YES
-INLINE_SOURCES = YES
-STRIP_CODE_COMMENTS = NO
CASE_SENSE_NAMES = YES
-SHORT_NAMES = NO
HIDE_SCOPE_NAMES = YES
-VERBATIM_HEADERS = YES
SHOW_INCLUDE_FILES = YES
-JAVADOC_AUTOBRIEF = YES
-INHERIT_DOCS = YES
INLINE_INFO = YES
SORT_MEMBER_DOCS = NO
-DISTRIBUTE_GROUP_DOC = NO
-TAB_SIZE = 8
+SORT_BRIEF_DOCS = NO
GENERATE_TODOLIST = YES
GENERATE_TESTLIST = YES
GENERATE_BUGLIST = YES
-ALIASES =
+GENERATE_DEPRECATEDLIST= YES
ENABLED_SECTIONS =
MAX_INITIALIZER_LINES = 30
-OPTIMIZE_OUTPUT_FOR_C = YES
SHOW_USED_FILES = YES
-REFERENCED_BY_RELATION = YES
+SHOW_DIRECTORIES = YES
#---------------------------------------------------------------------------
# configuration options related to warning and progress messages
#---------------------------------------------------------------------------
QUIET = YES
WARNINGS = NO
WARN_IF_UNDOCUMENTED = NO
+WARN_IF_DOC_ERROR = NO
+WARN_NO_PARAMDOC = NO
WARN_FORMAT = "$file:$line: $text"
WARN_LOGFILE =
#---------------------------------------------------------------------------
# configuration options related to the input files
#---------------------------------------------------------------------------
INPUT = .
+INPUT_ENCODING = UTF-8
FILE_PATTERNS = *.c \
*.h \
*.idl
RECURSIVE = YES
EXCLUDE = include/includes.h \
include/proto.h
+EXCLUDE_SYMLINKS = NO
EXCLUDE_PATTERNS =
EXAMPLE_PATH =
EXAMPLE_PATTERNS =
+EXAMPLE_RECURSIVE = NO
IMAGE_PATH =
INPUT_FILTER =
FILTER_SOURCE_FILES = NO
#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+SOURCE_BROWSER = YES
+INLINE_SOURCES = YES
+STRIP_CODE_COMMENTS = NO
+REFERENCED_BY_RELATION = YES
+REFERENCES_RELATION = YES
+REFERENCES_LINK_SOURCE = YES
+VERBATIM_HEADERS = YES
+#---------------------------------------------------------------------------
# configuration options related to the alphabetical class index
#---------------------------------------------------------------------------
ALPHABETICAL_INDEX = YES
@@ -85,13 +101,12 @@ IGNORE_PREFIX =
#---------------------------------------------------------------------------
GENERATE_HTML = YES
HTML_OUTPUT = .
+HTML_FILE_EXTENSION = .html
HTML_HEADER =
HTML_FOOTER =
HTML_STYLESHEET =
HTML_ALIGN_MEMBERS = YES
GENERATE_HTMLHELP = NO
-GENERATE_CHI = NO
-BINARY_TOC = NO
TOC_EXPAND = NO
DISABLE_INDEX = NO
ENUM_VALUES_PER_LINE = 3
@@ -152,25 +167,26 @@ PERL_PATH = /usr/bin/perl
# configuration options related to the dot tool
#---------------------------------------------------------------------------
HAVE_DOT = NO
+CLASS_DIAGRAMS = YES
+HIDE_UNDOC_RELATIONS = NO
CLASS_GRAPH = YES
COLLABORATION_GRAPH = YES
+GROUP_GRAPHS = YES
TEMPLATE_RELATIONS = YES
INCLUDE_GRAPH = YES
INCLUDED_BY_GRAPH = YES
+CALL_GRAPH = YES
+CALLER_GRAPH = YES
GRAPHICAL_HIERARCHY = YES
+DIRECTORY_GRAPH = YES
+DOT_IMAGE_FORMAT = png
DOT_PATH =
DOTFILE_DIRS =
-MAX_DOT_GRAPH_WIDTH = 1024
-MAX_DOT_GRAPH_HEIGHT = 1024
+DOT_GRAPH_MAX_NODES = 50
+MAX_DOT_GRAPH_DEPTH = 0
GENERATE_LEGEND = YES
DOT_CLEANUP = YES
#---------------------------------------------------------------------------
# configuration::additions related to the search engine
#---------------------------------------------------------------------------
SEARCHENGINE = NO
-CGI_NAME = search.cgi
-CGI_URL =
-DOC_URL =
-DOC_ABSPATH =
-BIN_ABSPATH = /usr/local/bin/
-EXT_DOC_PATHS =
diff --git a/source3/Makefile.in b/source3/Makefile.in
index d92ececbbf..486d47f5f8 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -178,9 +178,9 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" \
# Note that all executable programs now provide for an optional executable suffix.
-SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
+SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@ @CIFSUPCALL_PROGS@
-ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@ @CIFSUPCALL_PROGS@
+ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@
BIN_PROGS1 = bin/smbclient@EXEEXT@ bin/net@EXEEXT@ bin/smbspool@EXEEXT@ \
bin/testparm@EXEEXT@ bin/smbstatus@EXEEXT@ bin/smbget@EXEEXT@
@@ -339,7 +339,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) \
lib/module.o lib/events.o lib/ldap_escape.o @CHARSET_STATIC@ \
lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
- lib/file_id.o
+ lib/file_id.o lib/idmap_cache.o
LIB_DUMMY_OBJ = lib/dummysmbd.o lib/dummyroot.o
LIB_NONSMBD_OBJ = $(LIB_OBJ) $(LIB_DUMMY_OBJ)
@@ -980,7 +980,7 @@ PAM_SMBPASS_OBJ = $(PAM_SMBPASS_OBJ_0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(PASSDB_
$(SMBLDAP_OBJ) $(LIBSAMBA_OBJ) \
$(LDB_OBJ)
-IDMAP_OBJ = winbindd/idmap.o winbindd/idmap_cache.o winbindd/idmap_util.o @IDMAP_STATIC@
+IDMAP_OBJ = winbindd/idmap.o winbindd/idmap_util.o @IDMAP_STATIC@
NSS_INFO_OBJ = winbindd/nss_info.o @NSS_INFO_STATIC@
@@ -1350,7 +1350,7 @@ bin/cifs.upcall@EXEEXT@: $(BINARY_PREREQS) $(CIFS_UPCALL_OBJ) $(LIBSMBCLIENT_OBJ
@$(CC) $(FLAGS) -o $@ $(CIFS_UPCALL_OBJ) $(DYNEXP) $(LDFLAGS) \
-lkeyutils $(LIBS) $(LIBSMBCLIENT_OBJ1) $(KRB5LIBS) \
$(LDAP_LIBS) $(POPT_LIBS) $(LIBTALLOC_LIBS) $(WINBIND_LIBS) \
- $(LIBTDB_LIBS)
+ $(LIBTDB_LIBS) $(NSCD_LIBS)
bin/testparm@EXEEXT@: $(BINARY_PREREQS) $(TESTPARM_OBJ) @BUILD_POPT@ @LIBTALLOC_SHARED@ @LIBTDB_SHARED@
@echo Linking $@
@@ -1824,7 +1824,7 @@ shlibs test_shlibs: @LIBADDNS_SHARED@
#
#-------------------------------------------------------------------
-LIBNETAPI_OBJ1 = lib/netapi/netapi.o \
+LIBNETAPI_OBJ0 = lib/netapi/netapi.o \
lib/netapi/cm.o \
librpc/gen_ndr/ndr_libnetapi.o \
lib/netapi/libnetapi.o \
@@ -1837,7 +1837,7 @@ LIBNETAPI_OBJ1 = lib/netapi/netapi.o \
lib/netapi/samr.o \
lib/netapi/sid.o
-LIBNETAPI_OBJ = $(LIBNETAPI_OBJ1) $(LIBNET_OBJ) \
+LIBNETAPI_OBJ = $(LIBNETAPI_OBJ0) $(LIBNET_OBJ) \
$(LIBSMBCONF_OBJ) \
$(REG_SMBCONF_OBJ) \
$(PARAM_WITHOUT_REG_OBJ) $(LIB_NONSMBD_OBJ) \
@@ -1869,9 +1869,9 @@ $(LIBNETAPI_SHARED_TARGET): $(LIBNETAPI_SHARED_TARGET_SONAME)
@rm -f $@
@ln -s -f `basename $(LIBNETAPI_SHARED_TARGET_SONAME)` $@
-$(LIBNETAPI_STATIC_TARGET): $(BINARY_PREREQS) $(LIBNETAPI_OBJ1)
+$(LIBNETAPI_STATIC_TARGET): $(BINARY_PREREQS) $(LIBNETAPI_OBJ0)
@echo Linking non-shared library $@
- @-$(AR) -rc $@ $(LIBNETAPI_OBJ1)
+ @-$(AR) -rc $@ $(LIBNETAPI_OBJ0)
libnetapi: $(LIBNETAPI)
@@ -1917,10 +1917,13 @@ LIBSMBCLIENT_SOVER=@LIBSMBCLIENT_SOVER@
LIBSMBCLIENT_SHARED_TARGET_SONAME=$(LIBSMBCLIENT_SHARED_TARGET).$(LIBSMBCLIENT_SOVER)
LIBSMBCLIENT_STATIC_TARGET=@LIBSMBCLIENT_STATIC_TARGET@
LIBSMBCLIENT=$(LIBSMBCLIENT_STATIC_TARGET) @LIBSMBCLIENT_SHARED@
-#LIBSMBCLIENT_SYMS=$(srcdir)/exports/libsmbclient.@SYMSEXT@
+LIBSMBCLIENT_SYMS=$(srcdir)/exports/libsmbclient.@SYMSEXT@
LIBSMBCLIENT_HEADERS=$(srcdir)/include/libsmbclient.h
-$(LIBSMBCLIENT_SHARED_TARGET_SONAME): $(BINARY_PREREQS) $(LIBSMBCLIENT_OBJ) @LIBTALLOC_SHARED@ @LIBTDB_SHARED@ @LIBWBCLIENT_SHARED@
+$(LIBSMBCLIENT_SYMS): $(LIBSMBCLIENT_HEADERS)
+ @$(MKSYMS_SH) $(AWK) $@ $(LIBSMBCLIENT_HEADERS)
+
+$(LIBSMBCLIENT_SHARED_TARGET_SONAME): $(BINARY_PREREQS) $(LIBSMBCLIENT_OBJ) $(LIBSMBCLIENT_SYMS) @LIBTALLOC_SHARED@ @LIBTDB_SHARED@ @LIBWBCLIENT_SHARED@
@echo Linking shared library $@
@$(SHLD_DSO) $(LIBSMBCLIENT_OBJ) \
$(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(WINBIND_LIBS) $(LIBS) \
@@ -1986,12 +1989,13 @@ LIBSMBSHAREMODES_SOVER=@LIBSMBSHAREMODES_SOVER@
LIBSMBSHAREMODES_SHARED_TARGET_SONAME=$(LIBSMBSHAREMODES_SHARED_TARGET).$(LIBSMBSHAREMODES_SOVER)
LIBSMBSHAREMODES_STATIC_TARGET=@LIBSMBSHAREMODES_STATIC_TARGET@
LIBSMBSHAREMODES=$(LIBSMBSHAREMODES_STATIC_TARGET) @LIBSMBSHAREMODES_SHARED@
-#LIBSMBSHAREMODES_SYMS=$(srcdir)/exports/libsmbsharemodes.@SYMSEXT@
+LIBSMBSHAREMODES_SYMS=$(srcdir)/exports/libsmbsharemodes.@SYMSEXT@
LIBSMBSHAREMODES_HEADERS=$(srcdir)/include/smb_share_modes.h
-LIBSMBSHAREMODES=bin/libsmbsharemodes.a @LIBSMBSHAREMODES_SHARED@
+$(LIBSMBSHAREMODES_SYMS): $(LIBSMBSHAREMODES_HEADERS)
+ @$(MKSYMS_SH) $(AWK) $@ $(LIBSMBSHAREMODES_HEADERS)
-$(LIBSMBSHAREMODES_SHARED_TARGET_SONAME): $(BINARY_PREREQS) $(LIBSMBSHAREMODES_OBJ) @LIBTALLOC_SHARED@ @LIBTDB_SHARED@
+$(LIBSMBSHAREMODES_SHARED_TARGET_SONAME): $(BINARY_PREREQS) $(LIBSMBSHAREMODES_OBJ) $(LIBSMBSHAREMODES_SYMS) @LIBTALLOC_SHARED@ @LIBTDB_SHARED@
@echo Linking shared library $@
@$(SHLD_DSO) $(LIBSMBSHAREMODES_OBJ) \
$(LIBS) $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) \
@@ -2471,7 +2475,7 @@ install-everything:: install installmodules
# is not used
installdirs::
- @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(BINDIR) $(SBINDIR) $(LIBDIR) $(VARDIR) $(PRIVATEDIR) $(PIDDIR) $(LOCKDIR) $(MANDIR)
+ @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(BINDIR) $(SBINDIR) $(LIBDIR) $(VARDIR) $(PRIVATEDIR) $(PIDDIR) $(LOCKDIR) $(MANDIR) $(CODEPAGEDIR) $(MODULESDIR)
installservers:: all installdirs
@$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(SBINDIR) $(SBIN_PROGS)
@@ -2484,8 +2488,8 @@ installcifsmount:: @CIFSMOUNT_PROGS@
@$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSMOUNT_PROGS@
installcifsupcall:: @CIFSUPCALL_PROGS@
- @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(ROOTSBINDIR)
- @$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSUPCALL_PROGS@
+ @$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(SBINDIR)
+ @$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(SBINDIR) @CIFSUPCALL_PROGS@
# Some symlinks are required for the 'probing' of modules.
# This mechanism should go at some point..
@@ -2716,3 +2720,14 @@ valgrindtest:: all torture timelimit
SMBD_VALGRIND="xterm -n smbd -e valgrind -q --db-attach=yes --num-callers=30" \
VALGRIND="valgrind -q --num-callers=30 --log-file=${selftest_prefix}/valgrind.log" \
PERL="$(PERL)" $(srcdir)/script/tests/selftest.sh ${selftest_prefix} all "${smbtorture4_path}"
+
+
+##
+## Examples:
+##
+
+libsmbclient_examples:
+ $(MAKE) -C ../examples/libsmbclient -f Makefile.internal
+
+clean_libsmbclient_examples:
+ $(MAKE) -C ../examples/libsmbclient -f Makefile.internal clean
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 58921bdf15..9345eed27a 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -63,6 +63,7 @@ typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_resp
* Macros to help make life easy
*/
#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
+#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
/*******************************************************************
PAM error handler.
@@ -327,7 +328,7 @@ static int smb_pam_passchange_conv(int num_msg,
DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
#endif
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(current_reply);
+ reply[replies].resp = COPY_FSTRING(current_reply);
found = True;
break;
}
@@ -355,7 +356,7 @@ static int smb_pam_passchange_conv(int num_msg,
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(current_reply);
+ reply[replies].resp = COPY_FSTRING(current_reply);
#ifdef DEBUG_PASSWORD
DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
#endif
diff --git a/source3/client/cifs.upcall.c b/source3/client/cifs.upcall.c
index aa5eb57310..7cb51660d7 100644
--- a/source3/client/cifs.upcall.c
+++ b/source3/client/cifs.upcall.c
@@ -29,7 +29,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
#include "cifs_spnego.h"
-const char *CIFSSPNEGO_VERSION = "1.1";
+const char *CIFSSPNEGO_VERSION = "1.2";
static const char *prog = "cifs.upcall";
typedef enum _secType {
KRB5,
@@ -73,7 +73,7 @@ int handle_krb5_mech(const char *oid, const char *principal,
tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
/* and wrap that in a shiny SPNEGO wrapper */
- *secblob = gen_negTokenInit(OID_KERBEROS5, tkt_wrapped);
+ *secblob = gen_negTokenInit(oid, tkt_wrapped);
data_blob_free(&tkt_wrapped);
data_blob_free(&tkt);
@@ -118,6 +118,9 @@ int decode_key_description(const char *desc, int *ver, secType_t * sec,
if (strncmp(tkn + 4, "krb5", 4) == 0) {
retval |= DKD_HAVE_SEC;
*sec = KRB5;
+ } else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
+ retval |= DKD_HAVE_SEC;
+ *sec = MS_KRB5;
}
} else if (strncmp(tkn, "uid=", 4) == 0) {
errno = 0;
@@ -220,6 +223,7 @@ int main(const int argc, char *const argv[])
int kernel_upcall_version;
int c, use_cifs_service_prefix = 0;
char *buf, *hostname = NULL;
+ const char *oid;
openlog(prog, 0, LOG_DAEMON);
@@ -280,7 +284,7 @@ int main(const int argc, char *const argv[])
}
SAFE_FREE(buf);
- if (kernel_upcall_version != CIFS_SPNEGO_UPCALL_VERSION) {
+ if (kernel_upcall_version > CIFS_SPNEGO_UPCALL_VERSION) {
syslog(LOG_WARNING,
"incompatible kernel upcall version: 0x%x",
kernel_upcall_version);
@@ -301,6 +305,7 @@ int main(const int argc, char *const argv[])
// do mech specific authorization
switch (sectype) {
+ case MS_KRB5:
case KRB5:{
char *princ;
size_t len;
@@ -319,8 +324,12 @@ int main(const int argc, char *const argv[])
}
strlcpy(princ + 5, hostname, len - 5);
- rc = handle_krb5_mech(OID_KERBEROS5, princ,
- &secblob, &sess_key);
+ if (sectype == MS_KRB5)
+ oid = OID_KERBEROS5_OLD;
+ else
+ oid = OID_KERBEROS5;
+
+ rc = handle_krb5_mech(oid, princ, &secblob, &sess_key);
SAFE_FREE(princ);
break;
}
@@ -344,7 +353,7 @@ int main(const int argc, char *const argv[])
rc = 1;
goto out;
}
- keydata->version = CIFS_SPNEGO_UPCALL_VERSION;
+ keydata->version = kernel_upcall_version;
keydata->flags = 0;
keydata->sesskey_len = sess_key.length;
keydata->secblob_len = secblob.length;
diff --git a/source3/client/cifs_spnego.h b/source3/client/cifs_spnego.h
index 13909dd505..f8753a7d59 100644
--- a/source3/client/cifs_spnego.h
+++ b/source3/client/cifs_spnego.h
@@ -23,7 +23,7 @@
#ifndef _CIFS_SPNEGO_H
#define _CIFS_SPNEGO_H
-#define CIFS_SPNEGO_UPCALL_VERSION 1
+#define CIFS_SPNEGO_UPCALL_VERSION 2
/*
* The version field should always be set to CIFS_SPNEGO_UPCALL_VERSION.
diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
index c7009e306c..dd878aa07b 100644
--- a/source3/client/mount.cifs.c
+++ b/source3/client/mount.cifs.c
@@ -473,7 +473,8 @@ static int parse_options(char ** optionsp, int * filesys_flags)
}
} else if (strncmp(data, "sec", 3) == 0) {
if (value) {
- if (!strcmp(value, "none"))
+ if (!strncmp(value, "none", 4) ||
+ !strncmp(value, "krb5", 4))
got_password = 1;
}
} else if (strncmp(data, "ip", 2) == 0) {
diff --git a/source3/configure.in b/source3/configure.in
index c7698590a9..9436fed1ff 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -2627,30 +2627,32 @@ AC_CHECK_FUNCS(getpagesize)
################################################
# look for a method of setting the effective uid
seteuid=no;
+
if test $seteuid = no; then
-AC_CACHE_CHECK([for setresuid],samba_cv_USE_SETRESUID,[
+AC_CACHE_CHECK([for setreuid],samba_cv_USE_SETREUID,[
AC_TRY_RUN([
#define AUTOCONF_TEST 1
-#define USE_SETRESUID 1
+#define USE_SETREUID 1
#include "confdefs.h"
#include "${srcdir-.}/lib/util_sec.c"],
- samba_cv_USE_SETRESUID=yes,samba_cv_USE_SETRESUID=no,samba_cv_USE_SETRESUID=cross)])
-if test x"$samba_cv_USE_SETRESUID" = x"yes"; then
- seteuid=yes;AC_DEFINE(USE_SETRESUID,1,[Whether setresuid() is available])
+ samba_cv_USE_SETREUID=yes,samba_cv_USE_SETREUID=no,samba_cv_USE_SETREUID=cross)])
+if test x"$samba_cv_USE_SETREUID" = x"yes"; then
+ seteuid=yes;AC_DEFINE(USE_SETREUID,1,[Whether setreuid() is available])
fi
fi
-
+# we check for setresuid second as it conflicts with AIO on Linux.
+# see http://samba.org/~tridge/junkcode/aio_uid.c
if test $seteuid = no; then
-AC_CACHE_CHECK([for setreuid],samba_cv_USE_SETREUID,[
+AC_CACHE_CHECK([for setresuid],samba_cv_USE_SETRESUID,[
AC_TRY_RUN([
#define AUTOCONF_TEST 1
-#define USE_SETREUID 1
+#define USE_SETRESUID 1
#include "confdefs.h"
#include "${srcdir-.}/lib/util_sec.c"],
- samba_cv_USE_SETREUID=yes,samba_cv_USE_SETREUID=no,samba_cv_USE_SETREUID=cross)])
-if test x"$samba_cv_USE_SETREUID" = x"yes"; then
- seteuid=yes;AC_DEFINE(USE_SETREUID,1,[Whether setreuid() is available])
+ samba_cv_USE_SETRESUID=yes,samba_cv_USE_SETRESUID=no,samba_cv_USE_SETRESUID=cross)])
+if test x"$samba_cv_USE_SETRESUID" = x"yes"; then
+ seteuid=yes;AC_DEFINE(USE_SETRESUID,1,[Whether setresuid() is available])
fi
fi
@@ -4048,7 +4050,7 @@ INSTALL_CIFSUPCALL=""
UNINSTALL_CIFSUPCALL=""
AC_MSG_CHECKING(whether to build cifs.upcall)
AC_ARG_WITH(cifsupcall,
-[AS_HELP_STRING([--with-cifsupcall], [Include cifs.upcall (Linux only) support (default=no)])],
+[AS_HELP_STRING([--with-cifsupcall], [Include cifs.upcall (Linux only) support (default=yes)])],
[ case "$withval" in
no)
AC_MSG_RESULT(no)
@@ -4074,9 +4076,24 @@ AC_ARG_WITH(cifsupcall,
esac
;;
esac ],
-[
- AC_MSG_RESULT(no)
- ]
+[ case "$host_os" in
+ *linux*)
+ if test x"$use_ads" != x"yes"; then
+ AC_MSG_WARN(ADS support should be enabled for building cifs.upcall)
+ elif test x"$HAVE_KEYUTILS_H" != "x1"; then
+ AC_MSG_WARN(keyutils package is required for cifs.upcall)
+ else
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(WITH_CIFSUPCALL,1,[whether to build cifs.upcall])
+ CIFSUPCALL_PROGS="bin/cifs.upcall"
+ INSTALL_CIFSUPCALL="installcifsupcall"
+ UNINSTALL_CIFSUPCALL="uninstallcifsupcall"
+ fi
+ ;;
+ *)
+ AC_MSG_RESULT(no)
+ ;;
+ esac ]
)
@@ -6149,6 +6166,7 @@ AC_OUTPUT(Makefile
pkgconfig/wbclient.pc
pkgconfig/netapi.pc
pkgconfig/smbsharemodes.pc
+ ../examples/libsmbclient/Makefile.internal
)
#################################################
diff --git a/source3/exports/libsmbclient.syms b/source3/exports/libsmbclient.syms
deleted file mode 100644
index 3062e34bfd..0000000000
--- a/source3/exports/libsmbclient.syms
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- global: smbc_*;
- local: *;
-};
diff --git a/source3/exports/libsmbsharemodes.syms b/source3/exports/libsmbsharemodes.syms
deleted file mode 100644
index eb34bfc012..0000000000
--- a/source3/exports/libsmbsharemodes.syms
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- global: *;
-};
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 2d9734873e..d757b2db80 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -623,7 +623,7 @@ bool is_local_net(const struct sockaddr_storage *from);
void setup_linklocal_scope_id(struct sockaddr_storage *pss);
bool is_local_net_v4(struct in_addr from);
int iface_count(void);
-int iface_count_v4(void);
+int iface_count_v4_nl(void);
const struct in_addr *first_ipv4_iface(void);
struct interface *get_interface(int n);
const struct sockaddr_storage *iface_n_sockaddr_storage(int n);
@@ -6049,6 +6049,7 @@ int lp_directory_name_cache_size(int );
int lp_smb_encrypt(int );
char lp_magicchar(const struct share_params *p );
int lp_winbind_cache_time(void);
+int lp_winbind_reconnect_delay(void);
const char **lp_winbind_nss_info(void);
int lp_algorithmic_rid_base(void);
int lp_name_cache_timeout(void);
diff --git a/source3/include/smb.h b/source3/include/smb.h
index b8ff34f831..c8c4f8c3cc 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1330,12 +1330,19 @@ struct bitmap {
#define FILE_DELETE_ON_CLOSE 0x1000
#define FILE_OPEN_BY_FILE_ID 0x2000
-/* Private create options used by the ntcreatex processing code. From Samba4. */
-#define NTCREATEX_OPTIONS_PRIVATE_DENY_DOS 0x01000000
-#define NTCREATEX_OPTIONS_PRIVATE_DENY_FCB 0x02000000
+#define NTCREATEX_OPTIONS_MUST_IGNORE_MASK (0x008F0480)
+
+#define NTCREATEX_OPTIONS_INVALID_PARAM_MASK (0xFF100030)
+
+/*
+ * Private create options used by the ntcreatex processing code. From Samba4.
+ * We reuse some ignored flags for private use.
+ */
+#define NTCREATEX_OPTIONS_PRIVATE_DENY_DOS 0x00010000
+#define NTCREATEX_OPTIONS_PRIVATE_DENY_FCB 0x00020000
/* Private options for streams support */
-#define NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE 0x04000000
+#define NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE 0x00040000
/* Responses when opening a file. */
#define FILE_WAS_SUPERSEDED 0
diff --git a/source3/lib/dbwrap_ctdb.c b/source3/lib/dbwrap_ctdb.c
index 7c1ef8fed8..63a5ce4de6 100644
--- a/source3/lib/dbwrap_ctdb.c
+++ b/source3/lib/dbwrap_ctdb.c
@@ -2,17 +2,17 @@
Unix SMB/CIFS implementation.
Database interface wrapper around ctdbd
Copyright (C) Volker Lendecke 2007
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -76,7 +76,7 @@ static NTSTATUS tdb_error_to_ntstatus(struct tdb_context *tdb)
/*
form a ctdb_rec_data record from a key/data pair
-
+
note that header may be NULL. If not NULL then it is included in the data portion
of the record
*/
@@ -130,7 +130,8 @@ static struct ctdb_marshall_buffer *db_ctdb_marshall_add(TALLOC_CTX *mem_ctx,
}
if (m == NULL) {
- m = talloc_zero_size(mem_ctx, offsetof(struct ctdb_marshall_buffer, data));
+ m = (struct ctdb_marshall_buffer *)talloc_zero_size(
+ mem_ctx, offsetof(struct ctdb_marshall_buffer, data));
if (m == NULL) {
return NULL;
}
@@ -140,7 +141,8 @@ static struct ctdb_marshall_buffer *db_ctdb_marshall_add(TALLOC_CTX *mem_ctx,
m_size = talloc_get_size(m);
r_size = talloc_get_size(r);
- m2 = talloc_realloc_size(mem_ctx, m, m_size + r_size);
+ m2 = (struct ctdb_marshall_buffer *)talloc_realloc_size(
+ mem_ctx, m, m_size + r_size);
if (m2 == NULL) {
talloc_free(m);
return NULL;
@@ -166,7 +168,7 @@ static TDB_DATA db_ctdb_marshall_finish(struct ctdb_marshall_buffer *m)
/*
loop over a marshalling buffer
-
+
- pass r==NULL to start
- loop the number of times indicated by m->count
*/
@@ -184,7 +186,7 @@ static struct ctdb_rec_data *db_ctdb_marshall_loop_next(struct ctdb_marshall_buf
if (reqid != NULL) {
*reqid = r->reqid;
}
-
+
if (key != NULL) {
key->dptr = &r->data[0];
key->dsize = r->keylen;
@@ -228,7 +230,7 @@ static int db_ctdb_transaction_fetch_start(struct db_ctdb_transaction_handle *h)
struct db_ctdb_ctx *ctx = h->ctx;
TDB_DATA data;
- key.dptr = discard_const(keyname);
+ key.dptr = (uint8_t *)discard_const(keyname);
key.dsize = strlen(keyname);
again:
@@ -483,16 +485,16 @@ static int db_ctdb_transaction_store(struct db_ctdb_transaction_handle *h,
return -1;
}
}
-
+
h->m_write = db_ctdb_marshall_add(h, h->m_write, h->ctx->db_id, 0, key, &header, data);
if (h->m_write == NULL) {
DEBUG(0,(__location__ " Failed to add to marshalling record\n"));
talloc_free(tmp_ctx);
return -1;
}
-
+
rec.dsize = data.dsize + sizeof(struct ctdb_ltdb_header);
- rec.dptr = talloc_size(tmp_ctx, rec.dsize);
+ rec.dptr = (uint8_t *)talloc_size(tmp_ctx, rec.dsize);
if (rec.dptr == NULL) {
DEBUG(0,(__location__ " Failed to alloc record\n"));
talloc_free(tmp_ctx);
@@ -504,7 +506,7 @@ static int db_ctdb_transaction_store(struct db_ctdb_transaction_handle *h,
ret = tdb_store(h->ctx->wtdb->tdb, key, rec, TDB_REPLACE);
talloc_free(tmp_ctx);
-
+
return ret;
}
@@ -590,7 +592,7 @@ static int ctdb_replay_transaction(struct db_ctdb_transaction_handle *h)
talloc_free(tmp_ctx);
}
}
-
+
return 0;
failed:
@@ -868,7 +870,7 @@ again:
(int)crec->ctdb_ctx->db_id, keystr));
TALLOC_FREE(keystr);
}
-
+
if (tdb_chainlock(ctx->wtdb->tdb, key) != 0) {
DEBUG(3, ("tdb_chainlock failed\n"));
TALLOC_FREE(result);
diff --git a/source3/winbindd/idmap_cache.c b/source3/lib/idmap_cache.c
index 496f70ab45..6377635a65 100644
--- a/source3/winbindd/idmap_cache.c
+++ b/source3/lib/idmap_cache.c
@@ -18,7 +18,6 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.*/
#include "includes.h"
-#include "winbindd.h"
/**
* Find a sid2uid mapping
diff --git a/source3/lib/interface.c b/source3/lib/interface.c
index eb0af9ef34..2e7c2706a0 100644
--- a/source3/lib/interface.c
+++ b/source3/lib/interface.c
@@ -131,15 +131,18 @@ int iface_count(void)
}
/****************************************************************************
- How many interfaces do we have (v4 only) ?
+ How many non-loopback IPv4 interfaces do we have ?
**************************************************************************/
-int iface_count_v4(void)
+int iface_count_v4_nl(void)
{
int ret = 0;
struct interface *i;
for (i=local_interfaces;i;i=i->next) {
+ if (is_loopback_addr(&i->ip)) {
+ continue;
+ }
if (i->ip.ss_family == AF_INET) {
ret++;
}
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index 5f26cc80f8..9f952abf10 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -2008,6 +2008,7 @@ bool str_list_sub_basic( char **list, const char *smb_name,
bool str_list_substitute(char **list, const char *pattern, const char *insert)
{
+ TALLOC_CTX *ctx = list;
char *p, *s, *t;
ssize_t ls, lp, li, ld, i, d;
@@ -2030,7 +2031,7 @@ bool str_list_substitute(char **list, const char *pattern, const char *insert)
t = *list;
d = p -t;
if (ld) {
- t = (char *) SMB_MALLOC(ls +ld +1);
+ t = TALLOC_ARRAY(ctx, char, ls +ld +1);
if (!t) {
DEBUG(0,("str_list_substitute: "
"Unable to allocate memory"));
@@ -2038,7 +2039,7 @@ bool str_list_substitute(char **list, const char *pattern, const char *insert)
}
memcpy(t, *list, d);
memcpy(t +d +li, p +lp, ls -d -lp +1);
- SAFE_FREE(*list);
+ TALLOC_FREE(*list);
*list = t;
ls += ld;
s = t +d +li;
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index b59dab1f13..eb45e3a0dd 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -393,9 +393,6 @@ static NTSTATUS ads_lookup_site(void)
ADS_STRUCT *ads = NULL;
ADS_STATUS ads_status;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct nbt_cldap_netlogon_5 cldap_reply;
-
- ZERO_STRUCT(cldap_reply);
ads = ads_init(lp_realm(), NULL, NULL);
if (!ads) {
diff --git a/source3/librpc/gen_ndr/cli_netlogon.c b/source3/librpc/gen_ndr/cli_netlogon.c
index 2ddb165bec..d6ac8b9ede 100644
--- a/source3/librpc/gen_ndr/cli_netlogon.c
+++ b/source3/librpc/gen_ndr/cli_netlogon.c
@@ -1504,9 +1504,9 @@ NTSTATUS rpccli_netr_ServerPasswordSet2(struct rpc_pipe_client *cli,
const char *account_name /* [in] [charset(UTF16)] */,
enum netr_SchannelType secure_channel_type /* [in] */,
const char *computer_name /* [in] [charset(UTF16)] */,
- struct netr_Authenticator credential /* [in] */,
- struct netr_CryptPassword new_password /* [in] */,
- struct netr_Authenticator *return_authenticator /* [out] [ref] */)
+ struct netr_Authenticator *credential /* [in] [ref] */,
+ struct netr_Authenticator *return_authenticator /* [out] [ref] */,
+ struct netr_CryptPassword *new_password /* [in] [ref] */)
{
struct netr_ServerPasswordSet2 r;
NTSTATUS status;
diff --git a/source3/librpc/gen_ndr/cli_netlogon.h b/source3/librpc/gen_ndr/cli_netlogon.h
index 296873274e..2033315a5d 100644
--- a/source3/librpc/gen_ndr/cli_netlogon.h
+++ b/source3/librpc/gen_ndr/cli_netlogon.h
@@ -239,9 +239,9 @@ NTSTATUS rpccli_netr_ServerPasswordSet2(struct rpc_pipe_client *cli,
const char *account_name /* [in] [charset(UTF16)] */,
enum netr_SchannelType secure_channel_type /* [in] */,
const char *computer_name /* [in] [charset(UTF16)] */,
- struct netr_Authenticator credential /* [in] */,
- struct netr_CryptPassword new_password /* [in] */,
- struct netr_Authenticator *return_authenticator /* [out] [ref] */);
+ struct netr_Authenticator *credential /* [in] [ref] */,
+ struct netr_Authenticator *return_authenticator /* [out] [ref] */,
+ struct netr_CryptPassword *new_password /* [in] [ref] */);
NTSTATUS rpccli_netr_ServerPasswordGet(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *server_name /* [in] [unique,charset(UTF16)] */,
diff --git a/source3/librpc/gen_ndr/krb5pac.h b/source3/librpc/gen_ndr/krb5pac.h
index 2d799ea7c7..b3b29e5b2f 100644
--- a/source3/librpc/gen_ndr/krb5pac.h
+++ b/source3/librpc/gen_ndr/krb5pac.h
@@ -76,7 +76,7 @@ union PAC_INFO {
struct PAC_SIGNATURE_DATA srv_cksum;/* [case(PAC_TYPE_SRV_CHECKSUM)] */
struct PAC_SIGNATURE_DATA kdc_cksum;/* [case(PAC_TYPE_KDC_CHECKSUM)] */
struct PAC_LOGON_NAME logon_name;/* [case(PAC_TYPE_LOGON_NAME)] */
- struct DATA_BLOB_REM unknown;/* [subcontext(0),case(PAC_TYPE_UNKNOWN_12)] */
+ struct DATA_BLOB_REM unknown;/* [subcontext(0),default] */
}/* [gensize,nodiscriminant,public] */;
struct PAC_BUFFER {
diff --git a/source3/librpc/gen_ndr/ndr_krb5pac.c b/source3/librpc/gen_ndr/ndr_krb5pac.c
index 70d63aee91..6e06f90a68 100644
--- a/source3/librpc/gen_ndr/ndr_krb5pac.c
+++ b/source3/librpc/gen_ndr/ndr_krb5pac.c
@@ -319,7 +319,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_INFO(struct ndr_push *ndr, int ndr_flags
NDR_CHECK(ndr_push_PAC_LOGON_NAME(ndr, NDR_SCALARS, &r->logon_name));
break; }
- case PAC_TYPE_UNKNOWN_12: {
+ default: {
{
struct ndr_push *_ndr_unknown;
NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_unknown, 0, -1));
@@ -328,8 +328,6 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_INFO(struct ndr_push *ndr, int ndr_flags
}
break; }
- default:
- return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
}
}
if (ndr_flags & NDR_BUFFERS) {
@@ -348,11 +346,9 @@ _PUBLIC_ enum ndr_err_code ndr_push_PAC_INFO(struct ndr_push *ndr, int ndr_flags
case PAC_TYPE_LOGON_NAME:
break;
- case PAC_TYPE_UNKNOWN_12:
+ default:
break;
- default:
- return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
}
}
return NDR_ERR_SUCCESS;
@@ -380,7 +376,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_INFO(struct ndr_pull *ndr, int ndr_flags
NDR_CHECK(ndr_pull_PAC_LOGON_NAME(ndr, NDR_SCALARS, &r->logon_name));
break; }
- case PAC_TYPE_UNKNOWN_12: {
+ default: {
{
struct ndr_pull *_ndr_unknown;
NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_unknown, 0, -1));
@@ -389,8 +385,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_INFO(struct ndr_pull *ndr, int ndr_flags
}
break; }
- default:
- return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
}
}
if (ndr_flags & NDR_BUFFERS) {
@@ -408,11 +402,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_PAC_INFO(struct ndr_pull *ndr, int ndr_flags
case PAC_TYPE_LOGON_NAME:
break;
- case PAC_TYPE_UNKNOWN_12:
+ default:
break;
- default:
- return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u", level);
}
}
return NDR_ERR_SUCCESS;
@@ -440,12 +432,10 @@ _PUBLIC_ void ndr_print_PAC_INFO(struct ndr_print *ndr, const char *name, const
ndr_print_PAC_LOGON_NAME(ndr, "logon_name", &r->logon_name);
break;
- case PAC_TYPE_UNKNOWN_12:
+ default:
ndr_print_DATA_BLOB_REM(ndr, "unknown", &r->unknown);
break;
- default:
- ndr_print_bad_level(ndr, name, level);
}
}
diff --git a/source3/librpc/gen_ndr/ndr_netlogon.c b/source3/librpc/gen_ndr/ndr_netlogon.c
index ba05ebc03f..b43a157997 100644
--- a/source3/librpc/gen_ndr/ndr_netlogon.c
+++ b/source3/librpc/gen_ndr/ndr_netlogon.c
@@ -12310,8 +12310,14 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet2(struct ndr_push *ndr,
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0));
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.computer_name, CH_UTF16)));
NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->in.computer_name, ndr_charset_length(r->in.computer_name, CH_UTF16), sizeof(uint16_t), CH_UTF16));
- NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
- NDR_CHECK(ndr_push_netr_CryptPassword(ndr, NDR_SCALARS, &r->in.new_password));
+ if (r->in.credential == NULL) {
+ return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
+ }
+ NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
+ if (r->in.new_password == NULL) {
+ return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
+ }
+ NDR_CHECK(ndr_push_netr_CryptPassword(ndr, NDR_SCALARS, r->in.new_password));
}
if (flags & NDR_OUT) {
if (r->out.return_authenticator == NULL) {
@@ -12327,7 +12333,9 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr,
{
uint32_t _ptr_server_name;
TALLOC_CTX *_mem_save_server_name_0;
+ TALLOC_CTX *_mem_save_credential_0;
TALLOC_CTX *_mem_save_return_authenticator_0;
+ TALLOC_CTX *_mem_save_new_password_0;
if (flags & NDR_IN) {
ZERO_STRUCT(r->out);
@@ -12364,8 +12372,20 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr,
}
NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t)));
NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16));
- NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
- NDR_CHECK(ndr_pull_netr_CryptPassword(ndr, NDR_SCALARS, &r->in.new_password));
+ if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
+ NDR_PULL_ALLOC(ndr, r->in.credential);
+ }
+ _mem_save_credential_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->in.credential, LIBNDR_FLAG_REF_ALLOC);
+ NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_credential_0, LIBNDR_FLAG_REF_ALLOC);
+ if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
+ NDR_PULL_ALLOC(ndr, r->in.new_password);
+ }
+ _mem_save_new_password_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->in.new_password, LIBNDR_FLAG_REF_ALLOC);
+ NDR_CHECK(ndr_pull_netr_CryptPassword(ndr, NDR_SCALARS, r->in.new_password));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_new_password_0, LIBNDR_FLAG_REF_ALLOC);
NDR_PULL_ALLOC(ndr, r->out.return_authenticator);
ZERO_STRUCTP(r->out.return_authenticator);
}
@@ -12401,8 +12421,14 @@ _PUBLIC_ void ndr_print_netr_ServerPasswordSet2(struct ndr_print *ndr, const cha
ndr_print_string(ndr, "account_name", r->in.account_name);
ndr_print_netr_SchannelType(ndr, "secure_channel_type", r->in.secure_channel_type);
ndr_print_string(ndr, "computer_name", r->in.computer_name);
- ndr_print_netr_Authenticator(ndr, "credential", &r->in.credential);
- ndr_print_netr_CryptPassword(ndr, "new_password", &r->in.new_password);
+ ndr_print_ptr(ndr, "credential", r->in.credential);
+ ndr->depth++;
+ ndr_print_netr_Authenticator(ndr, "credential", r->in.credential);
+ ndr->depth--;
+ ndr_print_ptr(ndr, "new_password", r->in.new_password);
+ ndr->depth++;
+ ndr_print_netr_CryptPassword(ndr, "new_password", r->in.new_password);
+ ndr->depth--;
ndr->depth--;
}
if (flags & NDR_OUT) {
diff --git a/source3/librpc/gen_ndr/netlogon.h b/source3/librpc/gen_ndr/netlogon.h
index 9e8605110f..1cea1f0f42 100644
--- a/source3/librpc/gen_ndr/netlogon.h
+++ b/source3/librpc/gen_ndr/netlogon.h
@@ -1355,8 +1355,8 @@ struct netr_ServerPasswordSet2 {
const char *account_name;/* [charset(UTF16)] */
enum netr_SchannelType secure_channel_type;
const char *computer_name;/* [charset(UTF16)] */
- struct netr_Authenticator credential;
- struct netr_CryptPassword new_password;
+ struct netr_Authenticator *credential;/* [ref] */
+ struct netr_CryptPassword *new_password;/* [ref] */
} in;
struct {
diff --git a/source3/librpc/idl/krb5pac.idl b/source3/librpc/idl/krb5pac.idl
index 7c2f72d3cb..c039502d23 100644
--- a/source3/librpc/idl/krb5pac.idl
+++ b/source3/librpc/idl/krb5pac.idl
@@ -70,7 +70,7 @@ interface krb5pac
[case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
[case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
[case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name;
- [case(PAC_TYPE_UNKNOWN_12)] [subcontext(0)] DATA_BLOB_REM unknown;
+ [default] [subcontext(0)] DATA_BLOB_REM unknown;
/* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */
} PAC_INFO;
diff --git a/source3/librpc/idl/netlogon.idl b/source3/librpc/idl/netlogon.idl
index 98cf1e7d32..74535fc073 100644
--- a/source3/librpc/idl/netlogon.idl
+++ b/source3/librpc/idl/netlogon.idl
@@ -1182,9 +1182,9 @@ interface netlogon
[in] [string,charset(UTF16)] uint16 account_name[],
[in] netr_SchannelType secure_channel_type,
[in] [string,charset(UTF16)] uint16 computer_name[],
- [in] netr_Authenticator credential,
- [in] netr_CryptPassword new_password,
- [out,ref] netr_Authenticator *return_authenticator
+ [in,ref] netr_Authenticator *credential,
+ [out,ref] netr_Authenticator *return_authenticator,
+ [in,ref] netr_CryptPassword *new_password
);
/****************/
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 5bb33b11d7..fa21ad3467 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -1910,7 +1910,7 @@ static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context,
}
/* We now have a service ticket, now turn it into an AP-REQ. */
- authenticator->length = ntohs(fwdData.length + GSSAPI_CHECKSUM_SIZE);
+ authenticator->length = fwdData.length + GSSAPI_CHECKSUM_SIZE;
/* Caller should call free() when they're done with this. */
authenticator->data = (char *)pChksum;
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index f4fdf9eb6f..08a49930b4 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -31,34 +31,60 @@
static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
const unsigned char orig_trust_passwd_hash[16],
+ const char *new_trust_pwd_cleartext,
const unsigned char new_trust_passwd_hash[16],
uint32 sec_channel_type)
{
NTSTATUS result;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
- /* Check if the netlogon pipe is open using schannel. If so we
- already have valid creds. If not we must set them up. */
-
- if (cli->auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-
- result = rpccli_netlogon_setup_creds(cli,
- cli->desthost, /* server name */
- lp_workgroup(), /* domain */
- global_myname(), /* client name */
- global_myname(), /* machine account name */
- orig_trust_passwd_hash,
- sec_channel_type,
- &neg_flags);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
- nt_errstr(result)));
- return result;
- }
+ result = rpccli_netlogon_setup_creds(cli,
+ cli->desthost, /* server name */
+ lp_workgroup(), /* domain */
+ global_myname(), /* client name */
+ global_myname(), /* machine account name */
+ orig_trust_passwd_hash,
+ sec_channel_type,
+ &neg_flags);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
+ nt_errstr(result)));
+ return result;
}
- {
+ if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
+
+ struct netr_Authenticator clnt_creds, srv_cred;
+ struct netr_CryptPassword new_password;
+ struct samr_CryptPassword password_buf;
+
+ netlogon_creds_client_step(cli->dc, &clnt_creds);
+
+ encode_pw_buffer(password_buf.data, new_trust_pwd_cleartext, STR_UNICODE);
+
+ SamOEMhash(password_buf.data, cli->dc->sess_key, 516);
+ memcpy(new_password.data, password_buf.data, 512);
+ new_password.length = IVAL(password_buf.data, 512);
+
+ result = rpccli_netr_ServerPasswordSet2(cli, mem_ctx,
+ cli->dc->remote_machine,
+ cli->dc->mach_acct,
+ sec_channel_type,
+ global_myname(),
+ &clnt_creds,
+ &srv_cred,
+ &new_password);
+
+ /* Always check returned credentials. */
+ if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
+ DEBUG(0,("rpccli_netr_ServerPasswordSet2: "
+ "credentials chain check failed\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ } else {
+
struct netr_Authenticator clnt_creds, srv_cred;
struct samr_Password new_password;
@@ -118,8 +144,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
E_md4hash(new_trust_passwd, new_trust_passwd_hash);
- nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
- new_trust_passwd_hash, sec_channel_type);
+ nt_status = just_change_the_password(cli, mem_ctx,
+ orig_trust_passwd_hash,
+ new_trust_passwd,
+ new_trust_passwd_hash,
+ sec_channel_type);
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
diff --git a/source3/m4/aclocal.m4 b/source3/m4/aclocal.m4
index 53ad46cb8d..9a4213d976 100644
--- a/source3/m4/aclocal.m4
+++ b/source3/m4/aclocal.m4
@@ -139,7 +139,7 @@ if eval test x"$build_lib" = "xyes" ; then
LIBUC[_SHARED]=$LIBUC[_SHARED_TARGET]
AC_MSG_RESULT(yes)
if test x"$USESHARED" != x"true" -o x"$[LINK_]LIBUC" = "xSTATIC" ; then
- LIBUC[_STATIC]=$LIBUC[_STATIC_TARGET]
+ enable_static=yes
else
LIBUC[_LIBS]=LIBLIBS
fi
@@ -152,7 +152,7 @@ else
AC_MSG_RESULT(shared library not selected, but will supply static library)
fi
if test $enable_static = yes; then
- LIBUC[_STATIC]=$LIBUC[_STATIC_TARGET]
+ LIBUC[_STATIC]=[\$\(]LIBUC[_OBJ0\)]
fi
m4_popdef([LIBNAME])
diff --git a/source3/modules/vfs_tsmsm.c b/source3/modules/vfs_tsmsm.c
index 4a732bca43..ee958b1be5 100644
--- a/source3/modules/vfs_tsmsm.c
+++ b/source3/modules/vfs_tsmsm.c
@@ -200,9 +200,9 @@ static bool tsmsm_is_offline(struct vfs_handle_struct *handle,
goto done;
}
- lerrno = 0;
-
do {
+ lerrno = 0;
+
ret = dm_get_dmattr(*dmsession_id, dmhandle, dmhandle_len,
DM_NO_TOKEN, &dmname, buflen, buf, &rlen);
if (ret == -1 && errno == EINVAL) {
@@ -279,10 +279,13 @@ static ssize_t tsmsm_aio_return(struct vfs_handle_struct *handle, struct files_s
static ssize_t tsmsm_sendfile(vfs_handle_struct *handle, int tofd, files_struct *fsp, const DATA_BLOB *hdr,
SMB_OFF_T offset, size_t n)
{
- bool file_online = tsmsm_aio_force(handle, fsp);
+ bool file_offline = tsmsm_aio_force(handle, fsp);
- if(!file_online)
- return ENOSYS;
+ if (file_offline) {
+ DEBUG(10,("tsmsm_sendfile on offline file - rejecting\n"));
+ errno = ENOSYS;
+ return -1;
+ }
return SMB_VFS_NEXT_SENDFILE(handle, tofd, fsp, hdr, offset, n);
}
@@ -333,7 +336,7 @@ static int tsmsm_set_offline(struct vfs_handle_struct *handle,
if (tsmd->hsmscript == NULL) {
/* no script enabled */
- DEBUG(1, ("tsmsm_set_offline: No tsmsm:hsmscript configured\n"));
+ DEBUG(1, ("tsmsm_set_offline: No 'tsmsm:hsm script' configured\n"));
return 0;
}
diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
index 83005f05bd..d9f2af4c10 100644
--- a/source3/nmbd/nmbd.c
+++ b/source3/nmbd/nmbd.c
@@ -296,8 +296,8 @@ static void reload_interfaces(time_t t)
BlockSignals(false, SIGTERM);
- /* We only count IPv4 interfaces here. */
- while (iface_count_v4() == 0 && !got_sig_term) {
+ /* We only count IPv4, non-loopback interfaces here. */
+ while (iface_count_v4_nl() == 0 && !got_sig_term) {
sleep(5);
load_interfaces();
}
diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c
index f7990def07..474ae1ca18 100644
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -434,7 +434,7 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n",
char *component, *dc, *q1;
char *q_orig = q;
int str_offset;
- char *saveptr;
+ char *saveptr = NULL;
domain = get_mydnsdomname(talloc_tos());
if (!domain) {
diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
index a4422d27d5..225def52cc 100644
--- a/source3/nmbd/nmbd_subnetdb.c
+++ b/source3/nmbd/nmbd_subnetdb.c
@@ -195,19 +195,20 @@ struct subnet_record *make_normal_subnet(const struct interface *iface)
bool create_subnets(void)
{
/* We only count IPv4 interfaces whilst we're waiting. */
- int num_interfaces = iface_count_v4();
+ int num_interfaces;
int i;
struct in_addr unicast_ip, ipzero;
try_interfaces_again:
- if (iface_count_v4() == 0) {
- DEBUG(0,("create_subnets: No local interfaces !\n"));
+ /* Only count IPv4, non-loopback interfaces. */
+ if (iface_count_v4_nl() == 0) {
+ DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
}
- /* We only count IPv4 interfaces here. */
- while (iface_count_v4() == 0) {
+ /* We only count IPv4, non-loopback interfaces here. */
+ while (iface_count_v4_nl() == 0) {
void (*saved_handler)(int);
/*
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 95b3d23dd4..c28c5d2697 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -12,6 +12,78 @@
#include "pam_winbind.h"
+static const char *_pam_error_code_str(int err)
+{
+ switch (err) {
+ case PAM_SUCCESS:
+ return "PAM_SUCCESS";
+ case PAM_OPEN_ERR:
+ return "PAM_OPEN_ERR";
+ case PAM_SYMBOL_ERR:
+ return "PAM_SYMBOL_ERR";
+ case PAM_SERVICE_ERR:
+ return "PAM_SERVICE_ERR";
+ case PAM_SYSTEM_ERR:
+ return "PAM_SYSTEM_ERR";
+ case PAM_BUF_ERR:
+ return "PAM_BUF_ERR";
+ case PAM_PERM_DENIED:
+ return "PAM_PERM_DENIED";
+ case PAM_AUTH_ERR:
+ return "PAM_AUTH_ERR";
+ case PAM_CRED_INSUFFICIENT:
+ return "PAM_CRED_INSUFFICIENT";
+ case PAM_AUTHINFO_UNAVAIL:
+ return "PAM_AUTHINFO_UNAVAIL";
+ case PAM_USER_UNKNOWN:
+ return "PAM_USER_UNKNOWN";
+ case PAM_MAXTRIES:
+ return "PAM_MAXTRIES";
+ case PAM_NEW_AUTHTOK_REQD:
+ return "PAM_NEW_AUTHTOK_REQD";
+ case PAM_ACCT_EXPIRED:
+ return "PAM_ACCT_EXPIRED";
+ case PAM_SESSION_ERR:
+ return "PAM_SESSION_ERR";
+ case PAM_CRED_UNAVAIL:
+ return "PAM_CRED_UNAVAIL";
+ case PAM_CRED_EXPIRED:
+ return "PAM_CRED_EXPIRED";
+ case PAM_CRED_ERR:
+ return "PAM_CRED_ERR";
+ case PAM_NO_MODULE_DATA:
+ return "PAM_NO_MODULE_DATA";
+ case PAM_CONV_ERR:
+ return "PAM_CONV_ERR";
+ case PAM_AUTHTOK_ERR:
+ return "PAM_AUTHTOK_ERR";
+ case PAM_AUTHTOK_RECOVERY_ERR:
+ return "PAM_AUTHTOK_RECOVERY_ERR";
+ case PAM_AUTHTOK_LOCK_BUSY:
+ return "PAM_AUTHTOK_LOCK_BUSY";
+ case PAM_AUTHTOK_DISABLE_AGING:
+ return "PAM_AUTHTOK_DISABLE_AGING";
+ case PAM_TRY_AGAIN:
+ return "PAM_TRY_AGAIN";
+ case PAM_IGNORE:
+ return "PAM_IGNORE";
+ case PAM_ABORT:
+ return "PAM_ABORT";
+ case PAM_AUTHTOK_EXPIRED:
+ return "PAM_AUTHTOK_EXPIRED";
+ case PAM_MODULE_UNKNOWN:
+ return "PAM_MODULE_UNKNOWN";
+ case PAM_BAD_ITEM:
+ return "PAM_BAD_ITEM";
+ case PAM_CONV_AGAIN:
+ return "PAM_CONV_AGAIN";
+ case PAM_INCOMPLETE:
+ return "PAM_INCOMPLETE";
+ default:
+ return NULL;
+ }
+}
+
#define _PAM_LOG_FUNCTION_ENTER(function, ctx) \
do { \
_pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] ENTER: " \
@@ -22,7 +94,8 @@
#define _PAM_LOG_FUNCTION_LEAVE(function, ctx, retval) \
do { \
_pam_log_debug(ctx, LOG_DEBUG, "[pamh: %p] LEAVE: " \
- function " returning %d", ctx->pamh, retval); \
+ function " returning %d (%s)", ctx->pamh, retval, \
+ _pam_error_code_str(retval)); \
_pam_log_state(ctx); \
} while (0)
@@ -698,8 +771,7 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
/**
* send a password expiry message if required
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param next_change expected (calculated) next expiry date.
* @param already_expired pointer to a boolean to indicate if the password is
* already expired.
@@ -760,8 +832,7 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
/**
* Send a warning if the password expires in the near future
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param response The full authentication response structure.
* @param already_expired boolean, is the pwd already expired?
*
@@ -850,8 +921,7 @@ static bool safe_append_string(char *dest,
/**
* Convert a names into a SID string, appending it to a buffer.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param user User in PAM request.
* @param name Name to convert.
* @param sid_list_buffer Where to append the string sid.
@@ -906,8 +976,7 @@ static bool winbind_name_to_sid_string(struct pwb_context *ctx,
/**
* Convert a list of names into a list of sids.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param user User in PAM request.
* @param name_list List of names or string sids, separated by commas.
* @param sid_list_buffer Where to put the list of string sids.
@@ -971,8 +1040,7 @@ out:
/**
* put krb5ccname variable into environment
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param krb5ccname env variable retrieved from winbindd.
*
* @return void.
@@ -1010,8 +1078,7 @@ static void _pam_setup_krb5_env(struct pwb_context *ctx,
/**
* Set string into the PAM stack.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param data_name Key name for pam_set_data.
* @param value String value.
*
@@ -1042,8 +1109,7 @@ static void _pam_set_data_string(struct pwb_context *ctx,
/**
* Set info3 strings into the PAM stack.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param data_name Key name for pam_set_data.
* @param value String value.
*
@@ -1082,8 +1148,7 @@ static void _pam_free_data_info3(pam_handle_t *pamh)
/**
* Send PAM_ERROR_MSG for cached or grace logons.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param username User in PAM request.
* @param info3_user_flgs Info3 flags containing logon type bits.
*
@@ -1120,8 +1185,7 @@ static void _pam_warn_logon_type(struct pwb_context *ctx,
/**
* Send PAM_ERROR_MSG for krb5 errors.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param username User in PAM request.
* @param info3_user_flgs Info3 flags containing logon type bits.
*
@@ -1869,8 +1933,7 @@ static int get_warn_pwd_expire_from_config(struct pwb_context *ctx)
/**
* Retrieve the winbind separator.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
*
* @return string separator character. NULL on failure.
*/
@@ -1894,8 +1957,7 @@ static char winbind_get_separator(struct pwb_context *ctx)
/**
* Convert a upn to a name.
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param upn USer UPN to be trabslated.
*
* @return converted name. NULL pointer on failure. Caller needs to free.
@@ -2370,8 +2432,7 @@ out:
* evaluate whether we need to re-authenticate with kerberos after a
* password change
*
- * @param pamh PAM handle
- * @param ctrl PAM winbind options.
+ * @param ctx PAM winbind context.
* @param user The username
*
* @return boolean Returns true if required, false if not.
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h
index be17a6fe45..c8c1910641 100644
--- a/source3/nsswitch/pam_winbind.h
+++ b/source3/nsswitch/pam_winbind.h
@@ -83,20 +83,20 @@ do { \
#include <security/pam_ext.h>
#endif
-#define WINBIND_DEBUG_ARG (1<<0)
-#define WINBIND_USE_AUTHTOK_ARG (1<<1)
-#define WINBIND_UNKNOWN_OK_ARG (1<<2)
-#define WINBIND_TRY_FIRST_PASS_ARG (1<<3)
-#define WINBIND_USE_FIRST_PASS_ARG (1<<4)
-#define WINBIND__OLD_PASSWORD (1<<5)
-#define WINBIND_REQUIRED_MEMBERSHIP (1<<6)
-#define WINBIND_KRB5_AUTH (1<<7)
-#define WINBIND_KRB5_CCACHE_TYPE (1<<8)
-#define WINBIND_CACHED_LOGIN (1<<9)
-#define WINBIND_CONFIG_FILE (1<<10)
-#define WINBIND_SILENT (1<<11)
-#define WINBIND_DEBUG_STATE (1<<12)
-#define WINBIND_WARN_PWD_EXPIRE (1<<13)
+#define WINBIND_DEBUG_ARG 0x00000001
+#define WINBIND_USE_AUTHTOK_ARG 0x00000002
+#define WINBIND_UNKNOWN_OK_ARG 0x00000004
+#define WINBIND_TRY_FIRST_PASS_ARG 0x00000008
+#define WINBIND_USE_FIRST_PASS_ARG 0x00000010
+#define WINBIND__OLD_PASSWORD 0x00000020
+#define WINBIND_REQUIRED_MEMBERSHIP 0x00000040
+#define WINBIND_KRB5_AUTH 0x00000080
+#define WINBIND_KRB5_CCACHE_TYPE 0x00000100
+#define WINBIND_CACHED_LOGIN 0x00000200
+#define WINBIND_CONFIG_FILE 0x00000400
+#define WINBIND_SILENT 0x00000800
+#define WINBIND_DEBUG_STATE 0x00001000
+#define WINBIND_WARN_PWD_EXPIRE 0x00002000
/*
* here is the string to inform the user that the new passwords they
diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c
index b113fc3336..6e6d2bbbf8 100644
--- a/source3/nsswitch/wb_common.c
+++ b/source3/nsswitch/wb_common.c
@@ -176,11 +176,13 @@ static int winbind_named_pipe_sock(const char *dir)
/* Check permissions on unix socket directory */
if (lstat(dir, &st) == -1) {
+ errno = ENOENT;
return -1;
}
if (!S_ISDIR(st.st_mode) ||
(st.st_uid != 0 && st.st_uid != geteuid())) {
+ errno = ENOENT;
return -1;
}
@@ -199,6 +201,7 @@ static int winbind_named_pipe_sock(const char *dir)
the winbindd daemon is not running. */
if (lstat(path, &st) == -1) {
+ errno = ENOENT;
SAFE_FREE(path);
return -1;
}
@@ -208,6 +211,7 @@ static int winbind_named_pipe_sock(const char *dir)
if (!S_ISSOCK(st.st_mode) ||
(st.st_uid != 0 && st.st_uid != geteuid())) {
+ errno = ENOENT;
return -1;
}
@@ -368,6 +372,7 @@ int winbind_write_sock(void *buffer, int count, int recursing, int need_priv)
restart:
if (winbind_open_pipe_sock(recursing, need_priv) == -1) {
+ errno = ENOENT;
return -1;
}
@@ -564,7 +569,11 @@ NSS_STATUS winbindd_send_request(int req_type, int need_priv,
if (winbind_write_sock(request, sizeof(*request),
request->wb_flags & WBFLAG_RECURSE,
- need_priv) == -1) {
+ need_priv) == -1)
+ {
+ /* Set ENOENT for consistency. Required by some apps */
+ errno = ENOENT;
+
return NSS_STATUS_UNAVAIL;
}
@@ -572,7 +581,11 @@ NSS_STATUS winbindd_send_request(int req_type, int need_priv,
(winbind_write_sock(request->extra_data.data,
request->extra_len,
request->wb_flags & WBFLAG_RECURSE,
- need_priv) == -1)) {
+ need_priv) == -1))
+ {
+ /* Set ENOENT for consistency. Required by some apps */
+ errno = ENOENT;
+
return NSS_STATUS_UNAVAIL;
}
@@ -596,6 +609,9 @@ NSS_STATUS winbindd_get_response(struct winbindd_response *response)
/* Wait for reply */
if (winbindd_read_reply(response) == -1) {
+ /* Set ENOENT for consistency. Required by some apps */
+ errno = ENOENT;
+
return NSS_STATUS_UNAVAIL;
}
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index c1d41a53fd..463d9233d0 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -879,6 +879,33 @@ static bool wbinfo_lookupname(const char *full_name)
return true;
}
+static char *wbinfo_prompt_pass(const char *prefix,
+ const char *username)
+{
+ char *prompt;
+ const char *ret = NULL;
+
+ prompt = talloc_asprintf(talloc_tos(), "Enter %s's ", username);
+ if (!prompt) {
+ return NULL;
+ }
+ if (prefix) {
+ prompt = talloc_asprintf_append(prompt, "%s ", prefix);
+ if (!prompt) {
+ return NULL;
+ }
+ }
+ prompt = talloc_asprintf_append(prompt, "password: ");
+ if (!prompt) {
+ return NULL;
+ }
+
+ ret = getpass(prompt);
+ TALLOC_FREE(prompt);
+
+ return SMB_STRDUP(ret);
+}
+
/* Authenticate a user with a plaintext password */
static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags)
@@ -887,6 +914,7 @@ static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags)
struct winbindd_response response;
NSS_STATUS result;
char *p;
+ char *password;
/* Send off request */
@@ -900,8 +928,12 @@ static bool wbinfo_auth_krb5(char *username, const char *cctype, uint32 flags)
fstrcpy(request.data.auth.user, username);
fstrcpy(request.data.auth.pass, p + 1);
*p = '%';
- } else
+ } else {
fstrcpy(request.data.auth.user, username);
+ password = wbinfo_prompt_pass(NULL, username);
+ fstrcpy(request.data.auth.pass, password);
+ SAFE_FREE(password);
+ }
request.flags = flags;
@@ -947,7 +979,7 @@ static bool wbinfo_auth(char *username)
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
char *s = NULL;
char *p = NULL;
- const char *password = NULL;
+ char *password = NULL;
char *name = NULL;
if ((s = SMB_STRDUP(username)) == NULL) {
@@ -957,16 +989,9 @@ static bool wbinfo_auth(char *username)
if ((p = strchr(s, '%')) != NULL) {
*p = 0;
p++;
- password = p;
+ password = SMB_STRDUP(p);
} else {
- char *prompt;
- asprintf(&prompt, "Enter %s's password:", username);
- if (!prompt) {
- return false;
- }
-
- password = getpass(prompt);
- SAFE_FREE(prompt);
+ password = wbinfo_prompt_pass(NULL, username);
}
name = s;
@@ -985,6 +1010,7 @@ static bool wbinfo_auth(char *username)
#endif
SAFE_FREE(s);
+ SAFE_FREE(password);
return WBC_ERROR_IS_OK(wbc_status);
}
@@ -1001,26 +1027,18 @@ static bool wbinfo_auth_crap(char *username)
DATA_BLOB nt = data_blob_null;
fstring name_user;
fstring name_domain;
- fstring pass;
+ char *pass;
char *p;
p = strchr(username, '%');
if (p) {
*p = 0;
- fstrcpy(pass, p + 1);
+ pass = SMB_STRDUP(p + 1);
} else {
- char *prompt;
- asprintf(&prompt, "Enter %s's password:", username);
- if (!prompt) {
- return false;
- }
-
- fstrcpy(pass, getpass(prompt));
- SAFE_FREE(prompt);
-
+ pass = wbinfo_prompt_pass(NULL, username);
}
-
+
parse_wbinfo_domain_user(username, name_domain, name_user);
params.account_name = name_user;
@@ -1049,6 +1067,7 @@ static bool wbinfo_auth_crap(char *username)
&lm, &nt, NULL)) {
data_blob_free(&names_blob);
data_blob_free(&server_chal);
+ SAFE_FREE(pass);
return false;
}
data_blob_free(&names_blob);
@@ -1093,6 +1112,7 @@ static bool wbinfo_auth_crap(char *username)
data_blob_free(&nt);
data_blob_free(&lm);
+ SAFE_FREE(pass);
return WBC_ERROR_IS_OK(wbc_status);
}
diff --git a/source3/nsswitch/winbind_nss_solaris.c b/source3/nsswitch/winbind_nss_solaris.c
index 5a72393788..865b6ebbb0 100644
--- a/source3/nsswitch/winbind_nss_solaris.c
+++ b/source3/nsswitch/winbind_nss_solaris.c
@@ -359,7 +359,9 @@ parse_response(int af, nss_XbyY_args_t* argp, struct winbindd_response *response
int addrcount = 0;
int len = 0;
struct in_addr *addrp;
+#if defined(AF_INET6)
struct in6_addr *addrp6;
+#endif
int i;
/* response is tab separated list of ip addresses with hostname
@@ -391,7 +393,9 @@ parse_response(int af, nss_XbyY_args_t* argp, struct winbindd_response *response
addrp -= addrcount;
he->h_addr_list = (char **)ROUND_DOWN(addrp, sizeof (char*));
he->h_addr_list -= addrcount+1;
- } else {
+ }
+#if defined(AF_INET6)
+ else {
he->h_length = sizeof(struct in6_addr);
addrp6 = (struct in6_addr *)ROUND_DOWN(buffer + buflen,
sizeof(struct in6_addr));
@@ -399,6 +403,7 @@ parse_response(int af, nss_XbyY_args_t* argp, struct winbindd_response *response
he->h_addr_list = (char **)ROUND_DOWN(addrp6, sizeof (char*));
he->h_addr_list -= addrcount+1;
}
+#endif
/* buffer too small?! */
if((char *)he->h_addr_list < buffer ) {
@@ -418,7 +423,9 @@ parse_response(int af, nss_XbyY_args_t* argp, struct winbindd_response *response
argp->erange = 1;
return NSS_STR_PARSE_ERANGE;
}
- } else {
+ }
+#if defined(AF_INET6)
+ else {
he->h_addr_list[i] = (char *)&addrp6[i];
if (strchr(data, ':') != 0) {
if (inet_pton(AF_INET6, data, &addrp6[i]) != 1) {
@@ -434,6 +441,7 @@ parse_response(int af, nss_XbyY_args_t* argp, struct winbindd_response *response
IN6_INADDR_TO_V4MAPPED(&in4, &addrp6[i]);
}
}
+#endif
data = p+1;
}
@@ -481,6 +489,7 @@ _nss_winbind_ipnodes_getbyname(nss_backend_t* be, void *args)
AF_INET or for AF_INET6 and AI_ALL|AI_V4MAPPED we have to map
IPv4 to IPv6.
*/
+#if defined(AF_INET6)
#ifdef HAVE_NSS_XBYY_KEY_IPNODE
af = argp->key.ipnode.af_family;
if(af == AF_INET6 && argp->key.ipnode.flags == 0) {
@@ -491,6 +500,7 @@ _nss_winbind_ipnodes_getbyname(nss_backend_t* be, void *args)
/* I'm not that sure if this is correct, but... */
af = AF_INET6;
#endif
+#endif
strncpy(request.data.winsreq, argp->key.name, sizeof(request.data.winsreq) - 1);
request.data.winsreq[sizeof(request.data.winsreq) - 1] = '\0';
@@ -539,6 +549,7 @@ _nss_winbind_hosts_getbyaddr(nss_backend_t* be, void *args)
ZERO_STRUCT(response);
ZERO_STRUCT(request);
+#if defined(AF_INET6)
/* winbindd currently does not resolve IPv6 */
if(argp->key.hostaddr.type == AF_INET6) {
argp->h_errno = NO_DATA;
@@ -546,7 +557,15 @@ _nss_winbind_hosts_getbyaddr(nss_backend_t* be, void *args)
}
p = inet_ntop(argp->key.hostaddr.type, argp->key.hostaddr.addr,
- request.data.winsreq, INET6_ADDRSTRLEN);
+ request.data.winsreq, sizeof request.data.winsreq);
+#else
+ snprintf(request.data.winsreq, sizeof request.data.winsreq,
+ "%u.%u.%u.%u",
+ ((unsigned char *)argp->key.hostaddr.addr)[0],
+ ((unsigned char *)argp->key.hostaddr.addr)[1],
+ ((unsigned char *)argp->key.hostaddr.addr)[2],
+ ((unsigned char *)argp->key.hostaddr.addr)[3]);
+#endif
ret = winbindd_request_response(WINBINDD_WINS_BYIP, &request, &response);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index bc111df4e1..fbcc26a81d 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -240,6 +240,7 @@ struct global {
int map_to_guest;
int oplock_break_wait_time;
int winbind_cache_time;
+ int winbind_reconnect_delay;
int winbind_max_idle_children;
char **szWinbindNssInfo;
int iLockSpinTime;
@@ -4363,6 +4364,15 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED,
},
{
+ .label = "winbind reconnect delay",
+ .type = P_INTEGER,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.winbind_reconnect_delay,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "winbind enum users",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -4829,6 +4839,7 @@ static void init_globals(bool first_time_only)
Globals.clustering = False;
Globals.winbind_cache_time = 300; /* 5 minutes */
+ Globals.winbind_reconnect_delay = 30; /* 30 seconds */
Globals.bWinbindEnumUsers = False;
Globals.bWinbindEnumGroups = False;
Globals.bWinbindUseDefaultDomain = False;
@@ -4839,7 +4850,7 @@ static void init_globals(bool first_time_only)
Globals.bWinbindRefreshTickets = False;
Globals.bWinbindOfflineLogon = False;
- Globals.iIdmapCacheTime = 900; /* 15 minutes by default */
+ Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
Globals.bPassdbExpandExplicit = False;
@@ -5082,7 +5093,7 @@ FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
-FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend) /* deprecated */
+FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend)
FN_GLOBAL_STRING(lp_idmap_alloc_backend, &Globals.szIdmapAllocBackend)
FN_GLOBAL_INTEGER(lp_idmap_cache_time, &Globals.iIdmapCacheTime)
FN_GLOBAL_INTEGER(lp_idmap_negative_cache_time, &Globals.iIdmapNegativeCacheTime)
@@ -5341,6 +5352,7 @@ FN_LOCAL_INTEGER(lp_directory_name_cache_size, iDirectoryNameCacheSize)
FN_LOCAL_INTEGER(lp_smb_encrypt, ismb_encrypt)
FN_LOCAL_CHAR(lp_magicchar, magic_char)
FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time)
+FN_GLOBAL_INTEGER(lp_winbind_reconnect_delay, &Globals.winbind_reconnect_delay)
FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 57152c34b5..706df48923 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1301,20 +1301,28 @@ static bool legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
void uid_to_sid(DOM_SID *psid, uid_t uid)
{
+ bool expired = true;
+ bool ret;
ZERO_STRUCTP(psid);
if (fetch_sid_from_uid_cache(psid, uid))
return;
- if (!winbind_uid_to_sid(psid, uid)) {
- if (!winbind_ping()) {
- legacy_uid_to_sid(psid, uid);
+ /* Check the winbindd cache directly. */
+ ret = idmap_cache_find_uid2sid(uid, psid, &expired);
+
+ if (!ret || expired || (ret && is_null_sid(psid))) {
+ /* Not in cache. Ask winbindd. */
+ if (!winbind_uid_to_sid(psid, uid)) {
+ if (!winbind_ping()) {
+ legacy_uid_to_sid(psid, uid);
+ return;
+ }
+
+ DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n",
+ uid));
return;
}
-
- DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n",
- uid));
- return;
}
DEBUG(10,("uid %u -> sid %s\n", (unsigned int)uid,
@@ -1330,25 +1338,33 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
void gid_to_sid(DOM_SID *psid, gid_t gid)
{
+ bool expired = true;
+ bool ret;
ZERO_STRUCTP(psid);
if (fetch_sid_from_gid_cache(psid, gid))
return;
- if (!winbind_gid_to_sid(psid, gid)) {
- if (!winbind_ping()) {
- legacy_gid_to_sid(psid, gid);
+ /* Check the winbindd cache directly. */
+ ret = idmap_cache_find_gid2sid(gid, psid, &expired);
+
+ if (!ret || expired || (ret && is_null_sid(psid))) {
+ /* Not in cache. Ask winbindd. */
+ if (!winbind_gid_to_sid(psid, gid)) {
+ if (!winbind_ping()) {
+ legacy_gid_to_sid(psid, gid);
+ return;
+ }
+
+ DEBUG(5, ("gid_to_sid: winbind failed to find a sid for gid %u\n",
+ gid));
return;
}
-
- DEBUG(5, ("gid_to_sid: winbind failed to find a sid for gid %u\n",
- gid));
- return;
}
DEBUG(10,("gid %u -> sid %s\n", (unsigned int)gid,
sid_string_dbg(psid)));
-
+
store_gid_sid_cache(psid, gid);
return;
}
@@ -1359,6 +1375,8 @@ void gid_to_sid(DOM_SID *psid, gid_t gid)
bool sid_to_uid(const DOM_SID *psid, uid_t *puid)
{
+ bool expired = true;
+ bool ret;
uint32 rid;
gid_t gid;
@@ -1381,14 +1399,20 @@ bool sid_to_uid(const DOM_SID *psid, uid_t *puid)
return true;
}
- if (!winbind_sid_to_uid(puid, psid)) {
- if (!winbind_ping()) {
- return legacy_sid_to_uid(psid, puid);
- }
+ /* Check the winbindd cache directly. */
+ ret = idmap_cache_find_sid2uid(psid, puid, &expired);
- DEBUG(5, ("winbind failed to find a uid for sid %s\n",
- sid_string_dbg(psid)));
- return false;
+ if (!ret || expired || (ret && (*puid == (uid_t)-1))) {
+ /* Not in cache. Ask winbindd. */
+ if (!winbind_sid_to_uid(puid, psid)) {
+ if (!winbind_ping()) {
+ return legacy_sid_to_uid(psid, puid);
+ }
+
+ DEBUG(5, ("winbind failed to find a uid for sid %s\n",
+ sid_string_dbg(psid)));
+ return false;
+ }
}
/* TODO: Here would be the place to allocate both a gid and a uid for
@@ -1408,6 +1432,8 @@ bool sid_to_uid(const DOM_SID *psid, uid_t *puid)
bool sid_to_gid(const DOM_SID *psid, gid_t *pgid)
{
+ bool expired = true;
+ bool ret;
uint32 rid;
uid_t uid;
@@ -1429,24 +1455,28 @@ bool sid_to_gid(const DOM_SID *psid, gid_t *pgid)
return true;
}
- /* Ask winbindd if it can map this sid to a gid.
- * (Idmap will check it is a valid SID and of the right type) */
+ /* Check the winbindd cache directly. */
+ ret = idmap_cache_find_sid2gid(psid, pgid, &expired);
- if ( !winbind_sid_to_gid(pgid, psid) ) {
- if (!winbind_ping()) {
- return legacy_sid_to_gid(psid, pgid);
- }
+ if (!ret || expired || (ret && (*pgid == (gid_t)-1))) {
+ /* Not in cache or negative. Ask winbindd. */
+ /* Ask winbindd if it can map this sid to a gid.
+ * (Idmap will check it is a valid SID and of the right type) */
- DEBUG(10,("winbind failed to find a gid for sid %s\n",
- sid_string_dbg(psid)));
- return false;
+ if ( !winbind_sid_to_gid(pgid, psid) ) {
+ if (!winbind_ping()) {
+ return legacy_sid_to_gid(psid, pgid);
+ }
+
+ DEBUG(10,("winbind failed to find a gid for sid %s\n",
+ sid_string_dbg(psid)));
+ return false;
+ }
}
DEBUG(10,("sid %s -> gid %u\n", sid_string_dbg(psid),
(unsigned int)*pgid ));
store_gid_sid_cache(psid, *pgid);
-
return true;
}
-
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index ad2f512647..41dde87c42 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -979,8 +979,8 @@ static NTSTATUS rpc_api_pipe(struct rpc_pipe_client *cli,
while(1) {
RPC_HDR rhdr;
- char *ret_data;
- uint32 ret_data_len;
+ char *ret_data = NULL;
+ uint32 ret_data_len = 0;
/* Ensure we have enough data for a pdu. */
ret = cli_pipe_get_current_pdu(cli, &rhdr, &current_pdu);
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 7ece482d75..4e211cfb81 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -521,7 +521,16 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
return NT_STATUS_ACCESS_DENIED;
}
- srv_flgs = 0x000001ff;
+ /* 0x000001ff */
+ srv_flgs = NETLOGON_NEG_ACCOUNT_LOCKOUT |
+ NETLOGON_NEG_PERSISTENT_SAMREPL |
+ NETLOGON_NEG_ARCFOUR |
+ NETLOGON_NEG_PROMOTION_COUNT |
+ NETLOGON_NEG_CHANGELOG_BDC |
+ NETLOGON_NEG_FULL_SYNC_REPL |
+ NETLOGON_NEG_MULTIPLE_SIDS |
+ NETLOGON_NEG_REDO |
+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
if (lp_server_schannel() != false) {
srv_flgs |= NETLOGON_NEG_SCHANNEL;
diff --git a/source3/smbd/aio.c b/source3/smbd/aio.c
index 2889e3c13f..74275368bd 100644
--- a/source3/smbd/aio.c
+++ b/source3/smbd/aio.c
@@ -268,12 +268,15 @@ bool schedule_aio_read_and_X(connection_struct *conn,
a->aio_sigevent.sigev_signo = RT_SIGNAL_AIO;
a->aio_sigevent.sigev_value.sival_int = aio_ex->mid;
+ become_root();
if (SMB_VFS_AIO_READ(fsp,a) == -1) {
DEBUG(0,("schedule_aio_read_and_X: aio_read failed. "
"Error %s\n", strerror(errno) ));
delete_aio_ex(aio_ex);
+ unbecome_root();
return False;
}
+ unbecome_root();
DEBUG(10,("schedule_aio_read_and_X: scheduled aio_read for file %s, "
"offset %.0f, len = %u (mid = %u)\n",
@@ -366,13 +369,16 @@ bool schedule_aio_write_and_X(connection_struct *conn,
a->aio_sigevent.sigev_signo = RT_SIGNAL_AIO;
a->aio_sigevent.sigev_value.sival_int = aio_ex->mid;
+ become_root();
if (SMB_VFS_AIO_WRITE(fsp,a) == -1) {
DEBUG(3,("schedule_aio_wrote_and_X: aio_write failed. "
"Error %s\n", strerror(errno) ));
delete_aio_ex(aio_ex);
+ unbecome_root();
return False;
}
-
+ unbecome_root();
+
release_level_2_oplocks_on_change(fsp);
if (!write_through && !lp_syncalways(SNUM(fsp->conn))
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 149e6ecbd9..b6951272d7 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -455,6 +455,12 @@ void reply_ntcreate_and_X(struct smb_request *req)
fname));
/*
+ * we need to remove ignored bits when they come directly from the client
+ * because we reuse some of them for internal stuff
+ */
+ create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
+
+ /*
* If it's an IPC, use the pipe handler.
*/
@@ -858,6 +864,12 @@ static void call_nt_transact_create(connection_struct *conn,
allocation_size |= (((SMB_BIG_UINT)IVAL(params,16)) << 32);
#endif
+ /*
+ * we need to remove ignored bits when they come directly from the client
+ * because we reuse some of them for internal stuff
+ */
+ create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
+
/* Ensure the data_len is correct for the sd and ea values given. */
if ((ea_len + sd_len > data_count)
|| (ea_len > data_count) || (sd_len > data_count)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 03efd09f06..8b32907a4b 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2560,6 +2560,11 @@ NTSTATUS create_file_unixpath(connection_struct *conn,
goto fail;
}
+ if (create_options & NTCREATEX_OPTIONS_INVALID_PARAM_MASK) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
if (req == NULL) {
oplock_request |= INTERNAL_OPEN_ONLY;
}
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index b3d691fbe7..06aa835cb0 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3198,8 +3198,9 @@ static void send_file_readX(connection_struct *conn, struct smb_request *req,
setup_readX_header((char *)headerbuf, smb_maxcnt);
if ((nread = SMB_VFS_SENDFILE(smbd_server_fd(), fsp, &header, startpos, smb_maxcnt)) == -1) {
- /* Returning ENOSYS means no data at all was sent. Do this as a normal read. */
- if (errno == ENOSYS) {
+ /* Returning ENOSYS or EINVAL means no data at all was sent.
+ Do this as a normal read. */
+ if (errno == ENOSYS || errno == EINVAL) {
goto normal_read;
}
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 041596b953..9c9d0a97bc 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -1738,16 +1738,19 @@ void reply_sesssetup_and_X(struct smb_request *req)
return;
}
- nt_status = create_local_token(server_info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(10, ("create_local_token failed: %s\n",
- nt_errstr(nt_status)));
- data_blob_free(&nt_resp);
- data_blob_free(&lm_resp);
- data_blob_clear_free(&plaintext_password);
- reply_nterror(req, nt_status_squash(nt_status));
- END_PROFILE(SMBsesssetupX);
- return;
+ if (!server_info->ptok) {
+ nt_status = create_local_token(server_info);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(10, ("create_local_token failed: %s\n",
+ nt_errstr(nt_status)));
+ data_blob_free(&nt_resp);
+ data_blob_free(&lm_resp);
+ data_blob_clear_free(&plaintext_password);
+ reply_nterror(req, nt_status_squash(nt_status));
+ END_PROFILE(SMBsesssetupX);
+ return;
+ }
}
data_blob_clear_free(&plaintext_password);
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index c01aace8f5..c0922efe6b 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -219,7 +219,7 @@ NTSTATUS rpc_vampire_ldif_internals(struct net_context *c,
int rpc_vampire_ldif(struct net_context *c, int argc, const char **argv)
{
if (c->display_usage) {
- d_printf("Usage\n"
+ d_printf("Usage:\n"
"net rpc vampire ldif\n"
" Dump remote SAM database to LDIF file or stdout\n");
return 0;
@@ -343,7 +343,7 @@ int rpc_vampire_keytab(struct net_context *c, int argc, const char **argv)
int ret = 0;
if (c->display_usage) {
- d_printf("Usage\n"
+ d_printf("Usage:\n"
"net rpc vampire keytab\n"
" Dump remote SAM database to Kerberos keytab file\n");
return 0;
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index eb39c739e7..88850d29df 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -476,7 +476,7 @@ bool net_find_pdc(struct sockaddr_storage *server_ss,
NTSTATUS net_make_ipc_connection(struct net_context *c, unsigned flags,
struct cli_state **pcli)
{
- return net_make_ipc_connection_ex(c, NULL, NULL, NULL, flags, pcli);
+ return net_make_ipc_connection_ex(c, c->opt_workgroup, NULL, NULL, flags, pcli);
}
NTSTATUS net_make_ipc_connection_ex(struct net_context *c ,const char *domain,
@@ -492,7 +492,8 @@ NTSTATUS net_make_ipc_connection_ex(struct net_context *c ,const char *domain,
if ( !server || !pss ) {
if (!net_find_server(c, domain, flags, &server_ss,
&server_name)) {
- d_fprintf(stderr, "Unable to find a suitable server\n");
+ d_fprintf(stderr, "Unable to find a suitable server "
+ "for domain %s\n", domain);
nt_status = NT_STATUS_UNSUCCESSFUL;
goto done;
}
diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c
index 6699763cd2..750030d916 100644
--- a/source3/utils/smbcontrol.c
+++ b/source3/utils/smbcontrol.c
@@ -1228,9 +1228,9 @@ static struct server_id parse_dest(const char *dest)
struct server_id result = {-1};
pid_t pid;
- /* Zero is a special return value for broadcast smbd */
+ /* Zero is a special return value for broadcast to all processes */
- if (strequal(dest, "smbd")) {
+ if (strequal(dest, "all")) {
return interpret_pid(MSG_BROADCAST_PID_STR);
}
@@ -1245,7 +1245,6 @@ static struct server_id parse_dest(const char *dest)
dest = "winbindd";
}
-
if (!(strequal(dest, "winbindd") || strequal(dest, "nmbd"))) {
/* Check for numeric pid number */
@@ -1266,7 +1265,7 @@ static struct server_id parse_dest(const char *dest)
fprintf(stderr,"Can't find pid for destination '%s'\n", dest);
return result;
-}
+}
/* Execute smbcontrol command */
diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c
index 2a6beca5a2..b10a1a4ba9 100644
--- a/source3/winbindd/idmap_util.c
+++ b/source3/winbindd/idmap_util.c
@@ -87,7 +87,7 @@ NTSTATUS idmap_gid_to_sid(const char *domname, DOM_SID *sid, gid_t gid)
DEBUG(10,("gid = [%lu]\n", (unsigned long)gid));
- if (idmap_cache_find_uid2sid(gid, sid, &expired)) {
+ if (idmap_cache_find_gid2sid(gid, sid, &expired)) {
DEBUG(10, ("idmap_cache_find_gid2sid found %d%s\n", gid,
expired ? " (expired)": ""));
if (expired && idmap_is_online()) {
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index fe0c076209..04b0b39f81 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -153,6 +153,7 @@ struct winbindd_child {
struct fd_event event;
struct timed_event *lockout_policy_event;
+ struct timed_event *machine_password_change_event;
struct winbindd_async_request *requests;
const struct winbindd_child_dispatch_table *table;
@@ -204,6 +205,7 @@ struct winbindd_domain {
uint32_t id_range_low, id_range_high;
/* A working DC */
+ pid_t dc_probe_pid; /* Child we're using to detect the DC. */
fstring dcname;
struct sockaddr_storage dcaddr;
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 47df4e4058..71f1a56519 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -8,17 +8,17 @@
Copyright (C) Gerald (Jerry) Carter 2003-2005.
Copyright (C) Volker Lendecke 2004-2005
Copyright (C) Jeremy Allison 2006
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -27,14 +27,14 @@
We need to manage connections to domain controllers without having to
mess up the main winbindd code with other issues. The aim of the
connection manager is to:
-
+
- make connections to domain controllers and cache them
- re-establish connections when networks or servers go down
- centralise the policy on connection timeouts, domain controller
selection etc
- manage re-entrancy for when winbindd becomes able to handle
multiple outstanding rpc requests
-
+
Why not have connection management as part of the rpc layer like tng?
Good question. This code may morph into libsmb/rpc_cache.c or something
like that but at the moment it's simply staying as part of winbind. I
@@ -171,20 +171,33 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
struct dc_name_ip *dcs = NULL;
int num_dcs = 0;
TALLOC_CTX *mem_ctx = NULL;
- pid_t child_pid;
pid_t parent_pid = sys_getpid();
/* Stop zombies */
CatchChild();
- child_pid = sys_fork();
+ if (domain->dc_probe_pid != (pid_t)-1) {
+ /*
+ * We might already have a DC probe
+ * child working, check.
+ */
+ if (process_exists_by_pid(domain->dc_probe_pid)) {
+ DEBUG(10,("fork_child_dc_connect: pid %u already "
+ "checking for DC's.\n",
+ (unsigned int)domain->dc_probe_pid));
+ return true;
+ }
+ domain->dc_probe_pid = (pid_t)-1;
+ }
+
+ domain->dc_probe_pid = sys_fork();
- if (child_pid == -1) {
+ if (domain->dc_probe_pid == (pid_t)-1) {
DEBUG(0, ("fork_child_dc_connect: Could not fork: %s\n", strerror(errno)));
return False;
}
- if (child_pid != 0) {
+ if (domain->dc_probe_pid != (pid_t)0) {
/* Parent */
messaging_register(winbind_messaging_context(), NULL,
MSG_WINBIND_TRY_TO_GO_ONLINE,
@@ -201,6 +214,11 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
if (!reinit_after_fork(winbind_messaging_context(), true)) {
DEBUG(0,("reinit_after_fork() failed\n"));
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_FAILED_TO_GO_ONLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
_exit(0);
}
@@ -218,6 +236,11 @@ static bool fork_child_dc_connect(struct winbindd_domain *domain)
mem_ctx = talloc_init("fork_child_dc_connect");
if (!mem_ctx) {
DEBUG(0,("talloc_init failed.\n"));
+ messaging_send_buf(winbind_messaging_context(),
+ pid_to_procid(parent_pid),
+ MSG_WINBIND_FAILED_TO_GO_ONLINE,
+ (uint8 *)domain->name,
+ strlen(domain->name)+1);
_exit(0);
}
@@ -291,12 +314,12 @@ static void check_domain_online_handler(struct event_context *ctx,
static void calc_new_online_timeout_check(struct winbindd_domain *domain)
{
- int wbc = lp_winbind_cache_time();
+ int wbr = lp_winbind_reconnect_delay();
if (domain->startup) {
domain->check_online_timeout = 10;
- } else if (domain->check_online_timeout < wbc) {
- domain->check_online_timeout = wbc;
+ } else if (domain->check_online_timeout < wbr) {
+ domain->check_online_timeout = wbr;
}
}
@@ -336,7 +359,7 @@ void set_domain_offline(struct winbindd_domain *domain)
}
/* If we're in statup mode, check again in 10 seconds, not in
- lp_winbind_cache_time() seconds (which is 5 mins by default). */
+ lp_winbind_reconnect_delay() seconds (which is 30 seconds by default). */
calc_new_online_timeout_check(domain);
@@ -360,7 +383,7 @@ void set_domain_offline(struct winbindd_domain *domain)
if ( domain->primary ) {
struct winbindd_child *idmap = idmap_child();
-
+
if ( idmap->pid != 0 ) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(idmap->pid),
@@ -439,7 +462,7 @@ static void set_domain_online(struct winbindd_domain *domain)
if ( domain->primary ) {
struct winbindd_child *idmap = idmap_child();
-
+
if ( idmap->pid != 0 ) {
messaging_send_buf(winbind_messaging_context(),
pid_to_procid(idmap->pid),
@@ -530,7 +553,7 @@ void winbind_add_failed_connection_entry(const struct winbindd_domain *domain,
an authenticated connection if DCs have the RestrictAnonymous registry
entry set > 0, or the "Additional restrictions for anonymous
connections" set in the win2k Local Security Policy.
-
+
Caller to free() result in domain, username, password
*/
@@ -539,12 +562,12 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
*username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
*domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
*password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
-
+
if (*username && **username) {
if (!*domain || !**domain)
*domain = smb_xstrdup(lp_workgroup());
-
+
if (!*password || !**password)
*password = smb_xstrdup("");
@@ -680,7 +703,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
{
const char *account_name;
const char *name = NULL;
-
+
/* If we are a DC and this is not our own domain */
if (IS_DC) {
@@ -690,10 +713,10 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
if (!our_domain)
return NT_STATUS_INVALID_SERVER_STATE;
-
+
name = our_domain->name;
}
-
+
if (!get_trust_pw_clear(name, machine_password,
&account_name, NULL))
{
@@ -715,7 +738,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
if (!our_domain) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
-
+
if (asprintf(machine_krb5_principal, "%s$@%s",
account_name, our_domain->alt_name) == -1)
{
@@ -852,7 +875,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, domain->name, machine_password);
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
goto session_setup_done;
}
}
@@ -877,7 +900,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, domain->name, machine_password);
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
goto session_setup_done;
}
}
@@ -914,6 +937,9 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
anon_fallback:
/* Fall back to anonymous connection, this might fail later */
+ DEBUG(10,("cm_prepare_connection: falling back to anonymous "
+ "connection for DC %s\n",
+ controller ));
if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
NULL, 0, ""))) {
@@ -1316,7 +1342,7 @@ static bool find_new_dc(TALLOC_CTX *mem_ctx,
TALLOC_FREE(dcnames);
num_dcnames = 0;
-
+
TALLOC_FREE(addrs);
num_addrs = 0;
@@ -1342,7 +1368,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
/* we have to check the server affinity cache here since
later we selecte a DC based on response time and not preference */
-
+
/* Check the negative connection cache
before talking to it. It going down may have
triggered the reconnection. */
@@ -1592,26 +1618,26 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
TALLOC_CTX *mem_ctx = NULL;
DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name ));
-
+
/* Our primary domain doesn't need to worry about trust flags.
Force it to go through the network setup */
if ( domain->primary ) {
return False;
}
-
+
our_domain = find_our_domain();
-
+
if ( !connection_ok(our_domain) ) {
DEBUG(3,("set_dc_type_and_flags_trustinfo: No connection to our domain!\n"));
return False;
}
/* This won't work unless our domain is AD */
-
+
if ( !our_domain->active_directory ) {
return False;
}
-
+
/* Use DsEnumerateDomainTrusts to get us the trust direction
and type */
@@ -1672,13 +1698,13 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
if ( !winbindd_can_contact_domain( domain) )
domain->internal = True;
-
+
break;
}
}
-
+
talloc_destroy( mem_ctx );
-
+
return domain->initialized;
}
@@ -1775,7 +1801,7 @@ no_dssetup:
result = rpccli_lsa_open_policy2(cli, mem_ctx, True,
SEC_RIGHTS_MAXIMUM_ALLOWED, &pol);
-
+
if (NT_STATUS_IS_OK(result)) {
/* This particular query is exactly what Win2k clients use
to determine that the DC is active directory */
@@ -1904,6 +1930,10 @@ static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
/* Return a pointer to the struct dcinfo from the
netlogon pipe. */
+ if (!domain->conn.netlogon_pipe->dc) {
+ return false;
+ }
+
*ppdc = domain->conn.netlogon_pipe->dc;
return True;
}
@@ -1930,6 +1960,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
goto done;
}
+
/*
* No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
* sign and sealed pipe using the machine account password by
@@ -2303,7 +2334,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
"was %s\n", nt_errstr(result)));
-
+
/* make sure we return something besides OK */
return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
}
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 1e8325f983..916e8c07c7 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -840,6 +840,111 @@ static void account_lockout_policy_handler(struct event_context *ctx,
child);
}
+static time_t get_machine_password_timeout(void)
+{
+ /* until we have gpo support use lp setting */
+ return lp_machine_password_timeout();
+}
+
+static bool calculate_next_machine_pwd_change(const char *domain,
+ struct timeval *t)
+{
+ time_t pass_last_set_time;
+ time_t timeout;
+ time_t next_change;
+ char *pw;
+
+ pw = secrets_fetch_machine_password(domain,
+ &pass_last_set_time,
+ NULL);
+
+ if (pw == NULL) {
+ DEBUG(0,("cannot fetch own machine password ????"));
+ return false;
+ }
+
+ SAFE_FREE(pw);
+
+ timeout = get_machine_password_timeout();
+ if (timeout == 0) {
+ DEBUG(10,("machine password never expires\n"));
+ return false;
+ }
+
+ if (time(NULL) < (pass_last_set_time + timeout)) {
+ next_change = pass_last_set_time + timeout;
+ DEBUG(10,("machine password still valid until: %s\n",
+ http_timestring(next_change)));
+ *t = timeval_set(next_change, 0);
+ return true;
+ }
+
+ DEBUG(10,("machine password expired, needs immediate change\n"));
+
+ *t = timeval_zero();
+
+ return true;
+}
+
+static void machine_password_change_handler(struct event_context *ctx,
+ struct timed_event *te,
+ const struct timeval *now,
+ void *private_data)
+{
+ struct winbindd_child *child =
+ (struct winbindd_child *)private_data;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ TALLOC_CTX *frame;
+ NTSTATUS result;
+ struct timeval next_change;
+
+ DEBUG(10,("machine_password_change_handler called\n"));
+
+ TALLOC_FREE(child->machine_password_change_event);
+
+ if (!calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ return;
+ }
+
+ if (!winbindd_can_contact_domain(child->domain)) {
+ DEBUG(10,("machine_password_change_handler: Removing myself since I "
+ "do not have an incoming trust to domain %s\n",
+ child->domain->name));
+ return;
+ }
+
+ result = cm_connect_netlogon(child->domain, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("machine_password_change_handler: "
+ "failed to connect netlogon pipe: %s\n",
+ nt_errstr(result)));
+ return;
+ }
+
+ frame = talloc_stackframe();
+
+ result = trust_pw_find_change_and_store_it(netlogon_pipe,
+ frame,
+ child->domain->name);
+ TALLOC_FREE(frame);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("machine_password_change_handler: "
+ "failed to change machine password: %s\n",
+ nt_errstr(result)));
+ } else {
+ DEBUG(10,("machine_password_change_handler: "
+ "successfully changed machine password\n"));
+ }
+
+ child->machine_password_change_event = event_add_timed(winbind_event_context(), NULL,
+ next_change,
+ "machine_password_change_handler",
+ machine_password_change_handler,
+ child);
+}
+
/* Deal with a request to go offline. */
static void child_msg_offline(struct messaging_context *msg,
@@ -1138,6 +1243,21 @@ static bool fork_domain_child(struct winbindd_child *child)
child);
}
+ if (child->domain && child->domain->primary &&
+ lp_server_role() == ROLE_DOMAIN_MEMBER) {
+
+ struct timeval next_change;
+
+ if (calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ child->machine_password_change_event = event_add_timed(
+ winbind_event_context(), NULL, next_change,
+ "machine_password_change_handler",
+ machine_password_change_handler,
+ child);
+ }
+ }
+
while (1) {
int ret;
diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
index 01a4054d44..50936c01a3 100644
--- a/source3/winbindd/winbindd_misc.c
+++ b/source3/winbindd/winbindd_misc.c
@@ -86,10 +86,7 @@ enum winbindd_result winbindd_dual_check_machine_acct(struct winbindd_domain *do
"good" : "bad"));
done:
- state->response.data.auth.nt_status = NT_STATUS_V(result);
- fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
- fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
- state->response.data.auth.pam_error = nt_status_to_pam(result);
+ set_auth_errors(&state->response, result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Checking the trust account password returned %s\n",
state->response.data.auth.nt_status_string));
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 0f9f1e1621..a7911f60aa 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -176,7 +176,7 @@ static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
}
fill_domain_username(state->response.data.auth.unix_username,
- nt_domain, nt_username, True);
+ nt_domain, nt_username, true);
DEBUG(5,("Setting unix username to [%s]\n",
state->response.data.auth.unix_username));
@@ -310,8 +310,8 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
TALLOC_FREE(frame);
- status = sid_array_from_info3(mem_ctx, info3,
- &token->user_sids,
+ status = sid_array_from_info3(mem_ctx, info3,
+ &token->user_sids,
&token->num_sids,
true, false);
if (!NT_STATUS_IS_OK(status)) {
@@ -338,13 +338,13 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
}
-
+
/* Do not distinguish this error from a wrong username/pw */
return NT_STATUS_LOGON_FAILURE;
}
-struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
+struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
const char *domain_name)
{
struct winbindd_domain *domain;
@@ -353,7 +353,7 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
DEBUG(3, ("Authentication for domain [%s] refused "
- "as it is not a trusted domain\n",
+ "as it is not a trusted domain\n",
domain_name));
}
return domain;
@@ -370,27 +370,30 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
- DEBUG(3, ("Authentication for domain [%s] skipped "
- "as it is not a trusted domain\n",
+ DEBUG(3, ("Authentication for domain [%s] skipped "
+ "as it is not a trusted domain\n",
domain_name));
} else {
return domain;
- }
+ }
}
return find_our_domain();
}
-static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
+static void fill_in_password_policy(struct winbindd_response *r,
+ const struct samr_DomInfo1 *p)
{
- resp->data.auth.nt_status = NT_STATUS_V(result);
- fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
-
- /* we might have given a more useful error above */
- if (*resp->data.auth.error_string == '\0')
- fstrcpy(resp->data.auth.error_string,
- get_friendly_nt_error_msg(result));
- resp->data.auth.pam_error = nt_status_to_pam(result);
+ r->data.auth.policy.min_length_password =
+ p->min_password_length;
+ r->data.auth.policy.password_history =
+ p->password_history_length;
+ r->data.auth.policy.password_properties =
+ p->password_properties;
+ r->data.auth.policy.expire =
+ nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
+ r->data.auth.policy.min_passwordage =
+ nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
}
static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
@@ -402,9 +405,9 @@ static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(5,("fillup_password_policy: No inbound trust to "
- "contact domain %s\n", domain->name));
+ "contact domain %s\n", domain->name));
return NT_STATUS_NOT_SUPPORTED;
- }
+ }
methods = domain->methods;
@@ -413,22 +416,13 @@ static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
return status;
}
- state->response.data.auth.policy.min_length_password =
- password_policy.min_password_length;
- state->response.data.auth.policy.password_history =
- password_policy.password_history_length;
- state->response.data.auth.policy.password_properties =
- password_policy.password_properties;
- state->response.data.auth.policy.expire =
- nt_time_to_unix_abs((NTTIME *)&(password_policy.max_password_age));
- state->response.data.auth.policy.min_passwordage =
- nt_time_to_unix_abs((NTTIME *)&(password_policy.min_password_age));
+ fill_in_password_policy(&state->response, &password_policy);
return NT_STATUS_OK;
}
-static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
+static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
uint16 *lockout_threshold)
{
struct winbindd_methods *methods;
@@ -449,8 +443,8 @@ static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain
return NT_STATUS_OK;
}
-static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
+static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
uint32 *password_properties)
{
struct winbindd_methods *methods;
@@ -473,7 +467,7 @@ static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
#ifdef HAVE_KRB5
-static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
+static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
const char *type,
uid_t uid,
bool *internal_ccache)
@@ -484,7 +478,7 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
const char *gen_cc = NULL;
- *internal_ccache = True;
+ *internal_ccache = true;
if (uid == -1) {
goto memory_ccache;
@@ -503,7 +497,7 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
goto memory_ccache;
}
- *internal_ccache = False;
+ *internal_ccache = false;
goto done;
memory_ccache:
@@ -532,11 +526,11 @@ static void setup_return_cc_name(struct winbindd_cli_state *state, const char *c
if (!strequal(type, "FILE") &&
!strequal(type, "WRFILE")) {
- DEBUG(10,("won't return krbccname for a %s type ccache\n",
+ DEBUG(10,("won't return krbccname for a %s type ccache\n",
type));
return;
}
-
+
fstrcpy(state->response.data.auth.krb5ccname, cc);
}
@@ -577,13 +571,13 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
uid_t uid = -1;
ADS_STRUCT *ads;
time_t time_offset = 0;
- bool internal_ccache = True;
+ bool internal_ccache = true;
ZERO_STRUCTP(info3);
*info3 = NULL;
-
- /* 1st step:
+
+ /* 1st step:
* prepare a krb5_cc_cache string for the user */
uid = get_uid_from_state(state);
@@ -593,31 +587,31 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
cc = generate_krb5_ccache(state->mem_ctx,
state->request.data.auth.krb5_cc_type,
- state->request.data.auth.uid,
+ state->request.data.auth.uid,
&internal_ccache);
if (cc == NULL) {
return NT_STATUS_NO_MEMORY;
}
- /* 2nd step:
+ /* 2nd step:
* get kerberos properties */
-
+
if (domain->private_data) {
ads = (ADS_STRUCT *)domain->private_data;
- time_offset = ads->auth.time_offset;
+ time_offset = ads->auth.time_offset;
}
- /* 3rd step:
+ /* 3rd step:
* do kerberos auth and setup ccache as the user */
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
realm = domain->alt_name;
strupper_m(realm);
-
- principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
+
+ principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
if (principal_s == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -644,8 +638,8 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
&ticket_lifetime,
&renewal_until,
cc,
- True,
- True,
+ true,
+ true,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
info3);
if (!internal_ccache) {
@@ -665,7 +659,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
* environment */
if (!internal_ccache) {
-
+
setup_return_cc_name(state, cc);
result = add_ccache_to_list(principal_s,
@@ -676,11 +670,11 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
uid,
time(NULL),
ticket_lifetime,
- renewal_until,
- False);
+ renewal_until,
+ false);
if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
+ DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
nt_errstr(result)));
}
} else {
@@ -737,12 +731,12 @@ static bool check_request_flags(uint32_t flags)
( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
!(flags & flags_edata) ) {
- return True;
+ return true;
}
DEBUG(1,("check_request_flags: invalid request flags[0x%08X]\n",flags));
- return False;
+ return false;
}
/****************************************************************
@@ -836,7 +830,7 @@ void winbindd_pam_auth(struct winbindd_cli_state *state)
}
/* Parse domain and username */
-
+
ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
if (!canonicalize_username(state->request.data.auth.user,
@@ -869,7 +863,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
struct netr_SamInfo3 **info3)
{
NTSTATUS result = NT_STATUS_LOGON_FAILURE;
- uint16 max_allowed_bad_attempts;
+ uint16 max_allowed_bad_attempts;
fstring name_domain, name_user;
DOM_SID sid;
enum lsa_SidType type;
@@ -878,7 +872,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
const uint8 *cached_salt;
struct netr_SamInfo3 *my_info3;
time_t kickoff_time, must_change_time;
- bool password_good = False;
+ bool password_good = false;
#ifdef HAVE_KRB5
struct winbindd_tdc_domain *tdc_domain = NULL;
#endif
@@ -890,7 +884,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
/* Parse domain and username */
-
+
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
@@ -908,10 +902,10 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
return NT_STATUS_LOGON_FAILURE;
}
- result = winbindd_get_creds(domain,
- state->mem_ctx,
- &sid,
- &my_info3,
+ result = winbindd_get_creds(domain,
+ state->mem_ctx,
+ &sid,
+ &my_info3,
&cached_nt_pass,
&cached_salt);
if (!NT_STATUS_IS_OK(result)) {
@@ -936,42 +930,42 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
E_md5hash(cached_salt, new_nt_pass, salted_hash);
password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0) ?
- True : False;
+ true : false;
} else {
/* Old cached cred - direct store of nt_hash (bad bad bad !). */
password_good = (memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN) == 0) ?
- True : False;
+ true : false;
}
if (password_good) {
/* User *DOES* know the password, update logon_time and reset
* bad_pw_count */
-
+
my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
-
+
if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
return NT_STATUS_ACCOUNT_LOCKED_OUT;
}
-
+
if (my_info3->base.acct_flags & ACB_DISABLED) {
return NT_STATUS_ACCOUNT_DISABLED;
}
-
+
if (my_info3->base.acct_flags & ACB_WSTRUST) {
return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
}
-
+
if (my_info3->base.acct_flags & ACB_SVRTRUST) {
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
}
-
+
if (my_info3->base.acct_flags & ACB_DOMTRUST) {
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
- DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
+ DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
my_info3->base.acct_flags));
return NT_STATUS_LOGON_FAILURE;
}
@@ -988,7 +982,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
/* return NT_STATUS_PASSWORD_EXPIRED; */
goto success;
}
-
+
#ifdef HAVE_KRB5
if ((state->request.flags & WBFLAG_PAM_KRB5) &&
((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
@@ -999,7 +993,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
char *realm = NULL;
const char *principal_s = NULL;
const char *service = NULL;
- bool internal_ccache = False;
+ bool internal_ccache = false;
uid = get_uid_from_state(state);
if (uid == -1) {
@@ -1041,7 +1035,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
time(NULL),
time(NULL) + lp_winbind_cache_time(),
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- True);
+ true);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
@@ -1113,7 +1107,7 @@ failed:
my_info3);
if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
+ DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
nt_errstr(result)));
}
@@ -1121,7 +1115,7 @@ failed:
}
NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
- struct winbindd_cli_state *state,
+ struct winbindd_cli_state *state,
struct netr_SamInfo3 **info3)
{
struct winbindd_domain *contact_domain;
@@ -1129,38 +1123,38 @@ NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
NTSTATUS result;
DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
-
+
/* Parse domain and username */
-
+
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
/* what domain should we contact? */
-
+
if ( IS_DC ) {
if (!(contact_domain = find_domain_from_name(name_domain))) {
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
- state->request.data.auth.user, name_domain, name_user, name_domain));
+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+ state->request.data.auth.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
-
+
} else {
if (is_myname(name_domain)) {
DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
-
+
contact_domain = find_domain_from_name(name_domain);
if (contact_domain == NULL) {
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
- state->request.data.auth.user, name_domain, name_user, name_domain));
+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+ state->request.data.auth.user, name_domain, name_user, name_domain));
contact_domain = find_our_domain();
}
}
- if (contact_domain->initialized &&
+ if (contact_domain->initialized &&
contact_domain->active_directory) {
goto try_login;
}
@@ -1212,13 +1206,13 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
*info3 = NULL;
DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
-
+
/* Parse domain and username */
-
+
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
/* do password magic */
-
+
generate_random_buffer(chal, 8);
if (lp_client_ntlmv2_auth()) {
@@ -1226,17 +1220,17 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
DATA_BLOB names_blob;
DATA_BLOB nt_response;
DATA_BLOB lm_response;
- server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
-
+ server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
+
/* note that the 'workgroup' here is a best guess - we don't know
the server's domain at this point. The 'server name' is also
- dodgy...
+ dodgy...
*/
names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
-
- if (!SMBNTLMv2encrypt(name_user, name_domain,
- state->request.data.auth.pass,
- &server_chal,
+
+ if (!SMBNTLMv2encrypt(name_user, name_domain,
+ state->request.data.auth.pass,
+ &server_chal,
&names_blob,
&lm_response, &nt_response, NULL)) {
data_blob_free(&names_blob);
@@ -1255,35 +1249,35 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
data_blob_free(&nt_response);
} else {
- if (lp_client_lanman_auth()
- && SMBencrypt(state->request.data.auth.pass,
- chal,
+ if (lp_client_lanman_auth()
+ && SMBencrypt(state->request.data.auth.pass,
+ chal,
local_lm_response)) {
- lm_resp = data_blob_talloc(state->mem_ctx,
- local_lm_response,
+ lm_resp = data_blob_talloc(state->mem_ctx,
+ local_lm_response,
sizeof(local_lm_response));
} else {
lm_resp = data_blob_null;
}
- SMBNTencrypt(state->request.data.auth.pass,
+ SMBNTencrypt(state->request.data.auth.pass,
chal,
local_nt_response);
- nt_resp = data_blob_talloc(state->mem_ctx,
- local_nt_response,
+ nt_resp = data_blob_talloc(state->mem_ctx,
+ local_nt_response,
sizeof(local_nt_response));
}
-
+
/* what domain should we contact? */
-
+
if ( IS_DC ) {
if (!(contact_domain = find_domain_from_name(name_domain))) {
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
- state->request.data.auth.user, name_domain, name_user, name_domain));
+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+ state->request.data.auth.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
-
+
} else {
if (is_myname(name_domain)) {
DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
@@ -1300,7 +1294,7 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
netlogon_fn_t logon_fn;
ZERO_STRUCTP(my_info3);
- retry = False;
+ retry = false;
result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
@@ -1312,7 +1306,7 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
/* It is really important to try SamLogonEx here,
* because in a clustered environment, we want to use
* one machine account from multiple physical
- * computers.
+ * computers.
*
* With a normal SamLogon call, we must keep the
* credentials chain updated and intact between all
@@ -1326,7 +1320,7 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
* When using SamLogonEx, the credentials are not
* supplied, but the session key is implied by the
* wrapping SamLogon context.
- *
+ *
* -- abartlet 21 April 2008
*/
@@ -1351,8 +1345,8 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
&& contact_domain->can_do_samlogon_ex) {
DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
"retrying with NetSamLogon\n"));
- contact_domain->can_do_samlogon_ex = False;
- retry = True;
+ contact_domain->can_do_samlogon_ex = false;
+ retry = true;
continue;
}
@@ -1361,15 +1355,15 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
our connection. */
if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
- retry = True;
+ retry = true;
continue;
}
-
+
/* if we get access denied, a possible cause was that we had
and open connection to the DC, but someone changed our
machine account password out from underneath us using 'net
rpc changetrustpw' */
-
+
if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
DEBUG(3,("winbindd_pam_auth: sam_logon returned "
"ACCESS_DENIED. Maybe the trust account "
@@ -1377,16 +1371,16 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
"Killing connections to domain %s\n",
name_domain));
invalidate_cm_connection(&contact_domain->conn);
- retry = True;
- }
-
+ retry = true;
+ }
+
} while ( (attempts < 2) && retry );
/* handle the case where a NT4 DC does not fill in the acct_flags in
* the samlogon reply info3. When accurate info3 is required by the
* caller, we look up the account flags ourselve - gd */
- if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) &&
+ if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) &&
NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
struct rpc_pipe_client *samr_pipe;
@@ -1395,11 +1389,11 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
NTSTATUS status_tmp;
uint32 acct_flags;
- status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
+ status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
&samr_pipe, &samr_domain_handle);
if (!NT_STATUS_IS_OK(status_tmp)) {
- DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
+ DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
nt_errstr(status_tmp)));
goto done;
}
@@ -1448,10 +1442,10 @@ done:
}
enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
+ struct winbindd_cli_state *state)
{
NTSTATUS result = NT_STATUS_LOGON_FAILURE;
- NTSTATUS krb5_result = NT_STATUS_OK;
+ NTSTATUS krb5_result = NT_STATUS_OK;
fstring name_domain, name_user;
struct netr_SamInfo3 *info3 = NULL;
@@ -1470,12 +1464,12 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
}
/* Parse domain and username */
-
+
ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
parse_domain_user(state->request.data.auth.user, name_domain, name_user);
- if (domain->online == False) {
+ if (domain->online == false) {
result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
if (domain->startup) {
/* Logons are very important to users. If we're offline and
@@ -1494,11 +1488,11 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
/* Check for Kerberos authentication */
if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) {
-
+
result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
/* save for later */
krb5_result = result;
-
+
if (NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
@@ -1512,7 +1506,7 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
set_domain_offline( domain );
- goto cached_logon;
+ goto cached_logon;
}
/* there are quite some NT_STATUS errors where there is no
@@ -1531,7 +1525,7 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
goto process_result;
}
-
+
if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
DEBUG(3,("falling back to samlogon\n"));
goto sam_logon;
@@ -1544,7 +1538,7 @@ sam_logon:
/* Check for Samlogon authentication */
if (domain->online) {
result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
-
+
if (NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
/* add the Krb5 err if we have one */
@@ -1552,18 +1546,18 @@ sam_logon:
info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
}
goto process_result;
- }
+ }
- DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
+ DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
nt_errstr(result)));
if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
- NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
+ NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
{
DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
set_domain_offline( domain );
- goto cached_logon;
+ goto cached_logon;
}
if (domain->online) {
@@ -1574,9 +1568,9 @@ sam_logon:
cached_logon:
/* Check for Cached logons */
- if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
+ if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
lp_winbind_offline_logon()) {
-
+
result = winbindd_dual_pam_auth_cached(domain, state, &info3);
if (NT_STATUS_IS_OK(result)) {
@@ -1591,7 +1585,7 @@ cached_logon:
process_result:
if (NT_STATUS_IS_OK(result)) {
-
+
DOM_SID user_sid;
/* In all codepaths where result == NT_STATUS_OK info3 must have
@@ -1608,19 +1602,19 @@ process_result:
this is our primary domain so we don't invalidate
the cache entry by storing the seq_num for the wrong
domain). */
- if ( domain->primary ) {
+ if ( domain->primary ) {
sid_compose(&user_sid, info3->base.domain_sid,
info3->base.rid);
- cache_name2sid(domain, name_domain, name_user,
+ cache_name2sid(domain, name_domain, name_user,
SID_NAME_USER, &user_sid);
}
-
+
/* Check if the user is in the right group */
if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
state->request.data.auth.require_membership_of_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
- state->request.data.auth.user,
+ state->request.data.auth.user,
state->request.data.auth.require_membership_of_sid));
goto done;
}
@@ -1665,8 +1659,8 @@ process_result:
/* This is not entirely correct I believe, but it is
consistent. Only apply the password policy settings
- too warn users for our own domain. Cannot obtain these
- from trusted DCs all the time so don't do it at all.
+ too warn users for our own domain. Cannot obtain these
+ from trusted DCs all the time so don't do it at all.
-- jerry */
result = NT_STATUS_NOT_SUPPORTED;
@@ -1674,16 +1668,16 @@ process_result:
result = fillup_password_policy(our_domain, state);
}
- if (!NT_STATUS_IS_OK(result)
- && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
+ if (!NT_STATUS_IS_OK(result)
+ && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
{
- DEBUG(10,("Failed to get password policies for domain %s: %s\n",
+ DEBUG(10,("Failed to get password policies for domain %s: %s\n",
domain->name, nt_errstr(result)));
goto done;
}
}
- result = NT_STATUS_OK;
+ result = NT_STATUS_OK;
}
done:
@@ -1692,26 +1686,20 @@ done:
(NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
result = NT_STATUS_NO_LOGON_SERVERS;
}
-
- state->response.data.auth.nt_status = NT_STATUS_V(result);
- fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
- /* we might have given a more useful error above */
- if (!*state->response.data.auth.error_string)
- fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
- state->response.data.auth.pam_error = nt_status_to_pam(result);
+ set_auth_errors(&state->response, result);
- DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
- state->request.data.auth.user,
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
+ state->request.data.auth.user,
state->response.data.auth.nt_status_string,
- state->response.data.auth.pam_error));
+ state->response.data.auth.pam_error));
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
/**********************************************************************
- Challenge Response Authentication Protocol
+ Challenge Response Authentication Protocol
**********************************************************************/
void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
@@ -1775,7 +1763,7 @@ void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
set_auth_errors(&state->response, result);
DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
state->request.data.auth_crap.domain,
- state->request.data.auth_crap.user,
+ state->request.data.auth_crap.user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
request_error(state);
@@ -1784,7 +1772,7 @@ void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
+ struct winbindd_cli_state *state)
{
NTSTATUS result;
struct netr_SamInfo3 *info3 = NULL;
@@ -1817,7 +1805,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
} else if (lp_winbind_use_default_domain()) {
name_domain = lp_workgroup();
} else {
- DEBUG(5,("no domain specified with username (%s) - failing auth\n",
+ DEBUG(5,("no domain specified with username (%s) - failing auth\n",
name_user));
result = NT_STATUS_NO_SUCH_USER;
goto done;
@@ -1825,7 +1813,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
name_domain, name_user));
-
+
if (*state->request.data.auth_crap.workstation) {
workstation = state->request.data.auth_crap.workstation;
} else {
@@ -1834,8 +1822,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
|| state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
- DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
- state->request.data.auth_crap.lm_resp_len,
+ DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
+ state->request.data.auth_crap.lm_resp_len,
state->request.data.auth_crap.nt_resp_len));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
@@ -1847,11 +1835,11 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
state->request.data.auth_crap.nt_resp_len);
/* what domain should we contact? */
-
+
if ( IS_DC ) {
if (!(contact_domain = find_domain_from_name(name_domain))) {
- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
- state->request.data.auth_crap.user, name_domain, name_user, name_domain));
+ DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+ state->request.data.auth_crap.user, name_domain, name_user, name_domain));
result = NT_STATUS_NO_SUCH_USER;
goto done;
}
@@ -1867,7 +1855,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
do {
netlogon_fn_t logon_fn;
- retry = False;
+ retry = false;
netlogon_pipe = NULL;
result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
@@ -1887,7 +1875,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
state->request.data.auth_crap.logon_parameters,
contact_domain->dcname,
name_user,
- name_domain,
+ name_domain,
/* Bug #3248 - found by Stefan Burkei. */
workstation, /* We carefully set this above so use it... */
state->request.data.auth_crap.chal,
@@ -1899,8 +1887,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
&& contact_domain->can_do_samlogon_ex) {
DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
"retrying with NetSamLogon\n"));
- contact_domain->can_do_samlogon_ex = False;
- retry = True;
+ contact_domain->can_do_samlogon_ex = false;
+ retry = true;
continue;
}
@@ -1911,14 +1899,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
our connection. */
if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
- retry = True;
+ retry = true;
continue;
}
/* if we get access denied, a possible cause was that we had and open
connection to the DC, but someone changed our machine account password
out from underneath us using 'net rpc changetrustpw' */
-
+
if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
DEBUG(3,("winbindd_pam_auth: sam_logon returned "
"ACCESS_DENIED. Maybe the trust account "
@@ -1926,8 +1914,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
"Killing connections to domain %s\n",
name_domain));
invalidate_cm_connection(&contact_domain->conn);
- retry = True;
- }
+ retry = true;
+ }
} while ( (attempts < 2) && retry );
@@ -1942,7 +1930,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
state->request.data.auth_crap.require_membership_of_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so "
"crap authentication is rejected\n",
- state->request.data.auth_crap.user,
+ state->request.data.auth_crap.user,
state->request.data.auth_crap.require_membership_of_sid));
goto done;
}
@@ -1965,21 +1953,14 @@ done:
result = nt_status_squash(result);
}
- state->response.data.auth.nt_status = NT_STATUS_V(result);
- fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
-
- /* we might have given a more useful error above */
- if (!*state->response.data.auth.error_string) {
- fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
- }
- state->response.data.auth.pam_error = nt_status_to_pam(result);
+ set_auth_errors(&state->response, result);
- DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
- ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
name_domain,
name_user,
state->response.data.auth.nt_status_string,
- state->response.data.auth.pam_error));
+ state->response.data.auth.pam_error));
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
@@ -2002,7 +1983,7 @@ void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
"(PAM: %d)\n",
- state->request.data.auth.user,
+ state->request.data.auth.user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
request_error(state);
@@ -2012,8 +1993,8 @@ void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
contact_domain = find_domain_from_name(domain);
if (!contact_domain) {
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
- DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
- state->request.data.chauthtok.user, domain, user, domain));
+ DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
+ state->request.data.chauthtok.user, domain, user, domain));
request_error(state);
return;
}
@@ -2028,7 +2009,7 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
char *newpass = NULL;
POLICY_HND dom_pol;
struct rpc_pipe_client *cli;
- bool got_info = False;
+ bool got_info = false;
struct samr_DomInfo1 *info = NULL;
struct samr_ChangeReject *reject = NULL;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@@ -2068,21 +2049,13 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
/* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
- state->response.data.auth.policy.min_length_password =
- info->min_password_length;
- state->response.data.auth.policy.password_history =
- info->password_history_length;
- state->response.data.auth.policy.password_properties =
- info->password_properties;
- state->response.data.auth.policy.expire =
- nt_time_to_unix_abs((NTTIME *)&info->max_password_age);
- state->response.data.auth.policy.min_passwordage =
- nt_time_to_unix_abs((NTTIME *)&info->min_password_age);
+
+ fill_in_password_policy(&state->response, info);
state->response.data.auth.reject_reason =
reject->reason;
- got_info = True;
+ got_info = true;
}
/* only fallback when the chgpasswd_user3 call is not supported */
@@ -2092,18 +2065,18 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
nt_errstr(result)));
-
+
result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
/* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
Map to the same status code as Windows 2003. */
if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
- result = NT_STATUS_PASSWORD_RESTRICTION;
+ result = NT_STATUS_PASSWORD_RESTRICTION;
}
}
-done:
+done:
if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
@@ -2151,7 +2124,7 @@ done:
if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
NTSTATUS policy_ret;
-
+
policy_ret = fillup_password_policy(contact_domain, state);
/* failure of this is non critical, it will just provide no
@@ -2166,17 +2139,14 @@ done:
process_result:
- state->response.data.auth.nt_status = NT_STATUS_V(result);
- fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
- fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
- state->response.data.auth.pam_error = nt_status_to_pam(result);
+ set_auth_errors(&state->response, result);
- DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
- ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
domain,
user,
state->response.data.auth.nt_status_string,
- state->response.data.auth.pam_error));
+ state->response.data.auth.pam_error));
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
@@ -2211,7 +2181,7 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state)
}
if ((sys_getpeereid(state->sock, &caller_uid)) != 0) {
- DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
+ DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
strerror(errno)));
goto failed;
}
@@ -2247,7 +2217,7 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state)
}
enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
+ struct winbindd_cli_state *state)
{
NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
@@ -2265,7 +2235,7 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
}
#ifdef HAVE_KRB5
-
+
if (state->request.data.logoff.uid < 0) {
DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
goto process_result;
@@ -2280,7 +2250,7 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
goto process_result;
}
- if (!ccache_entry_identical(state->request.data.logoff.user,
+ if (!ccache_entry_identical(state->request.data.logoff.user,
state->request.data.logoff.uid,
state->request.data.logoff.krb5ccname)) {
DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
@@ -2302,10 +2272,7 @@ process_result:
winbindd_delete_memory_creds(state->request.data.logoff.user);
- state->response.data.auth.nt_status = NT_STATUS_V(result);
- fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
- fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
- state->response.data.auth.pam_error = nt_status_to_pam(result);
+ set_auth_errors(&state->response, result);
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
@@ -2322,12 +2289,12 @@ void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
state->request.data.chng_pswd_auth_crap.domain[
sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
-
+
DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
(unsigned long)state->pid,
state->request.data.chng_pswd_auth_crap.domain,
state->request.data.chng_pswd_auth_crap.user));
-
+
if (*state->request.data.chng_pswd_auth_crap.domain != '\0') {
domain_name = state->request.data.chng_pswd_auth_crap.domain;
} else if (lp_winbind_use_default_domain()) {
@@ -2347,7 +2314,7 @@ void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
DEBUG(5, ("CRAP change password for %s\\%s returned %s (PAM: %d)\n",
state->request.data.chng_pswd_auth_crap.domain,
- state->request.data.chng_pswd_auth_crap.user,
+ state->request.data.chng_pswd_auth_crap.user,
state->response.data.auth.nt_status_string,
state->response.data.auth.pam_error));
request_error(state);
@@ -2373,7 +2340,7 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
*domain = 0;
*user = 0;
-
+
DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
(unsigned long)state->pid,
state->request.data.chng_pswd_auth_crap.domain,
@@ -2411,7 +2378,7 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
(unsigned long)state->pid, domain, user));
-
+
/* Change password */
new_nt_password = data_blob_talloc(
state->mem_ctx,
@@ -2450,18 +2417,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
new_lm_password, old_lm_hash_enc);
- done:
- state->response.data.auth.nt_status = NT_STATUS_V(result);
- fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
- fstrcpy(state->response.data.auth.error_string,
- get_friendly_nt_error_msg(result));
- state->response.data.auth.pam_error = nt_status_to_pam(result);
+ done:
+
+ set_auth_errors(&state->response, result);
- DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
- ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
+ DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
+ ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
domain, user,
state->response.data.auth.nt_status_string,
- state->response.data.auth.pam_error));
+ state->response.data.auth.pam_error));
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 0e0db3e859..c5b7b07931 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -590,6 +590,7 @@ void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain);
void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain);
void winbindd_set_locator_kdc_envs(const struct winbindd_domain *domain);
void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain);
+void set_auth_errors(struct winbindd_response *resp, NTSTATUS result);
/* The following definitions come from winbindd/winbindd_wins.c */
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 77b17787c9..83c5053f78 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -180,11 +180,11 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
domain->initialized = False;
domain->online = is_internal_domain(sid);
domain->check_online_timeout = 0;
+ domain->dc_probe_pid = (pid_t)-1;
if (sid) {
sid_copy(&domain->sid, sid);
}
-
/* Link to domain list */
DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
@@ -1544,3 +1544,15 @@ void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
}
#endif /* HAVE_KRB5_LOCATE_PLUGIN_H */
+
+void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
+{
+ resp->data.auth.nt_status = NT_STATUS_V(result);
+ fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
+
+ /* we might have given a more useful error above */
+ if (*resp->data.auth.error_string == '\0')
+ fstrcpy(resp->data.auth.error_string,
+ get_friendly_nt_error_msg(result));
+ resp->data.auth.pam_error = nt_status_to_pam(result);
+}