From da70f8ab1ec840bbdcc73c22c4d4c54705c83980 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 24 Jun 2008 18:01:59 -0700
Subject: Fix for bug #5551, smbd recursing back into winbindd from a winbindd call.
Jeremy.
(This used to be commit a07fe72538e8e724b9736d5a85cc590864c5cab2)
---
 source3/auth/auth_util.c | 79 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 66 insertions(+), 13 deletions(-)
(limited to 'source3/auth/auth_util.c')
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f3fccb0a88..b1558bceac 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -493,27 +493,51 @@ static char *sanitize_username(TALLOC_CTX *mem_ctx, const char *username)
 	return talloc_strdup(mem_ctx, tmp);
 }
 
+/***************************************************************************
+ Is the incoming username our own machine account ?
+ If so, the connection is almost certainly from winbindd.
+***************************************************************************/
+
+static bool is_our_machine_account(const char *username)
+{
+	bool ret;
+	char *truncname = NULL;
+	size_t ulen = strlen(username);
+
+	if (ulen == 0 || username[ulen-1] != '$') {
+		return false;
+	}
+	truncname = SMB_STRDUP(username);
+	if (!truncname) {
+		return false;
+	}
+	truncname[ulen-1] = '\0';
+	ret = strequal(truncname, global_myname());
+	SAFE_FREE(truncname);
+	return ret;
+}
+
 /***************************************************************************
  Make (and fill) a user_info struct from a struct samu
 ***************************************************************************/
 
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, 
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 			      struct samu *sampass)
 {
-	NTSTATUS status;
 	struct passwd *pwd;
 	gid_t *gids;
 	auth_serversupplied_info *result;
 	int i;
 	size_t num_gids;
 	DOM_SID unix_group_sid;
-	
+	const char *username = pdb_get_username(sampass);
+	NTSTATUS status;
 
 	if ( !(result = make_server_info(NULL)) ) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
+	if ( !(pwd = getpwnam_alloc(result, username)) ) {
 		DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
 			  pdb_get_username(sampass)));
 		TALLOC_FREE(result);
@@ -528,7 +552,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 	talloc_steal(result, pwd->pw_name);
 	result->utok.gid = pwd->pw_gid;
 	result->utok.uid = pwd->pw_uid;
-	
+
 	TALLOC_FREE(pwd);
 
 	result->sanitized_username = sanitize_username(result,
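Review bot: `is_our_machine_account()` calls `strlen(username)` before any NULL check, and the new caller hands it `username = pdb_get_username(sampass)` unchanged; if that accessor can return NULL for a sam entry, the `ulen == 0` guard comes too late. A leading `if (username == NULL) { return false; }` closes that and makes the "not our account" default explicit, which is the conservative direction since the caller then keeps the normal group-enumeration path (the `SMB_STRDUP` failure branch already falls that way). The heap copy exists only so `strequal()` can compare the name minus its trailing `$`, and `strequal()` is, as far as I recall, case-insensitive, so a header comment stating that this is a case-insensitive name check only — presumably run after the password has already been verified, so it identifies the account rather than proving the peer is winbindd — would stop a later reader from treating it as a stronger origin check. Separately, the `DEBUG(1, ...)` after the `getpwnam_alloc()` call still formats `pdb_get_username(sampass)` while the call itself now uses `username`; using `username` in both keeps them in step.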
@@ -538,18 +562,47 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = pdb_enum_group_memberships(result, sampass,
+	if (IS_DC && is_our_machine_account(username)) {
+		/*
+		 * Ensure for a connection from our own
+		 * machine account (from winbindd on a DC)
+		 * there are no supplementary groups.
+		 * Prevents loops in calling gid_to_sid().
+		 */
+		result->sids = NULL;
+		gids = NULL;
+		result->num_sids = 0;
+
+		/*
+		 * This is a hack of monstrous proportions.
+		 * If we know it's winbindd talking to us,
+		 * we know we must never recurse into it,
+		 * so turn off contacting winbindd for this
+		 * entire process. This will get fixed when
+		 * winbindd doesn't need to talk to smbd on
+		 * a PDC. JRA.
+		 */
+
+		winbind_off();
+
+		DEBUG(10, ("make_server_info_sam: our machine account %s "
+			"setting supplementary group list empty and "
+			"turning off winbindd requests.\n",
+			username));
+	} else {
+		status = pdb_enum_group_memberships(result, sampass,
 					    &result->sids, &gids,
 					    &result->num_sids);
 
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
-			   nt_errstr(status)));
-		result->sam_account = NULL; /* Don't free on error exit. */
-		TALLOC_FREE(result);
-		return status;
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
+				   nt_errstr(status)));
+			result->sam_account = NULL; /* Don't free on error exit. */
+			TALLOC_FREE(result);
+			return status;
+		}
 	}
-	
+
 	/* Add the "Unix Group" SID for each gid to catch mapped groups
 	   and their Unix equivalent.  This is to solve the backwards
 	   compatibility problem of 'valid users = +ntadmin' where
-- cgit
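Review bot: In the new `IS_DC && is_our_machine_account(username)` branch `gids` is set to NULL but `num_gids` is left as declared, so the loop that follows the `Add the "Unix Group" SID` comment is only safe if it takes its bound from `result->num_sids` (zeroed here) rather than from `num_gids`; that loop lies outside this hunk, so it should be checked, and a comment such as `/* num_sids == 0: the gid loop below must not touch gids */` next to `gids = NULL;` would pin the assumption. `winbind_off()` is never paired with a `winbind_on()` in this function, so every later lookup in this process that would have gone to winbindd now silently takes the local fallback; the block comment explains why, but the level-10 DEBUG is the only trace an administrator has that a connection was handled in this degraded mode, so logging it at a level that is on during normal troubleshooting (for example `DEBUG(3, (...))`) would make the condition observable. `status` is assigned only in the `else` branch; if it is read after this hunk (the function continues past it), it is uninitialized on the machine-account path, and initializing it with `NTSTATUS status = NT_STATUS_OK;` at its declaration in the first hunk removes that risk.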