From d86b5fff06bdb899e1a197b534e2037792d09dc4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 18 Aug 2002 15:46:03 +0000 Subject: be a bit more paranoid about not getting duplicate domain names (can happen when the LDAP call to get the flatname for the primary domain fails) (This used to be commit 8d40f34e2f5188f15f414e807d023bfea7bd8c8e) --- source3/nsswitch/winbindd_util.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index daa3abb340..2016c27881 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -83,10 +83,16 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const /* We can't call domain_list() as this function is called from init_domain_list() and we'll get stuck in a loop. */ for (domain = _domain_list; domain; domain = domain->next) { - if (strcmp(domain_name, domain->name) == 0 || - strcmp(domain_name, domain->alt_name) == 0) { + if (strcasecmp(domain_name, domain->name) == 0 || + strcasecmp(domain_name, domain->alt_name) == 0) { return domain; } + if (alt_name && *alt_name) { + if (strcasecmp(alt_name, domain->name) == 0 || + strcasecmp(alt_name, domain->alt_name) == 0) { + return domain; + } + } } /* Create new domain entry */ -- cgit From d3aa76cef528a15571cade12ebdd10973f4ca579 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 21 Aug 2002 19:59:23 +0000 Subject: Patch from Paul Green to be more POSIX-compatible (This used to be commit addf29e6765393b25c35bd833d29e29e4581c233) --- source3/nsswitch/winbind_nss_config.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbind_nss_config.h b/source3/nsswitch/winbind_nss_config.h index b9c738211e..00cd5c12e4 100644 --- a/source3/nsswitch/winbind_nss_config.h +++ b/source3/nsswitch/winbind_nss_config.h @@ -38,6 +38,10 @@ #include #endif +#ifdef HAVE_SYS_SELECT_H +#include +#endif + #ifdef HAVE_SYS_SOCKET_H #include #endif -- cgit From 55315b4b4e0f25ab9d77228219b8a4f8ceee6b29 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 23 Aug 2002 13:38:00 +0000 Subject: Moved calculation of secure channel type into a new function. (This used to be commit b8dba26978c281259e02b9d6ebacaa7cba4f7787) --- source3/nsswitch/winbindd_cm.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 2dec9f0558..ddab850cf0 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -870,8 +870,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, return result; } - result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ? - SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd); + result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0, ("error connecting to domain password server: %s\n", @@ -884,8 +883,8 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, } /* Try again */ - result = cli_nt_setup_creds(conn->cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ? - SEC_CHAN_WKSTA : SEC_CHAN_BDC, trust_passwd); + result = cli_nt_setup_creds( + conn->cli, get_sec_chan(),trust_passwd); } if (!NT_STATUS_IS_OK(result)) { -- cgit From 4896421e30c15fa9d313c319e23275bb48e333fc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 27 Aug 2002 19:43:19 +0000 Subject: Fix typo in debug. (This used to be commit 86433a3492a3b70a051257940ae28ada8788a650) --- source3/nsswitch/winbindd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 256c0203c0..a3ffd1424b 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -628,7 +628,7 @@ static void process_loop(int accept_sock) if (state->read_buf_len >= sizeof(uint32) && *(uint32 *) &state->request != sizeof(state->request)) { - DEBUG(0,("process_loop: Invalid request size (%d) send, should be (%d)\n", + DEBUG(0,("process_loop: Invalid request size (%d) sent, should be (%d)\n", *(uint32 *) &state->request, sizeof(state->request))); remove_client(state); -- cgit From 1ddc80f1b920b5c36d2ac3e0b5b32bfb02caa782 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 29 Aug 2002 16:36:37 +0000 Subject: Use popt for --help (This used to be commit 073106ad25fba8c8aaa57c296ce8e7cb7b3e3e97) --- source3/nsswitch/wbinfo.c | 78 +++++++++++++++-------------------------------- 1 file changed, 24 insertions(+), 54 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index 4d36acc51b..d7d70b9e52 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -619,32 +619,6 @@ static BOOL wbinfo_ping(void) return result == NSS_STATUS_SUCCESS; } -/* Print program usage */ - -static void usage(void) -{ - d_printf("Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm " - "| -[aA] user%%password\n"); - d_printf("\t-u\t\t\tlists all domain users\n"); - d_printf("\t-g\t\t\tlists all domain groups\n"); - d_printf("\t-n name\t\t\tconverts name to sid\n"); - d_printf("\t-s sid\t\t\tconverts sid to name\n"); - d_printf("\t-N name\t\t\tconverts NetBIOS name to IP (WINS)\n"); - d_printf("\t-I name\t\t\tconverts IP address to NetBIOS name (WINS)\n"); - d_printf("\t-U uid\t\t\tconverts uid to sid\n"); - d_printf("\t-G gid\t\t\tconverts gid to sid\n"); - d_printf("\t-S sid\t\t\tconverts sid to uid\n"); - d_printf("\t-Y sid\t\t\tconverts sid to gid\n"); - d_printf("\t-t\t\t\tcheck shared secret\n"); - d_printf("\t-m\t\t\tlist trusted domains\n"); - d_printf("\t-r user\t\t\tget user groups\n"); - d_printf("\t-a user%%password\tauthenticate user\n"); - d_printf("\t-A user%%password\tstore user and password used by winbindd (root only)\n"); - d_printf("\t-p\t\t\t'ping' winbindd to see if it is alive\n"); - d_printf("\t--sequence\t\tshow sequence numbers of all domains\n"); - d_printf("\t--set-auth-user DOMAIN\\user%%password\tset password for restrict anonymous\n"); -} - /* Main program */ enum { @@ -664,28 +638,28 @@ int main(int argc, char **argv) int result = 1; struct poptOption long_options[] = { + POPT_AUTOHELP /* longName, shortName, argInfo, argPtr, value, descrip, argDesc */ - { "help", 'h', POPT_ARG_NONE, 0, 'h' }, - { "domain-users", 'u', POPT_ARG_NONE, 0, 'u' }, - { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g' }, - { "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N' }, - { "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I' }, - { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n' }, - { "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's' }, - { "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U' }, - { "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G' }, - { "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S' }, - { "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y' }, - { "check-secret", 't', POPT_ARG_NONE, 0, 't' }, - { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm' }, - { "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE }, - { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r' }, - { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a' }, - { "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER }, - { "ping", 'p', POPT_ARG_NONE, 0, 'p' }, + { "domain-users", 'u', POPT_ARG_NONE, 0, 'u', "Lists all domain users"}, + { "domain-groups", 'g', POPT_ARG_NONE, 0, 'g', "Lists all domain groups" }, + { "WINS-by-name", 'N', POPT_ARG_STRING, &string_arg, 'N', "Converts NetBIOS name to IP (WINS)" }, + { "WINS-by-ip", 'I', POPT_ARG_STRING, &string_arg, 'I', "Converts IP address to NetBIOS name (WINS)" }, + { "name-to-sid", 'n', POPT_ARG_STRING, &string_arg, 'n', "Converts name to sid" }, + { "sid-to-name", 's', POPT_ARG_STRING, &string_arg, 's', "Converts sid to name" }, + { "uid-to-sid", 'U', POPT_ARG_INT, &int_arg, 'U', "Converts uid to sid" }, + { "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G', "Converts gid to sid" }, + { "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S', "Converts sid to uid" }, + { "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y', "Converts sid to gid" }, + { "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" }, + { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" }, + { "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "show sequence numbers of all domains" }, + { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r', "Get user groups" }, + { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" }, + { "set-auth-user", 'A', POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" }, + { "ping", 'p', POPT_ARG_NONE, 0, 'p', "'ping' winbindd to see if it is alive" }, { 0, 0, 0, 0 } }; @@ -708,17 +682,17 @@ int main(int argc, char **argv) load_interfaces(); + /* Parse options */ + + pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0); + /* Parse command line options */ if (argc == 1) { - usage(); + poptPrintHelp(pc, stderr, 0); return 1; } - /* Parse options */ - - pc = poptGetContext("wbinfo", argc, (const char **)argv, long_options, 0); - while((opt = poptGetNextOpt(pc)) != -1) { if (got_command) { d_fprintf(stderr, "No more than one command may be specified at once.\n"); @@ -734,10 +708,6 @@ int main(int argc, char **argv) while((opt = poptGetNextOpt(pc)) != -1) { switch (opt) { - case 'h': - usage(); - result = 0; - goto done; case 'u': if (!print_domain_users()) { d_printf("Error looking up domain users\n"); @@ -859,7 +829,7 @@ int main(int argc, char **argv) break; default: d_fprintf(stderr, "Invalid option\n"); - usage(); + poptPrintHelp(pc, stderr, 0); goto done; } } -- cgit From 36df32553379bae515d4cebe4195cc2229660839 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 29 Aug 2002 23:16:45 +0000 Subject: fix connecting to a BDC when the PDC is down but in WINS and no bcast can be used to find a BDC (This used to be commit e95d8e2c9ee5cf22b628f3e0d99fb74bcc632ea0) --- source3/nsswitch/winbindd_cm.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index ddab850cf0..8c11bd3372 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -145,6 +145,13 @@ static BOOL cm_rpc_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr /* Lookup domain controller name. Try the real PDC first to avoid SAM sync delays */ + if (get_dc_list(True, domain, &ip_list, &count) && + name_status_find(domain, 0x1c, 0x20, ip_list[0], srv_name)) { + *dc_ip = ip_list[0]; + SAFE_FREE(ip_list); + return True; + } + if (!get_dc_list(True, domain, &ip_list, &count)) { if (!get_dc_list(False, domain, &ip_list, &count)) { DEBUG(3, ("Could not look up dc's for domain %s\n", domain)); -- cgit From b2ee64955ac51e43d29c26590ea3b977343abdad Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 29 Aug 2002 23:23:42 +0000 Subject: fix connecting to a BDC when the PDC is down but in WINS and no bcast can be used to find a BDC 2nd try .... (This used to be commit f757223ebe88148b83e1a32b87c014c15c0a68dd) --- source3/nsswitch/winbindd_cm.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 8c11bd3372..997d5b665f 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -152,11 +152,9 @@ static BOOL cm_rpc_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr return True; } - if (!get_dc_list(True, domain, &ip_list, &count)) { - if (!get_dc_list(False, domain, &ip_list, &count)) { - DEBUG(3, ("Could not look up dc's for domain %s\n", domain)); - return False; - } + if (!get_dc_list(False, domain, &ip_list, &count)) { + DEBUG(3, ("Could not look up dc's for domain %s\n", domain)); + return False; } /* Pick a nice close server */ -- cgit From cfb5e91178eb8befdb00780a819f9c5cd3eee8e4 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Fri, 30 Aug 2002 10:46:59 +0000 Subject: added cli_net_auth_3 client code. changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch. pass also the negociation flags all the way. all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient. in the future we will be able to call auth_2 or auth_3 as we want. J.F. (This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e) --- source3/nsswitch/winbindd_cm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 997d5b665f..9ac392a6ba 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -864,6 +864,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, { NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; struct winbindd_cm_conn *conn; + uint32 neg_flags = 0x000001ff; if (!cli) { return NT_STATUS_INVALID_PARAMETER; @@ -875,7 +876,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, return result; } - result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd); + result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(0, ("error connecting to domain password server: %s\n", @@ -888,8 +889,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd, } /* Try again */ - result = cli_nt_setup_creds( - conn->cli, get_sec_chan(),trust_passwd); + result = cli_nt_setup_creds( conn->cli, get_sec_chan(),trust_passwd, &neg_flags, 2); } if (!NT_STATUS_IS_OK(result)) { -- cgit From abff9f492a2a66a6e825ab4c73b8c83661df0f7e Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 4 Sep 2002 02:57:16 +0000 Subject: Quietened some debugs. (This used to be commit ea26b3e8efcb83e16f7eb5add031a8df99046a69) --- source3/nsswitch/winbindd_rpc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c index 5ec34f663d..58d9092940 100644 --- a/source3/nsswitch/winbindd_rpc.c +++ b/source3/nsswitch/winbindd_rpc.c @@ -419,7 +419,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; BOOL got_dom_pol = False, got_group_pol = False; - DEBUG(3,("rpc: lookup_groupmem rid=%u\n", group_rid)); + DEBUG(10,("rpc: lookup_groupmem %s rid=%u\n", domain->name, group_rid)); *num_names = 0; @@ -523,7 +523,7 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) BOOL got_dom_pol = False; uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; - DEBUG(3,("rpc: sequence_number\n")); + DEBUG(10,("rpc: fetch sequence_number for %s\n", domain->name)); *seq = DOM_SEQUENCE_NONE; -- cgit From eec38ee3bb4bceeaa82abf8df1cce92b6a5781ce Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 6 Sep 2002 11:46:59 +0000 Subject: Patch from "Stefan (metze) Metzmacher" to extend the ADS_STATUS system to include NTSTATUS, and to provide a better general infrustructure for his sam_ads work. I've also added some extra failure mode DEBUG()s to parts of the code. NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without the final set of brakets, the test is essentially inverted - causing some intersting 'error = success' messages... Andrew Bartlett (This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4) --- source3/nsswitch/winbindd_ads.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index b0b70178a4..4f91ed0f20 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -143,7 +143,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) /* if we get ECONNREFUSED then it might be a NT4 server, fall back to MSRPC */ if (status.error_type == ADS_ERROR_SYSTEM && - status.rc == ECONNREFUSED) { + status.err.rc == ECONNREFUSED) { DEBUG(1,("Trying MSRPC methods\n")); domain->methods = &msrpc_methods; } @@ -170,9 +170,9 @@ static void sid_from_rid(struct winbindd_domain *domain, uint32 rid, DOM_SID *si static enum SID_NAME_USE ads_atype_map(uint32 atype) { switch (atype & 0xF0000000) { - case ATYPE_GROUP: + case ATYPE_GLOBAL_GROUP: return SID_NAME_DOM_GRP; - case ATYPE_USER: + case ATYPE_ACCOUNT: return SID_NAME_USER; default: DEBUG(1,("hmm, need to map account type 0x%x\n", atype)); @@ -339,7 +339,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, if (!ads_pull_uint32(ads, msg, "sAMAccountType", &account_type) || - !(account_type & ATYPE_GROUP)) continue; + !(account_type & ATYPE_GLOBAL_GROUP)) continue; name = pull_username(ads, mem_ctx, msg); gecos = ads_pull_string(ads, mem_ctx, msg, "name"); -- cgit From 885f4f9379b48e74de132d6e6c24f11e8b06ce26 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 7 Sep 2002 05:41:23 +0000 Subject: Winbind client-side cleanups. The global winbind file descriptor can cause havoc in some situations - particulary when it becomes 0, 1 or 2. This patch (based on some very nice work by Hannes Schmidt ) starts to recitfy the problem by ensuring that the close-on-exec flag is set, and that we move above 3 in the file descriptor table. I've also decided that the PAM module can close it's pipe handle on every request - this isn't performance-critical code. The next step is to do the same for nss_winbind. (But things like getent() might get in our way there). This also cleans up some function prototypes, puts them in just one place. Andrew Bartlett (This used to be commit 442eb39657b98f67cd229ed3110b63aae8bf4e3c) --- source3/nsswitch/pam_winbind.c | 21 +++++----- source3/nsswitch/pam_winbind.h | 3 +- source3/nsswitch/wb_common.c | 73 +++++++++++++++++++++++++++++++++-- source3/nsswitch/wbinfo.c | 12 ++---- source3/nsswitch/winbind_nss.c | 14 +------ source3/nsswitch/winbind_nss_config.h | 8 ++++ 6 files changed, 94 insertions(+), 37 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index 29ceca4e79..f95caefb4c 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -11,11 +11,6 @@ #include "pam_winbind.h" -/* prototypes from common.c */ -void init_request(struct winbindd_request *req,int rq_type); -int write_sock(void *buffer, int count); -int read_reply(struct winbindd_response *response); - /* data tokens */ #define MAX_PASSWD_TRIES 3 @@ -99,24 +94,30 @@ static int _make_remark(pam_handle_t * pamh, int type, const char *text) return retval; } -static int winbind_request(enum winbindd_cmd req_type, - struct winbindd_request *request, - struct winbindd_response *response) +static int pam_winbind_request(enum winbindd_cmd req_type, + struct winbindd_request *request, + struct winbindd_response *response) { + /* Fill in request and send down pipe */ init_request(request, req_type); if (write_sock(request, sizeof(*request)) == -1) { _pam_log(LOG_ERR, "write to socket failed!"); + close_sock(); return PAM_SERVICE_ERR; } /* Wait for reply */ if (read_reply(response) == -1) { _pam_log(LOG_ERR, "read from socket failed!"); + close_sock(); return PAM_SERVICE_ERR; } + /* We are done with the socket - close it and avoid mischeif */ + close_sock(); + /* Copy reply data from socket */ if (response->result != WINBINDD_OK) { if (response->data.auth.pam_error != PAM_SUCCESS) { @@ -148,7 +149,7 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl) strncpy(request.data.auth.pass, pass, sizeof(request.data.auth.pass)-1); - retval = winbind_request(WINBINDD_PAM_AUTH, &request, &response); + retval = pam_winbind_request(WINBINDD_PAM_AUTH, &request, &response); switch (retval) { case PAM_AUTH_ERR: @@ -217,7 +218,7 @@ static int winbind_chauthtok_request(const char *user, const char *oldpass, request.data.chauthtok.newpass[0] = '\0'; } - return winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response); + return pam_winbind_request(WINBINDD_PAM_CHAUTHTOK, &request, &response); } /* diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 9897249e16..fae635d806 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -90,5 +90,4 @@ do { \ #define on(x, y) (x & y) #define off(x, y) (!(x & y)) -#include "winbind_nss_config.h" -#include "winbindd_nss.h" +#include "winbind_client.h" diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c index 9bc9faafb5..0d1be4d5d1 100644 --- a/source3/nsswitch/wb_common.c +++ b/source3/nsswitch/wb_common.c @@ -5,6 +5,8 @@ Copyright (C) Tim Potter 2000 Copyright (C) Andrew Tridgell 2000 + Copyright (C) Andrew Bartlett 2002 + This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public @@ -75,7 +77,7 @@ void init_response(struct winbindd_response *response) /* Close established socket */ -static void close_sock(void) +void close_sock(void) { if (winbindd_fd != -1) { close(winbindd_fd); @@ -83,6 +85,64 @@ static void close_sock(void) } } +/* Make sure socket handle isn't stdin, stdout or stderr */ +#define RECURSION_LIMIT 3 + +static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */) +{ + int new_fd; + if (fd >= 0 && fd <= 2) { +#ifdef F_DUPFD + if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) { + return -1; + } + /* Parinoia */ + if (new_fd < 3) { + return -1; + } + close(fd); + return new_fd; +#else + if (limit <= 0) + return -1; + + new_fd = dup(fd); + if (new_fd == -1) + return -1; + + /* use the program stack to hold our list of FDs to close */ + new_fd = make_nonstd_fd_internals(new_fd, limit - 1); + close(fd); + return new_fd; +#endif + } + return fd; +} + +static int make_safe_fd(int fd) +{ + int result, flags; + int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT); + if (new_fd == -1) { + close(fd); + return -1; + } + /* Socket should be closed on exec() */ + +#ifdef FD_CLOEXEC + result = flags = fcntl(new_fd, F_GETFD, 0); + if (flags >= 0) { + flags |= FD_CLOEXEC; + result = fcntl( new_fd, F_SETFD, flags ); + } + if (result < 0) { + close(new_fd); + return -1; + } +#endif + return new_fd; +} + /* Connect to winbindd socket */ int winbind_open_pipe_sock(void) @@ -91,6 +151,7 @@ int winbind_open_pipe_sock(void) static pid_t our_pid; struct stat st; pstring path; + int fd; if (our_pid != getpid()) { close_sock(); @@ -144,9 +205,13 @@ int winbind_open_pipe_sock(void) /* Connect to socket */ - if ((winbindd_fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { + if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { return -1; } + + if ((winbindd_fd = make_safe_fd( fd)) == -1) { + return winbindd_fd; + } if (connect(winbindd_fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1) { @@ -366,8 +431,8 @@ NSS_STATUS winbindd_get_response(struct winbindd_response *response) /* Handle simple types of requests */ NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response) + struct winbindd_request *request, + struct winbindd_response *response) { NSS_STATUS status; diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index d7d70b9e52..a0fdd033d7 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -28,11 +28,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -/* Prototypes from common.h */ - -NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response); +extern int winbindd_fd; static char winbind_separator(void) { @@ -608,13 +604,13 @@ static BOOL wbinfo_set_auth_user(char *username) static BOOL wbinfo_ping(void) { NSS_STATUS result; - + result = winbindd_request(WINBINDD_PING, NULL, NULL); /* Display response */ - d_printf("'ping' to winbindd %s\n", - (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); + d_printf("'ping' to winbindd %s on fd %d\n", + (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed", winbindd_fd); return result == NSS_STATUS_SUCCESS; } diff --git a/source3/nsswitch/winbind_nss.c b/source3/nsswitch/winbind_nss.c index 594b5fbadb..0b4c0ce1d0 100644 --- a/source3/nsswitch/winbind_nss.c +++ b/source3/nsswitch/winbind_nss.c @@ -21,8 +21,7 @@ Boston, MA 02111-1307, USA. */ -#include "winbind_nss_config.h" -#include "winbindd_nss.h" +#include "winbind_client.h" #ifdef HAVE_NS_API_H #undef VOLATILE @@ -37,17 +36,6 @@ extern int winbindd_fd; -void init_request(struct winbindd_request *req,int rq_type); -NSS_STATUS winbindd_send_request(int req_type, - struct winbindd_request *request); -NSS_STATUS winbindd_get_response(struct winbindd_response *response); -NSS_STATUS winbindd_request(int req_type, - struct winbindd_request *request, - struct winbindd_response *response); -int winbind_open_pipe_sock(void); -int write_sock(void *buffer, int count); -int read_reply(struct winbindd_response *response); -void free_response(struct winbindd_response *response); #ifdef HAVE_NS_API_H /* IRIX version */ diff --git a/source3/nsswitch/winbind_nss_config.h b/source3/nsswitch/winbind_nss_config.h index 00cd5c12e4..d9a9b8aaae 100644 --- a/source3/nsswitch/winbind_nss_config.h +++ b/source3/nsswitch/winbind_nss_config.h @@ -62,6 +62,14 @@ #include #endif +#ifdef HAVE_FCNTL_H +#include +#else +#ifdef HAVE_SYS_FCNTL_H +#include +#endif +#endif + #include #include #include -- cgit From 9378cbb019f9b28cf94d877faa0430ee989f8798 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 7 Sep 2002 06:04:28 +0000 Subject: Don't leak file desciptors in this (impossible?) error case. (This used to be commit b440418f13b840860be42690bf475c1ee3cb3647) --- source3/nsswitch/wb_common.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c index 0d1be4d5d1..88bda4eabe 100644 --- a/source3/nsswitch/wb_common.c +++ b/source3/nsswitch/wb_common.c @@ -98,6 +98,7 @@ static int make_nonstd_fd_internals(int fd, int limit /* Recursion limiter */) } /* Parinoia */ if (new_fd < 3) { + close(new_fd); return -1; } close(fd); -- cgit From 8352336ad03b543522aa10340c18c74a58cdf874 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 7 Sep 2002 09:25:36 +0000 Subject: This is the 'main' inclue for for winbind clients - all clients should include only this file, and not any others. It includes the function prototypes. (Forgot to commit with earlier patch) Andrew Bartlett (This used to be commit 3ec3861445e7da1347c3b5ba180b33441f59640c) --- source3/nsswitch/winbind_client.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 source3/nsswitch/winbind_client.h (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbind_client.h b/source3/nsswitch/winbind_client.h new file mode 100644 index 0000000000..4de2d57cc7 --- /dev/null +++ b/source3/nsswitch/winbind_client.h @@ -0,0 +1,16 @@ +#include "winbind_nss_config.h" +#include "winbindd_nss.h" + +void init_request(struct winbindd_request *req,int rq_type); +NSS_STATUS winbindd_send_request(int req_type, + struct winbindd_request *request); +NSS_STATUS winbindd_get_response(struct winbindd_response *response); +NSS_STATUS winbindd_request(int req_type, + struct winbindd_request *request, + struct winbindd_response *response); +int winbind_open_pipe_sock(void); +int write_sock(void *buffer, int count); +int read_reply(struct winbindd_response *response); +void close_sock(void); +void free_response(struct winbindd_response *response); + -- cgit From 7c152afe1606b1737a79a4d1f08e046286cb02ee Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 11 Sep 2002 03:53:41 +0000 Subject: Bugfix merge: >Initialise user_rid value in WINBIND_USERINFO structure returned by >the rpc version of query_user(). This fixes a caching bug found by >Gavrie Philipson from disksite. (This used to be commit 77bde1fa33cc387accda8f38bf654377310f5dbe) --- source3/nsswitch/winbindd_rpc.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c index 58d9092940..047280e21e 100644 --- a/source3/nsswitch/winbindd_rpc.c +++ b/source3/nsswitch/winbindd_rpc.c @@ -315,6 +315,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, cli_samr_close(hnd->cli, mem_ctx, &user_pol); got_user_pol = False; + user_info->user_rid = user_rid; user_info->group_rid = ctr->info.id21->group_rid; user_info->acct_name = unistr2_tdup(mem_ctx, &ctr->info.id21->uni_user_name); -- cgit From 6b694ec39c2085fd26176a4bbf0fa4ce38002837 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 11 Sep 2002 03:57:19 +0000 Subject: Put pid number in invalid request size debug. (This used to be commit e63afabf98350353fac79ffc2ae2ddf88d61260f) --- source3/nsswitch/winbindd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index a3ffd1424b..58b0f5943c 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -628,8 +628,8 @@ static void process_loop(int accept_sock) if (state->read_buf_len >= sizeof(uint32) && *(uint32 *) &state->request != sizeof(state->request)) { - DEBUG(0,("process_loop: Invalid request size (%d) sent, should be (%d)\n", - *(uint32 *) &state->request, sizeof(state->request))); + DEBUG(0,("process_loop: Invalid request size from pid %d: %d bytes sent, should be %d\n", + state->request.pid, *(uint32 *) &state->request, sizeof(state->request))); remove_client(state); break; -- cgit From bb6d5bfce25dc22a1a2628ab7479d5014b71da71 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 12 Sep 2002 01:25:50 +0000 Subject: Spelling fix. (This used to be commit d9fa865e5ce8ba0b7539f9a218fc7dd132eb3d38) --- source3/nsswitch/winbindd_pam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index a8b508a49c..5d754d7ca5 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -147,7 +147,7 @@ done: fstrcpy(state->response.data.auth.error_string, nt_errstr(result)); state->response.data.auth.pam_error = nt_status_to_pam(result); - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authenticaion for user %s returned %s (PAM: %d)\n", + DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", state->request.data.auth.user, state->response.data.auth.nt_status_string, state->response.data.auth.pam_error)); @@ -292,7 +292,7 @@ done: state->response.data.auth.pam_error = nt_status_to_pam(result); DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, - ("NTLM CRAP authenticaion for user [%s]\\[%s] returned %s (PAM: %d)\n", + ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n", domain, user, state->response.data.auth.nt_status_string, -- cgit From b060593287f6344a147da95e5179170335ad78d1 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 12 Sep 2002 01:44:53 +0000 Subject: Merge of cut&paste fix from appliance. (This used to be commit f75d61b03a3377f3a791b56fc307dc7e56e4707a) --- source3/nsswitch/winbindd_pam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 5d754d7ca5..3e7a8ad971 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -183,7 +183,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) /* Ensure null termination */ state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]='\0'; - if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth.user))) { + if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) { DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n")); result = NT_STATUS_NO_MEMORY; goto done; -- cgit From a9b450cba82b0788590a0a2a0a56e256ba83144d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 12 Sep 2002 04:30:23 +0000 Subject: Merge of winbind auth cleanups from appliance. (This used to be commit 26d486aa740e283f546efc1f2ca40af3452a4f52) --- source3/nsswitch/wbinfo.c | 32 +++++++++++++++++++++----------- source3/nsswitch/winbindd_nss.h | 1 + source3/nsswitch/winbindd_pam.c | 31 ++++++++++++------------------- 3 files changed, 34 insertions(+), 30 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index a0fdd033d7..7a1aee44cd 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -422,6 +422,7 @@ static BOOL wbinfo_auth(char *username) struct winbindd_request request; struct winbindd_response response; NSS_STATUS result; + fstring name_user, name_domain; char *p; /* Send off request */ @@ -433,11 +434,16 @@ static BOOL wbinfo_auth(char *username) if (p) { *p = 0; - fstrcpy(request.data.auth.user, username); fstrcpy(request.data.auth.pass, p + 1); - *p = '%'; - } else - fstrcpy(request.data.auth.user, username); + } + + parse_wbinfo_domain_user(username, name_domain, name_user); + + if (p) + *p = '%'; + + fstrcpy(request.data.auth.user, name_user); + fstrcpy(request.data.auth.domain, name_domain); result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response); @@ -446,9 +452,10 @@ static BOOL wbinfo_auth(char *username) d_printf("plaintext password authentication %s\n", (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); - d_printf("error code was %s (0x%x)\n", - response.data.auth.nt_status_string, - response.data.auth.nt_status); + if (response.data.auth.nt_status) + d_printf("error code was %s (0x%x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status); return result == NSS_STATUS_SUCCESS; } @@ -479,8 +486,10 @@ static BOOL wbinfo_auth_crap(char *username) parse_wbinfo_domain_user(username, name_domain, name_user); - fstrcpy(request.data.auth_crap.user, name_user); + if (p) + *p = '%'; + fstrcpy(request.data.auth_crap.user, name_user); fstrcpy(request.data.auth_crap.domain, name_domain); generate_random_buffer(request.data.auth_crap.chal, 8, False); @@ -500,9 +509,10 @@ static BOOL wbinfo_auth_crap(char *username) d_printf("challenge/response password authentication %s\n", (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed"); - d_printf("error code was %s (0x%x)\n", - response.data.auth.nt_status_string, - response.data.auth.nt_status); + if (response.data.auth.nt_status) + d_printf("error code was %s (0x%x)\n", + response.data.auth.nt_status_string, + response.data.auth.nt_status); return result == NSS_STATUS_SUCCESS; } diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index 9eea94e7c0..21081cb09c 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -128,6 +128,7 @@ struct winbindd_request { gid_t gid; /* getgrgid, gid_to_sid */ struct { fstring user; + fstring domain; fstring pass; } auth; /* pam_winbind auth module */ struct { diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 3e7a8ad971..c3ab6615f6 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -57,7 +57,6 @@ static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx, enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) { NTSTATUS result; - fstring name_domain, name_user; unsigned char trust_passwd[16]; time_t last_change_time; uint32 smb_uid_low; @@ -76,8 +75,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* Ensure null termination */ state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0'; - DEBUG(3, ("[%5d]: pam auth %s\n", state->pid, - state->request.data.auth.user)); + DEBUG(3, ("[%5d]: pam auth domain: %s user: %s\n", state->pid, + state->request.data.auth.domain, state->request.data.auth.user)); if (!(mem_ctx = talloc_init_named("winbind pam auth for %s", state->request.data.auth.user))) { DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n")); @@ -87,13 +86,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* Parse domain and username */ - if (!parse_domain_user(state->request.data.auth.user, name_domain, - name_user)) { - DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user)); - result = NT_STATUS_INVALID_PARAMETER; - goto done; - } - { unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; @@ -133,11 +125,10 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) goto done; } - result = cli_netlogon_sam_network_logon(cli, mem_ctx, - name_user, name_domain, - global_myname, chal, - lm_resp, nt_resp, - &info3); + result = cli_netlogon_sam_network_logon( + cli, mem_ctx, state->request.data.auth.user, + state->request.data.auth.domain, + global_myname, chal, lm_resp, nt_resp, &info3); uni_group_cache_store_netlogon(mem_ctx, &info3); done: @@ -147,10 +138,12 @@ done: fstrcpy(state->response.data.auth.error_string, nt_errstr(result)); state->response.data.auth.pam_error = nt_status_to_pam(result); - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", - state->request.data.auth.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); + DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, + ("Plain-text authentication for user %s/%s returned %s (PAM: %d)\n", + state->request.data.auth.domain, + state->request.data.auth.user, + state->response.data.auth.nt_status_string, + state->response.data.auth.pam_error)); if (mem_ctx) talloc_destroy(mem_ctx); -- cgit From 21a738b8d08da7581b7ce7d498d89a6c5d651d2b Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 12 Sep 2002 05:39:55 +0000 Subject: Merge undone cleanups. (This used to be commit d87c1f507d38444e627bce59b6c765d9c9479ac6) --- source3/nsswitch/wbinfo.c | 18 +++++------------- source3/nsswitch/winbindd_nss.h | 4 +++- source3/nsswitch/winbindd_pam.c | 31 +++++++++++++++++++------------ 3 files changed, 27 insertions(+), 26 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index 7a1aee44cd..875df231dc 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -422,7 +422,6 @@ static BOOL wbinfo_auth(char *username) struct winbindd_request request; struct winbindd_response response; NSS_STATUS result; - fstring name_user, name_domain; char *p; /* Send off request */ @@ -434,16 +433,11 @@ static BOOL wbinfo_auth(char *username) if (p) { *p = 0; + fstrcpy(request.data.auth.user, username); fstrcpy(request.data.auth.pass, p + 1); - } - - parse_wbinfo_domain_user(username, name_domain, name_user); - - if (p) - *p = '%'; - - fstrcpy(request.data.auth.user, name_user); - fstrcpy(request.data.auth.domain, name_domain); + *p = '%'; + } else + fstrcpy(request.data.auth.user, username); result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response); @@ -486,10 +480,8 @@ static BOOL wbinfo_auth_crap(char *username) parse_wbinfo_domain_user(username, name_domain, name_user); - if (p) - *p = '%'; - fstrcpy(request.data.auth_crap.user, name_user); + fstrcpy(request.data.auth_crap.domain, name_domain); generate_random_buffer(request.data.auth_crap.chal, 8, False); diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index 21081cb09c..368bf10cea 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -127,8 +127,10 @@ struct winbindd_request { uid_t uid; /* getpwuid, uid_to_sid */ gid_t gid; /* getgrgid, gid_to_sid */ struct { + /* We deliberatedly don't split into domain/user to + avoid having the client know what the separator + character is. */ fstring user; - fstring domain; fstring pass; } auth; /* pam_winbind auth module */ struct { diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index c3ab6615f6..3e7a8ad971 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -57,6 +57,7 @@ static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx, enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) { NTSTATUS result; + fstring name_domain, name_user; unsigned char trust_passwd[16]; time_t last_change_time; uint32 smb_uid_low; @@ -75,8 +76,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* Ensure null termination */ state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0'; - DEBUG(3, ("[%5d]: pam auth domain: %s user: %s\n", state->pid, - state->request.data.auth.domain, state->request.data.auth.user)); + DEBUG(3, ("[%5d]: pam auth %s\n", state->pid, + state->request.data.auth.user)); if (!(mem_ctx = talloc_init_named("winbind pam auth for %s", state->request.data.auth.user))) { DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n")); @@ -86,6 +87,13 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) /* Parse domain and username */ + if (!parse_domain_user(state->request.data.auth.user, name_domain, + name_user)) { + DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user)); + result = NT_STATUS_INVALID_PARAMETER; + goto done; + } + { unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; @@ -125,10 +133,11 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) goto done; } - result = cli_netlogon_sam_network_logon( - cli, mem_ctx, state->request.data.auth.user, - state->request.data.auth.domain, - global_myname, chal, lm_resp, nt_resp, &info3); + result = cli_netlogon_sam_network_logon(cli, mem_ctx, + name_user, name_domain, + global_myname, chal, + lm_resp, nt_resp, + &info3); uni_group_cache_store_netlogon(mem_ctx, &info3); done: @@ -138,12 +147,10 @@ done: fstrcpy(state->response.data.auth.error_string, nt_errstr(result)); state->response.data.auth.pam_error = nt_status_to_pam(result); - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, - ("Plain-text authentication for user %s/%s returned %s (PAM: %d)\n", - state->request.data.auth.domain, - state->request.data.auth.user, - state->response.data.auth.nt_status_string, - state->response.data.auth.pam_error)); + DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", + state->request.data.auth.user, + state->response.data.auth.nt_status_string, + state->response.data.auth.pam_error)); if (mem_ctx) talloc_destroy(mem_ctx); -- cgit From 479e82b8d8413c88989dfb091c21a0ba003ed005 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 15 Sep 2002 17:49:53 +0000 Subject: Put unixsocket calls between #ifdef HAVE_UNIXSOCKET's - required for Stratus VOS (Double checked) (This used to be commit dc3c14fc2b661a62a1876149e96af6de07a2c4a6) --- source3/nsswitch/wb_common.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c index 88bda4eabe..51792f63fe 100644 --- a/source3/nsswitch/wb_common.c +++ b/source3/nsswitch/wb_common.c @@ -148,6 +148,7 @@ static int make_safe_fd(int fd) int winbind_open_pipe_sock(void) { +#ifdef HAVE_UNIXSOCKET struct sockaddr_un sunaddr; static pid_t our_pid; struct stat st; @@ -221,6 +222,9 @@ int winbind_open_pipe_sock(void) } return winbindd_fd; +#else + return -1; +#endif /* HAVE_UNIXSOCKET */ } /* Write data to winbindd socket */ -- cgit From b33681fc0b8ef7b9fa91c154f7c3117afafa349e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 17 Sep 2002 12:12:50 +0000 Subject: Add clock skew handling to our kerberos code. This allows us to cope with the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1) --- source3/nsswitch/winbindd_cm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 9ac392a6ba..0b9e38eb1f 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -109,7 +109,7 @@ static BOOL cm_ads_find_dc(const char *domain, struct in_addr *dc_ip, fstring sr } /* we don't need to bind, just connect */ - ads->auth.no_bind = 1; + ads->auth.flags |= ADS_AUTH_NO_BIND; DEBUG(4,("cm_ads_find_dc: domain=%s\n", domain)); -- cgit From fa184ea1699fb5aebdc2eb0f3ca4e02749201729 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 17 Sep 2002 20:47:59 +0000 Subject: Only create the pidfile once we're ready to receive requests. This allows external programs to correctly synchronise with us. Jeremy. (This used to be commit ffb7632d05191342ecfc5f78fbfd7beacfe257ad) --- source3/nsswitch/winbindd.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 58b0f5943c..a937f06639 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -853,10 +853,8 @@ static void usage(void) fstrcpy(global_myworkgroup, lp_workgroup()); - if (!interactive) { + if (!interactive) become_daemon(); - pidfile_create("winbindd"); - } #if HAVE_SETPGID /* @@ -891,6 +889,10 @@ static void usage(void) return 1; } + /* Only create the pidfile when we're ready to receive requests. */ + if (!interactive) + pidfile_create("winbindd"); + /* Loop waiting for requests */ process_loop(accept_sock); -- cgit From fe92e9caedbb68756f9d4fcb8ee20c2573e9c4ae Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 17 Sep 2002 20:53:21 +0000 Subject: Reverted my earlier change. It was incorrect. We must be protected by pidfile before doing secrets_init(). Jeremy. (This used to be commit f8a0e6ad8b25d405ff2bcb492974d2f0bef81036) --- source3/nsswitch/winbindd.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index a937f06639..bb4a1b78ec 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -853,8 +853,11 @@ static void usage(void) fstrcpy(global_myworkgroup, lp_workgroup()); - if (!interactive) + if (!interactive) { become_daemon(); + pidfile_create("winbindd"); + } + #if HAVE_SETPGID /* @@ -889,10 +892,6 @@ static void usage(void) return 1; } - /* Only create the pidfile when we're ready to receive requests. */ - if (!interactive) - pidfile_create("winbindd"); - /* Loop waiting for requests */ process_loop(accept_sock); -- cgit From f63ed5295a230455394d3f441a257cce3468902f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 24 Sep 2002 22:56:59 +0000 Subject: Moved -ve cache check to correct place. Jeremy. (This used to be commit 38c67632ade40413c0cc2b91e04105e4065a18b7) --- source3/nsswitch/winbindd_cm.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/nsswitch') diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 0b9e38eb1f..01f5569889 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -382,16 +382,6 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name, fstrcpy(new_conn->domain, domain); fstrcpy(new_conn->pipe_name, pipe_name); - /* Look for a domain controller for this domain. Negative results - are cached so don't bother applying the caching for this - function just yet. */ - - if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) { - result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; - add_failed_connection_entry(new_conn, result); - return result; - } - /* Return false if we have tried to look up this domain and netbios name before and failed. */ @@ -423,6 +413,16 @@ static NTSTATUS cm_open_connection(const char *domain,const char *pipe_name, return result; } + /* Look for a domain controller for this domain. Negative results + are cached so don't bother applying the caching for this + function just yet. */ + + if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) { + result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; + add_failed_connection_entry(new_conn, result); + return result; + } + /* Initialise SMB connection */ cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); -- cgit