From d9553e8fd19a0832f3fbd19ffcc595a701d87e34 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Mon, 17 Dec 2007 17:33:48 -0600 Subject: Fix a segv in winbindd caused by trying to free an fstring. Make a copy of the machine_password and machine_account strings in all conditional paths so that SAFE_FREE() will always be valid. (This used to be commit 194c4640b158457a6d0d5ea91e28d41d619c77de) --- source3/winbindd/winbindd_cm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index cb366a293c..6c5633c2b2 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2005,11 +2005,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, domain_name = domain->name; goto schannel; } else { - machine_password = conn_pwd; - machine_account = conn->cli->user_name; + machine_password = SMB_STRDUP(conn_pwd); + machine_account = SMB_STRDUP(conn->cli->user_name); domain_name = conn->cli->domain; } + if (!machine_password || !machine_account) { + result = NT_STATUS_NO_MEMORY; + goto done; + } /* We have an authenticated connection. Use a NTLMSSP SPNEGO authenticated SAMR pipe with sign & seal. */ -- cgit From a62cc944435fb9964c765cb9495f18308823ac8f Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 18 Dec 2007 01:55:48 +0100 Subject: Fix logic error in cm_connect_sam(). Don't fall back to schannel when trust creds could be obtained. This is still not complete, but I am getting closer. Michael (This used to be commit 7c9fa597d684a25822b4db6615f28336f2d64ef3) --- source3/winbindd/winbindd_cm.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 6c5633c2b2..8ea815535f 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
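Review bot: The copy made by `SMB_STRDUP(conn_pwd)` in the else branch of cm_connect_sam is a second heap copy of the machine account password, and nothing in this hunk bounds its lifetime. The release site is outside the hunk; if it is a plain `SAFE_FREE(machine_password)`, the secret stays readable in freed heap memory, so I would wipe it first, e.g. `if (machine_password) memset(machine_password, 0, strlen(machine_password));`, using a wipe the compiler cannot elide. The new `goto done` is also taken when only one of the two allocations failed, so the `done:` path has to free both pointers; that cannot be confirmed from the lines shown.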
@@ -2003,7 +2003,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, goto schannel; } domain_name = domain->name; - goto schannel; } else { machine_password = SMB_STRDUP(conn_pwd); machine_account = SMB_STRDUP(conn->cli->user_name); -- cgit From e518e19bc0000019f131354f55e9f5b55f6a2c5e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 19 Dec 2007 15:02:59 +0100 Subject: Remove Get_Pwnam and its associated static variable All callers are replaced by Get_Pwnam_alloc (This used to be commit 735f59315497113aebadcf9ad387e3dbfffa284a) --- source3/winbindd/idmap_nss.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c index fa9f2c9681..46c24d7fcb 100644 --- a/source3/winbindd/idmap_nss.c +++ b/source3/winbindd/idmap_nss.c @@ -145,7 +145,6 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma } for (i = 0; ids[i]; i++) { - struct passwd *pw; struct group *gr; enum lsa_SidType type; const char *dom_name = NULL; @@ -166,17 +165,20 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma } switch (type) { - case SID_NAME_USER: + case SID_NAME_USER: { + struct passwd *pw; /* this will find also all lower case name and use username level */ - - pw = Get_Pwnam(name); + + pw = Get_Pwnam_alloc(talloc_tos(), name); if (pw) { ids[i]->xid.id = pw->pw_uid; ids[i]->xid.type = ID_TYPE_UID; ids[i]->status = ID_MAPPED; } + TALLOC_FREE(pw); break; + } case SID_NAME_DOM_GRP: case SID_NAME_ALIAS: -- cgit From e3bb148b941e67b5caea3db2c8ef9efc984598fa Mon Sep 17 00:00:00 2001 
From: Michael Adam Date: Wed, 19 Dec 2007 17:53:14 +0100 Subject: Only retrieve password policies in pam_auth when WBFLAG_PAM_GET_PWD_POLICY is set. This essentially re-establishes r14496 (2155bb0535656f294bd054d6a0a7d16a9a71c31b) which was undone in r17723 (43bd8c00abb38eb23a1497a255d194fb1bbffffb) for reasons that are unclear to me. Maybe I am being too naive. Now we do again only retrieve the password policy when called from the pam_winbind module. This fixes logons delegated to AD trusted domain controllers: We need to connect to the sam to retrieve the password policy. But auhtenticated session setup is not possible when contacting the trusted domain dc and afterwards, SamrConnect also fails with whatever credentials and method used. Michael (This used to be commit 6d765e0de523211a2d0b43a2c4c4117f5f0c662f) --- source3/winbindd/winbindd_pam.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 5133239258..7a9014a82f 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1593,13 +1593,16 @@ process_result: } } - result = fillup_password_policy(domain, state); - if (!NT_STATUS_IS_OK(result) - && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ) - { - DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); - goto done; + if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) { + result = fillup_password_policy(domain, state); + + if (!NT_STATUS_IS_OK(result) + && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ) + { + DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result))); + goto done; + } } result = NT_STATUS_OK; -- cgit From 8ded1df76739363259edce0515b097510e342595 Mon Sep 17 00:00:00 2001 
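Review bot: The new `if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY)` guard after `process_result:` carries no comment explaining why the policy fetch is optional; the reason exists only in the commit message. I would add above it `/* Only pam_winbind asks for the policy; fetching it needs a SAM connection, which fails against trusted-domain DCs. */`. Inside the guard, a failing `fillup_password_policy()` still jumps to `done` with the error in `result`, so a logon that presumably succeeded up to this point is reported as failed while the only trace is a level-10 debug line; a lower debug level would make that diagnosable. The enclosing function starts and ends outside the hunk.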
From: Günther Deschner Date: Fri, 21 Dec 2007 15:12:40 +0100 Subject: Kill fstring in getdcname & getanydcname return. Guenther (This used to be commit b7383818168863a7ba43c2456f8c44e96e76707a) --- source3/winbindd/winbindd_cm.c | 4 ++-- source3/winbindd/winbindd_misc.c | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 8ea815535f..7fb42a6dca 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -570,7 +570,7 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain, WERROR werr; TALLOC_CTX *mem_ctx; unsigned int orig_timeout; - fstring tmp; + char *tmp = NULL; char *p; /* Hmmmm. We can only open one connection to the NETLOGON pipe at the @@ -602,7 +602,7 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain, orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000); werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, our_domain->dcname, - domain->name, tmp); + domain->name, &tmp); /* And restore our original timeout. */ cli_set_timeout(netlogon_pipe->cli, orig_timeout); diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c index 8c3ef5bb6f..76f2554122 100644 --- a/source3/winbindd/winbindd_misc.c +++ b/source3/winbindd/winbindd_misc.c @@ -231,7 +231,7 @@ void winbindd_getdcname(struct winbindd_cli_state *state) enum winbindd_result winbindd_dual_getdcname(struct winbindd_domain *domain, struct winbindd_cli_state *state) { - fstring dcname_slash; + char *dcname_slash = NULL; char *p; struct rpc_pipe_client *netlogon_pipe; NTSTATUS result; 
@@ -262,12 +262,12 @@ enum winbindd_result winbindd_dual_getdcname(struct winbindd_domain *domain, werr = rpccli_netlogon_getdcname(netlogon_pipe, state->mem_ctx, domain->dcname, state->request.domain_name, - dcname_slash); + &dcname_slash); } else { werr = rpccli_netlogon_getanydcname(netlogon_pipe, state->mem_ctx, domain->dcname, state->request.domain_name, - dcname_slash); + &dcname_slash); } /* And restore our original timeout. */ cli_set_timeout(netlogon_pipe->cli, orig_timeout); -- cgit From 98bc591c4fac3a26796c596b55b735739d96c76b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 21 Dec 2007 16:43:02 -0800 Subject: Add NT error to debug to try and track this down. Jermey. (This used to be commit a1482b09150f4d292965c77bc73d47fb14f5eb85) --- source3/winbindd/winbindd_group.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c index 140943cc2c..fbd2fee692 100644 --- a/source3/winbindd/winbindd_group.c +++ b/source3/winbindd/winbindd_group.c @@ -1045,7 +1045,10 @@ static bool get_sam_group_entries(struct getent_state *ent) status = domain->methods->enum_local_groups(domain, mem_ctx, &num_entries, &sam_grp_entries); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(3,("get_sam_group_entries: Failed to enumerate domain local groups!\n")); + DEBUG(3,("get_sam_group_entries: " + "Failed to enumerate " + "domain local groups with error %s!\n", + nt_errstr(status))); num_entries = 0; } else -- cgit From a59280792cab616f5b269960ab68bc44ccc1fd38 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 29 Dec 2007 22:16:31 +0100 Subject: Remove tiny code duplication sid_size did the same as ndr_size_dom_sid (This used to be commit 8aec5d09ba023413bd8ecbdfbc7d23904df94389) --- source3/winbindd/winbindd_cm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'source3/winbindd') 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 7fb42a6dca..6a4f531c5f 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -978,6 +978,7 @@ static bool send_getdc_request(struct sockaddr_storage *dc_ss, char *p; fstring my_acct_name; fstring my_mailslot; + size_t sid_size; if (dc_ss->ss_family != AF_INET) { return false; @@ -1019,7 +1020,9 @@ static bool send_getdc_request(struct sockaddr_storage *dc_ss, SIVAL(p, 0, 0x80); p+=4; - SIVAL(p, 0, sid_size(sid)); + sid_size = ndr_size_dom_sid(sid, 0); + + SIVAL(p, 0, sid_size); p+=4; p = ALIGN4(p, outbuf); @@ -1027,12 +1030,12 @@ static bool send_getdc_request(struct sockaddr_storage *dc_ss, return false; } - sid_linearize(p, sid_size(sid), sid); - if (sid_size(sid) + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) { + sid_linearize(p, sid_size, sid); + if (sid_size + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) { return false; } - p += sid_size(sid); + p += sid_size; SIVAL(p, 0, 1); SSVAL(p, 4, 0xffff); -- cgit From f10074e84b41d141958912c3fb9f2c6fdbba68b3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 29 Dec 2007 14:43:32 -0800 Subject: Use correct size value for linearize call. Jeremy. (This used to be commit a5df44f5b7887d10c1e1a0b7a3dd05bcf31015e1) --- source3/winbindd/winbindd_cm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 6a4f531c5f..33674d2cf7 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1030,10 +1030,10 @@ static bool send_getdc_request(struct sockaddr_storage *dc_ss, return false; } - sid_linearize(p, sid_size, sid); if (sid_size + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) { return false; } + sid_linearize(p, sizeof(outbuf) - PTR_DIFF(p, outbuf), sid); p += sid_size; -- cgit From 9a45dcef4d7c0f85d371afb2f7e09ae63bb7ae65 Mon Sep 17 00:00:00 2001 
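Review bot: The return value of `sid_linearize(p, sizeof(outbuf) - PTR_DIFF(p, outbuf), sid)` in the last hunk on this line (send_getdc_request) is discarded, so if serialising the SID fails, `p` is still advanced by `sid_size` and the request is sent with that region of `outbuf` left as it was. sid_linearize reports failure through its return value, so I would write `if (!sid_linearize(p, sizeof(outbuf) - PTR_DIFF(p, outbuf), sid)) { return false; }`. The length argument and the preceding bounds check both compute `sizeof(outbuf) - PTR_DIFF(p, outbuf)`; holding it in one local `size_t` would keep the two from drifting apart. The function body continues outside the hunk.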
From: "Gerald (Jerry) Carter" Date: Fri, 4 Jan 2008 13:31:07 -0600 Subject: When connecting to an AD DC, use the DsGetDCName variant. This allows us to deal with child domains in transitive forest trusts. It also allows us to fill in the forest name to the target domain to the struct winbindd_domain *. (This used to be commit ed30516bb0f55f9ba466debf91b6e33d1c28a484) --- source3/winbindd/winbindd_cm.c | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 33674d2cf7..99e401d53f 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -601,8 +601,34 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain, orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000); - werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, our_domain->dcname, + if (our_domain->active_directory) { + struct DS_DOMAIN_CONTROLLER_INFO *domain_info = NULL; + + werr = rpccli_netlogon_dsr_getdcname(netlogon_pipe, + mem_ctx, + our_domain->dcname, + domain->name, + NULL, + NULL, + DS_RETURN_DNS_NAME, + &domain_info); + if (W_ERROR_IS_OK(werr)) { + fstrcpy(tmp, domain_info->domain_controller_name); + if (strlen(domain->alt_name) == 0) { + fstrcpy(domain->alt_name, + CONST_DISCARD(char*, domain_info->domain_name)); + } + if (strlen(domain->forest_name) == 0) { + fstrcpy(domain->forest_name, + CONST_DISCARD(char*, domain_info->dns_forest_name)); + } + } + } else { + + werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, + our_domain->dcname, domain->name, &tmp); + } /* And restore our original timeout. */ cli_set_timeout(netlogon_pipe->cli, orig_timeout); 
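Review bot: In the new Active Directory branch, `fstrcpy(tmp, domain_info->domain_controller_name)` writes through `tmp`, which the earlier patch on this page ("Kill fstring in getdcname & getanydcname return") changed to `char *tmp = NULL` in get_dc_name_via_netlogon; if that declaration is still in effect, this is a write through a null pointer on every successful DsGetDCName reply. Assign a copy instead, `tmp = talloc_strdup(mem_ctx, domain_info->domain_controller_name);`, and treat a NULL result as failure. The same branch copies the server-supplied `domain_name` and `dns_forest_name` into `domain->alt_name` and `domain->forest_name` although the hunk header declares `domain` as `const struct winbindd_domain *`, and it appears to assume both reply fields are non-NULL, which is worth confirming. The function body continues outside the hunk.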
@@ -1869,9 +1895,17 @@ no_lsarpc_ds: if (dns_name) fstrcpy(domain->alt_name, dns_name); - if ( forest_name ) + /* See if we can set some domain trust flags about + ourself */ + + if ( forest_name ) { fstrcpy(domain->forest_name, forest_name); + if (strequal(domain->forest_name, domain->alt_name)) { + domain->domain_flags = DS_DOMAIN_TREE_ROOT; + } + } + if (dom_sid) sid_copy(&domain->sid, dom_sid); } else { -- cgit From bcc2a6a9d759adc52ed9176bd1153da4b5a79722 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Fri, 4 Jan 2008 13:32:58 -0600 Subject: Ensure that winbindd_getgroups() can deal with a UPN name. A user logging in via GDM was not getting a complete list of supplementary groups in his/her token. This is because getgroup() was not able to find the winbindd_domain* using the DNS name. Fallback to matching the DNS name is the short name match failes. (This used to be commit 2030a8de19a2c7c735a8aa367dd953e4a5c447b8) --- source3/winbindd/winbindd_group.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c index fbd2fee692..62e8d1c40b 100644 --- a/source3/winbindd/winbindd_group.c +++ b/source3/winbindd/winbindd_group.c @@ -1494,9 +1494,18 @@ void winbindd_getgroups(struct winbindd_cli_state *state) s->username = talloc_strdup( state->mem_ctx, state->request.data.username ); } - /* Get info for the domain */ + /* Get info for the domain (either by short domain name or + DNS name in the case of a UPN) */ s->domain = find_domain_from_name_noinit(s->domname); + if (!s->domain) { + char *p = strchr(s->username, '@'); + + if (p) { + s->domain = find_domain_from_name_noinit(p+1); + } + + } if (s->domain == NULL) { DEBUG(7, ("could not find domain entry for domain %s\n", -- cgit From 4093b0632cda821f331f9ff50c51aa63c799292f Mon Sep 17 00:00:00 2001 
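Review bot: `domain->domain_flags = DS_DOMAIN_TREE_ROOT;` in the `if ( forest_name )` block replaces the whole flag word, so any trust flags already stored for this domain are lost whenever the forest name equals `alt_name`. Unless the field is known to be empty at this point, which the hunk does not show, `domain->domain_flags |= DS_DOMAIN_TREE_ROOT;` keeps them. The comparison also reads `domain->alt_name`, which is only refreshed when `dns_name` is non-NULL, so it may be comparing against an older value.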
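Review bot: The fallback added to winbindd_getgroups calls `strchr(s->username, '@')` without checking `s->username`, and the context line just above sets it from `talloc_strdup()`, which returns NULL on allocation failure. Guard it, `char *p = s->username ? strchr(s->username, '@') : NULL;`, unless a check exists in the part of the function outside the hunk. The text after `@` comes straight from the client request and now selects the domain object, while the failure message that follows still prints only `s->domname`; logging the suffix that was tried would make rejected lookups traceable.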
From: "Gerald (Jerry) Carter" Date: Fri, 4 Jan 2008 13:34:10 -0600 Subject: Add a missing check for dealing with a one-way trust in query_user(). (This used to be commit f89e356bdaa203ef0a3ce6b8bd52170afa68a2c9) --- source3/winbindd/winbindd_rpc.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index ffb47692cb..f5e1226447 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -456,6 +456,12 @@ static NTSTATUS query_user(struct winbindd_domain *domain, return NT_STATUS_OK; } + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("query_user: No incoming trust for domain %s\n", + domain->name)); + return NT_STATUS_OK; + } + /* no cache; hit the wire */ result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); -- cgit From 84a50e21541e4c3a0bfb70d5d501dc4b7e6f9714 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Fri, 4 Jan 2008 13:35:41 -0600 Subject: Fix the inherited trust flags when spidering the trust heirarchy. Also *do not* clear the trust list when rescanning or else it is possible to suffer from a race condition where no trusted domains can be found. (This used to be commit e7164a252bf213a74d6eeac5aa04645eed5be241) --- source3/winbindd/winbindd_ads.c | 12 ++++++++++++ source3/winbindd/winbindd_util.c | 10 +++++++--- 2 files changed, 19 insertions(+), 3 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index c9b2a52388..3aba824b0b 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c 
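Review bot: The new early exit in query_user returns `NT_STATUS_OK` when `winbindd_can_contact_domain( domain )` fails, but nothing in the hunk fills the caller's output before returning, so a caller that checks only the status may go on to use user information that was never written. If success is intended, clear the output structure before the return and say so in a comment, e.g. `/* one-way trust: the DC cannot be queried; succeed with no data */`; otherwise return an error status so the caller takes its failure path. The function begins and ends outside the hunk, so any earlier initialisation of the output is not visible here.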
@@ -1270,12 +1270,24 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, d.domain_type = domains[i].trust_type; d.domain_trust_attribs = domains[i].trust_attributes; } else { + /* Look up the record in the cache */ + struct winbindd_tdc_domain *parent; + DEBUG(10,("trusted_domains(ads): Inheriting trust " "flags for domain %s\n", d.alt_name)); + + parent = wcache_tdc_fetch_domain(NULL, domain->name); + if (parent) { + d.domain_flags = parent->trust_flags; + d.domain_type = parent->trust_type; + d.domain_trust_attribs = parent->trust_attribs; + } else { d.domain_flags = domain->domain_flags; d.domain_type = domain->domain_type; d.domain_trust_attribs = domain->domain_trust_attribs; } + TALLOC_FREE(parent); + } wcache_tdc_add_domain( &d ); diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 70468b6bcd..cc12d4b7ea 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -500,9 +500,13 @@ void rescan_trusted_domains( void ) ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) ) return; - /* clear the TRUSTDOM cache first */ - - wcache_tdc_clear(); + /* I use to clear the cache here and start over but that + caused problems in child processes that needed the + trust dom list early on. Removing it means we + could have some trusted domains listed that have been + removed from our primary domain's DC until a full + restart. This should be ok since I think this is what + Windows does as well. */ /* this will only add new domains we didn't already know about in the domain_list()*/ -- cgit From 18699d003b1d4460ffb36db61860e6c31acbf1cb Mon Sep 17 00:00:00 2001 
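Review bot: Dropping `wcache_tdc_clear()` from rescan_trusted_domains means a trust removed on the DC stays in the trusted-domain cache until winbindd is restarted, which the new comment acknowledges but treats as harmless. For an authentication daemon this is security-relevant: a revoked trust remains listed, and the winbindd_ads.c hunk now lets child domains inherit their flags from that same cache through `wcache_tdc_fetch_domain()`. I would make the comment state the consequence and the remedy, `/* NOTE: removed trusts persist until restart; restart winbindd after revoking a trust */`, and consider pruning entries that a rescan no longer returns instead of never expiring them.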
From: Andreas Schneider Date: Mon, 26 Nov 2007 11:44:30 +0100 Subject: Prevent winbindd from segfaulting due to corrupted cache tdb. If we try to flush the caches and due to a corrupted tdb we and have no tdb context close the tdb and validate it. Initialize the cache afterwards again. (This used to be commit d0c0f91fb9f3438a18c6f47ed894f525beb75cbf) --- source3/winbindd/winbindd.c | 18 +++++++++++++++++- source3/winbindd/winbindd_cache.c | 22 +++++++++++++++++++--- 2 files changed, 36 insertions(+), 4 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 07cf22618e..dfad50bf96 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -121,7 +121,23 @@ static void flush_caches(void) otherwise cached access denied errors due to restrict anonymous hang around until the sequence number changes. */ - wcache_invalidate_cache(); + if (wcache_invalidate_cache() < 0) { + DEBUG(0, ("invalidating the cache failed; revalidate the cache\n")); + /* Close the cache to be able to valdite the cache */ + close_winbindd_cache(); + /* + * Ensure all cache and idmap caches are consistent + * before we initialize the cache again. + */ + if (winbindd_validate_cache() < 0) { + DEBUG(0, ("corrupted tdb found, trying to restore backup\n")); + } + + /* Initialize cache again. */ + if (!initialize_winbindd_cache()) { + exit(1); + } + } } /* Handle the signal by unlinking socket and exiting */ diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index f63c7a5b2f..62a68aa8aa 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -2261,7 +2261,7 @@ void wcache_invalidate_samlogon(struct winbindd_domain *domain, netsamlogon_clear_cached_user(cache->tdb, info3); } -void wcache_invalidate_cache(void) +int wcache_invalidate_cache(void) { struct winbindd_domain *domain; 
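Review bot: In flush_caches, a failing `winbindd_validate_cache()` is only logged and execution falls through to `initialize_winbindd_cache()`, so unless the validator itself repairs or removes the file (not visible here) the daemon carries on with a cache it has just found to be corrupt; the message also announces a backup restore that nothing in this hunk performs. Either stop on that branch or make the fallback explicit in the code and the message. The other failure path calls `exit(1)` from inside a cache flush with no log line; add `DEBUG(0, ("flush_caches: re-initializing the winbindd cache failed\n"));` before it so the exit can be attributed.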
@@ -2270,9 +2270,15 @@ void wcache_invalidate_cache(void) DEBUG(10, ("wcache_invalidate_cache: invalidating cache " "entries for %s\n", domain->name)); - if (cache) - tdb_traverse(cache->tdb, traverse_fn, NULL); + if (cache) { + if (cache->tdb) { + tdb_traverse(cache->tdb, traverse_fn, NULL); + } else { + return -1; + } + } } + return 0; } bool init_wcache(void) @@ -2354,6 +2360,16 @@ bool initialize_winbindd_cache(void) return True; } +void close_winbindd_cache() +{ + if (!wcache) + return; + if (wcache->tdb) { + tdb_close(wcache->tdb); + wcache->tdb = NULL; + } +} + void cache_store_response(pid_t pid, struct winbindd_response *response) { fstring key_str; -- cgit From c4d3f1b0f5345086e18cb4740e7a0c4fa222089a Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 7 Jan 2008 10:41:09 +0100 Subject: Add some braces to if statement. Michael (This used to be commit 66fc1db1d19d11792d9506b06ad914d88b7e0663) --- source3/winbindd/winbindd_cache.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 62a68aa8aa..9602a128a6 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -2362,8 +2362,9 @@ bool initialize_winbindd_cache(void) void close_winbindd_cache() { - if (!wcache) + if (!wcache) { return; + } if (wcache->tdb) { tdb_close(wcache->tdb); wcache->tdb = NULL; -- cgit From 696cf4d3c013f99d034c19c6762bf71c7c1ee8a6 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 7 Jan 2008 10:59:14 +0100 Subject: Make wcache_invalidate_cache() return bool, not int. Michael (This used to be commit dba24ceae78ffc49200b647838b6bf3657275add) --- source3/winbindd/winbindd.c | 2 +- source3/winbindd/winbindd_cache.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index dfad50bf96..8ebae3f16d 100644 
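Review bot: In the first hunk on this line, wcache_invalidate_cache reports failure only when `cache->tdb` is NULL; the result of `tdb_traverse(cache->tdb, traverse_fn, NULL)` is still dropped, so a traversal that fails on a damaged database, the case this commit targets, returns 0 and flush_caches never reaches its recovery path. Check it: `if (tdb_traverse(cache->tdb, traverse_fn, NULL) < 0) { return -1; }`. The early `return -1` also leaves the remaining domains in the loop uninvalidated, which deserves a comment. In the hunk that adds it, `void close_winbindd_cache()` should be declared with `(void)` like the neighbouring functions.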
--- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -121,7 +121,7 @@ static void flush_caches(void) otherwise cached access denied errors due to restrict anonymous hang around until the sequence number changes. */ - if (wcache_invalidate_cache() < 0) { + if (!wcache_invalidate_cache()) { DEBUG(0, ("invalidating the cache failed; revalidate the cache\n")); /* Close the cache to be able to valdite the cache */ close_winbindd_cache(); diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 9602a128a6..19becab1a6 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -2261,7 +2261,7 @@ void wcache_invalidate_samlogon(struct winbindd_domain *domain, netsamlogon_clear_cached_user(cache->tdb, info3); } -int wcache_invalidate_cache(void) +bool wcache_invalidate_cache(void) { struct winbindd_domain *domain; @@ -2274,11 +2274,11 @@ int wcache_invalidate_cache(void) if (cache->tdb) { tdb_traverse(cache->tdb, traverse_fn, NULL); } else { - return -1; + return false; } } } - return 0; + return true; } bool init_wcache(void) -- cgit From 0818d41697e839741b642efb8377f43686c33b7b Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 7 Jan 2008 11:19:27 +0100 Subject: Fix a comment. Michael (This used to be commit 62d6d4fff2edcce04e793d2a2f877cb3f4fedbdb) --- source3/winbindd/winbindd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 8ebae3f16d..5e9900d1d6 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -130,7 +130,8 @@ static void flush_caches(void) * before we initialize the cache again. */ if (winbindd_validate_cache() < 0) { - DEBUG(0, ("corrupted tdb found, trying to restore backup\n")); + DEBUG(0, ("winbindd cache tdb corrupt and no backup " + "could be restore.\n")); } /* Initialize cache again. */ -- cgit 
From d82702c21881120726065240af6db0fac3c4fef6 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 7 Jan 2008 11:27:54 +0100 Subject: Use the proper boolean constants. Michael (This used to be commit 6f673b7f10c145d88e6a6d3072b5f8cd98837304) --- source3/winbindd/winbindd_cache.c | 186 +++++++++++++++++++------------------- 1 file changed, 93 insertions(+), 93 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 19becab1a6..fc71868517 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -62,7 +62,7 @@ static bool is_non_centry_key(TDB_DATA kbuf) int i; if (kbuf.dptr == NULL || kbuf.dsize == 0) { - return False; + return false; } for (i = 0; non_centry_keys[i] != NULL; i++) { size_t namelen = strlen(non_centry_keys[i]); @@ -70,10 +70,10 @@ static bool is_non_centry_key(TDB_DATA kbuf) continue; } if (strncmp(non_centry_keys[i], (const char *)kbuf.dptr, namelen) == 0) { - return True; + return true; } } - return False; + return false; } /* Global online/offline state - False when online. winbindd starts up online @@ -210,9 +210,9 @@ static bool centry_check_bytes(struct cache_entry *centry, size_t nbytes) DEBUG(0,("centry corruption? needed %u bytes, have %d\n", (unsigned int)nbytes, centry->len - centry->ofs)); - return False; + return false; } - return True; + return true; } /* @@ -348,9 +348,9 @@ static bool centry_sid(struct cache_entry *centry, TALLOC_CTX *mem_ctx, DOM_SID char *sid_string; sid_string = centry_string(centry, mem_ctx); if ((sid_string == NULL) || (!string_to_sid(sid, sid_string))) { - return False; + return false; } - return True; + return true; } @@ -372,7 +372,7 @@ static bool wcache_server_down(struct winbindd_domain *domain) bool ret; if (!wcache->tdb) - return False; + return false; ret = (domain->sequence_number == DOM_SEQUENCE_NONE); 
@@ -454,7 +454,7 @@ static NTSTATUS store_cache_seqnum( struct winbindd_domain *domain ) } /* - refresh the domain sequence number. If force is True + refresh the domain sequence number. If force is true then always refresh it, no matter how recently we fetched it */ @@ -538,7 +538,7 @@ static bool centry_expired(struct winbindd_domain *domain, const char *keystr, s if (lp_winbind_offline_logon() && global_winbindd_offline_state) { DEBUG(10,("centry_expired: Key %s for domain %s valid as winbindd is globally offline.\n", keystr, domain->name )); - return False; + return false; } /* when the domain is offline return the cached entry. @@ -547,7 +547,7 @@ static bool centry_expired(struct winbindd_domain *domain, const char *keystr, s if (!domain->online) { DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n", keystr, domain->name )); - return False; + return false; } /* if the server is OK and our cache entry came from when it was down then @@ -556,7 +556,7 @@ static bool centry_expired(struct winbindd_domain *domain, const char *keystr, s (centry->sequence_number == DOM_SEQUENCE_NONE)) { DEBUG(10,("centry_expired: Key %s for domain %s invalid sequence.\n", keystr, domain->name )); - return True; + return true; } /* if the server is down or the cache entry is not older than the @@ -565,14 +565,14 @@ static bool centry_expired(struct winbindd_domain *domain, const char *keystr, s centry->sequence_number == domain->sequence_number) { DEBUG(10,("centry_expired: Key %s for domain %s is good.\n", keystr, domain->name )); - return False; + return false; } DEBUG(10,("centry_expired: Key %s for domain %s expired\n", keystr, domain->name )); /* it's expired */ - return True; + return true; } static struct cache_entry *wcache_fetch_raw(char *kstr) 
@@ -625,7 +625,7 @@ static struct cache_entry *wcache_fetch(struct winbind_cache *cache, return NULL; } - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); va_start(ap, format); smb_xvasprintf(&kstr, format, ap); @@ -1189,7 +1189,7 @@ do_query: (retry++ < 5)); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); centry = centry_start(domain, status); if (!centry) goto skip_save; @@ -1280,7 +1280,7 @@ do_query: status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); centry = centry_start(domain, status); if (!centry) goto skip_save; @@ -1364,7 +1364,7 @@ do_query: status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); centry = centry_start(domain, status); if (!centry) goto skip_save; @@ -1437,7 +1437,7 @@ do_query: domain_name, name, sid, type); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); if (domain->online && (NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) { @@ -1510,7 +1510,7 @@ do_query: status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type); /* We can't save the name to sid mapping here, as with sid history a 
@@ -1554,7 +1554,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, goto error; } - have_mapped = have_unmapped = False; + have_mapped = have_unmapped = false; for (i=0; istatus)) { char *dom; - have_mapped = True; + have_mapped = true; (*types)[i] = (enum lsa_SidType)centry_uint32(centry); dom = centry_string(centry, mem_ctx); @@ -1590,7 +1590,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, (*names)[i] = centry_string(centry, *names); } else if (NT_STATUS_EQUAL(centry->status, NT_STATUS_NONE_MAPPED)) { - have_unmapped = True; + have_unmapped = true; } else { /* something's definitely wrong */ @@ -1647,7 +1647,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, return result; } - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); for (i=0; ibackend->query_user(domain, mem_ctx, user_sid, info); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); wcache_save_user(domain, status, info); return status; @@ -1819,7 +1819,7 @@ do_query: goto skip_save; /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); centry = centry_start(domain, status); if (!centry) goto skip_save; @@ -1912,7 +1912,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, num_aliases, alias_rids); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); centry = centry_start(domain, status); if (!centry) goto skip_save; @@ -1993,7 +1993,7 @@ do_query: sid_mem, names, name_types); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); centry = centry_start(domain, status); if (!centry) goto skip_save; 
@@ -2013,7 +2013,7 @@ skip_save: /* find the sequence number for a domain */ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) { - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); *seq = domain->sequence_number; @@ -2104,7 +2104,7 @@ do_query: the main parent and always to make the query. --jerry */ /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); centry = centry_start(domain, status); if (!centry) @@ -2170,7 +2170,7 @@ do_query: status = domain->backend->lockout_policy(domain, mem_ctx, policy); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); wcache_save_lockout_policy(domain, status, policy); return status; @@ -2221,7 +2221,7 @@ do_query: status = domain->backend->password_policy(domain, mem_ctx, policy); /* and save it */ - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); wcache_save_password_policy(domain, status, policy); return status; @@ -2289,7 +2289,7 @@ bool init_wcache(void) } if (wcache->tdb != NULL) - return True; + return true; /* when working offline we must not clear the cache on restart */ wcache->tdb = tdb_open_log(lock_path("winbindd_cache.tdb"), @@ -2299,10 +2299,10 @@ bool init_wcache(void) if (wcache->tdb == NULL) { DEBUG(0,("Failed to open winbindd_cache.tdb!\n")); - return False; + return false; } - return True; + return true; } /************************************************************************ 
@@ -2313,18 +2313,18 @@ bool init_wcache(void) bool initialize_winbindd_cache(void) { - bool cache_bad = True; + bool cache_bad = true; uint32 vers; if (!init_wcache()) { DEBUG(0,("initialize_winbindd_cache: init_wcache failed.\n")); - return False; + return false; } /* Check version number. */ if (tdb_fetch_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers) && vers == WINBINDD_CACHE_VERSION) { - cache_bad = False; + cache_bad = false; } if (cache_bad) { @@ -2339,25 +2339,25 @@ bool initialize_winbindd_cache(void) DEBUG(0,("initialize_winbindd_cache: unlink %s failed %s ", lock_path("winbindd_cache.tdb"), strerror(errno) )); - return False; + return false; } if (!init_wcache()) { DEBUG(0,("initialize_winbindd_cache: re-initialization " "init_wcache failed.\n")); - return False; + return false; } /* Write the version. */ if (!tdb_store_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION)) { DEBUG(0,("initialize_winbindd_cache: version number store failed %s\n", tdb_errorstr(wcache->tdb) )); - return False; + return false; } } tdb_close(wcache->tdb); wcache->tdb = NULL; - return True; + return true; } void close_winbindd_cache() @@ -2417,7 +2417,7 @@ bool cache_retrieve_response(pid_t pid, struct winbindd_response * response) fstring key_str; if (!init_wcache()) - return False; + return false; DEBUG(10, ("Retrieving response for pid %d\n", pid)); @@ -2425,17 +2425,17 @@ bool cache_retrieve_response(pid_t pid, struct winbindd_response * response) data = tdb_fetch(wcache->tdb, string_tdb_data(key_str)); if (data.dptr == NULL) - return False; + return false; if (data.dsize != sizeof(*response)) - return False; + return false; memcpy(response, data.dptr, data.dsize); SAFE_FREE(data.dptr); if (response->length == sizeof(*response)) { response->extra_data.data = NULL; - return True; + return true; } /* There's extra data */ 
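Review bot: In cache_retrieve_response (hunk at -2425), the `data.dsize != sizeof(*response)` early return leaves the buffer returned by tdb_fetch() unfreed, while the success path just below it calls `SAFE_FREE(data.dptr)`. A cache record of the wrong size therefore leaks one allocation per lookup. I would change the branch to `if (data.dsize != sizeof(*response)) { SAFE_FREE(data.dptr); return false; }`. The function starts before this hunk and continues past it.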
@@ -2448,19 +2448,19 @@ bool cache_retrieve_response(pid_t pid, struct winbindd_response * response) if (data.dptr == NULL) { DEBUG(0, ("Did not find extra data\n")); - return False; + return false; } if (data.dsize != (response->length - sizeof(*response))) { DEBUG(0, ("Invalid extra data length: %d\n", (int)data.dsize)); SAFE_FREE(data.dptr); - return False; + return false; } dump_data(11, (uint8 *)data.dptr, data.dsize); response->extra_data.data = data.dptr; - return True; + return true; } void cache_cleanup_response(pid_t pid) @@ -2492,19 +2492,19 @@ bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid, domain = find_lookup_domain_from_sid(sid); if (domain == NULL) { - return False; + return false; } cache = get_cache(domain); if (cache->tdb == NULL) { - return False; + return false; } centry = wcache_fetch(cache, domain, "SN/%s", sid_to_fstring(tmp, sid)); if (centry == NULL) { - return False; + return false; } if (NT_STATUS_IS_OK(centry->status)) { @@ -2533,13 +2533,13 @@ bool lookup_cached_name(TALLOC_CTX *mem_ctx, domain = find_lookup_domain_from_name(domain_name); if (domain == NULL) { - return False; + return false; } cache = get_cache(domain); if (cache->tdb == NULL) { - return False; + return false; } fstrcpy(uname, name); @@ -2549,12 +2549,12 @@ bool lookup_cached_name(TALLOC_CTX *mem_ctx, offline so the cache won't expire the entry */ original_online_state = domain->online; - domain->online = False; + domain->online = false; centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname); domain->online = original_online_state; if (centry == NULL) { - return False; + return false; } if (NT_STATUS_IS_OK(centry->status)) { 
@@ -2572,7 +2572,7 @@ void cache_name2sid(struct winbindd_domain *domain, const char *domain_name, const char *name, enum lsa_SidType type, const DOM_SID *sid) { - refresh_sequence_number(domain, False); + refresh_sequence_number(domain, false); wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name, sid, type); } @@ -2786,17 +2786,17 @@ bool set_global_winbindd_state_offline(void) if (wcache == NULL || wcache->tdb == NULL) { DEBUG(10,("set_global_winbindd_state_offline: wcache not open yet.\n")); - return False; + return false; } if (!lp_winbind_offline_logon()) { DEBUG(10,("set_global_winbindd_state_offline: rejecting.\n")); - return False; + return false; } if (global_winbindd_offline_state) { /* Already offline. */ - return True; + return true; } data = tdb_fetch_bystring( wcache->tdb, "WINBINDD_OFFLINE" ); @@ -2804,12 +2804,12 @@ bool set_global_winbindd_state_offline(void) if (!data.dptr || data.dsize != 4) { DEBUG(10,("set_global_winbindd_state_offline: offline state not set.\n")); SAFE_FREE(data.dptr); - return False; + return false; } else { DEBUG(10,("set_global_winbindd_state_offline: offline state set.\n")); - global_winbindd_offline_state = True; + global_winbindd_offline_state = true; SAFE_FREE(data.dptr); - return True; + return true; } } @@ -2826,7 +2826,7 @@ void set_global_winbindd_state_online(void) /* Already online. */ return; } - global_winbindd_offline_state = False; + global_winbindd_offline_state = false; if (!wcache->tdb) { return; @@ -2863,8 +2863,8 @@ static struct cache_entry *create_centry_validate(const char *kstr, TDB_DATA dat /* huh? corrupt cache? */ DEBUG(0,("create_centry_validate: Corrupt cache for key %s (len < 8) ?\n", kstr)); centry_free(centry); - state->bad_entry = True; - state->success = False; + state->bad_entry = true; + state->success = false; return NULL; } 
@@ -2879,7 +2879,7 @@ static int validate_seqnum(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbu if (dbuf.dsize != 8) { DEBUG(0,("validate_seqnum: Corrupt cache for key %s (len %u != 8) ?\n", keystr, (unsigned int)dbuf.dsize )); - state->bad_entry = True; + state->bad_entry = true; return 1; } return 0; @@ -3174,8 +3174,8 @@ static int validate_dr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, if (dbuf.dsize == 0) { DEBUG(0,("validate_dr: Corrupt cache for key %s (len == 0) ?\n", keystr)); - state->bad_entry = True; - state->success = False; + state->bad_entry = true; + state->success = false; return 1; } @@ -3190,8 +3190,8 @@ static int validate_de(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, if (dbuf.dsize == 0) { DEBUG(0,("validate_de: Corrupt cache for key %s (len == 0) ?\n", keystr)); - state->bad_entry = True; - state->success = False; + state->bad_entry = true; + state->success = false; return 1; } @@ -3234,8 +3234,8 @@ static int validate_trustdomcache(TALLOC_CTX *mem_ctx, const char *keystr, if (dbuf.dsize == 0) { DEBUG(0, ("validate_trustdomcache: Corrupt cache for " "key %s (len ==0) ?\n", keystr)); - state->bad_entry = True; - state->success = False; + state->bad_entry = true; + state->success = false; return 1; } @@ -3250,8 +3250,8 @@ static int validate_offline(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA db if (dbuf.dsize != 4) { DEBUG(0,("validate_offline: Corrupt cache for key %s (len %u != 4) ?\n", keystr, (unsigned int)dbuf.dsize )); - state->bad_entry = True; - state->success = False; + state->bad_entry = true; + state->success = false; return 1; } DEBUG(10,("validate_offline: %s ok\n", keystr)); 
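Review bot: validate_seqnum (hunk at -2879) sets only `state->bad_entry = true` on a wrong-sized record, whereas the other validators touched by this commit (validate_dr, validate_de, validate_trustdomcache, validate_offline, validate_cache_version) also set `state->success = false`. If the code driving the cache traversal reports its result through `success`, which is not visible in these hunks, a corrupt sequence-number entry could leave the validation looking clean. I would add `state->success = false;` next to the bad_entry assignment, or a short comment explaining why this validator is meant to differ.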
@@ -3265,8 +3265,8 @@ static int validate_cache_version(TALLOC_CTX *mem_ctx, const char *keystr, TDB_D DEBUG(0, ("validate_cache_version: Corrupt cache for " "key %s (len %u != 4) ?\n", keystr, (unsigned int)dbuf.dsize)); - state->bad_entry = True; - state->success = False; + state->bad_entry = true; + state->success = false; return 1; } @@ -3355,8 +3355,8 @@ static int cache_traverse_validate_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_D dump_data(0, (uint8 *)kbuf.dptr, kbuf.dsize); DEBUG(0,("data :\n")); dump_data(0, (uint8 *)dbuf.dptr, dbuf.dsize); - v_state->unknown_key = True; - v_state->success = False; + v_state->unknown_key = true; + v_state->success = false; return 1; /* terminate. */ } @@ -3450,7 +3450,7 @@ static bool add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom, struct winbindd_tdc_domain *list = NULL; size_t idx; int i; - bool set_only = False; + bool set_only = false; /* don't allow duplicates */ @@ -3462,7 +3462,7 @@ static bool add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom, DEBUG(10,("add_wbdomain_to_tdc_array: Found existing record for %s\n", new_dom->name)); idx = i; - set_only = True; + set_only = true; break; } @@ -3483,7 +3483,7 @@ static bool add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom, } if ( !list ) - return False; + return false; list[idx].domain_name = talloc_strdup( list, new_dom->name ); list[idx].dns_name = talloc_strdup( list, new_dom->alt_name ); @@ -3505,7 +3505,7 @@ static bool add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom, *num_domains = idx + 1; } - return True; + return true; } /********************************************************************* @@ -3661,7 +3661,7 @@ static bool wcache_tdc_store_list( struct winbindd_tdc_domain *domains, size_t n int ret; if ( !key.dptr ) - return False; + return false; /* See if we were asked to delete the cache entry */ 
@@ -3698,23 +3698,23 @@ bool wcache_tdc_fetch_list( struct winbindd_tdc_domain **domains, size_t *num_do *num_domains = 0; if ( !key.dptr ) - return False; + return false; data = tdb_fetch( wcache->tdb, key ); SAFE_FREE( key.dptr ); if ( !data.dptr ) - return False; + return false; *num_domains = unpack_tdc_domains( data.dptr, data.dsize, domains ); SAFE_FREE( data.dptr ); if ( !*domains ) - return False; + return false; - return True; + return true; } /********************************************************************* @@ -3724,7 +3724,7 @@ bool wcache_tdc_add_domain( struct winbindd_domain *domain ) { struct winbindd_tdc_domain *dom_list = NULL; size_t num_domains = 0; - bool ret = False; + bool ret = false; DEBUG(10,("wcache_tdc_add_domain: Adding domain %s (%s), SID %s, " "flags = 0x%x, attributes = 0x%x, type = 0x%x\n", @@ -3735,7 +3735,7 @@ bool wcache_tdc_add_domain( struct winbindd_domain *domain ) domain->domain_type)); if ( !init_wcache() ) { - return False; + return false; } /* fetch the list */ @@ -3756,7 +3756,7 @@ bool wcache_tdc_add_domain( struct winbindd_domain *domain ) /* Success */ - ret = True; + ret = true; done: TALLOC_FREE( dom_list ); @@ -3776,7 +3776,7 @@ struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const cha DEBUG(10,("wcache_tdc_fetch_domain: Searching for domain %s\n", name)); if ( !init_wcache() ) { - return False; + return false; } /* fetch the list */ @@ -3909,7 +3909,7 @@ do_query: /* the cache backend methods are exposed via this structure */ struct winbindd_methods cache_methods = { - True, + true, query_user_list, enum_dom_groups, enum_local_groups, -- cgit From cab9aa525dbbf4ba65acb43763298bfb30d4fca4 Mon Sep 17 00:00:00 2001 
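Review bot: wcache_tdc_fetch_domain (hunk at -3776) is declared to return `struct winbindd_tdc_domain *`, yet its init_wcache() failure path now reads `return false;`. The mechanical True/False conversion carried a boolean into a pointer-returning function, and it only behaves because the constant is zero. I would write `return NULL;` so the failure value matches the return type. The function body continues past the hunk.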
From: Günther Deschner Date: Mon, 7 Jan 2008 14:51:11 +0100 Subject: Fix build warning. Guenther (This used to be commit 73233a06d6f0f1346c48b465750af4b532cd7306) --- source3/winbindd/winbindd_cm.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 99e401d53f..a9155a5763 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -74,7 +74,7 @@ extern bool override_logfile; static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain); static void set_dc_type_and_flags( struct winbindd_domain *domain ); -static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain, +static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, struct dc_name_ip **dcs, int *num_dcs); /**************************************************************** @@ -560,7 +560,7 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password) } } -static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain, +static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, fstring dcname, struct sockaddr_storage *dc_ss) { @@ -600,12 +600,12 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain, 35 seconds should do it. */ orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000); - + if (our_domain->active_directory) { struct DS_DOMAIN_CONTROLLER_INFO *domain_info = NULL; - - werr = rpccli_netlogon_dsr_getdcname(netlogon_pipe, - mem_ctx, + + werr = rpccli_netlogon_dsr_getdcname(netlogon_pipe, + mem_ctx, our_domain->dcname, domain->name, NULL, 
@@ -615,19 +615,21 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain, if (W_ERROR_IS_OK(werr)) { fstrcpy(tmp, domain_info->domain_controller_name); if (strlen(domain->alt_name) == 0) { - fstrcpy(domain->alt_name, - CONST_DISCARD(char*, domain_info->domain_name)); + fstrcpy(domain->alt_name, + domain_info->domain_name); } if (strlen(domain->forest_name) == 0) { - fstrcpy(domain->forest_name, - CONST_DISCARD(char*, domain_info->dns_forest_name)); + fstrcpy(domain->forest_name, + domain_info->dns_forest_name); } - } + } } else { - - werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, + + werr = rpccli_netlogon_getanydcname(netlogon_pipe, + mem_ctx, our_domain->dcname, - domain->name, &tmp); + domain->name, + &tmp); } /* And restore our original timeout. */ @@ -1245,7 +1247,7 @@ static bool dcip_to_name(const struct winbindd_domain *domain, the dcs[] with results. *******************************************************************/ -static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain, +static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, struct dc_name_ip **dcs, int *num_dcs) { fstring dcname; @@ -1348,7 +1350,7 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, const struct winbindd_domain *domain, } static bool find_new_dc(TALLOC_CTX *mem_ctx, - const struct winbindd_domain *domain, + struct winbindd_domain *domain, fstring dcname, struct sockaddr_storage *pss, int *fd) { struct dc_name_ip *dcs = NULL; -- cgit From de53e47c76cc6dfdc8056be1e376549b9e8a94a4 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 8 Jan 2008 23:02:50 +0100 Subject: Fix prototype: Add a void to an empty function parameter list. Michael (This used to be commit 3f89aea8e4df3a2de8c5e4c6f4e417567adb2d67) --- source3/winbindd/winbindd_cache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/winbindd') 
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index fc71868517..c293861492 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -2360,7 +2360,7 @@ bool initialize_winbindd_cache(void) return true; } -void close_winbindd_cache() +void close_winbindd_cache(void) { if (!wcache) { return; -- cgit From f3603d5a5ab878d45b67bf0f33e2beca50d0af2d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 9 Jan 2008 00:11:31 +0100 Subject: Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a) --- source3/winbindd/winbindd_ads.c | 39 +++++++++++++++++++++------------------ source3/winbindd/winbindd_async.c | 20 ++++++++++++++------ source3/winbindd/winbindd_group.c | 15 ++++++--------- source3/winbindd/winbindd_pam.c | 9 +++++---- source3/winbindd/winbindd_util.c | 21 ++++++++++++--------- 5 files changed, 58 insertions(+), 46 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 3aba824b0b..f963669825 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -596,8 +596,9 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, num_groups = 0; /* always add the primary group to the sid array */ - if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; + status = add_sid_to_array(mem_ctx, primary_group, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { goto done; } 
@@ -615,10 +616,10 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, if (sid_check_is_in_builtin(&group_sid)) { continue; } - - if (!add_sid_to_array(mem_ctx, &group_sid, user_sids, - &num_groups)) { - status = NT_STATUS_NO_MEMORY; + + status = add_sid_to_array(mem_ctx, &group_sid, + user_sids, &num_groups); + if (!NT_STATUS_IS_OK(status)) { goto done; } } @@ -684,8 +685,9 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, num_groups = 0; /* always add the primary group to the sid array */ - if (!add_sid_to_array(mem_ctx, primary_group, user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; + status = add_sid_to_array(mem_ctx, primary_group, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -720,10 +722,10 @@ static NTSTATUS lookup_usergroups_memberof(struct winbindd_domain *domain, if (sid_check_is_in_builtin(&group_sids[i])) { continue; } - - if (!add_sid_to_array(mem_ctx, &group_sids[i], user_sids, - &num_groups)) { - status = NT_STATUS_NO_MEMORY; + + status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -861,8 +863,9 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, *user_sids = NULL; num_groups = 0; - if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; + status = add_sid_to_array(mem_ctx, &primary_group, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -872,10 +875,10 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, if (sid_check_is_in_builtin(&sids[i])) { continue; } - - if (!add_sid_to_array_unique(mem_ctx, &sids[i], - user_sids, &num_groups)) { - status = NT_STATUS_NO_MEMORY; + + status = add_sid_to_array_unique(mem_ctx, &sids[i], + user_sids, &num_groups); + if (!NT_STATUS_IS_OK(status)) { goto done; } } 
diff --git a/source3/winbindd/winbindd_async.c b/source3/winbindd/winbindd_async.c index 76724582a1..ab32ee0c76 100644 --- a/source3/winbindd/winbindd_async.c +++ b/source3/winbindd/winbindd_async.c @@ -492,7 +492,9 @@ static bool parse_sidlist(TALLOC_CTX *mem_ctx, char *sidstr, DEBUG(0, ("Could not parse sid %s\n", p)); return False; } - if (!add_sid_to_array(mem_ctx, &sid, sids, num_sids)) { + if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &sid, sids, + num_sids))) + { return False; } p = q; @@ -714,7 +716,9 @@ enum winbindd_result winbindd_dual_getsidaliases(struct winbindd_domain *domain, DEBUGADD(10, (" rid %d\n", alias_rids[i])); sid_copy(&sid, &domain->sid); sid_append_rid(&sid, alias_rids[i]); - if (!add_sid_to_array(state->mem_ctx, &sid, &sids, &num_sids)) { + result = add_sid_to_array(state->mem_ctx, &sid, &sids, + &num_sids); + if (!NT_STATUS_IS_OK(result)) { return WINBINDD_ERROR; } } @@ -832,8 +836,9 @@ static void gettoken_recvdomgroups(TALLOC_CTX *mem_ctx, bool success, state->sids = NULL; state->num_sids = 0; - if (!add_sid_to_array(mem_ctx, &state->user_sid, &state->sids, - &state->num_sids)) { + if (!NT_STATUS_IS_OK(add_sid_to_array(mem_ctx, &state->user_sid, + &state->sids, &state->num_sids))) + { DEBUG(0, ("Out of memory\n")); state->cont(state->private_data, False, NULL, 0); return; @@ -874,8 +879,11 @@ static void gettoken_recvaliases(void *private_data, bool success, } for (i=0; imem_ctx, &aliases[i], - &state->sids, &state->num_sids)) { + if (!NT_STATUS_IS_OK(add_sid_to_array(state->mem_ctx, + &aliases[i], + &state->sids, + &state->num_sids))) + { DEBUG(0, ("Out of memory\n")); state->cont(state->private_data, False, NULL, 0); return; diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c index 62e8d1c40b..6a704cf290 100644 --- a/source3/winbindd/winbindd_group.c +++ b/source3/winbindd/winbindd_group.c 
@@ -438,18 +438,15 @@ static NTSTATUS expand_groups( TALLOC_CTX *ctx, if ( name_types[j] == SID_NAME_DOM_GRP || name_types[j] == SID_NAME_ALIAS ) { - bool ret; - - ret = add_sid_to_array_unique( ctx, - &sid_mem[j], - &new_groups, - &new_groups_size ); - if ( !ret ) { - status = NT_STATUS_NO_MEMORY; + status = add_sid_to_array_unique(ctx, + &sid_mem[j], + &new_groups, + &new_groups_size); + if (NT_STATUS_IS_OK(status)) { goto out; } - continue; + continue; } } diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 7a9014a82f..525096b0a2 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -273,12 +273,13 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - if (!add_sid_to_array(mem_ctx, &sid, - &require_membership_of_sid, - &num_require_membership_of_sid)) { + status = add_sid_to_array(mem_ctx, &sid, + &require_membership_of_sid, + &num_require_membership_of_sid); + if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("add_sid_to_array failed\n")); TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; + return status; } } diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index cc12d4b7ea..dc48fdef8b 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c 
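Review bot: The new check in expand_groups (winbindd_group.c hunk at -438) is inverted: `if (NT_STATUS_IS_OK(status)) { goto out; }` leaves the loop on the first successful add_sid_to_array_unique() call, while an allocation failure falls through to `continue`. The removed code bailed out on `!ret`, so the condition should be `if (!NT_STATUS_IS_OK(status)) {`, as in the other call sites converted by this commit. As written, nested-group expansion appears to stop once the first group SID has been collected, which would give incomplete membership lists to whatever consumes them. The function starts and ends outside the hunk.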
@@ -1304,19 +1304,22 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain, /* always add the primary group to the sid array */ sid_compose(&primary_group, &info3->dom_sid.sid, info3->user_rid); - if (!add_sid_to_array(mem_ctx, &primary_group, user_sids, &num_groups)) { + status = add_sid_to_array(mem_ctx, &primary_group, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(info3); - return NT_STATUS_NO_MEMORY; + return status; } for (i=0; inum_groups; i++) { sid_copy(&group_sid, &info3->dom_sid.sid); sid_append_rid(&group_sid, info3->gids[i].g_rid); - if (!add_sid_to_array(mem_ctx, &group_sid, user_sids, - &num_groups)) { + status = add_sid_to_array(mem_ctx, &group_sid, user_sids, + &num_groups); + if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(info3); - return NT_STATUS_NO_MEMORY; + return status; } } @@ -1328,11 +1331,11 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain, if (info3->other_sids_attrib[i] & SE_GROUP_RESOURCE) continue; - if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, - user_sids, &num_groups)) - { + status = add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, + user_sids, &num_groups); + if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(info3); - return NT_STATUS_NO_MEMORY; + return status; } } -- cgit From c79ce2ffa3f7d00ce6a2cd6008c203e3042b0b02 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 11 Jan 2008 15:32:20 +0100 Subject: As long as DsGetDcName is not part of libnetapi, lowercase the fn name. Guenther (This used to be commit 19a980f52044a170618629e5b0484c1f6b586e5f) --- source3/winbindd/winbindd_locator.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_locator.c b/source3/winbindd/winbindd_locator.c index ee497ebf32..05bd74af25 100644 --- a/source3/winbindd/winbindd_locator.c +++ b/source3/winbindd/winbindd_locator.c 
@@ -48,7 +48,7 @@ void winbindd_dsgetdcname(struct winbindd_cli_state *state) state->request.domain_name [sizeof(state->request.domain_name)-1] = '\0'; - DEBUG(3, ("[%5lu]: DsGetDcName for %s\n", (unsigned long)state->pid, + DEBUG(3, ("[%5lu]: dsgetdcname for %s\n", (unsigned long)state->pid, state->request.domain_name)); sendto_child(state, locator_child()); @@ -64,10 +64,10 @@ static enum winbindd_result dual_dsgetdcname(struct winbindd_domain *domain, state->request.domain_name [sizeof(state->request.domain_name)-1] = '\0'; - DEBUG(3, ("[%5lu]: DsGetDcName for %s\n", (unsigned long)state->pid, + DEBUG(3, ("[%5lu]: dsgetdcname for %s\n", (unsigned long)state->pid, state->request.domain_name)); - result = DsGetDcName(state->mem_ctx, NULL, state->request.domain_name, + result = dsgetdcname(state->mem_ctx, NULL, state->request.domain_name, NULL, NULL, state->request.flags, &info); if (!NT_STATUS_IS_OK(result)) { -- cgit From 6fa81523f86c5e136bf3ab2c5b0c9032570d3b96 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Jan 2008 22:44:33 -0800 Subject: Ensure we don't access an uninitialized variable (CID 535 - actually false but easy to shut up :-). Jeremy. (This used to be commit 4038bb3a9485943db58d9fe30947e11522ce283d) --- source3/winbindd/winbindd_rpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index f5e1226447..34ba0498e0 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -308,7 +308,7 @@ NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain, { char **domains; char **names; - enum lsa_SidType *types; + enum lsa_SidType *types = NULL; NTSTATUS result; struct rpc_pipe_client *cli; POLICY_HND lsa_policy; -- cgit From c920764b1960f86482a24d4b4462664b07d4f1a9 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Tue, 15 Jan 2008 16:40:02 +0100 Subject: Apply const to rpccli_lsa_query_info_policy() and rpccli_lsa_query_info_policy2(). Guenther (This used to be commit 7a3fe68bef7acde9d9f8a7a44ce7e9432f3c5a95) --- source3/winbindd/winbindd_cm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index a9155a5763..908228717e 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1799,9 +1799,9 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) struct rpc_pipe_client *cli; POLICY_HND pol; - char *domain_name = NULL; - char *dns_name = NULL; - char *forest_name = NULL; + const char *domain_name = NULL; + const char *dns_name = NULL; + const char *forest_name = NULL; DOM_SID *dom_sid = NULL; ZERO_STRUCT( ctr ); -- cgit From 3bd3483fab4b55c36c276ccaf607a5ed3f1c6f29 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 16 Jan 2008 12:27:29 +0300 Subject: idmap TDB2 backend, used for clustered Samba setups. This uses 2 tdb files. One is permanent, and is in shared storage on the cluster (using "tdb:idmap2.tdb =" in smb.conf). The other is a temporary cache tdb on local storage. Signed-off-by: Alexander Bokovoy (This used to be commit b6df7e7709365fb620867ad8954bc5bf24496775) --- source3/winbindd/idmap_tdb2.c | 1014 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1014 insertions(+) create mode 100644 source3/winbindd/idmap_tdb2.c (limited to 'source3/winbindd') diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c new file mode 100644 index 0000000000..fa106aa134 --- /dev/null +++ b/source3/winbindd/idmap_tdb2.c 
@@ -0,0 +1,1014 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap TDB2 backend, used for clustered Samba setups.
+
+ This uses 2 tdb files. One is permanent, and is in shared storage
+ on the cluster (using "tdb:idmap2.tdb =" in smb.conf). The other is a
+ temporary cache tdb on local storage.
+
+ Copyright (C) Andrew Tridgell 2007
+
+ This is heavily based upon idmap_tdb.c, which is:
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Jim McDonough 2003
+ Copyright (C) Jeremy Allison 2006
+ Copyright (C) Simo Sorce 2003-2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+/* High water mark keys */
+#define HWM_GROUP "GROUP HWM"
+#define HWM_USER "USER HWM"
+
+static struct idmap_tdb2_state {
+ /* User and group id pool */
+ uid_t low_uid, high_uid; /* Range of uids to allocate */
+ gid_t low_gid, high_gid; /* Range of gids to allocate */
+ const char *idmap_script;
+} idmap_tdb2_state;
+
+
+
+/* tdb context for the local cache tdb */
+static TDB_CONTEXT *idmap_tdb2_tmp;
+
+/* handle to the permanent tdb */
+static struct db_context *idmap_tdb2_perm;
+
+/*
+ open the cache tdb
+ */
+static NTSTATUS idmap_tdb2_open_cache_db(void)
+{
+ const char *db_path;
+
+ if (idmap_tdb2_tmp) {
+ /* its already open */
+ return NT_STATUS_OK;
+ }
+
+ db_path = lock_path("idmap2_cache.tdb");
+
+ /* Open idmap repository */
+ if (!(idmap_tdb2_tmp = tdb_open_log(db_path, 0, TDB_CLEAR_IF_FIRST, O_RDWR|O_CREAT, 0644))) {
+ DEBUG(0, ("Unable to open cache idmap database '%s'\n", db_path));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+static NTSTATUS idmap_tdb2_alloc_load(void);
+
+/*
+ open the permanent tdb
+ */
+static NTSTATUS idmap_tdb2_open_perm_db(void)
+{
+ char *db_path;
+
+ if (idmap_tdb2_perm) {
+ /* its already open */
+ return NT_STATUS_OK;
+ }
+
+ db_path = lp_parm_talloc_string(-1, "tdb", "idmap2.tdb", NULL);
+ if (db_path == NULL) {
+ /* fall back to the private directory, which, despite
+ its name, is usually on shared storage */
+ db_path = talloc_asprintf(NULL, "%s/idmap2.tdb", lp_private_dir());
+ }
+ NT_STATUS_HAVE_NO_MEMORY(db_path);
+
+ /* Open idmap repository */
+ idmap_tdb2_perm = db_open(NULL, db_path, 0, TDB_DEFAULT,
+ O_RDWR|O_CREAT, 0644);
+ TALLOC_FREE(db_path);
+
+ if (idmap_tdb2_perm == NULL) {
+ DEBUG(0, ("Unable to open permanent idmap database '%s'\n",
+ db_path));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* load the ranges and high/low water marks */
+ return idmap_tdb2_alloc_load();
+}
+
+
+/*
+ load the idmap allocation ranges and high/low water marks
+*/
+static NTSTATUS idmap_tdb2_alloc_load(void)
+{
+ const char *range;
+ uid_t low_uid = 0;
+ uid_t high_uid = 0;
+ gid_t low_gid = 0;
+ gid_t high_gid = 0;
+
+ /* load ranges */
+ idmap_tdb2_state.low_uid = 0;
+ idmap_tdb2_state.high_uid = 0;
+ idmap_tdb2_state.low_gid = 0;
+ idmap_tdb2_state.high_gid = 0;
+
+ /* see if a idmap script is configured */
+ idmap_tdb2_state.idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+
+ if (idmap_tdb2_state.idmap_script) {
+ DEBUG(1, ("using idmap script '%s'\n", idmap_tdb2_state.idmap_script));
+ }
+
+ range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
+ if (range && range[0]) {
+ unsigned low_id, high_id;
+ if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
+ if (low_id < high_id) {
+ idmap_tdb2_state.low_gid = idmap_tdb2_state.low_uid = low_id;
+ idmap_tdb2_state.high_gid = idmap_tdb2_state.high_uid = high_id;
+ } else {
+ DEBUG(1, ("ERROR: invalid idmap alloc range [%s]", range));
+ }
+ } else {
+ DEBUG(1, ("ERROR: invalid syntax for idmap alloc config:range [%s]", range));
+ }
+ }
+
+ /* Create high water marks for group and user id */
+ if (lp_idmap_uid(&low_uid, &high_uid)) {
+ idmap_tdb2_state.low_uid = low_uid;
+ idmap_tdb2_state.high_uid = high_uid;
+ }
+
+ if (lp_idmap_gid(&low_gid, &high_gid)) {
+ idmap_tdb2_state.low_gid = low_gid;
+ idmap_tdb2_state.high_gid = high_gid;
+ }
+
+ if (idmap_tdb2_state.high_uid <= idmap_tdb2_state.low_uid) {
+ DEBUG(1, ("idmap uid range missing or invalid\n"));
+ DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ uint32 low_id;
+
+ if (((low_id = dbwrap_fetch_int32(idmap_tdb2_perm,
+ HWM_USER)) == -1) ||
+ (low_id < idmap_tdb2_state.low_uid)) {
+ if (dbwrap_store_int32(
+ idmap_tdb2_perm, HWM_USER,
+ idmap_tdb2_state.low_uid) == -1) {
+ DEBUG(0, ("Unable to initialise user hwm in idmap database\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+ }
+
+ if (idmap_tdb2_state.high_gid <= idmap_tdb2_state.low_gid) {
+ DEBUG(1, ("idmap gid range missing or invalid\n"));
+ DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ uint32 low_id;
+
+ if (((low_id = dbwrap_fetch_int32(idmap_tdb2_perm,
+ HWM_GROUP)) == -1) ||
+ (low_id < idmap_tdb2_state.low_gid)) {
+ if (dbwrap_store_int32(
+ idmap_tdb2_perm, HWM_GROUP,
+ idmap_tdb2_state.low_gid) == -1) {
+ DEBUG(0, ("Unable to initialise group hwm in idmap database\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ Initialise idmap alloc database.
+*/
+static NTSTATUS idmap_tdb2_alloc_init(const char *params)
+{
+ /* nothing to do - we want to avoid opening the permanent
+ database if possible. Instead we load the params when we
+ first need it. */
+ return NT_STATUS_OK;
+}
+
+
+/*
+ Allocate a new id.
+*/
+static NTSTATUS idmap_tdb2_allocate_id(struct unixid *xid)
+{
+ bool ret;
+ const char *hwmkey;
+ const char *hwmtype;
+ uint32_t high_hwm;
+ uint32_t hwm;
+ NTSTATUS status;
+
+ status = idmap_tdb2_open_perm_db();
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ /* Get current high water mark */
+ switch (xid->type) {
+
+ case ID_TYPE_UID:
+ hwmkey = HWM_USER;
+ hwmtype = "UID";
+ high_hwm = idmap_tdb2_state.high_uid;
+ break;
+
+ case ID_TYPE_GID:
+ hwmkey = HWM_GROUP;
+ hwmtype = "GID";
+ high_hwm = idmap_tdb2_state.high_gid;
+ break;
+
+ default:
+ DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if ((hwm = dbwrap_fetch_int32(idmap_tdb2_perm, hwmkey)) == -1) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ /* check it is in the range */
+ if (hwm > high_hwm) {
+ DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
+ hwmtype, (unsigned long)high_hwm));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* fetch a new id and increment it */
+ ret = dbwrap_change_uint32_atomic(idmap_tdb2_perm, hwmkey, &hwm, 1);
+ if (ret == -1) {
+ DEBUG(1, ("Fatal error while fetching a new %s value\n!", hwmtype));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* recheck it is in the range */
+ if (hwm > high_hwm) {
+ DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
+ hwmtype, (unsigned long)high_hwm));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ xid->id = hwm;
+ DEBUG(10,("New %s = %d\n", hwmtype, hwm));
+
+ return NT_STATUS_OK;
+}
+
+/*
+ Get current highest id.
+*/
+static NTSTATUS idmap_tdb2_get_hwm(struct unixid *xid)
+{
+ const char *hwmkey;
+ const char *hwmtype;
+ uint32_t hwm;
+ uint32_t high_hwm;
+
+ /* Get current high water mark */
+ switch (xid->type) {
+
+ case ID_TYPE_UID:
+ hwmkey = HWM_USER;
+ hwmtype = "UID";
+ high_hwm = idmap_tdb2_state.high_uid;
+ break;
+
+ case ID_TYPE_GID:
+ hwmkey = HWM_GROUP;
+ hwmtype = "GID";
+ high_hwm = idmap_tdb2_state.high_gid;
+ break;
+
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if ((hwm = dbwrap_fetch_int32(idmap_tdb2_perm, hwmkey)) == -1) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ xid->id = hwm;
+
+ /* Warn if it is out of range */
+ if (hwm >= high_hwm) {
+ DEBUG(0, ("Warning: %s range full!! (max: %lu)\n",
+ hwmtype, (unsigned long)high_hwm));
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*
+ Set high id.
+*/
+static NTSTATUS idmap_tdb2_set_hwm(struct unixid *xid)
+{
+ /* not supported, or we would invalidate the cache tdb on
+ other nodes */
+ DEBUG(0,("idmap_tdb2_set_hwm not supported\n"));
+ return NT_STATUS_NOT_SUPPORTED;
+}
+
+/*
+ Close the alloc tdb
+*/
+static NTSTATUS idmap_tdb2_alloc_close(void)
+{
+ /* don't actually close it */
+ return NT_STATUS_OK;
+}
+
+/*
+ IDMAP MAPPING TDB BACKEND
+*/
+struct idmap_tdb2_context {
+ uint32_t filter_low_id;
+ uint32_t filter_high_id;
+};
+
+/*
+ try fetching from the cache tdb, and if that fails then
+ fetch from the permanent tdb
+ */
+static TDB_DATA tdb2_fetch_bystring(TALLOC_CTX *mem_ctx, const char *keystr)
+{
+ TDB_DATA ret;
+ NTSTATUS status;
+
+ ret = tdb_fetch_bystring(idmap_tdb2_tmp, keystr);
+ if (ret.dptr != NULL) {
+ /* got it from cache */
+ unsigned char *tmp;
+
+ tmp = (unsigned char *)talloc_memdup(mem_ctx, ret.dptr,
+ ret.dsize);
+ SAFE_FREE(ret.dptr);
+ ret.dptr = tmp;
+
+ if (ret.dptr == NULL) {
+ return make_tdb_data(NULL, 0);
+ }
+ return ret;
+ }
+
+ status = idmap_tdb2_open_perm_db();
+ if (!NT_STATUS_IS_OK(status)) {
+ return ret;
+ }
+
+ /* fetch from the permanent tdb */
+ return dbwrap_fetch_bystring(idmap_tdb2_perm, mem_ctx, keystr);
+}
+
+/*
+ store into both databases
+ */
+static NTSTATUS tdb2_store_bystring(const char *keystr, TDB_DATA data, int flags)
+{
+ NTSTATUS ret;
+ NTSTATUS status = idmap_tdb2_open_perm_db();
+ if (!NT_STATUS_IS_OK(status)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ ret = dbwrap_store_bystring(idmap_tdb2_perm, keystr, data, flags);
+ if (!NT_STATUS_IS_OK(ret)) {
+ ret = tdb_store_bystring(idmap_tdb2_tmp, keystr, data, flags) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+ }
+ return ret;
+}
+
+/*
+ delete from both databases
+ */
+static NTSTATUS tdb2_delete_bystring(const char *keystr)
+{
+ NTSTATUS ret;
+ NTSTATUS status = idmap_tdb2_open_perm_db();
+ if (!NT_STATUS_IS_OK(status)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ ret = dbwrap_delete_bystring(idmap_tdb2_perm, keystr);
+ if (!NT_STATUS_IS_OK(ret)) {
+ ret = tdb_delete_bystring(idmap_tdb2_tmp, keystr) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+ }
+ return ret;
+}
+
+/*
+ Initialise idmap database.
+*/
+static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+{
+ NTSTATUS ret;
+ struct idmap_tdb2_context *ctx;
+ char *config_option = NULL;
+ const char *range;
+ NTSTATUS status;
+
+ status = idmap_tdb2_open_cache_db();
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ ctx = talloc(dom, struct idmap_tdb2_context);
+ if ( ! ctx) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
+ if ( ! config_option) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+
+ range = lp_parm_const_string(-1, config_option, "range", NULL);
+ if (( ! range) ||
+ (sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
+ (ctx->filter_low_id > ctx->filter_high_id)) {
+ ctx->filter_low_id = 0;
+ ctx->filter_high_id = 0;
+ }
+
+ dom->private_data = ctx;
+ dom->initialized = True;
+
+ talloc_free(config_option);
+ return NT_STATUS_OK;
+
+failed:
+ talloc_free(ctx);
+ return ret;
+}
+
+
+/*
+ run a script to perform a mapping
+
+ The script should the following command lines:
+
+ SIDTOID S-1-xxxx
+ IDTOSID UID xxxx
+ IDTOSID GID xxxx
+
+ and should return one of the following as a single line of text
+ UID:xxxx
+ GID:xxxx
+ SID:xxxx
+ ERR:xxxx
+ */
+static NTSTATUS idmap_tdb2_script(struct idmap_tdb2_context *ctx, struct id_map *map,
+ const char *fmt, ...)
+{
+ va_list ap;
+ char *cmd;
+ FILE *p;
+ char line[64];
+ unsigned long v;
+
+ cmd = talloc_asprintf(ctx, "%s ", idmap_tdb2_state.idmap_script);
+ NT_STATUS_HAVE_NO_MEMORY(cmd);
+
+ va_start(ap, fmt);
+ cmd = talloc_vasprintf_append(cmd, fmt, ap);
+ va_end(ap);
+ NT_STATUS_HAVE_NO_MEMORY(cmd);
+
+ p = popen(cmd, "r");
+ talloc_free(cmd);
+ if (p == NULL) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ if (fgets(line, sizeof(line)-1, p) == NULL) {
+ pclose(p);
+ return NT_STATUS_NONE_MAPPED;
+ }
+ pclose(p);
+
+ DEBUG(10,("idmap script gave: %s\n", line));
+
+ if (sscanf(line, "UID:%lu", &v) == 1) {
+ map->xid.id = v;
+ map->xid.type = ID_TYPE_UID;
+ } else if (sscanf(line, "GID:%lu", &v) == 1) {
+ map->xid.id = v;
+ map->xid.type = ID_TYPE_GID;
+ } else if (strncmp(line, "SID:S-", 6) == 0) {
+ if (!string_to_sid(map->sid, &line[4])) {
+ DEBUG(0,("Bad SID in '%s' from idmap script %s\n",
+ line, idmap_tdb2_state.idmap_script));
+ return NT_STATUS_NONE_MAPPED;
+ }
+ } else {
+ DEBUG(0,("Bad reply '%s' from idmap script %s\n",
+ line, idmap_tdb2_state.idmap_script));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+
+/*
+ Single id to sid lookup function.
+*/
+static NTSTATUS idmap_tdb2_id_to_sid(struct idmap_tdb2_context *ctx, struct id_map *map)
+{
+ NTSTATUS ret;
+ TDB_DATA data;
+ char *keystr;
+
+ if (!ctx || !map) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* apply filters before checking */
+ if ((ctx->filter_low_id && (map->xid.id < ctx->filter_low_id)) ||
+ (ctx->filter_high_id && (map->xid.id > ctx->filter_high_id))) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, ctx->filter_low_id, ctx->filter_high_id));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ switch (map->xid.type) {
+
+ case ID_TYPE_UID:
+ keystr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
+ break;
+
+ case ID_TYPE_GID:
+ keystr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
+ break;
+
+ default:
+ DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* final SAFE_FREE safe */
+ data.dptr = NULL;
+
+ if (keystr == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ DEBUG(10,("Fetching record %s\n", keystr));
+
+ /* Check if the mapping exists */
+ data = tdb2_fetch_bystring(keystr, keystr);
+
+ if (!data.dptr) {
+ fstring sidstr;
+
+ DEBUG(10,("Record %s not found\n", keystr));
+ if (idmap_tdb2_state.idmap_script == NULL) {
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ ret = idmap_tdb2_script(ctx, map, "IDTOSID %s", keystr);
+
+ /* store it on shared storage */
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto done;
+ }
+
+ if (sid_to_string(sidstr, map->sid)) {
+ /* both forward and reverse mappings */
+ tdb2_store_bystring(keystr,
+ string_term_tdb_data(sidstr),
+ TDB_REPLACE);
+ tdb2_store_bystring(sidstr,
+ string_term_tdb_data(keystr),
+ TDB_REPLACE);
+ }
+ goto done;
+ }
+
+ if (!string_to_sid(map->sid, (const char *)data.dptr)) {
+ DEBUG(10,("INVALID SID (%s) in record %s\n",
+ (const char *)data.dptr, keystr));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ goto done;
+ }
+
+ DEBUG(10,("Found record %s -> %s\n", keystr, (const char *)data.dptr));
+ ret = NT_STATUS_OK;
+
+done:
+ talloc_free(keystr);
+ return ret;
+}
+
+
+/*
+ Single sid to id lookup function.
+*/
+static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_tdb2_context *ctx, struct id_map *map)
+{
+ NTSTATUS ret;
+ TDB_DATA data;
+ char *keystr;
+ unsigned long rec_id = 0;
+
+ if ((keystr = talloc_asprintf(ctx, "%s", sid_string_static(map->sid))) == NULL) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ DEBUG(10,("Fetching record %s\n", keystr));
+
+ /* Check if sid is present in database */
+ data = tdb2_fetch_bystring(keystr, keystr);
+ if (!data.dptr) {
+ fstring idstr;
+
+ DEBUG(10,(__location__ " Record %s not found\n", keystr));
+
+ if (idmap_tdb2_state.idmap_script == NULL) {
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ ret = idmap_tdb2_script(ctx, map, "SIDTOID %s", keystr);
+ /* store it on shared storage */
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto done;
+ }
+
+ snprintf(idstr, sizeof(idstr), "%cID %lu",
+ map->xid.type == ID_TYPE_UID?'U':'G',
+ (unsigned long)map->xid.id);
+ /* store both forward and reverse mappings */
+ tdb2_store_bystring(keystr, string_term_tdb_data(idstr),
+ TDB_REPLACE);
+ tdb2_store_bystring(idstr, string_term_tdb_data(keystr),
+ TDB_REPLACE);
+ goto done;
+ }
+
+ /* What type of record is this ? */
+ if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */
+ map->xid.id = rec_id;
+ map->xid.type = ID_TYPE_UID;
+ DEBUG(10,("Found uid record %s -> %s \n", keystr, (const char *)data.dptr ));
+ ret = NT_STATUS_OK;
+
+ } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
+ map->xid.id = rec_id;
+ map->xid.type = ID_TYPE_GID;
+ DEBUG(10,("Found gid record %s -> %s \n", keystr, (const char *)data.dptr ));
+ ret = NT_STATUS_OK;
+
+ } else { /* Unknown record type ! */
+ DEBUG(2, ("Found INVALID record %s -> %s\n", keystr, (const char *)data.dptr));
+ ret = NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ /* apply filters before returning result */
+ if ((ctx->filter_low_id && (map->xid.id < ctx->filter_low_id)) ||
+ (ctx->filter_high_id && (map->xid.id > ctx->filter_high_id))) {
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
+ map->xid.id, ctx->filter_low_id, ctx->filter_high_id));
+ ret = NT_STATUS_NONE_MAPPED;
+ }
+
+done:
+ talloc_free(keystr);
+ return ret;
+}
+
+/*
+ lookup a set of unix ids.
+*/
+static NTSTATUS idmap_tdb2_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
+{
+ struct idmap_tdb2_context *ctx;
+ NTSTATUS ret;
+ int i;
+
+ /* make sure we initialized */
+ if ( ! dom->initialized) {
+ ret = idmap_tdb2_db_init(dom);
+ if ( ! NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
+
+ for (i = 0; ids[i]; i++) {
+ ret = idmap_tdb2_id_to_sid(ctx, ids[i]);
+ if ( ! NT_STATUS_IS_OK(ret)) {
+
+ /* if it is just a failed mapping continue */
+ if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
+
+ /* make sure it is marked as unmapped */
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+
+ /* some fatal error occurred, return immediately */
+ goto done;
+ }
+
+ /* all ok, id is mapped */
+ ids[i]->status = ID_MAPPED;
+ }
+
+ ret = NT_STATUS_OK;
+
+done:
+ return ret;
+}
+
+/*
+ lookup a set of sids.
+*/
+static NTSTATUS idmap_tdb2_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
+{
+ struct idmap_tdb2_context *ctx;
+ NTSTATUS ret;
+ int i;
+
+ /* make sure we initialized */
+ if ( ! dom->initialized) {
+ ret = idmap_tdb2_db_init(dom);
+ if ( ! NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
+
+ for (i = 0; ids[i]; i++) {
+ ret = idmap_tdb2_sid_to_id(ctx, ids[i]);
+ if ( ! NT_STATUS_IS_OK(ret)) {
+
+ /* if it is just a failed mapping continue */
+ if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
+
+ /* make sure it is marked as unmapped */
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+
+ /* some fatal error occurred, return immediately */
+ goto done;
+ }
+
+ /* all ok, id is mapped */
+ ids[i]->status = ID_MAPPED;
+ }
+
+ ret = NT_STATUS_OK;
+
+done:
+ return ret;
+}
+
+
+/*
+ set a mapping.
+*/
+static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom, const struct id_map *map)
+{
+ struct idmap_tdb2_context *ctx;
+ NTSTATUS ret;
+ TDB_DATA data;
+ char *ksidstr, *kidstr;
+ struct db_record *update_lock = NULL;
+ struct db_record *rec = NULL;
+
+ /* make sure we initialized */
+ if ( ! dom->initialized) {
+ ret = idmap_tdb2_db_init(dom);
+ if ( ! NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+ }
+
+ if (!map || !map->sid) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ksidstr = kidstr = NULL;
+ data.dptr = NULL;
+
+ /* TODO: should we filter a set_mapping using low/high filters ? */
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
+
+ switch (map->xid.type) {
+
+ case ID_TYPE_UID:
+ kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
+ break;
+
+ case ID_TYPE_GID:
+ kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
+ break;
+
+ default:
+ DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (kidstr == NULL) {
+ DEBUG(0, ("ERROR: Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (!(ksidstr = talloc_strdup(ctx, sid_string_static(map->sid)))) {
+ DEBUG(0, ("Out of memory!\n"));
+ ret = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ DEBUG(10, ("Storing %s <-> %s map\n", ksidstr, kidstr));
+
+ /*
+ * Get us the update lock. This is necessary to get the lock orders
+ * right, we need to deal with two records under a lock.
+ */
+
+ if (!(update_lock = idmap_tdb2_perm->fetch_locked(
+ idmap_tdb2_perm, ctx,
+ string_term_tdb_data("UPDATELOCK")))) {
+ DEBUG(10,("Failed to lock record %s\n", ksidstr));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ /*
+ * *DELETE* previous mappings if any. *
+ */
+
+ /* First delete indexed on SID */
+
+ if (((rec = idmap_tdb2_perm->fetch_locked(
+ idmap_tdb2_perm, update_lock,
+ string_term_tdb_data(ksidstr))) != NULL)
+ && (rec->value.dsize != 0)) {
+ struct db_record *rec2;
+
+ if ((rec2 = idmap_tdb2_perm->fetch_locked(
+ idmap_tdb2_perm, update_lock, rec->value))
+ != NULL) {
+ rec2->delete_rec(rec2);
+ TALLOC_FREE(rec2);
+ }
+
+ rec->delete_rec(rec);
+
+ tdb_delete(idmap_tdb2_tmp, rec->key);
+ tdb_delete(idmap_tdb2_tmp, rec->value);
+ }
+ TALLOC_FREE(rec);
+
+ /* Now delete indexed on unix ID */
+
+ if (((rec = idmap_tdb2_perm->fetch_locked(
+ idmap_tdb2_perm, update_lock,
+ string_term_tdb_data(kidstr))) != NULL)
+ && (rec->value.dsize != 0)) {
+ struct db_record *rec2;
+
+ if ((rec2 = idmap_tdb2_perm->fetch_locked(
+ idmap_tdb2_perm, update_lock, rec->value))
+ != NULL) {
+ rec2->delete_rec(rec2);
+ TALLOC_FREE(rec2);
+ }
+
+ rec->delete_rec(rec);
+
+ tdb_delete(idmap_tdb2_tmp, rec->key);
+ tdb_delete(idmap_tdb2_tmp, rec->value);
+ }
+ TALLOC_FREE(rec);
+
+ if (!NT_STATUS_IS_OK(tdb2_store_bystring(ksidstr, string_term_tdb_data(kidstr),
+ TDB_INSERT))) {
+ DEBUG(0, ("Error storing SID -> ID\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(tdb2_store_bystring(kidstr, string_term_tdb_data(ksidstr),
+ TDB_INSERT))) {
+ DEBUG(0, ("Error storing ID -> SID\n"));
+ /* try to remove the previous stored SID -> ID map */
+ tdb2_delete_bystring(ksidstr);
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ DEBUG(10,("Stored %s <-> %s\n", ksidstr, kidstr));
+ ret = NT_STATUS_OK;
+
+done:
+ talloc_free(ksidstr);
+ talloc_free(kidstr);
+ SAFE_FREE(data.dptr);
+ TALLOC_FREE(update_lock);
+ return ret;
+}
+
+/*
+ remove a mapping.
+*/
+static NTSTATUS idmap_tdb2_remove_mapping(struct idmap_domain *dom, const struct id_map *map)
+{
+ /* not supported as it would invalidate the cache tdb on other
+ nodes */
+ DEBUG(0,("idmap_tdb2_remove_mapping not supported\n"));
+ return NT_STATUS_NOT_SUPPORTED;
+}
+
+/*
+ Close the idmap tdb instance
+*/
+static NTSTATUS idmap_tdb2_close(struct idmap_domain *dom)
+{
+ /* don't do anything */
+ return NT_STATUS_OK;
+}
+
+
+/*
+ Dump all mappings out
+*/
+static NTSTATUS idmap_tdb2_dump_data(struct idmap_domain *dom, struct id_map **maps, int *num_maps)
+{
+ DEBUG(0,("idmap_tdb2_dump_data not supported\n"));
+ return NT_STATUS_NOT_SUPPORTED;
+}
+
+static struct idmap_methods db_methods = {
+ .init = idmap_tdb2_db_init,
+ .unixids_to_sids = idmap_tdb2_unixids_to_sids,
+ .sids_to_unixids = idmap_tdb2_sids_to_unixids,
+ .set_mapping = idmap_tdb2_set_mapping,
+ .remove_mapping = idmap_tdb2_remove_mapping,
+ .dump_data = idmap_tdb2_dump_data,
+ .close_fn = idmap_tdb2_close
+};
+
+static struct idmap_alloc_methods db_alloc_methods = {
+ .init = idmap_tdb2_alloc_init,
+ .allocate_id = idmap_tdb2_allocate_id,
+ .get_id_hwm = idmap_tdb2_get_hwm,
+ .set_id_hwm = idmap_tdb2_set_hwm,
+ .close_fn = idmap_tdb2_alloc_close
+};
+
+NTSTATUS idmap_tdb2_init(void)
+{
+ NTSTATUS ret;
+
+ /* register both backends */
+ ret = smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_alloc_methods);
+ NT_STATUS_NOT_OK_RETURN(ret);
+
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_methods);
+}
-- cgit From 024741500abd30ac74adfdfa88694026792ba284 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 16 Jan 2008 16:50:46 +0300 Subject: Convert old sid-string handling in idmap_tdb2 to a new one (This used to be commit ee851730cef1eb506b47faf57e25789ad3c6aafa) --- source3/winbindd/idmap_tdb2.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'source3/winbindd')
diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c index fa106aa134..ab89e615f7 100644 --- a/source3/winbindd/idmap_tdb2.c +++ b/source3/winbindd/idmap_tdb2.c @@ -610,7 +610,7 @@ static NTSTATUS idmap_tdb2_id_to_sid(struct idmap_tdb2_context *ctx, struct id_m goto done; } - if (sid_to_string(sidstr, map->sid)) { + if (sid_to_fstring(sidstr, map->sid)) { /* both forward and reverse mappings */ tdb2_store_bystring(keystr, string_term_tdb_data(sidstr), @@ -648,7 +648,7 @@ static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_tdb2_context *ctx, struct id_m char *keystr; unsigned long rec_id = 0; - if ((keystr = talloc_asprintf(ctx, "%s", sid_string_static(map->sid))) == NULL) { + if ((keystr = sid_string_talloc(ctx, map->sid)) == NULL) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; @@ -859,7 +859,7 @@ static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom, const struct id goto done; } - if (!(ksidstr = talloc_strdup(ctx, sid_string_static(map->sid)))) { + if (!(ksidstr = sid_string_talloc(ctx, map->sid))) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; @@ -1008,7 +1008,10 @@ NTSTATUS idmap_tdb2_init(void) /* register both backends */ ret = smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_alloc_methods); - NT_STATUS_NOT_OK_RETURN(ret); + if (! NT_STATUS_IS_OK(ret)) { + DEBUG(0, ("Unable to register idmap alloc tdb2 module: %s\n", get_friendly_nt_error_msg(ret))); + return ret; + } return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_methods); } -- cgit From a92eb76688600efbf4a4056c2543f348e2fee8aa Mon Sep 17 00:00:00 2001 
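Review bot: `idmap_tdb2_sid_to_id` uses `ctx` and dereferences `map` on the changed `sid_string_talloc(ctx, map->sid)` line (hunk @@ -648) without the `if (!ctx || !map)` guard that `idmap_tdb2_id_to_sid` has. Its caller on this page passes the result of `talloc_get_type(dom->private_data, struct idmap_tdb2_context)` unchecked, and the function later reads `ctx->filter_low_id`, so a NULL context would be dereferenced there. I would add `if (!ctx || !map) { return NT_STATUS_INVALID_PARAMETER; }` at the top of the function, which starts outside the hunk. The @@ -859 hunk in `idmap_tdb2_set_mapping` likewise uses the unchecked `ctx` as the talloc parent.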
From: Günther Deschner Date: Thu, 17 Jan 2008 10:24:34 +0100 Subject: Finally enable pidl generated SAMR & NETLOGON headers and clients. Guenther (This used to be commit f7100156a7df7ac3ae84e45a47153b38d9375215) --- source3/winbindd/winbindd_creds.c | 2 +- source3/winbindd/winbindd_pam.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c index 62facb6769..4dbace5bcc 100644 --- a/source3/winbindd/winbindd_creds.c +++ b/source3/winbindd/winbindd_creds.c @@ -69,7 +69,7 @@ NTSTATUS winbindd_store_creds(struct winbindd_domain *domain, sid_copy(&sid, &(info3->dom_sid.sid)); sid_append_rid(&sid, info3->user_rid); sid_copy(&cred_sid, &sid); - info3->user_flgs |= LOGON_CACHED_ACCOUNT; + info3->user_flgs |= NETLOGON_CACHED_ACCOUNT; } else if (user_sid != NULL) { diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 525096b0a2..0c75cb17a9 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -923,7 +923,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, /* User *DOES* know the password, update logon_time and reset * bad_pw_count */ - my_info3->user_flgs |= LOGON_CACHED_ACCOUNT; + my_info3->user_flgs |= NETLOGON_CACHED_ACCOUNT; if (my_info3->acct_flags & ACB_AUTOLOCK) { return NT_STATUS_ACCOUNT_LOCKED_OUT; @@ -959,7 +959,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, must_change_time = nt_time_to_unix(my_info3->pass_must_change_time); if (must_change_time != 0 && must_change_time < time(NULL)) { /* we allow grace logons when the password has expired */ - my_info3->user_flgs |= LOGON_GRACE_LOGON; + my_info3->user_flgs |= NETLOGON_GRACE_LOGON; /* return NT_STATUS_PASSWORD_EXPIRED; */ goto success; } 
@@ -1075,7 +1075,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, } if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) || - (password_properties & DOMAIN_LOCKOUT_ADMINS)) { + (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) { my_info3->acct_flags |= ACB_AUTOLOCK; } } -- cgit From 611609ee2584cc0703c0524ae712ee385ae006f4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jan 2008 09:03:32 +0100 Subject: Fix a segfault MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pointed out by Steven Danneman on irc, thanks! Jerry, Günther, please check! (This used to be commit 9e71c89ac648040739ef2161a2e6c4299be1e35b) --- source3/winbindd/winbindd_cm.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 908228717e..ef159f0670 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -613,7 +613,13 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, DS_RETURN_DNS_NAME, &domain_info); if (W_ERROR_IS_OK(werr)) { - fstrcpy(tmp, domain_info->domain_controller_name); + tmp = talloc_strdup( + mem_ctx, domain_info->domain_controller_name); + if (tmp == NULL) { + DEBUG(0, ("talloc_strdup failed\n")); + talloc_destroy(mem_ctx); + return false; + } if (strlen(domain->alt_name) == 0) { fstrcpy(domain->alt_name, domain_info->domain_name); @@ -635,11 +641,10 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, /* And restore our original timeout. */ cli_set_timeout(netlogon_pipe->cli, orig_timeout); - talloc_destroy(mem_ctx); - if (!W_ERROR_IS_OK(werr)) { DEBUG(10, ("rpccli_netlogon_getanydcname failed: %s\n", dos_errstr(werr))); + talloc_destroy(mem_ctx); return False; } 
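Review bot: The new `tmp == NULL` branch in the @@ -613 hunk returns before `cli_set_timeout(netlogon_pipe->cli, orig_timeout)` is reached (that call is context in the following @@ -641 hunk), so on allocation failure the connection appears to keep the temporary timeout. Restoring it on this path as well, with `cli_set_timeout(netlogon_pipe->cli, orig_timeout);` ahead of `talloc_destroy(mem_ctx);`, would keep this error path equivalent to the others. The branch also spells `return false;` where the rest of the function uses `False`. Where the timeout is first changed lies outside the hunks, so this should be confirmed against the full function.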
@@ -654,6 +659,8 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, fstrcpy(dcname, p); + talloc_destroy(mem_ctx); + DEBUG(10, ("rpccli_netlogon_getanydcname returned %s\n", dcname)); if (!resolve_name(dcname, dc_ss, 0x20)) { -- cgit From 2b9ed4700ad42e627919dc372adcb5b5188e9fa0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 18 Jan 2008 08:39:47 +0100 Subject: winbindd: remove useless strcpy metze (This used to be commit df08708fc1e8fc8e15b36db29faf35ae5ae64b65) --- source3/winbindd/winbindd_pam.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 0c75cb17a9..98c9ae2ffe 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -31,8 +31,6 @@ static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx, struct winbindd_cli_state *state, NET_USER_INFO_3 *info3) { - fstring str_sid; - state->response.data.auth.info3.logon_time = nt_time_to_unix(info3->logon_time); state->response.data.auth.info3.logoff_time = @@ -51,8 +49,7 @@ static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx, state->response.data.auth.info3.user_rid = info3->user_rid; state->response.data.auth.info3.group_rid = info3->group_rid; - sid_to_fstring(str_sid, &(info3->dom_sid.sid)); - fstrcpy(state->response.data.auth.info3.dom_sid, str_sid); + sid_to_fstring(state->response.data.auth.info3.dom_sid, &(info3->dom_sid.sid)); state->response.data.auth.info3.num_groups = info3->num_groups; state->response.data.auth.info3.user_flgs = info3->user_flgs; -- cgit From 5f962d9b986e163bd3cceed6f9a9eebb61fdff27 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Wed, 23 Jan 2008 12:03:51 +0100 Subject: Fix get_trust_creds() to return always an upper-cased krb5 principal (this fixes winbind krb5 session at least with heimdal). Guenther (This used to be commit 9cf3a98eacea2dd07f89245f147e002b3f49482e) --- source3/winbindd/winbindd_cm.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index ef159f0670..ac122fba41 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -694,11 +694,15 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain, /* this is at least correct when domain is our domain, * which is the only case, when this is currently used: */ - if ((machine_krb5_principal != NULL) && - (asprintf(machine_krb5_principal, "%s$@%s", account_name, - domain->alt_name) == -1)) + if (machine_krb5_principal != NULL) { - return NT_STATUS_NO_MEMORY; + if (asprintf(machine_krb5_principal, "%s$@%s", + account_name, domain->alt_name) == -1) + { + return NT_STATUS_NO_MEMORY; + } + + strupper_m(*machine_krb5_principal); } return NT_STATUS_OK; -- cgit From 3b83f4915885edfe8f01f4f68daad6b909fe473d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 23 Jan 2008 13:52:42 +0100 Subject: Initialize _domain_list to NULL. Just to be sure the "if (!_domain_list)" in domain_list() test always works. Michael (This used to be commit 1f49065d44dd7570d5a9928359751bd36f287952) --- source3/winbindd/winbindd_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index dc48fdef8b..0381053331 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c 
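Review bot: `domain->alt_name` is formatted into the principal without a check that it is set; get_dc_name_via_netlogon on this page handles `strlen(domain->alt_name) == 0`, so an empty realm looks possible, and the result would be a principal ending in `@` that is still returned with NT_STATUS_OK. If callers can reach this with an empty alt_name, reject it before the `asprintf`, for example `if (domain->alt_name[0] == '\0') { return NT_STATUS_INVALID_PARAMETER; }`, or whichever status the callers expect. Since `strupper_m(*machine_krb5_principal)` upper-cases the account part as well as the realm, a comment such as `/* upper-case the whole principal: account name and realm */` would record that this is intended. The function starts outside the hunk.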
@@ -41,7 +41,7 @@ extern struct winbindd_methods passdb_methods; individual winbindd_domain structures cannot be made. Keep a copy of the domain name instead. */ -static struct winbindd_domain *_domain_list; +static struct winbindd_domain *_domain_list = NULL; /** When was the last scan of trusted domains done? -- cgit From 20512431321388cf293431b942cbbe9263d295c9 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 23 Jan 2008 14:33:22 +0100 Subject: Fix panic: Don't free the logfilename in winbind_child_died(). The child struct is immediately reused, and this results in a panic when child->logfilename == NULL. Michael (This used to be commit da131d089db98017632103aa9bbe38c98f7a3fc1) --- source3/winbindd/winbindd_dual.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 778886d8e2..e21524689b 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -480,7 +480,6 @@ void winbind_child_died(pid_t pid) child->event.fd = 0; child->event.flags = 0; child->pid = 0; - SAFE_FREE(child->logfilename); schedule_async_request(child); } -- cgit From 691c4b1a4175e3d4a073c396a2a7d8d315cd42bd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 17 Jan 2008 10:11:11 +0100 Subject: Windows 2008 (Longhorn) auth2 flag fixes. Interop fixes for AD specific flags. Original patch from Todd Stetcher. (This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f) --- source3/winbindd/winbindd_cm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index ac122fba41..dbc664da8c 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -2302,7 +2302,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, struct winbindd_cm_conn *conn; NTSTATUS result; - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; uint8 mach_pwd[16]; uint32 sec_chan_type; const char *account_name; -- cgit From af7f24d97953a4d11435be963ee8fbcf993a6841 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 24 Jan 2008 16:10:18 +0100 Subject: Add winbindd debugging ndr_print helpers. Guenther (This used to be commit 4389e4dadbf07c176d9102b74c06e62ecfc242be) --- source3/winbindd/winbindd_ndr.c | 149 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 source3/winbindd/winbindd_ndr.c (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c new file mode 100644 index 0000000000..145d11913d --- /dev/null +++ b/source3/winbindd/winbindd_ndr.c 
@@ -0,0 +1,149 @@ +/* + * Unix SMB/CIFS implementation. + * winbindd debug helper + * Copyright (C) Guenther Deschner 2008 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include "includes.h" +#include "winbindd.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_WINBIND + +/**************************************************************** +****************************************************************/ + +void ndr_print_winbindd_child(struct ndr_print *ndr, + const char *name, + const struct winbindd_child *r) +{ + ndr_print_struct(ndr, name, "winbindd_child"); + ndr->depth++; + ndr_print_ptr(ndr, "next", r->next); + ndr_print_ptr(ndr, "prev", r->prev); + ndr_print_uint32(ndr, "pid", (uint32_t)r->pid); +#if 0 + ndr_print_winbindd_domain(ndr, "domain", r->domain); +#else + ndr_print_ptr(ndr, "domain", r->domain); +#endif + ndr_print_string(ndr, "logfilename", r->logfilename); + /* struct fd_event event; */ + ndr_print_ptr(ndr, "lockout_policy_event", r->lockout_policy_event); + ndr_print_ptr(ndr, "requests", r->requests); + ndr_print_ptr(ndr, "table", r->table); + ndr->depth--; +} + +/**************************************************************** +****************************************************************/ + +void ndr_print_winbindd_cm_conn(struct ndr_print *ndr, + const char *name, + const struct winbindd_cm_conn *r) +{ + ndr_print_struct(ndr, name, "winbindd_cm_conn"); + 
ndr->depth++; + ndr_print_ptr(ndr, "cli", r->cli); + ndr_print_ptr(ndr, "samr_pipe", r->samr_pipe); + ndr_print_policy_handle(ndr, "sam_connect_handle", &r->sam_connect_handle); + ndr_print_policy_handle(ndr, "sam_domain_handle", &r->sam_domain_handle); + ndr_print_ptr(ndr, "lsa_pipe", r->lsa_pipe); + ndr_print_policy_handle(ndr, "lsa_policy", &r->lsa_policy); + ndr_print_ptr(ndr, "netlogon_pipe", r->netlogon_pipe); + ndr->depth--; +} + +/**************************************************************** +****************************************************************/ + +void ndr_print_winbindd_methods(struct ndr_print *ndr, + const char *name, + const struct winbindd_methods *r) +{ + extern struct winbindd_methods ads_methods; + extern struct winbindd_methods msrpc_methods; + extern struct winbindd_methods passdb_methods; + extern struct winbindd_methods reconnect_methods; + extern struct winbindd_methods cache_methods; + + ndr_print_struct(ndr, name, "winbindd_methods"); + ndr->depth++; + + if (r == NULL) { + ndr_print_string(ndr, name, "(NULL)"); + ndr->depth--; + return; + } + + if (r == &ads_methods) { + ndr_print_string(ndr, name, "ads_methods"); + } else if (r == &msrpc_methods) { + ndr_print_string(ndr, name, "msrpc_methods"); + } else if (r == &passdb_methods) { + ndr_print_string(ndr, name, "passdb_methods"); + } else if (r == &reconnect_methods) { + ndr_print_string(ndr, name, "reconnect_methods"); + } else if (r == &cache_methods) { + ndr_print_string(ndr, name, "cache_methods"); + } else { + ndr_print_string(ndr, name, "UNKNOWN"); + } + ndr->depth--; +} + +/**************************************************************** +****************************************************************/ + +void ndr_print_winbindd_domain(struct ndr_print *ndr, + const char *name, + const struct winbindd_domain *r) +{ + if (!r) { + return; + } + + ndr_print_struct(ndr, name, "winbindd_domain"); + ndr->depth++; + ndr_print_string(ndr, "name", r->name); + 
ndr_print_string(ndr, "alt_name", r->alt_name); + ndr_print_string(ndr, "forest_name", r->forest_name); + ndr_print_dom_sid(ndr, "sid", &r->sid); + ndr_print_netr_TrustFlags(ndr, "domain_flags", r->domain_flags); + ndr_print_netr_TrustType(ndr, "domain_type", r->domain_type); + ndr_print_netr_TrustAttributes(ndr, "domain_trust_attribs", r->domain_trust_attribs); + ndr_print_bool(ndr, "initialized", r->initialized); + ndr_print_bool(ndr, "native_mode", r->native_mode); + ndr_print_bool(ndr, "active_directory", r->active_directory); + ndr_print_bool(ndr, "primary", r->primary); + ndr_print_bool(ndr, "internal", r->internal); + ndr_print_bool(ndr, "online", r->online); + ndr_print_time_t(ndr, "startup_time", r->startup_time); + ndr_print_bool(ndr, "startup", r->startup); + ndr_print_winbindd_methods(ndr, "methods", r->methods); + ndr_print_winbindd_methods(ndr, "backend", r->backend); + ndr_print_ptr(ndr, "private_data", r->private_data); + ndr_print_string(ndr, "dcname", r->dcname); + ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr); + ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check); + ndr_print_uint32(ndr, "sequence_number", r->sequence_number); + ndr_print_NTSTATUS(ndr, "last_status", r->last_status); + ndr_print_winbindd_cm_conn(ndr, "conn", &r->conn); + ndr_print_winbindd_child(ndr, "child", &r->child); + ndr_print_uint32(ndr, "check_online_timeout", r->check_online_timeout); + ndr_print_ptr(ndr, "check_online_event", r->check_online_event); + ndr->depth--; +} -- cgit From fcf42bb19c66fdf87a27354f0cd31b5aacd527d5 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 24 Jan 2008 16:19:58 +0100 Subject: Add winbind_msg_dump_domain_list to winbindd. Guenther (This used to be commit 54ad97bd8364c393de2c9471a4c14ca5b880b318) --- source3/winbindd/winbindd.c | 4 ++ source3/winbindd/winbindd_dual.c | 84 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) (limited to 'source3/winbindd') 
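Review bot: ndr_print_winbindd_child and ndr_print_winbindd_cm_conn dereference `r` with no NULL check, while ndr_print_winbindd_methods prints "(NULL)" and ndr_print_winbindd_domain returns early on `!r`. The only callers in this file pass addresses of embedded members, so this is a consistency and robustness point rather than a reachable crash, but these are exported helpers; a guard such as `if (r == NULL) { ndr_print_string(ndr, name, "(NULL)"); return; }` ahead of `ndr_print_struct` would match the methods printer. ndr_print_winbindd_domain also emits nothing at all for a NULL domain, so a caller gets an empty dump with no hint why; printing the same "(NULL)" marker there would be clearer. The banner comments above each function are empty and could carry one line each saying what is printed and that raw pointer values are included in the output.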
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 5e9900d1d6..615f4a918e 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -1227,6 +1227,10 @@ int main(int argc, char **argv, char **envp) MSG_WINBIND_VALIDATE_CACHE, winbind_msg_validate_cache); + messaging_register(winbind_messaging_context(), NULL, + MSG_WINBIND_DUMP_DOMAIN_LIST, + winbind_msg_dump_domain_list); + netsamlogon_cache_init(); /* Non-critical */ /* clear the cached list of trusted domains */ diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index e21524689b..a9786d1ceb 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
@@ -676,6 +676,88 @@ void winbind_msg_dump_event_list(struct messaging_context *msg_ctx, } +void winbind_msg_dump_domain_list(struct messaging_context *msg_ctx, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data) +{ + TALLOC_CTX *mem_ctx; + const char *message = NULL; + struct server_id *sender = NULL; + const char *domain = NULL; + char *s = NULL; + NTSTATUS status; + struct winbindd_domain *dom = NULL; + + DEBUG(5,("winbind_msg_dump_domain_list received.\n")); + + if (!data || !data->data) { + return; + } + + if (data->length < sizeof(struct server_id)) { + return; + } + + mem_ctx = talloc_init("winbind_msg_dump_domain_list"); + if (!mem_ctx) { + return; + } + + sender = (struct server_id *)data->data; + if (data->length > sizeof(struct server_id)) { + domain = (const char *)data->data+sizeof(struct server_id); + } + + if (domain) { + + DEBUG(5,("winbind_msg_dump_domain_list for domain: %s\n", + domain)); + + message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain, + find_domain_from_name_noinit(domain)); + if (!message) { + talloc_destroy(mem_ctx); + return; + } + + messaging_send_buf(msg_ctx, *sender, + MSG_WINBIND_DUMP_DOMAIN_LIST, + (uint8_t *)message, strlen(message) + 1); + + talloc_destroy(mem_ctx); + + return; + } + + DEBUG(5,("winbind_msg_dump_domain_list all domains\n")); + + for (dom = domain_list(); dom; dom=dom->next) { + message = NDR_PRINT_STRUCT_STRING(mem_ctx, winbindd_domain, dom); + if (!message) { + talloc_destroy(mem_ctx); + return; + } + + s = talloc_asprintf_append(s, "%s\n", message); + if (!s) { + talloc_destroy(mem_ctx); + return; + } + } + + status = messaging_send_buf(msg_ctx, *sender, + MSG_WINBIND_DUMP_DOMAIN_LIST, + (uint8_t *)s, strlen(s) + 1); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("failed to send message: %s\n", + nt_errstr(status))); + } + + talloc_destroy(mem_ctx); +} + static void account_lockout_policy_handler(struct event_context *ctx, struct timed_event *te, const struct 
timeval *now, @@ -946,6 +1028,8 @@ static bool fork_domain_child(struct winbindd_child *child) MSG_WINBIND_ONLINESTATUS, NULL); messaging_deregister(winbind_messaging_context(), MSG_DUMP_EVENT_LIST, NULL); + messaging_deregister(winbind_messaging_context(), + MSG_WINBIND_DUMP_DOMAIN_LIST, NULL); /* Handle online/offline messages. */ messaging_register(winbind_messaging_context(), NULL, -- cgit From 6b1c45a5c2e5e3f0a3e2b7772cd55079ebe3133e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 24 Jan 2008 17:39:29 +0100 Subject: Fix winbindd build w/o ADS. Guenther (This used to be commit 40daef4c3d822a28467ff521efca6a55a0370050) --- source3/winbindd/winbindd_ndr.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c index 145d11913d..842c915c5f 100644 --- a/source3/winbindd/winbindd_ndr.c +++ b/source3/winbindd/winbindd_ndr.c @@ -74,7 +74,9 @@ void ndr_print_winbindd_methods(struct ndr_print *ndr, const char *name, const struct winbindd_methods *r) { +#ifdef HAVE_ADS extern struct winbindd_methods ads_methods; +#endif extern struct winbindd_methods msrpc_methods; extern struct winbindd_methods passdb_methods; extern struct winbindd_methods reconnect_methods; @@ -89,10 +91,12 @@ void ndr_print_winbindd_methods(struct ndr_print *ndr, return; } - if (r == &ads_methods) { - ndr_print_string(ndr, name, "ads_methods"); - } else if (r == &msrpc_methods) { + if (r == &msrpc_methods) { ndr_print_string(ndr, name, "msrpc_methods"); +#ifdef HAVE_ADS + } else if (r == &ads_methods) { + ndr_print_string(ndr, name, "ads_methods"); +#endif } else if (r == &passdb_methods) { ndr_print_string(ndr, name, "passdb_methods"); } else if (r == &reconnect_methods) { -- cgit From 614ba32b221aee268b86033ee10da4dbdb087365 Mon Sep 17 00:00:00 2001 
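Review bot: In winbind_msg_dump_domain_list the domain name is taken from `data->data + sizeof(struct server_id)` without checking that the payload is NUL-terminated within `data->length`, so the `%s` in DEBUG and find_domain_from_name_noinit() can read past the message buffer. Inside the `data->length > sizeof(struct server_id)` branch I would add `if (data->data[data->length - 1] != '\0') { talloc_destroy(mem_ctx); return; }`. In the all-domains path `s` starts as NULL, so the string built by talloc_asprintf_append() does not appear to hang off mem_ctx and is not released by talloc_destroy(mem_ctx), and `strlen(s)` is reached with NULL if the loop body never runs; starting from `s = talloc_strdup(mem_ctx, "")` with a NULL check covers both. The single-domain branch also drops the messaging_send_buf() status that the all-domains branch logs.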
From: Michael Adam Date: Thu, 24 Jan 2008 22:47:49 +0100 Subject: Fix assignment to request->data.init_conn.is_primary in init_child_connection(). The present assignment "request->data.init_conn.is_primary = domain->internal ? False : True" simply feels wrong. This seems to be the thing right to do: "request->data.init_conn.is_primary = domain->primary ? true : false". The question is: Does this have any purpose at all? data.init_conn.is_primary seems to be used nowhere in the whole code at all. Is it (still) needed? Michael (This used to be commit 8bb21b8b3802e7b093a3c4fb41b8550033388878) --- source3/winbindd/winbindd_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 0381053331..724cce2512 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -571,7 +571,7 @@ enum winbindd_result init_child_connection(struct winbindd_domain *domain, /* The primary domain has to find the DC name itself */ request->cmd = WINBINDD_INIT_CONNECTION; fstrcpy(request->domain_name, domain->name); - request->data.init_conn.is_primary = domain->internal ? False : True; + request->data.init_conn.is_primary = domain->primary ? true : false; fstrcpy(request->data.init_conn.dcname, ""); async_request(mem_ctx, &domain->child, request, response, init_child_recv, state); -- cgit From 2a542ce7727cf3eb7f64d855c70d974f02185a2a Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 24 Jan 2008 22:15:33 +0100 Subject: Add a debug message winbindd_can_contact_domain() explaining the reason for failure. Michael (This used to be commit ba5373ed7f74d560a9de8620039b596b8938d1dc) --- source3/winbindd/winbindd_util.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 724cce2512..3d9ede3cdf 100644 --- a/source3/winbindd/winbindd_util.c 
+++ b/source3/winbindd/winbindd_util.c @@ -1404,6 +1404,8 @@ bool winbindd_can_contact_domain( struct winbindd_domain *domain ) if ( domain->active_directory && ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) ) { + DEBUG(10, ("Domain is an AD domain and we have no inbound " + "trust.\n")); return False; } -- cgit From 9912f82067a4cb2e393eb81504fa4312ebfa0cd5 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 25 Jan 2008 01:21:56 +0100 Subject: Add debug message: show which domain_child is being forked. Michael (This used to be commit 373a00ae0d667d257fa93ab14c773e841f2c4f1a) --- source3/winbindd/winbindd_dual.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index a9786d1ceb..15ca564c6a 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -959,6 +959,13 @@ static bool fork_domain_child(struct winbindd_child *child) struct winbindd_cli_state state; struct winbindd_domain *domain; + if (child->domain) { + DEBUG(10, ("fork_domain_child called for domain '%s'\n", + child->domain->name)); + } else { + DEBUG(10, ("fork_domain_child called without domain.\n")); + } + if (socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair) != 0) { DEBUG(0, ("Could not open child pipe: %s\n", strerror(errno))); -- cgit From 05ff7fd46e19d9c1aab8524495c9b926290927c7 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 25 Jan 2008 13:26:10 +0100 Subject: Use generated DSSETUP client & server rpc functions and remove the hand-written ones. Guenther (This used to be commit d5ebfccebb1f1b56b45673a506fcdb414103c43b) --- source3/winbindd/winbindd_cm.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index dbc664da8c..0c5fa0e48e 100644 --- a/source3/winbindd/winbindd_cm.c 
+++ b/source3/winbindd/winbindd_cm.c @@ -1805,17 +1805,17 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) { NTSTATUS result; - DS_DOMINFO_CTR ctr; + WERROR werr; TALLOC_CTX *mem_ctx = NULL; struct rpc_pipe_client *cli; POLICY_HND pol; + union dssetup_DsRoleInfo info; const char *domain_name = NULL; const char *dns_name = NULL; const char *forest_name = NULL; DOM_SID *dom_sid = NULL; - ZERO_STRUCT( ctr ); if (!connection_ok(domain)) { return; @@ -1830,24 +1830,25 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name )); - cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC_DS, + cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_DSSETUP, &result); if (cli == NULL) { DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to " - "PI_LSARPC_DS on domain %s: (%s)\n", + "PI_DSSETUP on domain %s: (%s)\n", domain->name, nt_errstr(result))); /* if this is just a non-AD domain we need to continue * identifying so that we can in the end return with * domain->initialized = True - gd */ - goto no_lsarpc_ds; + goto no_dssetup; } - result = rpccli_ds_getprimarydominfo(cli, mem_ctx, - DsRolePrimaryDomainInfoBasic, - &ctr); + result = rpccli_dssetup_DsRoleGetPrimaryDomainInformation(cli, mem_ctx, + DS_ROLE_BASIC_INFORMATION, + &info, + &werr); cli_rpc_pipe_close(cli); if (!NT_STATUS_IS_OK(result)) { 
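Review bot: `werr` is filled in by rpccli_dssetup_DsRoleGetPrimaryDomainInformation() in the -1830 hunk but never read, and the -1856 hunk then reads `info.basic.flags` after checking only the NTSTATUS. Whether `result` already reflects the WERROR depends on the generated stub, which is not shown here, and `info` is no longer zeroed now that `ZERO_STRUCT( ctr )` is gone. Either test it before using the union, `if (!W_ERROR_IS_OK(werr)) { TALLOC_FREE(mem_ctx); return; }`, or pass NULL for the last argument and drop the variable so the intent is explicit. The body of set_dc_type_and_flags_connect continues outside these hunks.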
@@ -1856,26 +1857,26 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) domain->name, nt_errstr(result))); /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for - * every opcode on the LSARPC_DS pipe, continue with - * no_lsarpc_ds mode here as well to get domain->initialized + * every opcode on the DSSETUP pipe, continue with + * no_dssetup mode here as well to get domain->initialized * set - gd */ if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) { - goto no_lsarpc_ds; + goto no_dssetup; } TALLOC_FREE(mem_ctx); return; } - - if ((ctr.basic->flags & DSROLE_PRIMARY_DS_RUNNING) && - !(ctr.basic->flags & DSROLE_PRIMARY_DS_MIXED_MODE)) { + + if ((info.basic.flags & DS_ROLE_PRIMARY_DS_RUNNING) && + !(info.basic.flags & DS_ROLE_PRIMARY_DS_MIXED_MODE)) { domain->native_mode = True; } else { domain->native_mode = False; } -no_lsarpc_ds: +no_dssetup: cli = cli_rpc_pipe_open_noauth(domain->conn.cli, PI_LSARPC, &result); if (cli == NULL) { -- cgit From 3ca606731b99754493ab5a8d761225c637bc82dd Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 25 Jan 2008 16:40:17 +0100 Subject: Fix winbindd_can_contact_domain() on a samba DC. The check for inbound trusts is invalid when samba is a DC and has a trust with an active directory domain. This effectively prevented tusts with an AD domain on a samba DC from working (unless using "winbindd rpc only"), because an ads_connect() was never performed. Only the rpc-based winbindd methods were working properly. Jerry: Please check! Michael (This used to be commit dcd42a1e0642c69348adfaeecef7f7f2f074ac30) --- source3/winbindd/winbindd_util.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 3d9ede3cdf..d16b7423a1 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c 
@@ -1398,10 +1398,13 @@ bool winbindd_can_contact_domain( struct winbindd_domain *domain ) if ( domain->domain_flags & DS_DOMAIN_IN_FOREST ) return True; - /* We cannot contact the domain if it is running AD and - we have no inbound trust */ + /* + * On a _member_ server, we cannot contact the domain if it + * is running AD and we have no inbound trust. + */ - if ( domain->active_directory && + if ( !IS_DC && + domain->active_directory && ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) ) { DEBUG(10, ("Domain is an AD domain and we have no inbound " -- cgit From fda9247770577a98606c91973f98a7e53123a40c Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Fri, 25 Jan 2008 12:18:05 -0600 Subject: Use the correct domain name when looking up the trust password. On a DC, we always use the domain name given. On a domain member, we use lp_workgroup(). This fixes a bug supporting trusted domains. (This used to be commit 8b063a414149bdf401a8f854d55ed7dc6f94cb60) --- source3/winbindd/winbindd_cm.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 0c5fa0e48e..94910072c3 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -679,8 +679,22 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain, char **machine_krb5_principal) { const char *account_name; + const char *name = NULL; + + /* If we are a DC and this is not our own domain */ + + if (IS_DC) { + name = domain->name; + } else { + struct winbindd_domain *our_domain = find_our_domain(); - if (!get_trust_pw_clear(domain->name, machine_password, + if (!our_domain) + return NT_STATUS_INVALID_SERVER_STATE; + + name = our_domain->name; + } + + if (!get_trust_pw_clear(name, machine_password, &account_name, NULL)) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; -- cgit 
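Review bot: The comment `/* If we are a DC and this is not our own domain */` added in get_trust_creds describes a condition the code does not test: the branch is taken on `IS_DC` alone, with no comparison against our own domain. Since this selects which account's trust password is fetched, the comment should say what actually happens, for example `/* On a DC use the trust account of the given domain; on a member always use our own domain's machine account */`. The commit message mentions lp_workgroup() while the code uses `find_our_domain()->name`; if the two can differ, that is worth a sentence as well. The unbraced `if (!our_domain) return NT_STATUS_INVALID_SERVER_STATE;` would be safer with braces. The function body continues outside the hunk.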
From 235deb1b66ccfb4a264010e8ffe11a3a3682ac0d Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Fri, 25 Jan 2008 12:21:14 -0600 Subject: Always trust the domain flags in the wcache trusted domain cache. Use the flags stored in the tdb when determining if a domain can be contacted. The tdb should be considered authoratative anyways unless you know the flags in the winbindd_domain are correct (such as when first enumerating trusts). Original suggestion and patch from Steven Danneman . Manually rewritten by me for 3.2. (This used to be commit f53658a20de07a29abbe2e90917b328d00fc0024) --- source3/winbindd/winbindd_util.c | 46 ++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 13 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index d16b7423a1..f6bb5750ea 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c 
@@ -1386,36 +1386,56 @@ void ws_name_return( char *name, char replace ) /********************************************************************* ********************************************************************/ -bool winbindd_can_contact_domain( struct winbindd_domain *domain ) +bool winbindd_can_contact_domain(struct winbindd_domain *domain) { + struct winbindd_tdc_domain *tdc = NULL; + TALLOC_CTX *frame = talloc_stackframe(); + bool ret = false; + /* We can contact the domain if it is our primary domain */ - if ( domain->primary ) - return True; + if (domain->primary) { + return true; + } - /* Can always contact a domain that is in out forest */ + /* Trust the TDC cache and not the winbindd_domain flags */ - if ( domain->domain_flags & DS_DOMAIN_IN_FOREST ) - return True; + if ((tdc = wcache_tdc_fetch_domain(frame, domain->name)) == NULL) { + DEBUG(10,("winbindd_can_contact_domain: %s not found in cache\n", + domain->name)); + return false; + } + + /* Can always contact a domain that is in out forest */ + if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) { + ret = true; + goto done; + } + /* * On a _member_ server, we cannot contact the domain if it * is running AD and we have no inbound trust. */ - if ( !IS_DC && + if (!IS_DC && domain->active_directory && - ((domain->domain_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND) ) + ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND)) { - DEBUG(10, ("Domain is an AD domain and we have no inbound " - "trust.\n")); - return False; + DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain " + "and we have no inbound trust.\n", domain->name)); + goto done; } - + /* Assume everything else is ok (probably not true but what can you do?) */ + + ret = true; + +done: + talloc_destroy(frame); - return True; + return ret; } /********************************************************************* -- cgit From 5ab43ae0d8e66a1fd4c877089df52282367be7dd Mon Sep 17 00:00:00 2001 
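Review bot: winbindd_can_contact_domain now creates `frame = talloc_stackframe()` at the top, but two of the new paths return without releasing it: `return true;` for the primary domain and `return false;` when wcache_tdc_fetch_domain() finds nothing. Both leave the stackframe (and, in the second case, nothing else) allocated on every call, and the primary-domain path is the common one. Route them through the existing label instead: `ret = true; goto done;` for the primary case and a plain `goto done;` after the "not found in cache" DEBUG, since `ret` is already false there.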
From: Günther Deschner Date: Sat, 26 Jan 2008 01:39:33 +0100 Subject: Eliminate remote tree of dsgetdcname (which will happen in libnetapi then). Guenther (This used to be commit fd490d236b1fb73a75c457b75128c9b98719418f) --- source3/winbindd/winbindd_locator.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_locator.c b/source3/winbindd/winbindd_locator.c index 05bd74af25..6b1cff99e0 100644 --- a/source3/winbindd/winbindd_locator.c +++ b/source3/winbindd/winbindd_locator.c @@ -67,7 +67,7 @@ static enum winbindd_result dual_dsgetdcname(struct winbindd_domain *domain, DEBUG(3, ("[%5lu]: dsgetdcname for %s\n", (unsigned long)state->pid, state->request.domain_name)); - result = dsgetdcname(state->mem_ctx, NULL, state->request.domain_name, + result = dsgetdcname(state->mem_ctx, state->request.domain_name, NULL, NULL, state->request.flags, &info); if (!NT_STATUS_IS_OK(result)) { -- cgit From 53c600992829a44b91d5be1cac7b1fe6ab31458e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 29 Jan 2008 14:20:20 +0100 Subject: Use pidl generated call to enumerate ds trusted domains in winbindd. Guenther (This used to be commit 3a3c1aed9bfc681457aa06f706fc6fe2d9b2e903) --- source3/winbindd/winbindd_cm.c | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 94910072c3..c22022d79a 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1716,8 +1716,7 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) { struct winbindd_domain *our_domain; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - struct ds_domain_trust *domains = NULL; - int count = 0; + struct netr_DomainTrustList trusts; int i; uint32 flags = (DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND | 
@@ -1763,19 +1762,27 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) return False; } - result = rpccli_ds_enum_domain_trusts(cli, mem_ctx, - cli->cli->desthost, - flags, &domains, - (unsigned int *)&count); + result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx, + cli->cli->desthost, + flags, + &trusts, + NULL); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0,("set_dc_type_and_flags_trustinfo: " + "failed to query trusted domain list: %s\n", + nt_errstr(result))); + talloc_destroy(mem_ctx); + return false; + } /* Now find the domain name and get the flags */ - for ( i=0; iname, domains[i].netbios_domain ) ) { - domain->domain_flags = domains[i].flags; - domain->domain_type = domains[i].trust_type; - domain->domain_trust_attribs = domains[i].trust_attributes; - + for ( i=0; iname, trusts.array[i].netbios_name) ) { + domain->domain_flags = trusts.array[i].trust_flags; + domain->domain_type = trusts.array[i].trust_type; + domain->domain_trust_attribs = trusts.array[i].trust_attributes; + if ( domain->domain_type == DS_DOMAIN_TRUST_TYPE_UPLEVEL ) domain->active_directory = True; -- cgit From e629f50a51f60f9e9e6b8aa4e68c43faa0d4158e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 29 Jan 2008 14:59:20 +0100 Subject: Use another pidl generated call to enumerate ds trusted domains in winbindd. Guenther (This used to be commit f6397fbeae6668c6d0470f968cb1506b3ce34e4a) --- source3/winbindd/winbindd_ads.c | 49 +++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 26 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index f963669825..9bc310474c 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c 
@@ -1157,8 +1157,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, DOM_SID **dom_sids) { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - struct ds_domain_trust *domains = NULL; - int count = 0; + struct netr_DomainTrustList trusts; int i; uint32 flags; struct rpc_pipe_client *cli; @@ -1194,29 +1193,27 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, domain->name, nt_errstr(result))); return NT_STATUS_UNSUCCESSFUL; } - - if ( NT_STATUS_IS_OK(result) ) { - result = rpccli_ds_enum_domain_trusts(cli, mem_ctx, - cli->cli->desthost, - flags, &domains, - (unsigned int *)&count); - } - - if ( NT_STATUS_IS_OK(result) && count) { + + result = rpccli_netr_DsrEnumerateDomainTrusts(cli, mem_ctx, + cli->cli->desthost, + flags, + &trusts, + NULL); + if ( NT_STATUS_IS_OK(result) && trusts.count) { /* Allocate memory for trusted domain names and sids */ - if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, count)) ) { + if ( !(*names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) { DEBUG(0, ("trusted_domains: out of memory\n")); return NT_STATUS_NO_MEMORY; } - if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, count)) ) { + if ( !(*alt_names = TALLOC_ARRAY(mem_ctx, char *, trusts.count)) ) { DEBUG(0, ("trusted_domains: out of memory\n")); return NT_STATUS_NO_MEMORY; } - if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, count)) ) { + if ( !(*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, trusts.count)) ) { DEBUG(0, ("trusted_domains: out of memory\n")); return NT_STATUS_NO_MEMORY; } @@ -1225,7 +1222,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, ret_count = 0; - for (i = 0; i < count; i++) { + for (i = 0; i < trusts.count; i++) { struct winbindd_domain d; /* drop external trusts if this is not our primary 
@@ -1233,24 +1230,24 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, domains may be less that the ones actually trusted by the DC. */ - if ( (domains[i].trust_attributes == DS_DOMAIN_TRUST_ATTRIB_QUARANTINED_DOMAIN) && + if ( (trusts.array[i].trust_attributes == DS_DOMAIN_TRUST_ATTRIB_QUARANTINED_DOMAIN) && !domain->primary ) { DEBUG(10,("trusted_domains: Skipping external trusted domain " "%s because it is outside of our primary domain\n", - domains[i].netbios_domain)); + trusts.array[i].netbios_name)); continue; } - (*names)[ret_count] = domains[i].netbios_domain; - (*alt_names)[ret_count] = domains[i].dns_domain; - sid_copy(&(*dom_sids)[ret_count], &domains[i].sid); + (*names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].netbios_name); + (*alt_names)[ret_count] = CONST_DISCARD(char *, trusts.array[i].dns_name); + sid_copy(&(*dom_sids)[ret_count], trusts.array[i].sid); /* add to the trusted domain cache */ - fstrcpy( d.name, domains[i].netbios_domain ); - fstrcpy( d.alt_name, domains[i].dns_domain ); - sid_copy( &d.sid, &domains[i].sid ); + fstrcpy( d.name, trusts.array[i].netbios_name); + fstrcpy( d.alt_name, trusts.array[i].dns_name); + sid_copy( &d.sid, trusts.array[i].sid); /* This gets a little tricky. If we are following a transitive forest trust, then @@ -1269,9 +1266,9 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, we have the current trust flags and attributes */ - d.domain_flags = domains[i].flags; - d.domain_type = domains[i].trust_type; - d.domain_trust_attribs = domains[i].trust_attributes; + d.domain_flags = trusts.array[i].trust_flags; + d.domain_type = trusts.array[i].trust_type; + d.domain_trust_attribs = trusts.array[i].trust_attributes; } else { /* Look up the record in the cache */ struct winbindd_tdc_domain *parent; -- cgit From 80b2e330f939d9877352f8fbdbec3a4e0e395c7b Mon Sep 17 00:00:00 2001 
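Review bot: `trusts.array[i].sid` is now a pointer (the old code passed `&domains[i].sid`), and it is handed to sid_copy() twice in trusted_domains without a NULL check. The list comes from the remote DC, so unless the generated type guarantees a non-NULL SID or sid_copy() tolerates NULL (neither is shown here), a trust entry without a SID would be dereferenced. A guard at the top of the loop body, `if (trusts.array[i].sid == NULL) { continue; }`, with a DEBUG line naming the skipped entry, would make this safe. `i` is still declared `int` while it is compared with `trusts.count`; if count is unsigned, `uint32 i` avoids the mixed comparison. The loop body continues outside the hunk.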
From: Günther Deschner Date: Tue, 29 Jan 2008 17:49:38 +0100 Subject: Remove include/rpc_ds.h and all references to it completly. Jerry, please have a look if you're fine with that. Guenther (This used to be commit beae25c808a3a03d645f247e9befcd05e3ecca2c) --- source3/winbindd/winbindd.h | 6 +++--- source3/winbindd/winbindd_ads.c | 12 ++++++------ source3/winbindd/winbindd_cm.c | 12 ++++++------ source3/winbindd/winbindd_pam.c | 2 +- source3/winbindd/winbindd_util.c | 22 +++++++++++----------- 5 files changed, 27 insertions(+), 27 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h index 6bf6e6c68f..c4c1278d73 100644 --- a/source3/winbindd/winbindd.h +++ b/source3/winbindd/winbindd.h @@ -164,9 +164,9 @@ struct winbindd_domain { fstring alt_name; /* alt Domain name, if any (FQDN for ADS) */ fstring forest_name; /* Name of the AD forest we're in */ DOM_SID sid; /* SID for this domain */ - uint32 domain_flags; /* Domain flags from rpc_ds.h */ - uint32 domain_type; /* Domain type from rpc_ds.h */ - uint32 domain_trust_attribs; /* Trust attribs from rpc_ds.h */ + uint32 domain_flags; /* Domain flags from netlogon.h */ + uint32 domain_type; /* Domain type from netlogon.h */ + uint32 domain_trust_attribs; /* Trust attribs from netlogon.h */ bool initialized; /* Did we already ask for the domain mode? */ bool native_mode; /* is this a win2k domain in native mode ? */ bool active_directory; /* is this a win2k active directory ? */ diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 9bc310474c..db7ceca04d 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c 
@@ -1161,7 +1161,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, int i; uint32 flags; struct rpc_pipe_client *cli; - uint32 fr_flags = (DS_DOMAIN_IN_FOREST | DS_DOMAIN_TREE_ROOT); + uint32 fr_flags = (NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT); int ret_count; DEBUG(3,("ads: trusted_domains\n")); @@ -1178,11 +1178,11 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, if ( domain->primary || ((domain->domain_flags&fr_flags) == fr_flags) ) { - flags = DS_DOMAIN_DIRECT_OUTBOUND | - DS_DOMAIN_DIRECT_INBOUND | - DS_DOMAIN_IN_FOREST; + flags = NETR_TRUST_FLAG_OUTBOUND | + NETR_TRUST_FLAG_INBOUND | + NETR_TRUST_FLAG_IN_FOREST; } else { - flags = DS_DOMAIN_IN_FOREST; + flags = NETR_TRUST_FLAG_IN_FOREST; } result = cm_connect_netlogon(domain, &cli); @@ -1230,7 +1230,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, domains may be less that the ones actually trusted by the DC. */ - if ( (trusts.array[i].trust_attributes == DS_DOMAIN_TRUST_ATTRIB_QUARANTINED_DOMAIN) && + if ( (trusts.array[i].trust_attributes == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) && !domain->primary ) { DEBUG(10,("trusted_domains: Skipping external trusted domain " diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index c22022d79a..66787a0d6d 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1718,9 +1718,9 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) NTSTATUS result = NT_STATUS_UNSUCCESSFUL; struct netr_DomainTrustList trusts; int i; - uint32 flags = (DS_DOMAIN_IN_FOREST | - DS_DOMAIN_DIRECT_OUTBOUND | - DS_DOMAIN_DIRECT_INBOUND); + uint32 flags = (NETR_TRUST_FLAG_IN_FOREST | + NETR_TRUST_FLAG_OUTBOUND | + NETR_TRUST_FLAG_INBOUND); struct rpc_pipe_client *cli; TALLOC_CTX *mem_ctx = NULL; 
@@ -1783,14 +1783,14 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) domain->domain_type = trusts.array[i].trust_type; domain->domain_trust_attribs = trusts.array[i].trust_attributes; - if ( domain->domain_type == DS_DOMAIN_TRUST_TYPE_UPLEVEL ) + if ( domain->domain_type == NETR_TRUST_TYPE_UPLEVEL ) domain->active_directory = True; /* This flag is only set if the domain is *our* primary domain and the primary domain is in native mode */ - domain->native_mode = (domain->domain_flags & DS_DOMAIN_NATIVE_MODE); + domain->native_mode = (domain->domain_flags & NETR_TRUST_FLAG_NATIVE); DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s is %sin " "native mode.\n", domain->name, @@ -1937,7 +1937,7 @@ no_dssetup: fstrcpy(domain->forest_name, forest_name); if (strequal(domain->forest_name, domain->alt_name)) { - domain->domain_flags = DS_DOMAIN_TREE_ROOT; + domain->domain_flags = NETR_TRUST_FLAG_TREEROOT; } } diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 98c9ae2ffe..ea9a07d388 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -964,7 +964,7 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, #ifdef HAVE_KRB5 if ((state->request.flags & WBFLAG_PAM_KRB5) && ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) && - (tdc_domain->trust_type & DS_DOMAIN_TRUST_TYPE_UPLEVEL)) { + (tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL)) { uid_t uid = -1; const char *cc = NULL; diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index f6bb5750ea..10779cd60a 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c 
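Review bot: In the winbindd_pam.c hunk (winbindd_dual_pam_auth_cached) the trust type is tested with `&`, while the winbindd_cm.c hunk just above compares the same kind of value with `==` (`domain->domain_type == NETR_TRUST_TYPE_UPLEVEL`). If the trust type is an enumeration rather than a flag word, as the `==` uses suggest, the bitwise test also matches any other type value that shares a bit with UPLEVEL, and this condition selects the branch taken under HAVE_KRB5 when WBFLAG_PAM_KRB5 is set. I would write it as `(tdc_domain->trust_type == NETR_TRUST_TYPE_UPLEVEL)`. The constant's definition is not in the hunk, so confirm against netlogon.h first; the function body continues outside the hunk.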
@@ -218,7 +218,7 @@ static void add_trusted_domains( struct winbindd_domain *domain ) TALLOC_CTX *mem_ctx; struct winbindd_request *request; struct winbindd_response *response; - uint32 fr_flags = (DS_DOMAIN_TREE_ROOT|DS_DOMAIN_IN_FOREST); + uint32 fr_flags = (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST); struct trustdom_state *state; @@ -391,8 +391,8 @@ static void rescan_forest_root_trusts( void ) the domain_list() as our primary domain may not have been initialized. */ - if ( !(dom_list[i].trust_flags & DS_DOMAIN_TREE_ROOT) ) { - continue; + if ( !(dom_list[i].trust_flags & NETR_TRUST_FLAG_TREEROOT) ) { + continue; } /* Here's the forest root */ @@ -456,10 +456,10 @@ static void rescan_forest_trusts( void ) if ( d && (d->internal || d->primary ) ) continue; - - if ( (flags & DS_DOMAIN_DIRECT_INBOUND) && - (type == DS_DOMAIN_TRUST_TYPE_UPLEVEL) && - (attribs == DS_DOMAIN_TRUST_ATTRIB_FOREST_TRANSITIVE) ) + + if ( (flags & NETR_TRUST_FLAG_INBOUND) && + (type == NETR_TRUST_TYPE_UPLEVEL) && + (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) ) { /* add the trusted domain if we don't know about it */ @@ -770,8 +770,8 @@ void check_domain_trusted( const char *name, const DOM_SID *user_sid ) forest trust */ domain->active_directory = True; - domain->domain_flags = DS_DOMAIN_DIRECT_OUTBOUND; - domain->domain_type = DS_DOMAIN_TRUST_TYPE_UPLEVEL; + domain->domain_flags = NETR_TRUST_FLAG_OUTBOUND; + domain->domain_type = NETR_TRUST_TYPE_UPLEVEL; domain->internal = False; domain->online = True; @@ -1408,7 +1408,7 @@ bool winbindd_can_contact_domain(struct winbindd_domain *domain) /* Can always contact a domain that is in out forest */ - if (tdc->trust_flags & DS_DOMAIN_IN_FOREST) { + if (tdc->trust_flags & NETR_TRUST_FLAG_IN_FOREST) { ret = true; goto done; } 
@@ -1420,7 +1420,7 @@ bool winbindd_can_contact_domain(struct winbindd_domain *domain) if (!IS_DC && domain->active_directory && - ((tdc->trust_flags&DS_DOMAIN_DIRECT_INBOUND) != DS_DOMAIN_DIRECT_INBOUND)) + ((tdc->trust_flags & NETR_TRUST_FLAG_INBOUND) != NETR_TRUST_FLAG_INBOUND)) { DEBUG(10, ("winbindd_can_contact_domain: %s is an AD domain " "and we have no inbound trust.\n", domain->name)); -- cgit From 5334b364c21599fe055b32bbbd1e8cf7488b1fa7 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 30 Jan 2008 12:39:20 +0100 Subject: Remove rpccli_samr_close and use pidl generated function instead. Guenther (This used to be commit 64f0889401855ab76953bfae5db4fe4df19ad8a5) --- source3/winbindd/winbindd_pam.c | 6 +++--- source3/winbindd/winbindd_rpc.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index ea9a07d388..59ca15a623 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1356,14 +1356,14 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(status_tmp)) { DEBUG(3, ("could not query user info on SAMR pipe: %s\n", nt_errstr(status_tmp))); - rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol); + rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol); goto done; } acct_flags = user_ctr->info.id16->acb_info; if (acct_flags == 0) { - rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol); + rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol); goto done; } @@ -1371,7 +1371,7 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags)); - rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol); + rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol); } *info3 = my_info3; 
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 34ba0498e0..47a8d430b2 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -480,7 +480,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, result = rpccli_samr_query_userinfo(cli, mem_ctx, &user_pol, 0x15, &ctr); - rpccli_samr_close(cli, mem_ctx, &user_pol); + rpccli_samr_Close(cli, mem_ctx, &user_pol); if (!NT_STATUS_IS_OK(result)) return result; @@ -555,7 +555,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, result = rpccli_samr_query_usergroups(cli, mem_ctx, &user_pol, num_groups, &user_groups); - rpccli_samr_close(cli, mem_ctx, &user_pol); + rpccli_samr_Close(cli, mem_ctx, &user_pol); if (!NT_STATUS_IS_OK(result) || (*num_groups) == 0) return result; @@ -721,7 +721,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, /* And restore our original timeout. */ cli_set_timeout(cli->cli, orig_timeout); - rpccli_samr_close(cli, mem_ctx, &group_pol); + rpccli_samr_Close(cli, mem_ctx, &group_pol); if (!NT_STATUS_IS_OK(result)) return result; -- cgit From 42960f817a9fd439557d1be2f3ca3603a35489ce Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 11:12:05 +0100 Subject: Use rpccli_samr_OpenDomain() all over the place. Guenther (This used to be commit e4e9d72724d547e1405b2ed4cec509d50ec88c8d) --- source3/winbindd/winbindd_cm.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 66787a0d6d..d2a7663002 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -2176,12 +2176,12 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, } open_domain: - result = rpccli_samr_open_domain(conn->samr_pipe, - mem_ctx, - &conn->sam_connect_handle, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &domain->sid, - &conn->sam_domain_handle); + result = rpccli_samr_OpenDomain(conn->samr_pipe, + mem_ctx, + &conn->sam_connect_handle, + SEC_RIGHTS_MAXIMUM_ALLOWED, + &domain->sid, + &conn->sam_domain_handle); done: -- cgit From 482eaa8e5cccd716be07f5eb1536097452214790 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 11:24:01 +0100 Subject: Use rpccli_samr_OpenGroup() all over the place. Guenther (This used to be commit d019fc69a986937880121c2587d3fe37f995edae) --- source3/winbindd/winbindd_rpc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index 47a8d430b2..b8f1982868 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -700,8 +700,11 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(result)) return result; - result = rpccli_samr_open_group(cli, mem_ctx, &dom_pol, - des_access, group_rid, &group_pol); + result = rpccli_samr_OpenGroup(cli, mem_ctx, + &dom_pol, + des_access, + group_rid, + &group_pol); if (!NT_STATUS_IS_OK(result)) return result; -- cgit From 37b56c0113263a741c62100cd4b13388cb2a83fa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 11:57:53 +0100 Subject: Use rpccli_samr_OpenUser() all over the place. Guenther (This used to be commit da90eb7653554d242da83ed98adae35ced3a2938) --- source3/winbindd/winbindd_pam.c | 9 +++++---- source3/winbindd/winbindd_rpc.c | 15 ++++++++++----- 2 files changed, 15 insertions(+), 9 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 59ca15a623..14b1621fc9 100644 
--- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1339,10 +1339,11 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain, goto done; } - status_tmp = rpccli_samr_open_user(samr_pipe, state->mem_ctx, - &samr_domain_handle, - MAXIMUM_ALLOWED_ACCESS, - my_info3->user_rid, &user_pol); + status_tmp = rpccli_samr_OpenUser(samr_pipe, state->mem_ctx, + &samr_domain_handle, + MAXIMUM_ALLOWED_ACCESS, + my_info3->user_rid, + &user_pol); if (!NT_STATUS_IS_OK(status_tmp)) { DEBUG(3, ("could not open user handle on SAMR pipe: %s\n", diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c index b8f1982868..0d937ef30e 100644 --- a/source3/winbindd/winbindd_rpc.c +++ b/source3/winbindd/winbindd_rpc.c @@ -469,9 +469,11 @@ static NTSTATUS query_user(struct winbindd_domain *domain, return result; /* Get user handle */ - result = rpccli_samr_open_user(cli, mem_ctx, &dom_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, - &user_pol); + result = rpccli_samr_OpenUser(cli, mem_ctx, + &dom_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + user_rid, + &user_pol); if (!NT_STATUS_IS_OK(result)) return result; @@ -545,8 +547,11 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, return result; /* Get user handle */ - result = rpccli_samr_open_user(cli, mem_ctx, &dom_pol, - des_access, user_rid, &user_pol); + result = rpccli_samr_OpenUser(cli, mem_ctx, + &dom_pol, + des_access, + user_rid, + &user_pol); if (!NT_STATUS_IS_OK(result)) return result; -- cgit
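Review bot: Two of the three converted rpccli_samr_OpenUser() calls request maximum-allowed access and spell it two ways, `MAXIMUM_ALLOWED_ACCESS` in winbindd_dual_pam_auth_samlogon and `SEC_RIGHTS_MAXIMUM_ALLOWED` in query_user, while lookup_usergroups passes a separate `des_access`. As far as the neighbouring hunks show, both handles are only used for a user-info query and then closed, so a read-only user access mask would be enough and the handle would not carry rights the code never uses. At minimum use one spelling in both places and add a comment such as `/* handle is only used to query user info; maximum-allowed is broader than needed */`. All three functions continue outside their hunks.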