The Samba-Bugzilla – Attachment 3363 Details for
Bug 5551
winbind on PDC fails, even with patch for bug 5489
[patch]
Replacement patch
look (text/plain), 4.61 KB, created by
Jeremy Allison
on 2008-06-23 18:06:09 UTC
Description:
Replacement patch
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2008-06-23 18:06:09 UTC
Size:
4.61 KB
patch
obsolete
>diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
>index b3a3d39..e543974 100644
>--- a/source/auth/auth_util.c
>+++ b/source/auth/auth_util.c
>@@ -546,24 +546,47 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
> }
>
> /***************************************************************************
>+ Is the incoming username our own machine account ?
>+ If so, the connection is almost certainly from winbindd.
>+***************************************************************************/
>+
>+static BOOL is_our_machine_account(const char *username)
>+{
>+ BOOL ret;
>+ char *truncname = NULL;
>+ size_t ulen = strlen(username);
>+
>+ if (ulen == 0 || username[ulen-1] != '$') {
>+ return False;
>+ }
>+ truncname = SMB_STRDUP(username);
>+ if (!truncname) {
>+ return False;
>+ }
>+ truncname[ulen-1] = '\0';
>+ ret = strequal(truncname, global_myname());
>+ SAFE_FREE(truncname);
>+ return ret;
>+}
>+
>+/***************************************************************************
> Make (and fill) a user_info struct from a struct samu
> ***************************************************************************/
>
> NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
> struct samu *sampass)
> {
>- NTSTATUS status;
> struct passwd *pwd;
> gid_t *gids;
> auth_serversupplied_info *result;
> int i;
> size_t num_gids;
> DOM_SID unix_group_sid;
>-
>+ const char *username = pdb_get_username(sampass);
>
>- if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) {
>+ if ( !(pwd = getpwnam_alloc(NULL, username)) ) {
> DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
>- pdb_get_username(sampass)));
>+ username));
> return NT_STATUS_NO_SUCH_USER;
> }
>
>@@ -579,18 +602,34 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
>
> TALLOC_FREE(pwd);
>
>- status = pdb_enum_group_memberships(result, sampass,
>+ if (IS_DC && is_our_machine_account(username)) {
>+ /*
>+ * Ensure for a connection from our own
>+ * machine account (from winbindd on a DC)
>+ * there are no supplementary groups.
>+ * Prevents loops in calling gid_to_sid().
>+ */
>+ result->sids = NULL;
>+ gids = NULL;
>+ result->num_sids = 0;
>+
>+ DEBUG(10, ("make_server_info_sam: our machine account %s "
>+ "setting supplementary group list empty.\n",
>+ username));
>+ } else {
>+ NTSTATUS status = pdb_enum_group_memberships(result, sampass,
> &result->sids, &gids,
> &result->num_sids);
>
>- if (!NT_STATUS_IS_OK(status)) {
>- DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
>- nt_errstr(status)));
>- result->sam_account = NULL; /* Don't free on error exit. */
>- TALLOC_FREE(result);
>- return status;
>+ if (!NT_STATUS_IS_OK(status)) {
>+ DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
>+ nt_errstr(status)));
>+ result->sam_account = NULL; /* Don't free on error exit. */
>+ TALLOC_FREE(result);
>+ return status;
>+ }
> }
>-
>+
> /* Add the "Unix Group" SID for each gid to catch mapped groups
> and their Unix equivalent. This is to solve the backwards
> compatibility problem of 'valid users = +ntadmin' where
>diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c
>index d1390fd..4713bc3 100644
>--- a/source/passdb/lookup_sid.c
>+++ b/source/passdb/lookup_sid.c
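Review bot: `is_our_machine_account()` treats an allocation failure from `SMB_STRDUP` the same as "not our machine account", so under memory pressure the caller silently takes the normal group-enumeration path that this patch is meant to avoid for winbindd. The copy is not needed; the name can be compared in place, e.g. `const char *me = global_myname(); return strlen(me) == ulen-1 && strnequal(username, me, ulen-1);`. The function also calls `strlen(username)` unguarded, so it relies on `pdb_get_username()` never returning NULL, which the header comment should state. That comment should also say that the match is on the account name alone, so every session authenticated as this account is affected, not only winbindd.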
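Review bot: The machine-account branch returns a token with no group SIDs and leaves `gids` NULL, and both facts constrain code outside this hunk. The "Unix Group" SID loop that follows (its body is past the end of the hunk) has to take its count from `result->num_sids`; if it does, nothing is dereferenced, but the dependency deserves a line in the new comment, e.g. `* gids stays NULL: the loop below must iterate result->num_sids (0) times.`. The comment should also record that group-based share restrictions, allow or deny, will not match this account while the special case applies, because that changes how access checks evaluate for it. The body of make_server_info_sam begins and ends outside the hunk.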
>@@ -1333,6 +1333,22 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
> if (fetch_sid_from_uid_cache(psid, uid))
> return;
>
>+ if (IS_DC) {
>+ /*
>+ * We're authoritative, ask ourselves first.
>+ */
>+ BOOL ret;
>+
>+ become_root();
>+ ret = pdb_uid_to_sid(uid, psid);
>+ unbecome_root();
>+ if (ret) {
>+ goto done;
>+ }
>+
>+ /* Fall through to asking winbindd. */
>+ }
>+
> if (!winbind_uid_to_sid(psid, uid)) {
> if (!winbind_ping()) {
> legacy_uid_to_sid(psid, uid);
>@@ -1343,7 +1359,9 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
> uid));
> return;
> }
>-
>+
>+ done:
>+
> DEBUG(10,("uid %u -> sid %s\n",
> (unsigned int)uid, sid_string_static(psid)));
>
>@@ -1358,10 +1376,26 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
> void gid_to_sid(DOM_SID *psid, gid_t gid)
> {
> ZERO_STRUCTP(psid);
>-
>+
> if (fetch_sid_from_gid_cache(psid, gid))
> return;
>
>+ if (IS_DC) {
>+ /*
>+ * We're authoritative, ask ourselves first.
>+ */
>+ BOOL ret;
>+
>+ become_root();
>+ ret = pdb_gid_to_sid(gid, psid);
>+ unbecome_root();
>+ if (ret) {
>+ goto done;
>+ }
>+
>+ /* Fall through to asking winbindd. */
>+ }
>+
> if (!winbind_gid_to_sid(psid, gid)) {
> if (!winbind_ping()) {
> legacy_gid_to_sid(psid, gid);
>@@ -1373,9 +1407,11 @@ void gid_to_sid(DOM_SID *psid, gid_t gid)
> return;
> }
>
>+ done:
>+
> DEBUG(10,("gid %u -> sid %s\n",
> (unsigned int)gid, sid_string_static(psid)));
>-
>+
> store_gid_sid_cache(psid, gid);
> return;
> }
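Review bot: When `pdb_uid_to_sid()` fails in the new `IS_DC` block, `*psid` is passed on to the winbindd/legacy path in whatever state the passdb backend left it, and the early `return` after a failed winbindd lookup then hands that value to the caller. Whether a backend can write a partial SID before returning false is not visible here, so a defensive `ZERO_STRUCTP(psid);` just before `/* Fall through to asking winbindd. */` would keep the failure result the same as before the patch. The same applies to the `pdb_gid_to_sid()` block in the `gid_to_sid` hunk (@@ -1358). The two blocks are identical apart from the id type, and a one-line comment on why `become_root()` is needed around the passdb lookup would help the next reader. Both function bodies extend beyond their hunks.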