authorGerald Carter <jerry@samba.org>2004-07-07 19:18:31 +0000
committerGerald Carter <jerry@samba.org>2004-07-07 19:18:31 +0000
commit0cf550c32aa0018ad834fc2d3cd90d9b2b146621 (patch)
tree687da224b86274ebc9c46591a812d206935c8efd /source/nsswitch
parent99c6d9bd34b106ae5109ffed4812b89ef0f3eaa8 (diff)
downloadsamba-0cf550c32aa0018ad834fc2d3cd90d9b2b146621.tar.gz
samba-0cf550c32aa0018ad834fc2d3cd90d9b2b146621.tar.xz
samba-0cf550c32aa0018ad834fc2d3cd90d9b2b146621.zip
r1383: sync from 3.0 tree
Diffstat (limited to 'source/nsswitch')
-rw-r--r--source/nsswitch/winbindd.c13
-rw-r--r--source/nsswitch/winbindd_cache.c6
-rw-r--r--source/nsswitch/winbindd_cm.c46
-rw-r--r--source/nsswitch/winbindd_group.c52
-rw-r--r--source/nsswitch/winbindd_passdb.c11
-rw-r--r--source/nsswitch/winbindd_rpc.c34
-rw-r--r--source/nsswitch/winbindd_util.c2
7 files changed, 98 insertions, 66 deletions
diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c
index a98bd294064..50b6f0a87fb 100644
--- a/source/nsswitch/winbindd.c
+++ b/source/nsswitch/winbindd.c
@@ -869,16 +869,13 @@ int main(int argc, char **argv)
ZERO_STRUCT(server_state);
- if (!winbindd_param_init())
- return 1;
-
/* Winbind daemon initialisation */
- if (!winbindd_upgrade_idmap())
- return 1;
-
- if (!idmap_init(lp_idmap_backend()))
- return 1;
+ if ( (!winbindd_param_init()) || (!winbindd_upgrade_idmap()) ||
+ (!idmap_init(lp_idmap_backend())) ) {
+ DEBUG(1, ("Could not init idmap -- netlogon proxy only\n"));
+ idmap_proxyonly();
+ }
generate_wellknown_sids();
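Review bot: The combined condition on lines L40–L44 demotes a failed winbindd_param_init() from fatal to a DEBUG(1) message that only talks about idmap, so a configuration-load failure now leaves the daemon running on whatever parameters were partially read and logs a misleading reason. Because the three calls are short-circuited into one test, the log line also cannot tell an operator which step failed. The proxy-only fallback makes sense for the two idmap steps, but parameter initialisation should stay fatal as it was before, and the degraded mode should be logged at level 0 so it is visible with default logging. main() begins and ends outside the hunk.
```c
/* … unchanged: ZERO_STRUCT(server_state) … */
if (!winbindd_param_init())
	return 1;

/* Winbind daemon initialisation: a broken idmap is not fatal, the
   daemon keeps answering netlogon requests only (proxy-only mode). */
if (!winbindd_upgrade_idmap() || !idmap_init(lp_idmap_backend())) {
	DEBUG(0, ("Could not init idmap -- netlogon proxy only\n"));
	idmap_proxyonly();
}
```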
diff --git a/source/nsswitch/winbindd_cache.c b/source/nsswitch/winbindd_cache.c
index 877fa2d995c..bbd98a620f6 100644
--- a/source/nsswitch/winbindd_cache.c
+++ b/source/nsswitch/winbindd_cache.c
@@ -363,6 +363,12 @@ static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force)
if ( NT_STATUS_IS_OK(status) )
goto done;
+ /* important! make sure that we know if this is a native
+ mode domain or not */
+
+ if ( !domain->initialized )
+ set_dc_type_and_flags( domain );
+
status = domain->backend->sequence_number(domain, &domain->sequence_number);
if (!NT_STATUS_IS_OK(status)) {
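Review bot: The new set_dc_type_and_flags() call on line L57 is not followed by any check that the domain actually became initialised, yet the very next line calls domain->backend->sequence_number() regardless, which the added comment says depends on knowing the domain mode. set_dc_type_and_flags() is not visible here, so whether it can fail without setting domain->initialized is inferred; if it can (for instance when the DC is unreachable during this cache refresh), the failure is silent. I would at least make the fallback visible: `if (!domain->initialized) DEBUG(1, ("Could not determine DC type/flags for %s, sequence number may be wrong\n", domain->name));` after the call, and expand the comment to say what goes wrong without this information rather than only "important!". refresh_sequence_number() begins and ends outside the hunk.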
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index eda962088d4..04f87fc1a2f 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -117,21 +117,40 @@ static void cm_get_ipc_userpass(char **username, char **domain, char **password)
/*
setup for schannel on any pipes opened on this connection
*/
-static NTSTATUS setup_schannel(struct cli_state *cli)
+static NTSTATUS setup_schannel( struct cli_state *cli, const char *domain )
{
NTSTATUS ret;
uchar trust_password[16];
uint32 sec_channel_type;
+ DOM_SID sid;
+ time_t lct;
- if (!secrets_fetch_trust_account_password(lp_workgroup(),
- trust_password,
- NULL, &sec_channel_type)) {
- return NT_STATUS_UNSUCCESSFUL;
+ /* use the domain trust password if we're on a DC
+ and this is not our domain */
+
+ if ( IS_DC && !strequal(domain, lp_workgroup()) ) {
+ char *pass = NULL;
+
+ if ( !secrets_fetch_trusted_domain_password( domain,
+ &pass, &sid, &lct) )
+ {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ sec_channel_type = SEC_CHAN_DOMAIN;
+ E_md4hash(pass, trust_password);
+ SAFE_FREE( pass );
+
+ } else {
+ if (!secrets_fetch_trust_account_password(lp_workgroup(),
+ trust_password, NULL, &sec_channel_type))
+ {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
}
ret = cli_nt_setup_netsec(cli, sec_channel_type,
- AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN,
- trust_password);
+ AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, trust_password);
return ret;
}
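Review bot: The cleartext inter-domain trust password fetched into `pass` on L87–L88 is hashed on L94 and then released with SAFE_FREE() on L95 without being wiped, so the plaintext trust secret stays in freed heap memory; likewise `trust_password`, which is the NT hash and therefore equivalent to the secret, is left on the stack when the function returns on L108. Since this path now runs on every DC for every trusted domain, both copies should be cleared as soon as they have been consumed: `memset(pass, 0, strlen(pass));` before `SAFE_FREE(pass);`, and `ZERO_STRUCT(trust_password);` before `return ret;`. A plain memset before free can in principle be elided by the compiler, but it is the idiom the rest of the tree uses and still far better than nothing. The `sid` and `lct` out-parameters on L75–L76 are fetched only to satisfy the API and are otherwise unused, which is worth a one-word comment so nobody later "fixes" them. setup_schannel() is contained entirely within the hunk.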
@@ -216,7 +235,8 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i
/* Initialise SMB connection */
fstrcpy(new_conn->pipe_name, get_pipe_name_from_index(pipe_index));
-/* grab stored passwords */
+ /* grab stored passwords */
+
machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(), lp_realm()) == -1) {
@@ -335,9 +355,13 @@ static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const i
/* try and use schannel if possible, but continue anyway if it
failed. This allows existing setups to continue working,
while solving the win2003 '100 user' limit for systems that
- are joined properly */
- if (NT_STATUS_IS_OK(result) && (domain->primary)) {
- NTSTATUS status = setup_schannel(new_conn->cli);
+ are joined properly.
+
+ Only do this for our own domain or perhaps a trusted domain
+ if we are on a Samba DC */
+
+ if (NT_STATUS_IS_OK(result) && (domain->primary || IS_DC) ) {
+ NTSTATUS status = setup_schannel( new_conn->cli, domain->name );
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3,("schannel refused - continuing without schannel (%s)\n",
nt_errstr(status)));
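Review bot: Widening the condition on L130 to `domain->primary || IS_DC` means that on a DC every non-primary domain now goes through setup_schannel(), and a domain for which no trust password is stored (or whose DC rejects the secure channel) silently falls back to an unprotected pipe, with the DEBUG(3) on L133 as the only trace and without naming the domain. An unsigned, unsealed connection to another domain's DC is a real downgrade, so it should be visible at a default log level and identify the peer: `DEBUG(1,("schannel refused for domain %s - continuing without schannel (%s)\n", domain->name, nt_errstr(status)));`. The comment's "perhaps a trusted domain" is also vaguer than the code; it should say that on a DC the attempt is made for any non-primary domain and relies on setup_schannel() failing for domains without a stored trust password. cm_open_connection() begins and ends outside the hunk.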
diff --git a/source/nsswitch/winbindd_group.c b/source/nsswitch/winbindd_group.c
index 7b4529144e2..346a2711b6c 100644
--- a/source/nsswitch/winbindd_group.c
+++ b/source/nsswitch/winbindd_group.c
@@ -942,16 +942,14 @@ static void add_gid_to_array_unique(gid_t gid, gid_t **gids, int *num)
*num += 1;
}
-static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
+static void add_local_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
{
gid_t gid;
DOM_SID *aliases;
int j, num_aliases;
- DEBUG(10, ("Adding gids from SID: %s\n", sid_string_static(sid)));
-
- if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
- add_gid_to_array_unique(gid, gids, num);
+ DEBUG(10, ("Adding local gids from SID: %s\n",
+ sid_string_static(sid)));
/* Don't expand aliases if not explicitly activated -- for now
-- jerry */
@@ -965,15 +963,44 @@ static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
return;
for (j=0; j<num_aliases; j++) {
+ enum SID_NAME_USE type;
+
+ if (!local_sid_to_gid(&gid, &aliases[j], &type)) {
+ DEBUG(1, ("Got an alias membership with no alias\n"));
+ continue;
+ }
- if (!NT_STATUS_IS_OK(sid_to_gid(&aliases[j], &gid)))
+ if ((type != SID_NAME_ALIAS) && (type != SID_NAME_WKN_GRP)) {
+ DEBUG(1, ("Got an alias membership in a non-alias\n"));
continue;
+ }
add_gid_to_array_unique(gid, gids, num);
}
SAFE_FREE(aliases);
}
+static void add_gids_from_user_sid(DOM_SID *sid, gid_t **gids, int *num)
+{
+ DEBUG(10, ("Adding gids from user SID: %s\n",
+ sid_string_static(sid)));
+
+ add_local_gids_from_sid(sid, gids, num);
+}
+
+static void add_gids_from_group_sid(DOM_SID *sid, gid_t **gids, int *num)
+{
+ gid_t gid;
+
+ DEBUG(10, ("Adding gids from group SID: %s\n",
+ sid_string_static(sid)));
+
+ if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
+ add_gid_to_array_unique(gid, gids, num);
+
+ add_local_gids_from_sid(sid, gids, num);
+}
+
/* Get user supplementary groups. This is much quicker than trying to
invert the groups database. We merge the groups from the gids and
other_sids info3 fields as trusted domain, universal group
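Review bot: The two new helpers add_gids_from_user_sid() (L174–L180) and add_gids_from_group_sid() (L182–L193) differ only in that the group variant first maps the SID itself through idmap_sid_to_gid(), and nothing says that difference is deliberate, so the user variant reads like an accidental omission. Presumably the intent is that a user SID must never itself be turned into a gid, only the local aliases it belongs to; if so the functions deserve header comments saying exactly that, e.g. `/* A user SID is never mapped to a gid itself; only the local aliases it is a member of contribute gids. */` on the user variant and `/* Map the group SID to its gid (if idmap knows it), then add the gids of the local aliases that contain it. */` on the group variant. The type check on L166 that accepts only SID_NAME_ALIAS and SID_NAME_WKN_GRP is a good tightening and would also benefit from a one-line comment stating that anything else in the alias-membership result is treated as corrupt data rather than mapped.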
@@ -1039,7 +1066,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
goto done;
}
- add_gids_from_sid(&user_sid, &gid_list, &num_gids);
+ add_gids_from_user_sid(&user_sid, &gid_list, &num_gids);
/* Treat the info3 cache as authoritative as the
lookup_usergroups() function may return cached data. */
@@ -1083,8 +1110,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
continue;
}
- add_gids_from_sid(&info3->other_sids[i].sid,
- &gid_list, &num_gids);
+ add_gids_from_group_sid(&info3->other_sids[i].sid,
+ &gid_list, &num_gids);
if (gid_list == NULL)
goto done;
@@ -1097,7 +1124,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
sid_copy( &group_sid, &domain->sid );
sid_append_rid( &group_sid, info3->gids[i].g_rid );
- add_gids_from_sid(&group_sid, &gid_list, &num_gids);
+ add_gids_from_group_sid(&group_sid, &gid_list,
+ &num_gids);
if (gid_list == NULL)
goto done;
@@ -1116,8 +1144,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
goto done;
for (i = 0; i < num_groups; i++) {
- add_gids_from_sid(user_grpsids[i],
- &gid_list, &num_gids);
+ add_gids_from_group_sid(user_grpsids[i],
+ &gid_list, &num_gids);
if (gid_list == NULL)
goto done;
diff --git a/source/nsswitch/winbindd_passdb.c b/source/nsswitch/winbindd_passdb.c
index 12f5e0bae2e..3adb81caa35 100644
--- a/source/nsswitch/winbindd_passdb.c
+++ b/source/nsswitch/winbindd_passdb.c
@@ -240,7 +240,11 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
if (!pdb_find_alias(name, sid))
return NT_STATUS_NONE_MAPPED;
- *type = SID_NAME_ALIAS;
+ if (sid_check_is_in_builtin(sid))
+ *type = SID_NAME_WKN_GRP;
+ else
+ *type = SID_NAME_ALIAS;
+
return NT_STATUS_OK;
}
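Review bot: The three-line classification added on L239–L242 (builtin alias → SID_NAME_WKN_GRP, otherwise SID_NAME_ALIAS) is repeated verbatim in the sid_to_name() hunk below, and winbindd_group.c now depends on exactly these two values, so the rule should live in one place. A one-line helper keeps both call sites in sync: `static enum SID_NAME_USE alias_sid_type(DOM_SID *sid) { return sid_check_is_in_builtin(sid) ? SID_NAME_WKN_GRP : SID_NAME_ALIAS; }` with each site reduced to `*type = alias_sid_type(sid);`. name_to_sid() begins outside the hunk.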
@@ -263,7 +267,10 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain,
*domain_name = talloc_strdup(mem_ctx, domain->name);
*name = talloc_strdup(mem_ctx, info.acct_name);
- *type = SID_NAME_ALIAS;
+ if (sid_check_is_in_builtin(sid))
+ *type = SID_NAME_WKN_GRP;
+ else
+ *type = SID_NAME_ALIAS;
return NT_STATUS_OK;
}
diff --git a/source/nsswitch/winbindd_rpc.c b/source/nsswitch/winbindd_rpc.c
index 76688449209..ba24749fbef 100644
--- a/source/nsswitch/winbindd_rpc.c
+++ b/source/nsswitch/winbindd_rpc.c
@@ -707,36 +707,6 @@ done:
#include <ldap.h>
-static SIG_ATOMIC_T gotalarm;
-
-/***************************************************************
- Signal function to tell us we timed out.
-****************************************************************/
-
-static void gotalarm_sig(void)
-{
- gotalarm = 1;
-}
-
-static LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to)
-{
- LDAP *ldp = NULL;
-
- /* Setup timeout */
- gotalarm = 0;
- CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
- alarm(to);
- /* End setup timeout. */
-
- ldp = ldap_open(server, port);
-
- /* Teardown timeout. */
- CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
- alarm(0);
-
- return ldp;
-}
-
static int get_ldap_seq(const char *server, int port, uint32 *seq)
{
int ret = -1;
@@ -749,11 +719,11 @@ static int get_ldap_seq(const char *server, int port, uint32 *seq)
*seq = DOM_SEQUENCE_NONE;
/*
- * 10 second timeout on open. This is needed as the search timeout
+ * Parameterised (5) second timeout on open. This is needed as the search timeout
* doesn't seem to apply to doing an open as well. JRA.
*/
- if ((ldp = ldap_open_with_timeout(server, port, 10)) == NULL)
+ if ((ldp = ldap_open_with_timeout(server, port, lp_ldap_timeout())) == NULL)
return -1;
/* Timeout if no response within 20 seconds. */
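Review bot: The comment rewritten on L299 still hard-codes a number, "Parameterised (5) second timeout", while the call on L303 now uses lp_ldap_timeout(), so the comment will be wrong the moment the parameter is changed; it should read `/* Use the configured ldap timeout on open. This is needed as the search timeout doesn't seem to apply to doing an open as well. JRA. */`. The local static definition of ldap_open_with_timeout() was removed in the previous hunk, so the call here now relies on a prototype coming from a header; I cannot see one in this file, and if none is in scope this compiles as an implicit declaration, which is worth confirming. The search timeout on L305 is also still a fixed 20 seconds while the open timeout became configurable, which looks inconsistent unless intentional. get_ldap_seq() begins and ends outside the hunk.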
diff --git a/source/nsswitch/winbindd_util.c b/source/nsswitch/winbindd_util.c
index 96b8ed8c938..faa6e8d8da4 100644
--- a/source/nsswitch/winbindd_util.c
+++ b/source/nsswitch/winbindd_util.c
@@ -175,7 +175,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
/* Link to domain list */
DLIST_ADD(_domain_list, domain);
- DEBUG(1,("Added domain %s %s %s\n",
+ DEBUG(2,("Added domain %s %s %s\n",
domain->name, domain->alt_name,
&domain->sid?sid_string_static(&domain->sid):""));