From 03984b463596cd654bef952d024b96252909c7c7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 1 Mar 2007 04:35:31 +0000 Subject: r21619: * Pickup latest changes from SAMBA_3_0_25 (this will be it for 3.0.25pre1 unless something blows up) * Update release notes some more --- WHATSNEW.txt | 199 ++++++++++++++++++++-------------- source/Makefile.in | 4 +- source/configure.in | 2 +- source/libsmb/clifile.c | 2 + source/nsswitch/idmap.c | 73 +++++++++++-- source/nsswitch/idmap_cache.c | 61 +++++++++-- source/nsswitch/nss_info.c | 46 ++++++-- source/nsswitch/pam_winbind.c | 34 +++++- source/nsswitch/winbind_nss_aix.c | 79 +++++++++++--- source/nsswitch/winbindd.c | 9 +- source/nsswitch/winbindd_async.c | 2 +- source/nsswitch/winbindd_cache.c | 2 +- source/nsswitch/winbindd_cred_cache.c | 17 ++- source/nsswitch/winbindd_dual.c | 34 +++++- source/nsswitch/winbindd_user.c | 25 +++-- source/smbd/trans2.c | 12 +- source/utils/net_rpc.c | 22 ++++ 17 files changed, 477 insertions(+), 146 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b20af20a0c7..e472d4aee56 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -11,20 +11,21 @@ We would like to ask the Samba community for help in testing these changes as we work towards the next significant production upgrade Samba 3.0 release. -Major Featuers included in the 3.0.25 code base include: +Major Features included in the 3.0.25 code base include: - o Significant improvements in the winbind offline logon - support - o Support for secure DDNS updates as part of the 'net - ads join' process - o Rewriteen IdMap interface which allows for TTL based - caching and per domain backends. - o Support for storing password policies in the passdb - backend. - -Major bug fixes in 3.0.25pre1 include: - - o Compatibilities issues with Windows Vista + o Significant improvements in the winbind off-line logon support + o Support for secure DDNS updates as part of the 'net ads join' + process + o Rewritten IdMap interface which allows for TTL based caching and + per domain backends. + o New plug-in interface for the "winbind nss info" parameter. + o New file change notify subsystem which is able to make use of + inotify on Linux. + o Support for passing Windows security descriptors to a VFS + plug-in allowing for multiple Unix ACL implements to running side + by side on the Same server. + o Improved compatibility with Windows Vista clients. + o Man pages for VFS plugins. 
@@ -40,88 +41,110 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- + change notify timeout Removed n/a + change notify New Yes + fam change notify Removed n/a + idmap domains New "" + idmap alloc backend New "" + idmap expire time New 900 + idmap negative time New 120 + kernel change notify Per share Yes + max stat cache size Modified 1024MB + printjob username New %U + winbind normalize names New no - + commits ------- o Michael Adam - * Patch to lib/sysquotas_linux.c replacing some "get"s - by "set"s. This makes the difference between the get - and set calls for SMB_USER_FS_QUOTA_TYPE and - SMB_GROUP_FS_QUOTA_TYPE. - * Prevent collision from config.h created by standalone - compnent builds. + * Patch to lib/sysquotas_linux.c replacing some "get"s by "set"s. + This makes the difference between the get and set calls for + SMB_USER_FS_QUOTA_TYPE and SMB_GROUP_FS_QUOTA_TYPE. + * Prevent collision from config.h created by stand alone component + builds. o Jeremy Allison - * winbind offline logon fixes. + * winbind off-line logon fixes. * Support for AD sites when locating domain controllers. - * Fix libsmbclient bug with Konqueror and NetApp filers - that need a leading / in OpenAndX calls. + * Fix libsmbclient bug with Konqueror and NetApp filers that need + a leading / in OpenAndX calls. * BUG 4187: Possible crash in signing on/off code. * Fix memory leaks in pam_winbind.c. - * Fix a bugin the sequence number store/fetch routines in + * Fix a bug in the sequence number store/fetch routines in winbindd_cache.tdb. - * Fix the problem with Linux clients requesting O_WRONLY - on write-only files. - * Fix a class of memory allocation bugs in the handling - of user tokens. - * Fix crash bug in winbindd caused by a bug ni the - messaging dispatch code. - * Fix memory bloat in trans calls caused by talloc()'ing - memory off the wrong context. + * Fix the problem with Linux clients requesting O_WRONLY on write-only + files. 
+ * Fix a class of memory allocation bugs in the handling of user tokens. + * Fix crash bug in winbindd caused by a bug in the messaging dispatch + code. + * Fix memory bloat in trans calls caused by talloc()'ing memory off the + wrong context. * Fix wildcard renames with SMBmv. * Fixes for pathname handling code. * Add in the wdel smbclient command to perform wildcard deletes. - * Fix a bug that causes smbd to 'hang' intermittently while - updatign the trusted domain cache. - * CLeanup error path processing in reduce_name(). + * Fix a bug that causes smbd to 'hang' intermittently while updating + the trusted domain cache. + * Cleanup error path processing in reduce_name(). * Fixes for smbtorture tests (BASE-DELETE, ...) * Delete on close fixes ("I completely understand it this time"). - * Remove unneeded checks on incoming uid/gid for mknod - (fifo) unix extensions code. + * Remove unneeded checks on incoming uid/gid for mknod (fifo) Unix + extensions code. * More fixes for Unix Extensions include support for POSIX locking. * NTLMv2 fixes for Vista clients. - * Add an optimized lookup for Domain Users and only report - the current user (which is generally what the calling - application wants to know anyways). - * Fixes for supporting the Vista backup utility based on work - by Joe Meadows . + * Add an optimized lookup for Domain Users and only report the current + user (which is generally what the calling application wants to know + anyways). + * Fixes for supporting the Vista backup utility based on work by Joe + Meadows . * Fix 4377: Fix rename of "foo" -> "Foo". - + * BUG 4188: Fix for Vista delete directory bug. + * BUG 4400: Add support for processing large Krb5 tickets in SMB + sesssetup&X. Based on work by . + * Fix trans2 file size reporting for Linux CIFS client. o Danilo Almeida * Add additional debug support for pam_winbind. 
- * Add support for listing multiple groups in pam_winbind's + * Add support for listing multiple groups in pam_winbind's require-membership-of option which act as a logical OR. o Andrew Benham - * BUG 4290: Properly compute time to password expiration - in message from pam_winbind. + * BUG 4290: Properly compute time to password expiration in message + from pam_winbind. +o Alexander Bokovoy + * Add GPFS-provided DMAPI support + o Kai Blin * Match Windows NTLMSSP flags. o Gerald (Jerry) Carter - * Implement plugable "winbind nss info" interface. + * Implement pluggable "winbind nss info" interface. * Removal of unmaintained smbwrapper utility. - * Fix server affinity bugs in the 'net ads join' - code to include support for AD sites. + * Fix server affinity bugs in the 'net ads join' code to include + support for AD sites. * Implement DDNS update client code. * Upper case the host/sAMAccountName in the keytab file. - * Fix lookupname call in winbindd when joined to a child - domain and trying to resolve a SID in a sibling domain. + * Fix lookupname call in winbindd when joined to a child domain and + trying to resolve a SID in a sibling domain. * Fix password changes against a Windows 2000 DC using pam_winbind. * Fix crash in "pdbedit -L -w" * Add "winbind normalize names" option. - + * BUG 4093: Make %a resolve correctly for Windows Vista and Windows + XP 64bit clients. + * Printing fixes for Windows Vista. + * Protect the sasl bind against a NULL principal string in the + SPNEGO negTokenInit + * Fix some "cannot access LDAP when no root" bugs. + * NSS and PAM fixes on AIX. + * Cached credentials and Krb5 ticket renewal fixes in winbindd. o Mathias Dietz 
@@ -131,18 +154,19 @@ o Mathias Dietz o Guenther Deschner - * winbind offline logon fixes. + * winbind off-line logon fixes. * Support for AD sites when locating domain controllers. * Various fixes for 'net ads' user management functions. - * Add an CLDAP client written in perl. + * Add an CLDAP client written in Perl. * Cleanups to the Krb5 ticket refresh code in winbindd. * Fixes for various error messages from pam_winbind when password policies are being enforced. * Implement grace logons for offline authentications in pam_winbind. * Fixes for idmap_ad. * Memory leak fixes. - * BUG 4009: Fixes leaking file descriptors (CLOSE_WAIT) in - winbindd with short lived service tickets + * BUG 4009: Fixes leaking file descriptors (CLOSE_WAIT) in winbindd + with short lived service tickets + * Implement basic AD group policy library o dleonard@vintela.com 
@@ -150,78 +174,97 @@ o dleonard@vintela.com o SATOH Fumiyasu - * BUG 3319: Ensure that 'hide unreadable' does not filter - MS-DFS links. + * BUG 3319: Ensure that 'hide unreadable' does not filter MS-DFS links. o Krishna Ganugapati * Implement DDNS update client code. - + o YAMASAKI Hiroyuki * BUG 4346: Fix type reported for hidden shares via MS-RPC. o David Hu - * BUG 4267: Fix memory leaks in ldpasam. + * BUG 4267: Fix memory leaks in ldapsam. o Bjoern Jacke * BUG 4244: Limit stat cache to a default of 1MB. +o William Jojo + * BUG 3713: Re-add reporting what the profiles tool does (-v). + + +o Zack Kirsch + * Fix memory leaks on some error paths. + + o Volker Lendecke - * Allow changing of the hashsize when runing tdbbackup. + * Replace snum references with a structure based array. + * Allow changing of the hashsize when running tdbbackup. * Implement secure DDNS update code - * Klocwork, Covrity, and IBM Checker fixes. + * Klocwork, Coverity, and IBM Checker fixes. * BUG 4273: Fix crash in 'net rpc vampire' * Refactor older SMB file serving code. * Refactor open directory file serving code. - * Implement support for inotify when serving CIFS change - notification requests. - * Fixes to allow Samba 3.0 to pass various smbtorture tests - (RAW-OPEN, RAW-UNLINK, RAW-CLOSE, ...) + * Implement support for inotify when serving CIFS change notification + requests (includes merge work from SAMBA_4_0). + * Fixes to allow Samba 3.0 to pass various smbtorture tests (RAW-OPEN, + RAW-UNLINK, RAW-CLOSE, ...) * Refactor delete on close file server code. * MS-DFS fixes for Vista clients. + * BUG 4372: Long timeout in LDAP setup when accessing files after + 10 secs. + * Change the static array for the in-memory mirrors of the hash chain + locks to a dynamically allocated one. + * Use inotify for file change notification on Linux. + * Revert "msdfs root" to default to "no". + * Refactor AIO code. + * Fix memory leaks when returning user lists to clients via SAMR calls. 
o Herb Lewis * Cleanups to sharesec utility. - * Compilter warning cleanups. + * Compiler warning cleanups. o Jim McDonough * Bug fixes for GPFS VFS module. - o Stefan Metzmacher [merges from SAMBA_4_0] * Portability fixes for dlopen() * Sync libreplace - o Gomati Mohanan * Work on NFSv4 ACL VFS plugin. -o James Peach +o Lars Mueller + * Provide better feedback about deprecated use of multiple passdb + backends. + + +o James Peach * Replace exit_server with exit_server_cleanly where appropriate. * Add docs for VFS modules. * Portability fixes for autoconf and character set modules on OS X. - * Only attempt to reload the config file atfer the fork point + * Only attempt to reload the config file after the fork point if we are in daemon mode. o J Raynor - * Make sure we are privileged when doing DMAPI operations - on systems that don't have capability support. + * Make sure we are privileged when doing DMAPI operations on systems + that don't have capability support. o Jiri Sasek - Fix possible NULL dereference in adt_tree.c + I Fix possible NULL dereference in adt_tree.c o Karolin Seeger @@ -231,17 +274,15 @@ o Karolin Seeger o Simo Sorce * Initial implementation of new IdMap interface. - * Fix crash in pam_winbind caused by referencing a - pointer after the memory had been freed. + * Fix crash in pam_winbind caused by referencing a pointer after the + memory had been freed. + * Implement escaping function for ldap RDN values. o Peter Somogyi * Work on NFSv4 ACL VFS plugin. -o Andrew Tridgell - - o Jelmer Vernooij * Implement support for IDL autogenerated code to handle the MS-RPC parsing functions. diff --git a/source/Makefile.in b/source/Makefile.in index 4de8f74082c..3f3aa5ea57a 100644 --- a/source/Makefile.in +++ b/source/Makefile.in 
@@ -1277,8 +1277,8 @@ bin/winbindd@EXEEXT@: $(WINBINDD_OBJ) @BUILD_POPT@ bin/.dummy bin/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_OBJ) bin/.dummy @echo "Linking shared library $@" - @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) \ - @SONAMEFLAG@`basename $@` -lpam @INIPARSERLIBS@ + @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) -lpam @INIPARSERLIBS@ $(GPLIBS) \ + @SONAMEFLAG@`basename $@` bin/builtin.@SHLIBEXT@: $(AUTH_BUILTIN_OBJ) @echo "Building plugin $@" diff --git a/source/configure.in b/source/configure.in index 8f07871bbe9..f54c9bd2982 100644 --- a/source/configure.in +++ b/source/configure.in @@ -46,7 +46,7 @@ AC_ARG_WITH(fhs, logfilebase="\${VARDIR}/log/samba" privatedir="\${CONFIGDIR}/private" libdir="\${prefix}/lib/samba" - configdir="${sysconfdir}/samba" + configdir="\${sysconfdir}/samba" swatdir="\${DATADIR}/samba/swat" ;; esac]) diff --git a/source/libsmb/clifile.c b/source/libsmb/clifile.c index 6328a1720a6..2fe9eb17259 100644 --- a/source/libsmb/clifile.c +++ b/source/libsmb/clifile.c @@ -330,6 +330,8 @@ static BOOL cli_unix_chmod_chown_internal(struct cli_state *cli, const char *fna p += clistr_push(cli, p, fname, -1, STR_TERMINATE); param_len = PTR_DIFF(p, param); + memset(data, 0xff, 40); /* Set all sizes/times to no change. */ + SIVAL(data,40,uid); SIVAL(data,48,gid); SIVAL(data,84,mode); diff --git a/source/nsswitch/idmap.c b/source/nsswitch/idmap.c index d69fd68e103..a58959afe4c 100644 --- a/source/nsswitch/idmap.c +++ b/source/nsswitch/idmap.c 
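Review bot: The new `memset(data, 0xff, 40)` in cli_unix_chmod_chown_internal hard-codes the byte count that the following `SIVAL(data,40,uid)` also depends on, so the two can silently drift apart if the field layout is ever touched. The meaning of the 40 ("all size/time fields precede the uid, set them all to no-change") lives only in the comment; a shared named constant, e.g. `enum { UNIX_BASIC_UID_OFFSET = 40 };` used as `memset(data, 0xff, UNIX_BASIC_UID_OFFSET);` and `SIVAL(data, UNIX_BASIC_UID_OFFSET, uid);`, keeps the fill length and the field offset in step. The declaration and size of `data` are outside the hunk, so the length cannot be checked against the buffer here.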
@@ -225,9 +225,36 @@ NTSTATUS idmap_close(void) static const char *idmap_default_domain[] = { "default domain", NULL }; +/**************************************************************************** + ****************************************************************************/ + +NTSTATUS idmap_init_cache(void) +{ + /* Always initialize the cache. We'll have to delay initialization + of backends if we are offline */ + + if ( idmap_ctx ) { + return NT_STATUS_OK; + } + + if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) { + return NT_STATUS_NO_MEMORY; + } + + if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) { + return NT_STATUS_UNSUCCESSFUL; + } + + return NT_STATUS_OK; +} + +/**************************************************************************** + ****************************************************************************/ + NTSTATUS idmap_init(void) { NTSTATUS ret; + static NTSTATUS backend_init_status = NT_STATUS_UNSUCCESSFUL; struct idmap_domain *dom; char *compat_backend = NULL; char *compat_params = NULL; @@ -238,16 +265,23 @@ NTSTATUS idmap_init(void) int compat = 0; int i; - if (idmap_ctx) { - return NT_STATUS_OK; - } + /* Always initialize the cache. We'll have to delay initialization + of backends if we are offline */ - if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) { - return NT_STATUS_NO_MEMORY; + ret = idmap_init_cache(); + if ( !NT_STATUS_IS_OK(ret) ) + return ret; + + if ( NT_STATUS_IS_OK(backend_init_status) ) { + return NT_STATUS_OK; } + + /* We can't reliably call intialization code here unless + we are online */ - if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) { - return NT_STATUS_UNSUCCESSFUL; + if ( get_global_winbindd_state_offline() ) { + backend_init_status = NT_STATUS_FILE_IS_OFFLINE; + return backend_init_status; } static_init_idmap; 
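Review bot: idmap_init_cache() leaves `idmap_ctx` allocated when `idmap_cache_init()` fails, and its first check `if ( idmap_ctx ) return NT_STATUS_OK;` then reports success on every later call while `idmap_cache` is still NULL. Free the context on that path so a retry really retries: `if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) { TALLOC_FREE(idmap_ctx); return NT_STATUS_UNSUCCESSFUL; }`. Both winbindd's main() and idmap_init() now route through this function, so a half-initialised context would otherwise be reachable from the lookup paths.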
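Review bot: The offline gate added to idmap_init() tests only `get_global_winbindd_state_offline()`, whereas the gates added by the same commit to idmap_unixids_to_sids(), idmap_sids_to_unixids() and the two idmap_cache.c functions all require `lp_winbind_offline_logon() && get_global_winbindd_state_offline()`. If the global offline flag can be set while offline logon is disabled, backend initialisation is deferred here with `NT_STATUS_FILE_IS_OFFLINE` but the lookups below would still be sent to the backends; using the same two-part condition everywhere removes the ambiguity. The body of idmap_init() continues past the end of the hunk.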
@@ -559,11 +593,17 @@ NTSTATUS idmap_init(void) /* cleanpu temporary strings */ TALLOC_FREE( compat_backend ); + backend_init_status = NT_STATUS_OK; + return NT_STATUS_OK; done: DEBUG(0, ("Aborting IDMAP Initialization ...\n")); idmap_close(); + + /* save the init status for later checks */ + backend_init_status = ret; + return ret; } @@ -1067,6 +1107,14 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids) /* let's see if there is any id mapping to be retieved from the backends */ if (bi) { + /* Only do query if we are online */ + if ( lp_winbind_offline_logon() && + get_global_winbindd_state_offline() ) + { + ret = NT_STATUS_FILE_IS_OFFLINE; + goto done; + } + ret = idmap_backends_unixids_to_sids(bids); IDMAP_CHECK_RET(ret); @@ -1132,7 +1180,8 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids) if ( ! NT_STATUS_IS_OK(ret)) { if ( ! bids) { - /* alloc space for ids to be resolved by backends (realloc ten by ten) */ + /* alloc space for ids to be resolved + by backends (realloc ten by ten) */ bids = talloc_array(ctx, struct id_map *, 10); if ( ! bids) { DEBUG(1, ("Out of memory!\n")); @@ -1164,6 +1213,14 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids) /* let's see if there is any id mapping to be retieved from the backends */ if (bids) { + /* Only do query if we are online */ + if ( lp_winbind_offline_logon() && + get_global_winbindd_state_offline() ) + { + ret = NT_STATUS_FILE_IS_OFFLINE; + goto done; + } + ret = idmap_backends_sids_to_unixids(bids); IDMAP_CHECK_RET(ret); diff --git a/source/nsswitch/idmap_cache.c b/source/nsswitch/idmap_cache.c index 897dd9c4f5b..caf5fe72b3a 100644 --- a/source/nsswitch/idmap_cache.c +++ b/source/nsswitch/idmap_cache.c @@ -22,6 +22,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/ #include "includes.h" +#include "winbindd.h" #define TIMEOUT_LEN 12 #define IDMAP_CACHE_DATA_FMT "%12u/%s" 
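Review bot: The block `if ( lp_winbind_offline_logon() && get_global_winbindd_state_offline() ) { ret = NT_STATUS_FILE_IS_OFFLINE; goto done; }` added to idmap_unixids_to_sids() is repeated verbatim in the idmap_sids_to_unixids() hunk below, and the same two-call test appears four more times in idmap_cache.c; the offline policy is now spread over six copies that must be kept identical. A one-line static helper, e.g. `static BOOL idmap_is_offline(void) { return lp_winbind_offline_logon() && get_global_winbindd_state_offline(); }`, would let each site read `if ( idmap_is_offline() )` and give the policy one place to change. The enclosing functions start before and end after their hunks.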
@@ -418,14 +419,34 @@ NTSTATUS idmap_cache_map_sid(struct idmap_cache_ctx *cache, struct id_map *id) /* here ret == NT_STATUS_OK and id->status = ID_MAPPED */ if (t <= time(NULL)) { - /* We're expired, set an error code for upper layer */ - ret = NT_STATUS_SYNCHRONIZATION_REQUIRED; + /* If we've been told to be offline - stay in + that state... */ + if (lp_winbind_offline_logon() && + get_global_winbindd_state_offline()) + { + DEBUG(10,("idmap_cache_map_sid: winbindd is " + "globally offline.\n")); + } else { + /* We're expired, set an error code + for upper layer */ + ret = NT_STATUS_SYNCHRONIZATION_REQUIRED; + } } } else { if (t <= time(NULL)) { - /* We're expired, delete the entry and return not mapped */ - tdb_delete(cache->tdb, keybuf); - ret = NT_STATUS_NONE_MAPPED; + /* If we've been told to be offline - stay in + that state... */ + if (lp_winbind_offline_logon() && + get_global_winbindd_state_offline()) + { + DEBUG(10,("idmap_cache_map_sid: winbindd is " + "globally offline.\n")); + } else { + /* We're expired, delete the entry and return + not mapped */ + tdb_delete(cache->tdb, keybuf); + ret = NT_STATUS_NONE_MAPPED; + } } else { /* this is not mapped as it was a negative cache hit */ id->status = ID_UNMAPPED; 
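Review bot: In the negative-cache branch of idmap_cache_map_sid(), an expired entry found while winbindd is offline now takes only the new `DEBUG(10, ...)` path, so neither `id->status = ID_UNMAPPED` (set for an unexpired negative hit) nor `ret = NT_STATUS_NONE_MAPPED` (set for the online expired case) is assigned, and the caller gets whatever `ret` (presumably NT_STATUS_OK) and `id->status` held before. The positive branch deliberately keeps serving the stale mapping while offline; the negative branch should mirror that by keeping the stale negative answer, i.e. add `id->status = ID_UNMAPPED;` after the DEBUG in the offline arm. The idmap_cache_map_id() hunk below has the same gap.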
@@ -508,14 +529,34 @@ NTSTATUS idmap_cache_map_id(struct idmap_cache_ctx *cache, struct id_map *id) /* here ret == NT_STATUS_OK and id->mapped = True */ if (t <= time(NULL)) { - /* We're expired, set an error code for upper layer */ - ret = NT_STATUS_SYNCHRONIZATION_REQUIRED; + /* If we've been told to be offline - stay in + that state... */ + if (lp_winbind_offline_logon() && + get_global_winbindd_state_offline()) + { + DEBUG(10,("idmap_cache_map_sid: winbindd is " + "globally offline.\n")); + } else { + /* We're expired, set an error code + for upper layer */ + ret = NT_STATUS_SYNCHRONIZATION_REQUIRED; + } } } else { if (t <= time(NULL)) { - /* We're expired, delete the entry and return not mapped */ - tdb_delete(cache->tdb, keybuf); - ret = NT_STATUS_NONE_MAPPED; + /* If we've been told to be offline - stay in + that state... */ + if (lp_winbind_offline_logon() && + get_global_winbindd_state_offline()) + { + DEBUG(10,("idmap_cache_map_sid: winbindd is " + "globally offline.\n")); + } else { + /* We're expired, delete the entry and + return not mapped */ + tdb_delete(cache->tdb, keybuf); + ret = NT_STATUS_NONE_MAPPED; + } } else { /* this is not mapped is it was a negative cache hit */ id->status = ID_UNMAPPED; diff --git a/source/nsswitch/nss_info.c b/source/nsswitch/nss_info.c index 0b0caeee022..d2516296629 100644 --- a/source/nsswitch/nss_info.c +++ b/source/nsswitch/nss_info.c @@ -131,11 +131,17 @@ static BOOL parse_nss_parm( const char *config, char **backend, char **domain ) NTSTATUS nss_init( const char **nss_list ) { NTSTATUS status; + static NTSTATUS nss_initialized = NT_STATUS_UNSUCCESSFUL; int i; char *backend, *domain; struct nss_function_entry *nss_backend; struct nss_domain_entry *nss_domain; + /* check for previous successful initializations */ + + if ( NT_STATUS_IS_OK(nss_initialized) ) + return NT_STATUS_OK; + /* The "template" backend should alqays be registered as it is a static module */ 
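Review bot: Both new `DEBUG(10,("idmap_cache_map_sid: winbindd is " "globally offline.\n"));` lines in this hunk are inside idmap_cache_map_id(), so the log attributes the offline decision to the wrong function, which misleads anyone tracing an id-to-SID lookup through the winbindd log. Change the prefix in both occurrences to `idmap_cache_map_id:`; the two in idmap_cache_map_sid() above are correct. The function begins before the hunk.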
@@ -207,20 +213,25 @@ static BOOL parse_nss_parm( const char *config, char **backend, char **domain ) } + nss_initialized = NT_STATUS_OK; + return NT_STATUS_OK; } /******************************************************************** *******************************************************************/ - NTSTATUS nss_get_info( const char *domain, const DOM_SID *user_sid, - TALLOC_CTX *ctx, - ADS_STRUCT *ads, LDAPMessage *msg, - char **homedir, char **shell, char **gecos, - gid_t *p_gid) +static struct nss_domain_entry *find_nss_domain( const char *domain ) { + NTSTATUS status; struct nss_domain_entry *p; - struct nss_info_methods *m; + + status = nss_init( lp_winbind_nss_info() ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(4,("nss_get_info: Failed to init nss_info API (%s)!\n", + nt_errstr(status))); + return NULL; + } for ( p=nss_domain_list; p; p=p->next ) { if ( strequal( p->domain, domain ) ) @@ -231,12 +242,33 @@ static BOOL parse_nss_parm( const char *config, char **backend, char **domain ) if ( !p ) { if ( !nss_domain_list ) { - return NT_STATUS_NOT_FOUND; + return NULL; } p = nss_domain_list; } + return p; +} + +/******************************************************************** + *******************************************************************/ + + NTSTATUS nss_get_info( const char *domain, const DOM_SID *user_sid, + TALLOC_CTX *ctx, + ADS_STRUCT *ads, LDAPMessage *msg, + char **homedir, char **shell, char **gecos, + gid_t *p_gid) +{ + struct nss_domain_entry *p; + struct nss_info_methods *m; + + if ( (p = find_nss_domain( domain )) == NULL ) { + DEBUG(4,("nss_get_info: Failed to find nss domain pointer for %s\n", + domain )); + return NT_STATUS_NOT_FOUND; + } + m = p->backend->methods; return m->get_nss_info( p, user_sid, ctx, ads, msg, diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c index ac87fcf32ee..d21c985feee 100644 --- a/source/nsswitch/pam_winbind.c +++ b/source/nsswitch/pam_winbind.c 
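Review bot: The failure message in the new find_nss_domain() is prefixed `nss_get_info:`, so a failed nss_init() is logged under a function that no longer reports it; use `DEBUG(4,("find_nss_domain: Failed to init nss_info API (%s)!\n", nt_errstr(status)));`. The least obvious behaviour of the helper, kept from the old code in the following hunk, is that a `domain` with no entry falls back to the head of `nss_domain_list`; a line comment at that `p = nss_domain_list;` such as `/* no per-domain entry: fall back to the first configured backend */` would spare the next reader a trip through the history. find_nss_domain() is split across this hunk and the next.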
@@ -1517,6 +1517,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, dictionary *d = NULL; char *username_ret = NULL; char *new_authtok_required = NULL; + char *combined_member = NULL; + const char *real_username = NULL; /* parse arguments */ int ctrl = _pam_parse(pamh, flags, argc, argv, &d); @@ -1535,6 +1537,30 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, goto out; } +#if defined(AIX) + /* Decode the user name since AIX does not support logn user + names by default. The name is encoded as _#uid. */ + + if ( username[0] == '_' ) { + uid_t id = atoi( &username[1] ); + struct passwd *pw = NULL; + + if ( (id!=0) && ((pw = getpwuid( id )) != NULL) ) { + real_username = strdup( pw->pw_name ); + } + } +#endif + + if ( !real_username ) { + /* Just making a copy of the username we got from PAM */ + if ( (real_username = strdup( username )) == NULL ) { + _pam_log_debug(pamh, ctrl, LOG_DEBUG, + "memory allocation failure when copying username"); + retval = PAM_SERVICE_ERR; + goto out; + } + } + retval = _winbind_read_password(pamh, ctrl, NULL, "Password: ", NULL, &password); @@ -1549,9 +1575,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, #ifdef DEBUG_PASSWORD _pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s' with password '%s'", - username, password); + real_username, password); #else - _pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s'", username); + _pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s'", real_username); #endif member = get_member_from_config(pamh, argc, argv, ctrl, d); @@ -1594,6 +1620,10 @@ out: free(username_ret); } + if ( real_username ) { + free( real_username ); + } + if (d) { iniparser_freedict(d); } diff --git a/source/nsswitch/winbind_nss_aix.c b/source/nsswitch/winbind_nss_aix.c index 6a39b4b7c41..bc0f252d79b 100644 --- a/source/nsswitch/winbind_nss_aix.c +++ b/source/nsswitch/winbind_nss_aix.c 
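Review bot: `real_username` is declared `const char *` but receives `strdup()` results in the next hunk and is handed to `free()` in the cleanup after `out:`, which discards the qualifier (free takes `void *`) and draws a warning on most compilers. Declare it `char *real_username = NULL;` so the ownership of the copy is visible in its type. `combined_member` is also added here but is not used in any visible hunk; if it stays unused in the rest of pam_sm_authenticate() it should be dropped.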
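Review bot: The AIX decode relies on `atoi(&username[1])` to turn the `_<uid>` form back into a uid, but atoi reports no errors: `_12abc` decodes as uid 12, overflow is silent, and the name arrives from PAM rather than from code under our control. Parse with strtoul and accept the suffix only when it is entirely numeric, as below; the later fallback that copies `username` when no decode applied can stay as it is. The block comment should also say that the decode only applies to names starting with `_` that resolve through getpwuid(), which the rewritten comment below does.
```c
#if defined(AIX)
	/* Decode the user name since AIX does not support long user
	   names by default. The name is encoded as _#uid. Accept the
	   suffix only when it is entirely numeric and non-zero, and
	   only when the uid resolves; otherwise fall through to the
	   plain copy of username below. */

	if ( username[0] == '_' ) {
		char *end = NULL;
		unsigned long id;
		struct passwd *pw = NULL;

		errno = 0;
		id = strtoul( &username[1], &end, 10 );

		if ( end != &username[1] && *end == '\0' && errno == 0
		     && id != 0 && ((pw = getpwuid( (uid_t)id )) != NULL) ) {
			real_username = strdup( pw->pw_name );
		}
	}
#endif
	/* … unchanged: plain copy of username when real_username is still NULL … */
```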
@@ -48,6 +48,11 @@ #include "winbind_client.h" #include +/* enable this to log which entry points have not been + completed yet */ +#define LOG_UNIMPLEMENTED_CALLS 0 + + #define WB_AIX_ENCODED '_' static int debug_enabled; @@ -566,14 +571,12 @@ static attrval_t pwd_to_groupsids(struct passwd *pwd) attrval_t r; char *s, *p; - s = wb_aix_getgrset(pwd->pw_name); - if (!s) { + if ( (s = wb_aix_getgrset(pwd->pw_name)) == NULL ) { r.attr_flag = EINVAL; return r; } - p = malloc(strlen(s)+2); - if (!p) { + if ( (p = malloc(strlen(s)+2)) == NULL ) { r.attr_flag = ENOMEM; return r; } @@ -626,6 +629,8 @@ static int wb_aix_user_attrib(const char *key, char *attributes[], if (strcmp(attributes[i], S_ID) == 0) { results[i].attr_un.au_int = pwd->pw_uid; + } else if (strcmp(attributes[i], S_PGID) == 0) { + results[i].attr_un.au_int = pwd->pw_gid; } else if (strcmp(attributes[i], S_PWD) == 0) { results[i].attr_un.au_char = strdup(pwd->pw_passwd); } else if (strcmp(attributes[i], S_HOME) == 0) { 
@@ -744,21 +749,69 @@ static void wb_aix_close(void *token) */ static attrlist_t **wb_aix_attrlist(void) { - attrlist_t **ret; + /* pretty confusing but we are allocating the array of pointers + and the structures we'll be pointing to all at once. So + you need N+1 pointers and N structures. */ + + attrlist_t **ret = NULL; + attrlist_t *offset = NULL; + int i; + int n; + size_t size; + + struct attr_types { + const char *name; + int flags; + int type; + } attr_list[] = { + /* user attributes */ + {S_ID, AL_USERATTR, SEC_INT}, + {S_PGRP, AL_USERATTR, SEC_CHAR}, + {S_HOME, AL_USERATTR, SEC_CHAR}, + {S_SHELL, AL_USERATTR, SEC_CHAR}, + {S_PGID, AL_USERATTR, SEC_INT}, + {S_GECOS, AL_USERATTR, SEC_CHAR}, + {S_SHELL, AL_USERATTR, SEC_CHAR}, + {S_PGRP, AL_USERATTR, SEC_CHAR}, + {S_GROUPS, AL_USERATTR, SEC_LIST}, + {"SID", AL_USERATTR, SEC_CHAR}, + + /* group attributes */ + {S_ID, AL_GROUPATTR, SEC_INT} + }; + logit("method attrlist called\n"); - ret = malloc(2*sizeof(attrlist_t *) + sizeof(attrlist_t)); - if (!ret) { + + n = sizeof(attr_list) / sizeof(struct attr_types); + size = (n*sizeof(attrlist_t *)); + + if ( (ret = malloc( size )) == NULL ) { errno = ENOMEM; return NULL; } - ret[0] = (attrlist_t *)(ret+2); + /* offset to where the structures start in the buffer */ - /* just one extra attribute - the windows SID */ - ret[0]->al_name = strdup("SID"); - ret[0]->al_flags = AL_USERATTR; - ret[0]->al_type = SEC_CHAR; - ret[1] = NULL; + offset = (attrlist_t *)(ret + n); + + /* now loop over the user_attr_list[] array and add + all the members */ + + for ( i=0; ial_name = strdup(attr_list[i].name); + a->al_flags = attr_list[i].flags; + a->al_type = attr_list[i].type; + + ret[i] = a; + } + ret[n] = NULL; return ret; } diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c index b4570f2525a..e0b126f9f2f 100644 --- a/source/nsswitch/winbindd.c +++ b/source/nsswitch/winbindd.c 
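Review bot: The buffer in wb_aix_attrlist() is smaller than what the loop writes into it: `size = (n*sizeof(attrlist_t *));` covers n pointers only, yet `offset = (attrlist_t *)(ret + n);` places the n attrlist_t structures immediately past that allocation and `ret[n] = NULL;` stores an (n+1)th pointer, so every attribute structure and the terminator land outside the malloc'd block — a heap overflow in what is presumably an NSS module loaded into arbitrary processes. The comment above the declarations already states the need for N+1 pointers and N structures; the size line should match it: `size = ((n+1)*sizeof(attrlist_t *)) + (n*sizeof(attrlist_t));`. The `attr_list[]` table also lists `S_SHELL` and `S_PGRP` twice, and the `strdup()` in the loop is unchecked; the loop body is partly garbled in this rendering (`ial_name`), so the exact statements should be re-read from the file.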
@@ -1011,14 +1011,10 @@ int main(int argc, char **argv, char **envp) /* Winbind daemon initialisation */ - if ( ! NT_STATUS_IS_OK(idmap_init()) ) { - DEBUG(1, ("Could not init idmap! - Sid/[UG]id mapping will not be available\n")); + if ( ! NT_STATUS_IS_OK(idmap_init_cache()) ) { + DEBUG(1, ("Could not init idmap cache!\n")); } -#ifdef WITH_ADS - nss_init( lp_winbind_nss_info() ); -#endif - /* Unblock all signals we are interested in as they may have been blocked by the parent process. */ @@ -1084,6 +1080,7 @@ int main(int argc, char **argv, char **envp) DEBUG(0,("unable to initalize domain list\n")); exit(1); } +#endif init_idmap_child(); diff --git a/source/nsswitch/winbindd_async.c b/source/nsswitch/winbindd_async.c index cafaf1cb056..aa48f513e97 100644 --- a/source/nsswitch/winbindd_async.c +++ b/source/nsswitch/winbindd_async.c @@ -535,7 +535,7 @@ void winbindd_sid2gid_async(TALLOC_CTX *mem_ctx, const DOM_SID *sid, request.cmd = WINBINDD_DUAL_SID2GID; sid_to_string(request.data.dual_sid2id.sid, sid); - DEBUG(7,("idmap_sid2gid_async: Resolving %s to a gid\n", + DEBUG(7,("winbindd_sid2gid_async: Resolving %s to a gid\n", request.data.dual_sid2id.sid)); do_async(mem_ctx, idmap_child(), &request, winbindd_sid2gid_recv, diff --git a/source/nsswitch/winbindd_cache.c b/source/nsswitch/winbindd_cache.c index 908d6ed19ae..ff5f93bfedd 100644 --- a/source/nsswitch/winbindd_cache.c +++ b/source/nsswitch/winbindd_cache.c @@ -2119,7 +2119,7 @@ void wcache_invalidate_cache(void) } } -static BOOL init_wcache(void) +BOOL init_wcache(void) { if (wcache == NULL) { wcache = SMB_XMALLOC_P(struct winbind_cache); diff --git a/source/nsswitch/winbindd_cred_cache.c b/source/nsswitch/winbindd_cred_cache.c index 0847ac9e271..600409420ae 100644 --- a/source/nsswitch/winbindd_cred_cache.c +++ b/source/nsswitch/winbindd_cred_cache.c 
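Review bot: The `#endif` added after `exit(1); }` in main() has no opening conditional in this hunk, and the only `#ifdef WITH_ADS` / `#endif` pair in view is the one removed by the first hunk of this file, so the new directive must close an `#if` that lies between the two hunks. Worth confirming that the preprocessor nesting of main() is balanced in both the WITH_ADS and non-WITH_ADS builds after this change. If the directive is intentional, a trailing comment naming its condition, `#endif /* <condition> */`, makes the pairing visible to the next reader.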
@@ -215,7 +215,8 @@ static void krb5_ticket_gain_handler(struct event_context *event_ctx, DEBUG(10,("krb5_ticket_gain_handler: successful kinit for: %s in ccache: %s\n", entry->principal_name, entry->ccname)); - new_start = entry->refresh_time; + /* Renew at 1/2 the expiration time */ + new_start = entry->refresh_time / 2; goto got_ticket; } @@ -369,8 +370,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, krb5_ticket_gain_handler, entry); } else { + /* Renew at 1/2 the ticket expiration time */ entry->event = event_add_timed(winbind_event_context(), entry, - timeval_set((ticket_end - 1), 0), + timeval_set((ticket_end - 1)/2, 0), "krb5_ticket_refresh_handler", krb5_ticket_refresh_handler, entry); @@ -494,6 +496,17 @@ static NTSTATUS store_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp, const memcredp->len += strlen(pass)+1; } +#if defined(LINUX) + /* aligning the memory on on x86_64 and compiling + with gcc 4.1 using -O2 causes a segv in the + next memset() --jerry */ + memcredp->nt_hash = SMB_MALLOC_ARRAY(unsigned char, memcredp->len); +#else + /* On non-linux platforms, mlock()'d memory must be aligned */ + memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char, + getpagesize(), memcredp->len); +#endif + /* On non-linux platforms, mlock()'d memory must be aligned */ memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char, psize, diff --git a/source/nsswitch/winbindd_dual.c b/source/nsswitch/winbindd_dual.c index edb4fa504b1..6324de9a2d9 100644 --- a/source/nsswitch/winbindd_dual.c +++ b/source/nsswitch/winbindd_dual.c 
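Review bot: `new_start = entry->refresh_time / 2;` here and `timeval_set((ticket_end - 1)/2, 0)` in the next hunk halve a value that, judging by the name `ticket_end` and its use with `timeval_set()`, looks like an absolute expiry time rather than a remaining lifetime. Halving an absolute time_t yields a moment decades in the past, so the refresh event would fire immediately and, if it re-arms the same way, keep firing — on a busy winbindd that is a stream of needless KDC requests rather than a renewal at half-life. The intended midpoint is `now + (ticket_end - now) / 2` with `now` taken from time(NULL) or the ticket's start time; the declarations of refresh_time and ticket_end are outside the hunks, so this needs confirming against their types.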
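Review bot: The new `#if defined(LINUX) … #else … #endif` block assigns `memcredp->nt_hash`, but the pre-existing `memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char, psize, …)` that follows is kept as context, so the second assignment overwrites the first: the platform-specific allocation is leaked on every call and the `#if` has no effect on the buffer actually used. Either delete the old assignment (and `psize` if it then becomes unused) or drop the new block; as written, the workaround the comment describes is not applied. Since this buffer is meant to hold the NT hash, an unreferenced extra copy is also one that can never be cleared before release.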
@@ -502,10 +502,26 @@ void winbind_msg_offline(int msg_type, struct process_id src, } DEBUG(5,("winbind_msg_offline: marking %s offline.\n", domain->name)); set_domain_offline(domain); + + /* Send an offline message to the idmap child when our + primary domain goes offline */ + + if ( domain->primary ) { + struct winbindd_child *idmap = idmap_child(); + + if ( idmap->pid != 0 ) { + message_send_pid(pid_to_procid(idmap->pid), + MSG_WINBIND_OFFLINE, + domain->name, + strlen(domain->name)+1, + False); + } + } } for (child = children; child != NULL; child = child->next) { - /* Don't send message to idmap child. */ + /* Don't send message to idmap child. We've already + done so above. */ if (!child->domain || (child == idmap_child())) { continue; } @@ -556,6 +572,22 @@ void winbind_msg_online(int msg_type, struct process_id src, winbindd_flush_negative_conn_cache(domain); set_domain_online_request(domain); + + /* Send an offline message to the idmap child when our + primary domain goes offline */ + + if ( domain->primary ) { + struct winbindd_child *idmap = idmap_child(); + + if ( idmap->pid != 0 ) { + message_send_pid(pid_to_procid(idmap->pid), + MSG_WINBIND_ONLINE, + domain->name, + strlen(domain->name)+1, + False); + } + + } } for (child = children; child != NULL; child = child->next) { diff --git a/source/nsswitch/winbindd_user.c b/source/nsswitch/winbindd_user.c index 9df3a6a3bc1..47a7364e3a7 100644 --- a/source/nsswitch/winbindd_user.c +++ b/source/nsswitch/winbindd_user.c 
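Review bot: The comment introduced in winbind_msg_online() reads `Send an offline message to the idmap child when our primary domain goes offline`, but the code under it sends `MSG_WINBIND_ONLINE` from the online handler; the text was carried over from the winbind_msg_offline() hunk above. Change it to `/* Send an online message to the idmap child when our primary domain comes back online */`. The two blocks differ only in the message type, so a small static helper taking the msg_type would keep them from diverging further.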
@@ -41,20 +41,21 @@ static BOOL fillup_pw_field(const char *lp_template, if (out == NULL) return False; - if ( in && !strequal(in,"") && lp_security() == SEC_ADS ) { - safe_strcpy(out, in, sizeof(fstring) - 1); - return True; - } - - /* Home directory and shell - use template config parameters. The - defaults are /tmp for the home directory and /bin/false for - shell. */ - - /* The substitution of %U and %D in the 'template homedir' is done - by talloc_sub_specified() below. */ + /* The substitution of %U and %D in the 'template + homedir' is done by talloc_sub_specified() below. + If we have an in string (which means the value has already + been set in the nss_info backend), then use that. + Otherwise use the template value passed in. */ - templ = talloc_sub_specified(NULL, lp_template, username, domname, + if ( in && !strequal(in,"") && lp_security() == SEC_ADS ) { + templ = talloc_sub_specified(NULL, in, + username, domname, uid, gid); + } else { + templ = talloc_sub_specified(NULL, lp_template, + username, domname, + uid, gid); + } if (!templ) return False;
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 584345a906a..5bbd618231b 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -2882,7 +2882,7 @@ static char *store_file_unix_basic(connection_struct *conn, SOFF_T(pdata,0,get_allocation_size(conn,fsp,psbuf)); /* Number of bytes used on disk - 64 Bit */ pdata += 8; - put_long_date_timespec(pdata,get_ctimespec(psbuf)); /* Creation Time 64 Bit */ + put_long_date_timespec(pdata,get_ctimespec(psbuf)); /* Change Time 64 Bit */ put_long_date_timespec(pdata+8,get_atimespec(psbuf)); /* Last access time 64 Bit */ put_long_date_timespec(pdata+16,get_mtimespec(psbuf)); /* Last modification time 64 Bit */ pdata += 24;
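Review bot: The two new branches in fillup_pw_field differ only in the source string passed to `talloc_sub_specified()`, so the duplicated argument lists can be collapsed to `const char *src = (in && !strequal(in,"") && lp_security() == SEC_ADS) ? in : lp_template;` followed by a single `templ = talloc_sub_specified(NULL, src, username, domname, uid, gid);`. Note the behaviour change relative to the removed `safe_strcpy()` path: a value supplied by the nss_info backend is now also run through %U/%D substitution, so a `%` in a directory-supplied home directory or shell is no longer copied literally; the new comment states this is intended, but it is worth a sentence in the release notes since it changes what an administrator sees for existing directory data. The function begins and ends outside the hunk.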
@@ -4805,6 +4805,16 @@ size = %.0f, uid = %u, gid = %u, raw perms = 0%o\n", delete_on_fail = True; } +#if 1 + /* Horrible backwards compatibility hack as an old server bug + * allowed a CIFS client bug to remain unnoticed :-(. JRA. + * */ + + if (!size) { + size = get_file_size(*psbuf); + } +#endif + /* * Deal with the UNIX specific mode set. */
diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
index 9678036d523..34e87ddbd21 100644
--- a/source/utils/net_rpc.c
+++ b/source/utils/net_rpc.c
@@ -5683,6 +5683,7 @@ static int rpc_trustdom_establish(int argc, const char **argv) if (!pipe_hnd) { DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) )); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; }
@@ -5692,6 +5693,7 @@ static int rpc_trustdom_establish(int argc, const char **argv) DEBUG(0, ("Couldn't open policy handle. Error was %s\n", nt_errstr(nt_status))); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; }
@@ -5704,6 +5706,7 @@ static int rpc_trustdom_establish(int argc, const char **argv) DEBUG(0, ("LSA Query Info failed. Returned error was %s\n", nt_errstr(nt_status))); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; }
@@ -5719,6 +5722,7 @@ static int rpc_trustdom_establish(int argc, const char **argv) domain_sid)) { DEBUG(0, ("Storing password for trusted domain failed.\n")); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; }
@@ -5731,6 +5735,7 @@ static int rpc_trustdom_establish(int argc, const char **argv) DEBUG(0, ("Couldn't close LSA pipe. Error was %s\n", nt_errstr(nt_status))); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; }
@@ -5916,6 +5921,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv) /* open \PIPE\lsarpc and open policy handle */ if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) { DEBUG(0, ("Couldn't connect to domain controller\n")); + talloc_destroy(mem_ctx); return -1; };
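Review bot: The `#if 1` around the new compatibility hack is dead preprocessor scaffolding: if the block is wanted unconditionally the guard should go, and if it is meant to be switchable a named macro (`#ifdef TRANS2_ZERO_SIZE_COMPAT`, a constructed name) documents the switch. More substantively, `if (!size) size = get_file_size(*psbuf);` makes a requested size of 0 indistinguishable from "no size supplied", so a client that genuinely asks for a file to be truncated to zero through this path would keep its current size if `size` is later applied as a truncation length — that use is outside the hunk and should be confirmed. The comment should also name the server bug and client behaviour being worked around so a later maintainer can tell when the hack may be dropped; the enclosing function begins and ends outside the hunk.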
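Review bot: The added `talloc_destroy(mem_ctx);` is repeated before every early `return -1;` in rpc_trustdom_establish (this hunk and the four that follow it), and the same hand-applied pattern continues through the rpc_trustdom_vampire and rpc_trustdom_list hunks; a single `goto done;` cleanup label that runs `cli_shutdown(cli)` and `talloc_destroy(mem_ctx)` once would make it impossible to miss an exit, which is exactly the class of leak this commit fixes path by path. Each of the three functions begins and ends outside its hunks, so the label and the single cleanup would sit in code not shown here. The two lines are correct for the exits they touch; the point is that the next error path added to these functions will need the same pair again.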
@@ -5924,6 +5930,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv) DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) )); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; };
@@ -5933,6 +5940,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv) DEBUG(0, ("Couldn't open policy handle. Error was %s\n", nt_errstr(nt_status))); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; };
@@ -5945,6 +5953,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv) DEBUG(0, ("LSA Query Info failed. Returned error was %s\n", nt_errstr(nt_status))); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; }
@@ -5964,6 +5973,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv) DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n", nt_errstr(nt_status))); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; };
@@ -5975,6 +5985,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv) domain_sids[i], trusted_dom_names[i]); if (!NT_STATUS_IS_OK(nt_status)) { cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; } };
@@ -5993,6 +6004,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv) DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n", nt_errstr(nt_status))); cli_shutdown(cli); + talloc_destroy(mem_ctx); return -1; };
@@ -6052,6 +6064,7 @@ static int rpc_trustdom_list(int argc, const char **argv) /* open \PIPE\lsarpc and open policy handle */ if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) { DEBUG(0, ("Couldn't connect to domain controller\n")); + talloc_destroy(mem_ctx); return -1; };
@@ -6059,6 +6072,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (!pipe_hnd) { DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) )); + talloc_destroy(mem_ctx); return -1; };
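Review bot: In the rpc_trustdom_list hunk at line 6072, and in every later rpc_trustdom_list exit that follows, the added `talloc_destroy(mem_ctx);` is not paired with `cli_shutdown(cli);`, unlike the equivalent error exits in rpc_trustdom_establish and rpc_trustdom_vampire above, even though `cli` was just opened by `net_make_ipc_connection()` in the preceding hunk. Unless the connection is torn down somewhere outside these hunks, those paths still leave the IPC connection open on error; adding `cli_shutdown(cli);` before `talloc_destroy(mem_ctx);` would make the three functions consistent. rpc_trustdom_list begins and ends outside its hunks.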
@@ -6067,6 +6081,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't open policy handle. Error was %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; };
@@ -6078,6 +6093,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("LSA Query Info failed. Returned error was %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; }
@@ -6096,6 +6112,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; };
@@ -6116,6 +6133,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; };
@@ -6133,6 +6151,7 @@ static int rpc_trustdom_list(int argc, const char **argv) pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &nt_status); if (!pipe_hnd) { DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; };
@@ -6142,6 +6161,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; };
@@ -6153,6 +6173,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Couldn't open domain object. Error was %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; };
@@ -6170,6 +6191,7 @@ static int rpc_trustdom_list(int argc, const char **argv) if (NT_STATUS_IS_ERR(nt_status)) { DEBUG(0, ("Couldn't enumerate accounts. Error was: %s\n", nt_errstr(nt_status))); + talloc_destroy(mem_ctx); return -1; };
-- cgit