1 | From a280f61d71d5ea7e2212d253b84ac5b25810b88e Mon Sep 17 00:00:00 2001 |
2 | From: Uri Simchoni <uri@samba.org> | |
3 | Date: Wed, 10 Feb 2016 00:26:45 +0200 | |
4 | Subject: [PATCH 1/4] winbindd: introduce add_trusted_domain_from_tdc() | |
5 | ||
6 | This is purely a refactoring patch - | |
7 | Add a routine that adds a winbindd domain object based on | |
8 | domain trust cache entry. add_trusted_domain() becomes | |
9 | a wrapper for this new routine. | |
10 | ||
11 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691 | |
12 | ||
13 | Signed-off-by: Uri Simchoni <uri@samba.org> | |
14 | Reviewed-by: Ralph Boehme <slow@samba.org> | |
15 | --- | |
16 | source3/winbindd/winbindd_util.c | 76 +++++++++++++++++++++++++--------------- | |
17 | 1 file changed, 48 insertions(+), 28 deletions(-) | |
18 | ||
19 | diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c | |
20 | index 353722e..70a9041 100644 | |
21 | --- a/source3/winbindd/winbindd_util.c | |
22 | +++ b/source3/winbindd/winbindd_util.c | |
23 | @@ -30,6 +30,10 @@ | |
24 | #undef DBGC_CLASS | |
25 | #define DBGC_CLASS DBGC_WINBIND | |
26 | ||
27 | +static struct winbindd_domain * | |
28 | +add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc, | |
29 | + struct winbindd_methods *methods); | |
30 | + | |
31 | extern struct winbindd_methods cache_methods; | |
32 | ||
33 | /** | |
34 | @@ -91,11 +95,31 @@ static bool is_in_internal_domain(const struct dom_sid *sid) | |
35 | ||
36 | /* Add a trusted domain to our list of domains. | |
37 | If the domain already exists in the list, | |
38 | - return it and don't re-initialize. | |
39 | - */ | |
40 | -static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name, | |
41 | - struct winbindd_methods *methods, | |
42 | - const struct dom_sid *sid) | |
43 | + return it and don't re-initialize. */ | |
44 | + | |
45 | +static struct winbindd_domain * | |
46 | +add_trusted_domain(const char *domain_name, const char *alt_name, | |
47 | + struct winbindd_methods *methods, const struct dom_sid *sid) | |
48 | +{ | |
49 | + struct winbindd_tdc_domain tdc; | |
50 | + | |
51 | + ZERO_STRUCT(tdc); | |
52 | + | |
53 | + tdc.domain_name = domain_name; | |
54 | + tdc.dns_name = alt_name; | |
55 | + if (sid) { | |
56 | + sid_copy(&tdc.sid, sid); | |
57 | + } | |
58 | + | |
59 | + return add_trusted_domain_from_tdc(&tdc, methods); | |
60 | +} | |
61 | + | |
62 | +/* Add a trusted domain out of a trusted domain cache | |
63 | + entry | |
64 | +*/ | |
65 | +static struct winbindd_domain * | |
66 | +add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc, | |
67 | + struct winbindd_methods *methods) | |
68 | { | |
69 | struct winbindd_domain *domain; | |
70 | const char *alternative_name = NULL; | |
71 | @@ -103,6 +127,12 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const | |
72 | const char *param; | |
73 | const char **ignored_domains, **dom; | |
74 | int role = lp_server_role(); | |
75 | + const char *domain_name = tdc->domain_name; | |
76 | + const struct dom_sid *sid = &tdc->sid; | |
77 | + | |
78 | + if (is_null_sid(sid)) { | |
79 | + sid = NULL; | |
80 | + } | |
81 | ||
82 | ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL); | |
83 | for (dom=ignored_domains; dom && *dom; dom++) { | |
84 | @@ -114,8 +144,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const | |
85 | ||
86 | /* ignore alt_name if we are not in an AD domain */ | |
87 | ||
88 | - if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) { | |
89 | - alternative_name = alt_name; | |
90 | + if (tdc->dns_name && *tdc->dns_name) { | |
91 | + alternative_name = tdc->dns_name; | |
92 | } | |
93 | ||
94 | /* We can't call domain_list() as this function is called from | |
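Review bot: The context comment `/* ignore alt_name if we are not in an AD domain */` directly above the changed lines is now stale, because the new condition uses `tdc->dns_name` whenever it is non-empty and drops the former `lp_security() == SEC_ADS` gate. That is a behaviour change inside a patch whose message calls it purely a refactoring: the DNS name of a trust entry is now used for matching against the existing domain list (the -127 hunk) and stored as alt_name even outside AD mode. If dropping the gate is intended, replace the comment with `/* use the DNS name from the trust entry whenever one was supplied */` and say so in the commit message; otherwise restore it as `if ((lp_security() == SEC_ADS) && tdc->dns_name && *tdc->dns_name) {`. add_trusted_domain_from_tdc starts and ends outside this hunk.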
95 | @@ -127,8 +157,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const | |
96 | break; | |
97 | } | |
98 | ||
99 | - if (alternative_name && *alternative_name) | |
100 | - { | |
101 | + if (alternative_name) { | |
102 | if (strequal(alternative_name, domain->name) || | |
103 | strequal(alternative_name, domain->alt_name)) | |
104 | { | |
105 | @@ -136,12 +165,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const | |
106 | } | |
107 | } | |
108 | ||
109 | - if (sid) | |
110 | - { | |
111 | - if (is_null_sid(sid)) { | |
112 | - continue; | |
113 | - } | |
114 | - | |
115 | + if (sid != NULL) { | |
116 | if (dom_sid_equal(sid, &domain->sid)) { | |
117 | break; | |
118 | } | |
119 | @@ -191,11 +215,11 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const | |
120 | domain->internal = is_internal_domain(sid); | |
121 | domain->sequence_number = DOM_SEQUENCE_NONE; | |
122 | domain->last_seq_check = 0; | |
123 | - domain->initialized = False; | |
124 | + domain->initialized = false; | |
125 | domain->online = is_internal_domain(sid); | |
126 | domain->check_online_timeout = 0; | |
127 | domain->dc_probe_pid = (pid_t)-1; | |
128 | - if (sid) { | |
129 | + if (sid != NULL) { | |
130 | sid_copy(&domain->sid, sid); | |
131 | } | |
132 | ||
133 | @@ -246,9 +270,9 @@ done: | |
134 | ||
135 | setup_domain_child(domain); | |
136 | ||
137 | - DEBUG(2,("Added domain %s %s %s\n", | |
138 | - domain->name, domain->alt_name, | |
139 | - &domain->sid?sid_string_dbg(&domain->sid):"")); | |
140 | + DEBUG(2, | |
141 | + ("Added domain %s %s %s\n", domain->name, domain->alt_name, | |
142 | + !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : "")); | |
143 | ||
144 | return domain; | |
145 | } | |
146 | @@ -432,10 +456,8 @@ static void rescan_forest_root_trusts( void ) | |
147 | d = find_domain_from_name_noinit( dom_list[i].domain_name ); | |
148 | ||
149 | if ( !d ) { | |
150 | - (void)add_trusted_domain( dom_list[i].domain_name, | |
151 | - dom_list[i].dns_name, | |
152 | - &cache_methods, | |
153 | - &dom_list[i].sid); | |
154 | + d = add_trusted_domain_from_tdc(&dom_list[i], | |
155 | + &cache_methods); | |
156 | } | |
157 | ||
158 | if (d == NULL) { | |
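Review bot: Assigning the result to `d` changes what the following context line `if (d == NULL) {` does: before this patch `d` stayed NULL after the add call and that branch always ran, now it runs only when the add failed. This looks like a deliberate fix rather than a pure refactoring, which the commit message claims, so it should be called out there; the same applies to the rescan_forest_trusts hunk at -501. The bodies of both functions continue outside the hunks, so what the NULL branch does is not visible here.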
159 | @@ -501,10 +523,8 @@ static void rescan_forest_trusts( void ) | |
160 | about it */ | |
161 | ||
162 | if ( !d ) { | |
163 | - (void)add_trusted_domain( dom_list[i].domain_name, | |
164 | - dom_list[i].dns_name, | |
165 | - &cache_methods, | |
166 | - &dom_list[i].sid); | |
167 | + d = add_trusted_domain_from_tdc(&dom_list[i], | |
168 | + &cache_methods); | |
169 | } | |
170 | ||
171 | if (d == NULL) { | |
172 | -- | |
173 | 2.9.4 | |
174 | ||
175 | ||
176 | From 153f173eea81ffa1caa4768589a08bb20a6a1950 Mon Sep 17 00:00:00 2001 | |
177 | From: Stefan Metzmacher <metze@samba.org> | |
178 | Date: Tue, 23 Dec 2014 09:43:03 +0000 | |
179 | Subject: [PATCH 2/4] s3:winbindd: mark our primary as active_directory if | |
180 | possible | |
181 | ||
182 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
183 | Reviewed-by: Guenther Deschner <gd@samba.org> | |
184 | --- | |
185 | source3/winbindd/winbindd_util.c | 6 ++++++ | |
186 | 1 file changed, 6 insertions(+) | |
187 | ||
188 | diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c | |
189 | index 70a9041..700076a 100644 | |
190 | --- a/source3/winbindd/winbindd_util.c | |
191 | +++ b/source3/winbindd/winbindd_util.c | |
192 | @@ -232,6 +232,12 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc, | |
193 | domain->primary = true; | |
194 | } | |
195 | ||
196 | + if (domain->primary) { | |
197 | + if (lp_security() == SEC_ADS) { | |
198 | + domain->active_directory = true; | |
199 | + } | |
200 | + } | |
201 | + | |
202 | /* Link to domain list */ | |
203 | DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *); | |
204 | ||
205 | -- | |
206 | 2.9.4 | |
207 | ||
208 | ||
209 | From 5d741ee3d1dafbb32c106fed817840892b69598d Mon Sep 17 00:00:00 2001 | |
210 | From: Uri Simchoni <uri@samba.org> | |
211 | Date: Wed, 10 Feb 2016 00:32:23 +0200 | |
212 | Subject: [PATCH 3/4] winbindd: initialize foreign domain as AD based on trust | |
213 | ||
214 | Based on trust parameters, initialize the active_directory | |
215 | member of domain object to true. | |
216 | ||
217 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691 | |
218 | ||
219 | Signed-off-by: Uri Simchoni <uri@samba.org> | |
220 | Reviewed-by: Ralph Boehme <slow@samba.org> | |
221 | --- | |
222 | source3/winbindd/winbindd_util.c | 7 +++++++ | |
223 | 1 file changed, 7 insertions(+) | |
224 | ||
225 | diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c | |
226 | index 700076a..aaa9ee8 100644 | |
227 | --- a/source3/winbindd/winbindd_util.c | |
228 | +++ b/source3/winbindd/winbindd_util.c | |
229 | @@ -222,6 +222,9 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc, | |
230 | if (sid != NULL) { | |
231 | sid_copy(&domain->sid, sid); | |
232 | } | |
233 | + domain->domain_flags = tdc->trust_flags; | |
234 | + domain->domain_type = tdc->trust_type; | |
235 | + domain->domain_trust_attribs = tdc->trust_attribs; | |
236 | ||
237 | /* Is this our primary domain ? */ | |
238 | if (strequal(domain_name, get_global_sam_name()) && | |
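Review bot: The three trust-parameter assignments sit on the path that initialises a freshly built domain, right after `sid_copy`, so a domain that already exists in the list keeps whatever values it was created with; the header comment in this file says existing domains are returned without re-initialisation, and later in this series trustdom_list_done relies on the existing-domain path to refresh the SID. A domain first added through add_trusted_domain(), which zero-fills the tdc, therefore keeps `domain_type == 0`, and the `LSA_TRUST_TYPE_UPLEVEL` test in the -236 hunk never marks it active_directory even if a later trust listing reports that type. Whether the existing-domain path could refresh these fields is outside the hunk; if it cannot, a comment such as `/* trust parameters are recorded only when the domain is first created */` above these lines would make the limitation explicit.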
239 | @@ -236,6 +239,10 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc, | |
240 | if (lp_security() == SEC_ADS) { | |
241 | domain->active_directory = true; | |
242 | } | |
243 | + } else if (!domain->internal) { | |
244 | + if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) { | |
245 | + domain->active_directory = true; | |
246 | + } | |
247 | } | |
248 | ||
249 | /* Link to domain list */ | |
250 | -- | |
251 | 2.9.4 | |
252 | ||
253 | ||
254 | From a8ac7dcae2e3b00362ea9d91b5ef7f149bc734a0 Mon Sep 17 00:00:00 2001 | |
255 | From: Uri Simchoni <uri@samba.org> | |
256 | Date: Wed, 10 Feb 2016 00:38:11 +0200 | |
257 | Subject: [PATCH 4/4] winbindd: return trust parameters when listing trusts | |
258 | MIME-Version: 1.0 | |
259 | Content-Type: text/plain; charset=UTF-8 | |
260 | Content-Transfer-Encoding: 8bit | |
261 | ||
262 | When asking a child domain process to list trusts on that domain, | |
263 | return (along with trust domain names and SID) the trust properties - | |
264 | flags, type, and attributes. | |
265 | ||
266 | Use those attributes to initialize domain object. | |
267 | ||
268 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691 | |
269 | ||
270 | Signed-off-by: Uri Simchoni <uri@samba.org> | |
271 | Reviewed-by: Ralph Boehme <slow@samba.org> | |
272 | ||
273 | Autobuild-User(master): Ralph Böhme <slow@samba.org> | |
274 | Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144 | |
275 | --- | |
276 | source3/winbindd/winbindd_misc.c | 11 +++--- | |
277 | source3/winbindd/winbindd_util.c | 82 +++++++++++++++++++++++++++++----------- | |
278 | 2 files changed, 65 insertions(+), 28 deletions(-) | |
279 | ||
280 | diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c | |
281 | index 7d25167..5335ad9 100644 | |
282 | --- a/source3/winbindd/winbindd_misc.c | |
283 | +++ b/source3/winbindd/winbindd_misc.c | |
284 | @@ -172,11 +172,12 @@ enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain * | |
285 | ||
286 | for (i=0; i<trusts.count; i++) { | |
287 | extra_data = talloc_asprintf_append_buffer( | |
288 | - extra_data, "%s\\%s\\%s\n", | |
289 | - trusts.array[i].netbios_name, | |
290 | - trusts.array[i].dns_name, | |
291 | - sid_string_talloc(state->mem_ctx, | |
292 | - trusts.array[i].sid)); | |
293 | + extra_data, "%s\\%s\\%s\\%u\\%u\\%u\n", | |
294 | + trusts.array[i].netbios_name, trusts.array[i].dns_name, | |
295 | + sid_string_talloc(state->mem_ctx, trusts.array[i].sid), | |
296 | + trusts.array[i].trust_flags, | |
297 | + (uint32_t)trusts.array[i].trust_type, | |
298 | + trusts.array[i].trust_attributes); | |
299 | } | |
300 | ||
301 | /* add our primary domain */ | |
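Review bot: The new `%u` conversions are paired with `uint32_t` values (`trust_flags`, `trust_attributes` and the cast `trust_type`), which is only correct where `uint32_t` is `unsigned int`; the portable form is `"%s\\%s\\%s\\%" PRIu32 "\\%" PRIu32 "\\%" PRIu32 "\n"` from `<inttypes.h>`. Separately, `dns_name` is still printed with `%s` while the receiver in trustdom_list_done checks for the literal text `"(null)"`, which suggests the field can be NULL; printing a NULL pointer with `%s` is undefined behaviour and that text is a glibc artefact, so `trusts.array[i].dns_name ? trusts.array[i].dns_name : "(null)"` would keep the wire format while making it well-defined. Whether dns_name can actually be NULL is not visible in this hunk.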
302 | diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c | |
303 | index aaa9ee8..b99fac4 100644 | |
304 | --- a/source3/winbindd/winbindd_util.c | |
305 | +++ b/source3/winbindd/winbindd_util.c | |
306 | @@ -343,6 +343,8 @@ static void trustdom_list_done(struct tevent_req *req) | |
307 | struct winbindd_response *response; | |
308 | int res, err; | |
309 | char *p; | |
310 | + struct winbindd_tdc_domain trust_params = {0}; | |
311 | + ptrdiff_t extra_len; | |
312 | ||
313 | res = wb_domain_request_recv(req, state, &response, &err); | |
314 | if ((res == -1) || (response->result != WINBINDD_OK)) { | |
315 | @@ -351,17 +353,27 @@ static void trustdom_list_done(struct tevent_req *req) | |
316 | return; | |
317 | } | |
318 | ||
319 | + if (response->length < sizeof(struct winbindd_response)) { | |
320 | + DEBUG(0, ("ill-formed trustdom response - short length\n")); | |
321 | + TALLOC_FREE(state); | |
322 | + return; | |
323 | + } | |
324 | + | |
325 | + extra_len = response->length - sizeof(struct winbindd_response); | |
326 | + | |
327 | p = (char *)response->extra_data.data; | |
328 | ||
329 | - while ((p != NULL) && (*p != '\0')) { | |
330 | + while ((p - (char *)response->extra_data.data) < extra_len) { | |
331 | char *q, *sidstr, *alt_name; | |
332 | - struct dom_sid sid; | |
333 | - struct winbindd_domain *domain; | |
334 | - char *alternate_name = NULL; | |
335 | + | |
336 | + DEBUG(10, ("parsing response line '%s'\n", p)); | |
337 | + | |
338 | + ZERO_STRUCT(trust_params); | |
339 | + trust_params.domain_name = p; | |
340 | ||
341 | alt_name = strchr(p, '\\'); | |
342 | if (alt_name == NULL) { | |
343 | - DEBUG(0, ("Got invalid trustdom response\n")); | |
344 | + DEBUG(10, ("Got invalid trustdom response\n")); | |
345 | break; | |
346 | } | |
347 | ||
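Review bot: The new loop bound only guards the start of each iteration; inside the loop `strchr`, `strtok` and `strlen` (the rest of this hunk and the -370 hunk) walk the extra data until a NUL byte, so a response whose extra data is not NUL-terminated within `extra_len` can still be read past its end. A check that the buffer ends with a terminator, placed right after `extra_len` is computed, closes that without rejecting an empty trust list: `if (extra_len > 0 && ((char *)response->extra_data.data)[extra_len - 1] != '\0') { DEBUG(0, ("ill-formed trustdom response - unterminated\n")); TALLOC_FREE(state); return; }`. The malformed-response messages in this hunk now log at level 10 while the ones after `strtok` in the next hunk log at level 0; one level for all of them would make a misbehaving child easier to diagnose. trustdom_list_done begins before this hunk.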
348 | @@ -370,39 +382,63 @@ static void trustdom_list_done(struct tevent_req *req) | |
349 | ||
350 | sidstr = strchr(alt_name, '\\'); | |
351 | if (sidstr == NULL) { | |
352 | - DEBUG(0, ("Got invalid trustdom response\n")); | |
353 | + DEBUG(10, ("Got invalid trustdom response\n")); | |
354 | break; | |
355 | } | |
356 | ||
357 | *sidstr = '\0'; | |
358 | sidstr += 1; | |
359 | ||
360 | - q = strchr(sidstr, '\n'); | |
361 | - if (q != NULL) | |
362 | - *q = '\0'; | |
363 | + /* use the real alt_name if we have one, else pass in NULL */ | |
364 | + if (!strequal(alt_name, "(null)")) { | |
365 | + trust_params.dns_name = alt_name; | |
366 | + } | |
367 | + | |
368 | + q = strtok(sidstr, "\\"); | |
369 | + if (q == NULL) { | |
370 | + DEBUG(10, ("Got invalid trustdom response\n")); | |
371 | + break; | |
372 | + } | |
373 | + | |
374 | + if (!string_to_sid(&trust_params.sid, sidstr)) { | |
375 | + DEBUG(0, ("Got invalid trustdom response\n")); | |
376 | + break; | |
377 | + } | |
378 | ||
379 | - if (!string_to_sid(&sid, sidstr)) { | |
380 | + q = strtok(NULL, "\\"); | |
381 | + if (q == NULL) { | |
382 | DEBUG(0, ("Got invalid trustdom response\n")); | |
383 | break; | |
384 | } | |
385 | ||
386 | - /* use the real alt_name if we have one, else pass in NULL */ | |
387 | + trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10); | |
388 | ||
389 | - if ( !strequal( alt_name, "(null)" ) ) | |
390 | - alternate_name = alt_name; | |
391 | + q = strtok(NULL, "\\"); | |
392 | + if (q == NULL) { | |
393 | + DEBUG(0, ("Got invalid trustdom response\n")); | |
394 | + break; | |
395 | + } | |
396 | + | |
397 | + trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10); | |
398 | ||
399 | - /* If we have an existing domain structure, calling | |
400 | - add_trusted_domain() will update the SID if | |
401 | - necessary. This is important because we need the | |
402 | - SID for sibling domains */ | |
403 | + q = strtok(NULL, "\n"); | |
404 | + if (q == NULL) { | |
405 | + DEBUG(10, ("Got invalid trustdom response\n")); | |
406 | + break; | |
407 | + } | |
408 | ||
409 | - (void)add_trusted_domain(p, alternate_name, | |
410 | - &cache_methods, | |
411 | - &sid); | |
412 | + trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10); | |
413 | + | |
414 | + /* | |
415 | + * We always call add_trusted_domain() cause on an existing | |
416 | + * domain structure, it will update the SID if necessary. | |
417 | + * This is important because we need the SID for sibling | |
418 | + * domains. | |
419 | + */ | |
420 | + (void)add_trusted_domain_from_tdc(&trust_params, | |
421 | + &cache_methods); | |
422 | ||
423 | - p=q; | |
424 | - if (p != NULL) | |
425 | - p += 1; | |
426 | + p = q + strlen(q) + 1; | |
427 | } | |
428 | ||
429 | /* | |
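Review bot: `trust_flags`, `trust_type` and `trust_attribs` come from `strtoul(q, NULL, 10)` with no end-pointer or `errno` check, so a non-numeric field is silently stored as 0 and an out-of-range one as `ULONG_MAX` truncated to 32 bits, and `trust_type` then drives the `LSA_TRUST_TYPE_UPLEVEL` decision in add_trusted_domain_from_tdc; parsing with an end pointer and treating `end == q || *end != '\0'` like the other malformed cases (`DEBUG(0, ("Got invalid trustdom response\n")); break;`) would keep a record with guessed trust properties from being added. The tokenising also switches to `strtok`, which keeps static state and is not re-entrant, while the rest of this function uses `strchr`; `strtok_r` with a local `char *saveptr` gives the same splitting without that hazard. Finally, `p = q + strlen(q) + 1;` assumes the `\n` delimiter was present: if the last line has no trailing newline, `strtok(NULL, "\n")` returns the remainder and `p` steps one past the string's terminator, which the loop bound only catches if `extra_len` counts that terminator. The function continues past the end of the hunk.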
430 | -- | |
431 | 2.9.4 | |