1 From a280f61d71d5ea7e2212d253b84ac5b25810b88e Mon Sep 17 00:00:00 2001
2 From: Uri Simchoni <uri@samba.org>
3 Date: Wed, 10 Feb 2016 00:26:45 +0200
4 Subject: [PATCH 1/4] winbindd: introduce add_trusted_domain_from_tdc()
5
6 This is purely a refactoring patch -
7 Add a routine that adds a winbindd domain object based on
8 domain trust cache entry. add_trusted_domain() becomes
9 a wrapper for this new routine.
10
11 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
12
13 Signed-off-by: Uri Simchoni <uri@samba.org>
14 Reviewed-by: Ralph Boehme <slow@samba.org>
15 ---
16 source3/winbindd/winbindd_util.c | 76 +++++++++++++++++++++++++---------------
17 1 file changed, 48 insertions(+), 28 deletions(-)
18
19 diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
20 index 353722e..70a9041 100644
21 --- a/source3/winbindd/winbindd_util.c
22 +++ b/source3/winbindd/winbindd_util.c
23 @@ -30,6 +30,10 @@
24 #undef DBGC_CLASS
25 #define DBGC_CLASS DBGC_WINBIND
26
27 +static struct winbindd_domain *
28 +add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
29 + struct winbindd_methods *methods);
30 +
31 extern struct winbindd_methods cache_methods;
32
33 /**
34 @@ -91,11 +95,31 @@ static bool is_in_internal_domain(const struct dom_sid *sid)
35
36 /* Add a trusted domain to our list of domains.
37 If the domain already exists in the list,
38 - return it and don't re-initialize.
39 - */
40 -static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
41 - struct winbindd_methods *methods,
42 - const struct dom_sid *sid)
43 + return it and don't re-initialize. */
44 +
45 +static struct winbindd_domain *
46 +add_trusted_domain(const char *domain_name, const char *alt_name,
47 + struct winbindd_methods *methods, const struct dom_sid *sid)
48 +{
49 + struct winbindd_tdc_domain tdc;
50 +
51 + ZERO_STRUCT(tdc);
52 +
53 + tdc.domain_name = domain_name;
54 + tdc.dns_name = alt_name;
55 + if (sid) {
56 + sid_copy(&tdc.sid, sid);
57 + }
58 +
59 + return add_trusted_domain_from_tdc(&tdc, methods);
60 +}
61 +
62 +/* Add a trusted domain out of a trusted domain cache
63 + entry
64 +*/
65 +static struct winbindd_domain *
66 +add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
67 + struct winbindd_methods *methods)
68 {
69 struct winbindd_domain *domain;
70 const char *alternative_name = NULL;
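Review bot: The header comment added for add_trusted_domain_from_tdc (`/* Add a trusted domain out of a trusted domain cache entry */`) does not say how the entry is interpreted, which the add_trusted_domain() wrapper above it relies on: it zeroes the struct and only copies a SID when one was given, so a zero SID must mean "SID unknown", and dns_name stands in for the old alt_name parameter. I would extend it to `/* Add a trusted domain from a trusted domain cache entry. A null tdc->sid means the SID is unknown; tdc->dns_name, when set, becomes the domain's alt_name. Returns the existing list entry if the domain is already known. */`. The is_null_sid() handling that backs this sits in the following hunk, and the function body continues past this one.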
71 @@ -103,6 +127,12 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
72 const char *param;
73 const char **ignored_domains, **dom;
74 int role = lp_server_role();
75 + const char *domain_name = tdc->domain_name;
76 + const struct dom_sid *sid = &tdc->sid;
77 +
78 + if (is_null_sid(sid)) {
79 + sid = NULL;
80 + }
81
82 ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
83 for (dom=ignored_domains; dom && *dom; dom++) {
84 @@ -114,8 +144,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
85
86 /* ignore alt_name if we are not in an AD domain */
87
88 - if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
89 - alternative_name = alt_name;
90 + if (tdc->dns_name && *tdc->dns_name) {
91 + alternative_name = tdc->dns_name;
92 }
93
94 /* We can't call domain_list() as this function is called from
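Review bot: The comment `/* ignore alt_name if we are not in an AD domain */` no longer matches the code below it, which now takes `tdc->dns_name` whenever it is non-empty without consulting lp_security(). Dropping the SEC_ADS test is a behaviour change that the commit message ("purely a refactoring patch") does not mention; either restore it as `if (lp_security() == SEC_ADS && tdc->dns_name && *tdc->dns_name) {` or, if honouring the DNS name in every security mode is intended, say so in the message and change the comment to `/* use the DNS name from the cache entry as alt_name when present */`. add_trusted_domain_from_tdc begins in the preceding hunk and continues after this one.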
95 @@ -127,8 +157,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
96 break;
97 }
98
99 - if (alternative_name && *alternative_name)
100 - {
101 + if (alternative_name) {
102 if (strequal(alternative_name, domain->name) ||
103 strequal(alternative_name, domain->alt_name))
104 {
105 @@ -136,12 +165,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
106 }
107 }
108
109 - if (sid)
110 - {
111 - if (is_null_sid(sid)) {
112 - continue;
113 - }
114 -
115 + if (sid != NULL) {
116 if (dom_sid_equal(sid, &domain->sid)) {
117 break;
118 }
119 @@ -191,11 +215,11 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
120 domain->internal = is_internal_domain(sid);
121 domain->sequence_number = DOM_SEQUENCE_NONE;
122 domain->last_seq_check = 0;
123 - domain->initialized = False;
124 + domain->initialized = false;
125 domain->online = is_internal_domain(sid);
126 domain->check_online_timeout = 0;
127 domain->dc_probe_pid = (pid_t)-1;
128 - if (sid) {
129 + if (sid != NULL) {
130 sid_copy(&domain->sid, sid);
131 }
132
133 @@ -246,9 +270,9 @@ done:
134
135 setup_domain_child(domain);
136
137 - DEBUG(2,("Added domain %s %s %s\n",
138 - domain->name, domain->alt_name,
139 - &domain->sid?sid_string_dbg(&domain->sid):""));
140 + DEBUG(2,
141 + ("Added domain %s %s %s\n", domain->name, domain->alt_name,
142 + !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
143
144 return domain;
145 }
146 @@ -432,10 +456,8 @@ static void rescan_forest_root_trusts( void )
147 d = find_domain_from_name_noinit( dom_list[i].domain_name );
148
149 if ( !d ) {
150 - (void)add_trusted_domain( dom_list[i].domain_name,
151 - dom_list[i].dns_name,
152 - &cache_methods,
153 - &dom_list[i].sid);
154 + d = add_trusted_domain_from_tdc(&dom_list[i],
155 + &cache_methods);
156 }
157
158 if (d == NULL) {
159 @@ -501,10 +523,8 @@ static void rescan_forest_trusts( void )
160 about it */
161
162 if ( !d ) {
163 - (void)add_trusted_domain( dom_list[i].domain_name,
164 - dom_list[i].dns_name,
165 - &cache_methods,
166 - &dom_list[i].sid);
167 + d = add_trusted_domain_from_tdc(&dom_list[i],
168 + &cache_methods);
169 }
170
171 if (d == NULL) {
172 --
173 2.9.4
174
175
176 From 153f173eea81ffa1caa4768589a08bb20a6a1950 Mon Sep 17 00:00:00 2001
177 From: Stefan Metzmacher <metze@samba.org>
178 Date: Tue, 23 Dec 2014 09:43:03 +0000
179 Subject: [PATCH 2/4] s3:winbindd: mark our primary as active_directory if
180 possible
181
182 Signed-off-by: Stefan Metzmacher <metze@samba.org>
183 Reviewed-by: Guenther Deschner <gd@samba.org>
184 ---
185 source3/winbindd/winbindd_util.c | 6 ++++++
186 1 file changed, 6 insertions(+)
187
188 diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
189 index 70a9041..700076a 100644
190 --- a/source3/winbindd/winbindd_util.c
191 +++ b/source3/winbindd/winbindd_util.c
192 @@ -232,6 +232,12 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
193 domain->primary = true;
194 }
195
196 + if (domain->primary) {
197 + if (lp_security() == SEC_ADS) {
198 + domain->active_directory = true;
199 + }
200 + }
201 +
202 /* Link to domain list */
203 DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
204
205 --
206 2.9.4
207
208
209 From 5d741ee3d1dafbb32c106fed817840892b69598d Mon Sep 17 00:00:00 2001
210 From: Uri Simchoni <uri@samba.org>
211 Date: Wed, 10 Feb 2016 00:32:23 +0200
212 Subject: [PATCH 3/4] winbindd: initialize foreign domain as AD based on trust
213
214 Based on trust parameters, initialize the active_directory
215 member of domain object to true.
216
217 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
218
219 Signed-off-by: Uri Simchoni <uri@samba.org>
220 Reviewed-by: Ralph Boehme <slow@samba.org>
221 ---
222 source3/winbindd/winbindd_util.c | 7 +++++++
223 1 file changed, 7 insertions(+)
224
225 diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
226 index 700076a..aaa9ee8 100644
227 --- a/source3/winbindd/winbindd_util.c
228 +++ b/source3/winbindd/winbindd_util.c
229 @@ -222,6 +222,9 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
230 if (sid != NULL) {
231 sid_copy(&domain->sid, sid);
232 }
233 + domain->domain_flags = tdc->trust_flags;
234 + domain->domain_type = tdc->trust_type;
235 + domain->domain_trust_attribs = tdc->trust_attribs;
236
237 /* Is this our primary domain ? */
238 if (strequal(domain_name, get_global_sam_name()) &&
239 @@ -236,6 +239,10 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
240 if (lp_security() == SEC_ADS) {
241 domain->active_directory = true;
242 }
243 + } else if (!domain->internal) {
244 + if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
245 + domain->active_directory = true;
246 + }
247 }
248
249 /* Link to domain list */
250 --
251 2.9.4
252
253
254 From a8ac7dcae2e3b00362ea9d91b5ef7f149bc734a0 Mon Sep 17 00:00:00 2001
255 From: Uri Simchoni <uri@samba.org>
256 Date: Wed, 10 Feb 2016 00:38:11 +0200
257 Subject: [PATCH 4/4] winbindd: return trust parameters when listing trusts
258 MIME-Version: 1.0
259 Content-Type: text/plain; charset=UTF-8
260 Content-Transfer-Encoding: 8bit
261
262 When asking a child domain process to list trusts on that domain,
263 return (along with trust domain names and SID) the trust properties -
264 flags, type, and attributes.
265
266 Use those attributes to initialize domain object.
267
268 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
269
270 Signed-off-by: Uri Simchoni <uri@samba.org>
271 Reviewed-by: Ralph Boehme <slow@samba.org>
272
273 Autobuild-User(master): Ralph Böhme <slow@samba.org>
274 Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144
275 ---
276 source3/winbindd/winbindd_misc.c | 11 +++---
277 source3/winbindd/winbindd_util.c | 82 +++++++++++++++++++++++++++++-----------
278 2 files changed, 65 insertions(+), 28 deletions(-)
279
280 diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
281 index 7d25167..5335ad9 100644
282 --- a/source3/winbindd/winbindd_misc.c
283 +++ b/source3/winbindd/winbindd_misc.c
284 @@ -172,11 +172,12 @@ enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *
285
286 for (i=0; i<trusts.count; i++) {
287 extra_data = talloc_asprintf_append_buffer(
288 - extra_data, "%s\\%s\\%s\n",
289 - trusts.array[i].netbios_name,
290 - trusts.array[i].dns_name,
291 - sid_string_talloc(state->mem_ctx,
292 - trusts.array[i].sid));
293 + extra_data, "%s\\%s\\%s\\%u\\%u\\%u\n",
294 + trusts.array[i].netbios_name, trusts.array[i].dns_name,
295 + sid_string_talloc(state->mem_ctx, trusts.array[i].sid),
296 + trusts.array[i].trust_flags,
297 + (uint32_t)trusts.array[i].trust_type,
298 + trusts.array[i].trust_attributes);
299 }
300
301 /* add our primary domain */
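Review bot: The three new `%u` conversions are paired with uint32_t values (trust_flags, trust_attributes and the cast trust_type), which is only correct where unsigned int is 32 bits; the portable spelling is `extra_data, "%s\\%s\\%s\\%" PRIu32 "\\%" PRIu32 "\\%" PRIu32 "\n",` using the macros from <inttypes.h>. The unchanged `%s` for dns_name prints "(null)" for a NULL pointer only as a glibc extension, and the parser in winbindd_util.c matches that literal, so the new line format inherits that dependence; a `trusts.array[i].dns_name ? trusts.array[i].dns_name : "(null)"` argument would make it explicit. winbindd_dual_list_trusted_domains begins before this hunk and continues after it.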
302 diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
303 index aaa9ee8..b99fac4 100644
304 --- a/source3/winbindd/winbindd_util.c
305 +++ b/source3/winbindd/winbindd_util.c
306 @@ -343,6 +343,8 @@ static void trustdom_list_done(struct tevent_req *req)
307 struct winbindd_response *response;
308 int res, err;
309 char *p;
310 + struct winbindd_tdc_domain trust_params = {0};
311 + ptrdiff_t extra_len;
312
313 res = wb_domain_request_recv(req, state, &response, &err);
314 if ((res == -1) || (response->result != WINBINDD_OK)) {
315 @@ -351,17 +353,27 @@ static void trustdom_list_done(struct tevent_req *req)
316 return;
317 }
318
319 + if (response->length < sizeof(struct winbindd_response)) {
320 + DEBUG(0, ("ill-formed trustdom response - short length\n"));
321 + TALLOC_FREE(state);
322 + return;
323 + }
324 +
325 + extra_len = response->length - sizeof(struct winbindd_response);
326 +
327 p = (char *)response->extra_data.data;
328
329 - while ((p != NULL) && (*p != '\0')) {
330 + while ((p - (char *)response->extra_data.data) < extra_len) {
331 char *q, *sidstr, *alt_name;
332 - struct dom_sid sid;
333 - struct winbindd_domain *domain;
334 - char *alternate_name = NULL;
335 +
336 + DEBUG(10, ("parsing response line '%s'\n", p));
337 +
338 + ZERO_STRUCT(trust_params);
339 + trust_params.domain_name = p;
340
341 alt_name = strchr(p, '\\');
342 if (alt_name == NULL) {
343 - DEBUG(0, ("Got invalid trustdom response\n"));
344 + DEBUG(10, ("Got invalid trustdom response\n"));
345 break;
346 }
347
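Review bot: The rewritten loop condition `while ((p - (char *)response->extra_data.data) < extra_len)` drops the old `p != NULL` guard, so a response whose length exceeds the header but carries no extra_data (p == NULL) now enters the loop and hands NULL to strchr(), and subtracting two null pointers is itself not well-defined C. Keep both tests: `while (p != NULL && (p - (char *)response->extra_data.data) < extra_len) {`. The new length check only proves extra_len is non-negative; strchr()/strtok() inside the loop still rely on the extra data being NUL-terminated, which is worth asserting once before the loop (that the byte at extra_len - 1 is '\0') if the sender's length is meant to cover the terminator. The `parsing response line '%s'` trace prints everything up to that terminator, i.e. all remaining lines rather than one, so "line" is misleading. trustdom_list_done starts before this hunk and continues after it.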
348 @@ -370,39 +382,63 @@ static void trustdom_list_done(struct tevent_req *req)
349
350 sidstr = strchr(alt_name, '\\');
351 if (sidstr == NULL) {
352 - DEBUG(0, ("Got invalid trustdom response\n"));
353 + DEBUG(10, ("Got invalid trustdom response\n"));
354 break;
355 }
356
357 *sidstr = '\0';
358 sidstr += 1;
359
360 - q = strchr(sidstr, '\n');
361 - if (q != NULL)
362 - *q = '\0';
363 + /* use the real alt_name if we have one, else pass in NULL */
364 + if (!strequal(alt_name, "(null)")) {
365 + trust_params.dns_name = alt_name;
366 + }
367 +
368 + q = strtok(sidstr, "\\");
369 + if (q == NULL) {
370 + DEBUG(10, ("Got invalid trustdom response\n"));
371 + break;
372 + }
373 +
374 + if (!string_to_sid(&trust_params.sid, sidstr)) {
375 + DEBUG(0, ("Got invalid trustdom response\n"));
376 + break;
377 + }
378
379 - if (!string_to_sid(&sid, sidstr)) {
380 + q = strtok(NULL, "\\");
381 + if (q == NULL) {
382 DEBUG(0, ("Got invalid trustdom response\n"));
383 break;
384 }
385
386 - /* use the real alt_name if we have one, else pass in NULL */
387 + trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
388
389 - if ( !strequal( alt_name, "(null)" ) )
390 - alternate_name = alt_name;
391 + q = strtok(NULL, "\\");
392 + if (q == NULL) {
393 + DEBUG(0, ("Got invalid trustdom response\n"));
394 + break;
395 + }
396 +
397 + trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
398
399 - /* If we have an existing domain structure, calling
400 - add_trusted_domain() will update the SID if
401 - necessary. This is important because we need the
402 - SID for sibling domains */
403 + q = strtok(NULL, "\n");
404 + if (q == NULL) {
405 + DEBUG(10, ("Got invalid trustdom response\n"));
406 + break;
407 + }
408
409 - (void)add_trusted_domain(p, alternate_name,
410 - &cache_methods,
411 - &sid);
412 + trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
413 +
414 + /*
415 + * We always call add_trusted_domain() cause on an existing
416 + * domain structure, it will update the SID if necessary.
417 + * This is important because we need the SID for sibling
418 + * domains.
419 + */
420 + (void)add_trusted_domain_from_tdc(&trust_params,
421 + &cache_methods);
422
423 - p=q;
424 - if (p != NULL)
425 - p += 1;
426 + p = q + strlen(q) + 1;
427 }
428
429 /*
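Review bot: The new field parsing uses strtok(), which keeps hidden static state and is not reentrant, and feeds each token to `strtoul(q, NULL, 10)` with no check of endptr, errno or range, so a non-numeric or oversized field is silently accepted as 0 or a truncated value even though the surrounding code rejects a missing field as an invalid response. The "Got invalid trustdom response" messages in this hunk also mix `DEBUG(0, ...)` and `DEBUG(10, ...)` for the same condition; one level for all of them would keep the log consistent. I would switch to strtok_r() with a local save pointer and validate each number through endptr, as sketched below for the first numeric field; trust_type (delimiter "\\") and trust_attribs (delimiter "\n") follow the same pattern. trustdom_list_done begins before this hunk and continues after it.
```c
	char *saveptr = NULL;
	char *end = NULL;
	unsigned long val = 0;

	/* … unchanged: dns_name "(null)" handling … */

	q = strtok_r(sidstr, "\\", &saveptr);
	if (q == NULL) {
		DEBUG(0, ("Got invalid trustdom response\n"));
		break;
	}

	if (!string_to_sid(&trust_params.sid, sidstr)) {
		DEBUG(0, ("Got invalid trustdom response\n"));
		break;
	}

	q = strtok_r(NULL, "\\", &saveptr);
	if (q == NULL) {
		DEBUG(0, ("Got invalid trustdom response\n"));
		break;
	}

	/* reject empty, trailing-garbage, overflowing and >32-bit values */
	errno = 0;
	val = strtoul(q, &end, 10);
	if (end == q || *end != '\0' || errno == ERANGE || val > UINT32_MAX) {
		DEBUG(0, ("Got invalid trustdom response\n"));
		break;
	}
	trust_params.trust_flags = (uint32_t)val;

	/* … same pattern for trust_type ("\\") and trust_attribs ("\n"), then the add_trusted_domain_from_tdc() call and the advance of p … */
```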
430 --
431 2.9.4
432