svn commit: samba r17723 - in branches: SAMBA_3_0/source/include
SAMBA_3_0/source/nsswitch SAMBA_3_0_23/source/include
SAMBA_3_0_23/source/nsswitch
jerry at samba.org
jerry at samba.org
Tue Aug 22 22:53:09 GMT 2006
Author: jerry
Date: 2006-08-22 22:53:08 +0000 (Tue, 22 Aug 2006)
New Revision: 17723
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17723
Log:
* BUG 3969: Fix unsigned time comparison with expiration policy from AD DC
* Merge patches from SLES10 to make sure we talk to the correct
winbindd process when performing pam_auth (and pull the password policy info).
Modified:
branches/SAMBA_3_0/source/include/includes.h
branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
branches/SAMBA_3_0/source/nsswitch/winbind_nss_config.h
branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
branches/SAMBA_3_0_23/source/include/includes.h
branches/SAMBA_3_0_23/source/nsswitch/pam_winbind.c
branches/SAMBA_3_0_23/source/nsswitch/winbind_nss_config.h
branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h
branches/SAMBA_3_0_23/source/nsswitch/winbindd_pam.c
Changeset:
Modified: branches/SAMBA_3_0/source/include/includes.h
===================================================================
--- branches/SAMBA_3_0/source/include/includes.h 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0/source/include/includes.h 2006-08-22 22:53:08 UTC (rev 17723)
@@ -671,7 +671,15 @@
#endif /* don't lie. If we don't have it, then don't use it */
#endif
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
+#endif
+
/*
* Types for devices, inodes and offsets.
*/
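Review bot: When neither `SIZEOF_LONG` nor `SIZEOF_LONG_LONG` equals 8, the added block leaves `int64` undefined without any diagnostic, and an undefined `SIZEOF_*` macro evaluates as 0 inside `#if`, so a translation unit that has not seen the configure results takes that path silently. The identical block is added to nsswitch/winbind_nss_config.h (@@ -137), a header that `#undef`s `SIZEOF_LONG` near its top and pulls in the config data only under `#ifndef NO_CONFIG_H`, and to both SAMBA_3_0_23 copies. Because `SMB_TIME_T` in winbindd_nss.h is selected by `defined(int64)`, the two copies must resolve the same way in the daemon and in the nss/pam client build. I would record that next to the block, e.g. `/* keep in sync with nsswitch/winbind_nss_config.h: SMB_TIME_T in winbindd_nss.h depends on int64 being defined on both sides */`.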
Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.c 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.c 2006-08-22 22:53:08 UTC (rev 17723)
@@ -366,7 +366,7 @@
request.data.auth.krb5_cc_type[0] = '\0';
request.data.auth.uid = -1;
- request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
+ request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
if (ctrl & WINBIND_KRB5_AUTH) {
@@ -564,7 +564,7 @@
}
if (ctrl & WINBIND_KRB5_AUTH) {
- request.flags = WBFLAG_PAM_KRB5;
+ request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
}
ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user);
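Review bot: `WBFLAG_PAM_CONTACT_TRUSTDOM` is set on the password-change request only inside the `if (ctrl & WINBIND_KRB5_AUTH)` branch, whereas the auth hunk at @@ -366 sets it unconditionally. If winbindd consults the flag when choosing the domain child for `WINBINDD_PAM_CHAUTHTOK` (not visible here), a trusted-domain user changing a password without krb5 would be routed differently from the same user logging in. Either set it outside the branch, e.g. `request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM;` before the `if` and `request.flags |= WBFLAG_PAM_KRB5;` inside it, or add a comment explaining why the non-krb5 path must not carry the flag. The enclosing function starts and ends outside the hunk; the SAMBA_3_0_23 hunk at @@ -546 has the same shape.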
@@ -1150,7 +1150,7 @@
}
request.data.logoff.uid = pwd->pw_uid;
- request.flags = WBFLAG_PAM_KRB5;
+ request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user);
}
@@ -1391,7 +1391,7 @@
* Copyright (c) Tim Potter <tpot at samba.org> 2000
* Copyright (c) Andrew Bartlettt <abartlet at samba.org> 2002
* Copyright (c) Guenther Deschner <gd at samba.org> 2005-2006
- * Copyright (c) Jan Rêkorajski 1999.
+ * Copyright (c) Jan Rêkorajski 1999.
* Copyright (c) Andrew G. Morgan 1996-8.
* Copyright (c) Alex O. Yuriev, 1996.
* Copyright (c) Cristian Gafton 1996.
Modified: branches/SAMBA_3_0/source/nsswitch/winbind_nss_config.h
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbind_nss_config.h 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0/source/nsswitch/winbind_nss_config.h 2006-08-22 22:53:08 UTC (rev 17723)
@@ -24,12 +24,12 @@
#ifndef _WINBIND_NSS_CONFIG_H
#define _WINBIND_NSS_CONFIG_H
-/* shutup the compiler warnings due to krb5.h on i
- 64-bit sles9 */
+/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */
#ifdef SIZEOF_LONG
#undef SIZEOF_LONG
#endif
+
/* Include header files from data in config.h file */
#ifndef NO_CONFIG_H
@@ -137,7 +137,16 @@
#endif /* don't lie. If we don't have it, then don't use it */
#endif
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
+#endif
+
+
/* zero a structure */
#ifndef ZERO_STRUCT
#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h 2006-08-22 22:53:08 UTC (rev 17723)
@@ -42,8 +42,8 @@
between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
The easiest way to do this is to always use 8byte values for time_t. */
-#if defined(uint64)
-# define SMB_TIME_T uint64
+#if defined(int64)
+# define SMB_TIME_T int64
#else
# define SMB_TIME_T time_t
#endif
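Review bot: The `#else` branch still maps `SMB_TIME_T` to `time_t`, so the fixed 8-byte layout that the comment above the block promises holds only when `int64` is defined in every build that includes this header. The switch from `uint64` to `int64` keeps the field width but changes its signedness, so any code that copies these fields into unsigned variables before comparing keeps the behaviour BUG 3969 describes; those comparison sites are not in this commit's hunks and are worth checking. I would document the fallback where it happens, e.g. `# define SMB_TIME_T time_t /* no 8-byte integer: struct layout differs between 32-bit and 64-bit builds */`. The SAMBA_3_0_23 hunk is identical.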
@@ -198,7 +198,7 @@
#define WBFLAG_PAM_KRB5 0x1000
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
#define WBFLAG_PAM_CACHED_LOGIN 0x4000
-#define WBFLAG_PAM_GET_PWD_POLICY 0x8000
+#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */
#define WINBINDD_MAX_EXTRA_DATA (128*1024)
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-08-22 22:53:08 UTC (rev 17723)
@@ -6,7 +6,7 @@
Copyright (C) Andrew Tridgell 2000
Copyright (C) Tim Potter 2001
Copyright (C) Andrew Bartlett 2001-2002
- Copyright (C) Guenther Deschner 2005-2006
+ Copyright (C) Guenther Deschner 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -222,44 +222,18 @@
return NULL;
}
- if (strequal(domain_name, lp_workgroup())) {
- return find_our_domain();
- }
-
-#ifdef HAVE_ADS
-
- /* when trying to login using krb5 with a trusted domain account, we
- * need to make sure that our and the remote domain are AD */
-
- if ((state->request.flags & WBFLAG_PAM_KRB5) &&
- (lp_security() == SEC_ADS)) {
-
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (!our_domain->active_directory) {
- DEBUG(3,("find_auth_domain: out domain is not AD\n"));
- return NULL;
- }
-
- if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
- return NULL;
- }
-
- /* do we already know it's AD ? */
- if (domain->active_directory) {
+ /* we can auth against trusted domains */
+ if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DEBUG(3, ("Authentication for domain [%s] skipped "
+ "as it is not a trusted domain\n",
+ domain_name));
+ } else {
return domain;
}
-
- set_dc_type_and_flags(domain);
-
- if (!domain->active_directory) {
- DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
- return NULL;
}
- return domain;
- }
-#endif
return find_our_domain();
}
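Review bot: In the `domain == NULL` branch the new DEBUG message says authentication is "skipped", but control falls through to `return find_our_domain();`, so the request is still handled by our own domain's child. The removed code returned NULL on that lookup failure in the krb5 case and also refused krb5 logins when either side was not Active Directory; no replacement for either check is visible in this hunk, and the domain choice now hinges on `WBFLAG_PAM_CONTACT_TRUSTDOM`, a bit taken from the client's request. If falling back is intended, say so in a comment such as `/* unknown domain: fall back to our own domain and let our DC decide */` and reword the message; if not, a `return NULL;` after the DEBUG restores the old refusal. The function (find_auth_domain, going by the removed DEBUG strings) begins above the hunk, and the SAMBA_3_0_23 hunk is the same.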
@@ -1306,15 +1280,12 @@
}
- /* this is required to provide password expiry warning */
- if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
result = fillup_password_policy(domain, state);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
goto done;
}
- }
}
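Review bot: With the flag test removed, a failure of `fillup_password_policy()` takes `goto done` for every request that reaches this block, so a login that has otherwise succeeded now fails whenever the policy lookup fails. The removed comment described the policy as needed only for the password expiry warning, which suggests the failure could be non-fatal. Assuming `result` held success before the call, consider logging at a visible level and continuing, e.g. `DEBUG(3,("Failed to get password policies: %s\n", nt_errstr(result))); result = NT_STATUS_OK;` in place of the `goto done`. Level 10 also hides the cause from an administrator diagnosing refused logins. The enclosing block starts outside the hunk; the SAMBA_3_0_23 hunk at @@ -1286 is identical.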
Modified: branches/SAMBA_3_0_23/source/include/includes.h
===================================================================
--- branches/SAMBA_3_0_23/source/include/includes.h 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0_23/source/include/includes.h 2006-08-22 22:53:08 UTC (rev 17723)
@@ -667,7 +667,15 @@
#endif /* don't lie. If we don't have it, then don't use it */
#endif
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
+#endif
+
/*
* Types for devices, inodes and offsets.
*/
Modified: branches/SAMBA_3_0_23/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0_23/source/nsswitch/pam_winbind.c 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0_23/source/nsswitch/pam_winbind.c 2006-08-22 22:53:08 UTC (rev 17723)
@@ -348,7 +348,7 @@
request.data.auth.krb5_cc_type[0] = '\0';
request.data.auth.uid = -1;
- request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
+ request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
if (ctrl & WINBIND_KRB5_AUTH) {
@@ -546,7 +546,7 @@
}
if (ctrl & WINBIND_KRB5_AUTH) {
- request.flags = WBFLAG_PAM_KRB5;
+ request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
}
ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user);
@@ -1132,7 +1132,7 @@
}
request.data.logoff.uid = pwd->pw_uid;
- request.flags = WBFLAG_PAM_KRB5;
+ request.flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CONTACT_TRUSTDOM;
retval = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_LOGOFF, &request, &response, user);
}
@@ -1373,7 +1373,7 @@
* Copyright (c) Tim Potter <tpot at samba.org> 2000
* Copyright (c) Andrew Bartlettt <abartlet at samba.org> 2002
* Copyright (c) Guenther Deschner <gd at samba.org> 2005-2006
- * Copyright (c) Jan Rêkorajski 1999.
+ * Copyright (c) Jan Rêkorajski 1999.
* Copyright (c) Andrew G. Morgan 1996-8.
* Copyright (c) Alex O. Yuriev, 1996.
* Copyright (c) Cristian Gafton 1996.
Modified: branches/SAMBA_3_0_23/source/nsswitch/winbind_nss_config.h
===================================================================
--- branches/SAMBA_3_0_23/source/nsswitch/winbind_nss_config.h 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0_23/source/nsswitch/winbind_nss_config.h 2006-08-22 22:53:08 UTC (rev 17723)
@@ -24,12 +24,12 @@
#ifndef _WINBIND_NSS_CONFIG_H
#define _WINBIND_NSS_CONFIG_H
-/* shutup the compiler warnings due to krb5.h on i
- 64-bit sles9 */
+/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */
#ifdef SIZEOF_LONG
#undef SIZEOF_LONG
#endif
+
/* Include header files from data in config.h file */
#ifndef NO_CONFIG_H
@@ -137,7 +137,16 @@
#endif /* don't lie. If we don't have it, then don't use it */
#endif
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
+#endif
+
+
/* zero a structure */
#ifndef ZERO_STRUCT
#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
Modified: branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h
===================================================================
--- branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0_23/source/nsswitch/winbindd_nss.h 2006-08-22 22:53:08 UTC (rev 17723)
@@ -42,8 +42,8 @@
between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
The easiest way to do this is to always use 8byte values for time_t. */
-#if defined(uint64)
-# define SMB_TIME_T uint64
+#if defined(int64)
+# define SMB_TIME_T int64
#else
# define SMB_TIME_T time_t
#endif
@@ -190,7 +190,7 @@
#define WBFLAG_PAM_KRB5 0x1000
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
#define WBFLAG_PAM_CACHED_LOGIN 0x4000
-#define WBFLAG_PAM_GET_PWD_POLICY 0x8000
+#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */
#define WINBINDD_MAX_EXTRA_DATA (128*1024)
Modified: branches/SAMBA_3_0_23/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0_23/source/nsswitch/winbindd_pam.c 2006-08-22 22:28:37 UTC (rev 17722)
+++ branches/SAMBA_3_0_23/source/nsswitch/winbindd_pam.c 2006-08-22 22:53:08 UTC (rev 17723)
@@ -6,7 +6,7 @@
Copyright (C) Andrew Tridgell 2000
Copyright (C) Tim Potter 2001
Copyright (C) Andrew Bartlett 2001-2002
- Copyright (C) Guenther Deschner 2005-2006
+ Copyright (C) Guenther Deschner 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -222,44 +222,18 @@
return NULL;
}
- if (strequal(domain_name, lp_workgroup())) {
- return find_our_domain();
- }
-
-#ifdef HAVE_ADS
-
- /* when trying to login using krb5 with a trusted domain account, we
- * need to make sure that our and the remote domain are AD */
-
- if ((state->request.flags & WBFLAG_PAM_KRB5) &&
- (lp_security() == SEC_ADS)) {
-
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (!our_domain->active_directory) {
- DEBUG(3,("find_auth_domain: out domain is not AD\n"));
- return NULL;
- }
-
- if ((domain = find_domain_from_name_noinit(domain_name)) == NULL) {
- return NULL;
- }
-
- /* do we already know it's AD ? */
- if (domain->active_directory) {
+ /* we can auth against trusted domains */
+ if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DEBUG(3, ("Authentication for domain [%s] skipped "
+ "as it is not a trusted domain\n",
+ domain_name));
+ } else {
return domain;
}
-
- set_dc_type_and_flags(domain);
-
- if (!domain->active_directory) {
- DEBUG(3,("find_auth_domain: remote domain is not AD\n"));
- return NULL;
}
- return domain;
- }
-#endif
return find_our_domain();
}
@@ -1286,15 +1260,12 @@
}
- /* this is required to provide password expiry warning */
- if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
result = fillup_password_policy(domain, state);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
goto done;
}
- }
}