svn commit: samba r12740 - in trunk/source/nsswitch: .

gd at samba.org gd at samba.org
Fri Jan 6 13:41:56 GMT 2006


Author: gd
Date: 2006-01-06 13:41:56 +0000 (Fri, 06 Jan 2006)
New Revision: 12740

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12740

Log:
Add account_lockout_policy_handler to the winbind child. 

This makes sure we query the domain lockout policies on startup and then
again each hour, so that offline authentication can correctly lock out
accounts to prevent offline password attacks.

Guenther

Modified:
   trunk/source/nsswitch/winbindd.h
   trunk/source/nsswitch/winbindd_dual.c


Changeset:
Modified: trunk/source/nsswitch/winbindd.h
===================================================================
--- trunk/source/nsswitch/winbindd.h	2006-01-06 12:29:06 UTC (rev 12739)
+++ trunk/source/nsswitch/winbindd.h	2006-01-06 13:41:56 UTC (rev 12740)
@@ -143,7 +143,9 @@
 	struct winbindd_domain *domain;
 	pstring logfilename;
 
+	TALLOC_CTX *mem_ctx;
 	struct fd_event event;
+	struct timed_event *timed_event;
 	struct winbindd_async_request *requests;
 };
 

Modified: trunk/source/nsswitch/winbindd_dual.c
===================================================================
--- trunk/source/nsswitch/winbindd_dual.c	2006-01-06 12:29:06 UTC (rev 12739)
+++ trunk/source/nsswitch/winbindd_dual.c	2006-01-06 13:41:56 UTC (rev 12740)
@@ -235,6 +235,8 @@
 	setup_async_write(&child->event, request->request,
 			  sizeof(*request->request),
 			  async_main_request_sent, request);
+
+	talloc_destroy(child->mem_ctx);
 	return;
 }
 
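Review bot: `talloc_destroy(child->mem_ctx)` after `setup_async_write()` frees the context but leaves `child->mem_ctx` and `child->timed_event` pointing into it; the later hunks allocate the timed event on that same context, and `account_lockout_policy_handler` calls `talloc_free(child->timed_event)`. If this function and the handler can run in the same process, that is a use-after-free or double free. If it only runs where `mem_ctx` was never set up (the only visible `talloc_init` is in `fork_domain_child`), the call destroys a pointer nothing visible has initialised. Either drop the call or clear both pointers right after it: `child->mem_ctx = NULL; child->timed_event = NULL;`. The enclosing function starts outside the hunk, so which process executes this line needs confirming.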
@@ -447,6 +449,37 @@
 	schedule_async_request(child);
 }
 
+static void account_lockout_policy_handler(struct timed_event *te,
+					   const struct timeval *now,
+					   void *private_data)
+{
+	struct winbindd_child *child = private_data;
+
+	struct winbindd_methods *methods;
+	SAM_UNK_INFO_12 lockout_policy;
+	NTSTATUS result;
+
+	DEBUG(10,("account_lockout_policy_handler called\n"));
+
+	if (child->timed_event) {
+		talloc_free(child->timed_event);
+	}
+
+	methods = child->domain->methods;
+
+	result = methods->lockout_policy(child->domain, child->mem_ctx, &lockout_policy);
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(10,("account_lockout_policy_handler: failed to call lockout_policy\n"));
+		return;
+	}
+
+	child->timed_event = add_timed_event(child->mem_ctx, 
+					     timeval_current_ofs(3600, 0),
+					     "account_lockout_policy_handler",
+					     account_lockout_policy_handler,
+					     child);
+}
+
 static BOOL fork_domain_child(struct winbindd_child *child)
 {
 	int fdpair[2];
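Review bot: In `account_lockout_policy_handler`, the error branch after `methods->lockout_policy()` returns without re-arming the timer, so one failed query (for example while the domain controller cannot be reached) appears to stop the hourly refresh for good, and the lockout policy that offline authentication depends on is not updated again. That path also leaves `child->timed_event` pointing at the event just released by `talloc_free()`. Set `child->timed_event = NULL;` right after the free and remove the `return;` from the error branch so that `add_timed_event()` is always reached; its result should be checked for NULL as well. A comment would help to say that the local `SAM_UNK_INFO_12` is not used after the call (presumably the query matters for a caching side effect) and that each run allocates from `child->mem_ctx`, which nothing visible in this handler frees.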
@@ -498,7 +531,18 @@
 		lp_set_logfile(child->logfilename);
 		reopen_logs();
 	}
-	
+
+	child->mem_ctx = talloc_init("child_mem_ctx");
+	if (child->mem_ctx == NULL) {
+		return False;
+	}
+
+	child->timed_event = add_timed_event(child->mem_ctx,
+					     timeval_zero(),
+					     "account_lockout_policy_handler",
+					     account_lockout_policy_handler,
+					     child);
+
 	while (1) {
 
 		int ret;
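Review bot: The result of `add_timed_event()` before the `while (1)` loop is not checked, so if it returns NULL the lockout policy is never queried and nothing is logged. Add `if (child->timed_event == NULL) { DEBUG(0,("fork_domain_child: failed to schedule account_lockout_policy_handler\n")); }` or treat the failure as fatal. The `return False` on `talloc_init` failure also deserves a look: if this code runs in the forked child, as the request loop that follows suggests, returning would carry on with the caller's code inside the child, where exiting is probably what is intended. The body of `fork_domain_child` starts and ends outside the hunk.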


