svn commit: samba r19255 - in branches/SAMBA_3_0/source: nsswitch param

gd at samba.org gd at samba.org
Thu Oct 12 13:29:02 GMT 2006


Author: gd
Date: 2006-10-12 13:29:01 +0000 (Thu, 12 Oct 2006)
New Revision: 19255

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19255

Log:
Add blacklist of accounts when NSS initgroups calls are coming in and
"winbind use default domain" is set. Defaults to "root, nobody, lp"
currently.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
   branches/SAMBA_3_0/source/param/loadparm.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_group.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_group.c	2006-10-12 11:25:37 UTC (rev 19254)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_group.c	2006-10-12 13:29:01 UTC (rev 19255)
@@ -1018,6 +1018,30 @@
 	DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid,
 		  state->request.data.username));
 
+	/* when using "winbind use default domain" we need to avoid that
+	 * initgroups() requests from NSS hit our DC too badly for accounts
+	 * that will never be on the remote DC */
+
+	if (lp_winbind_use_default_domain()) {
+		
+		const char **list = lp_winbind_initgroups_blacklist();
+		int i;
+
+		if (!list || !list[0]) {
+			goto parse;
+		}
+
+		for (i=0; list[i] != NULL; i++) {
+	
+			if (strequal(state->request.data.username, list[i])) {
+				DEBUG(3,("ignoring blacklisted user [%s] for getgroups\n", 
+					state->request.data.username));
+				request_ok(state);
+				return;
+			}
+		}
+	}
+ parse:
 	/* Parse domain and username */
 
 	s = TALLOC_P(state->mem_ctx, struct getgroups_state);
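Review bot: The early `if (!list || !list[0]) goto parse;` is only needed for the NULL-pointer case — the `for` condition `list[i] != NULL` already handles an empty list — so the guard and the `parse:` label spliced into the function body can be replaced by wrapping the loop, `if (list) {` / `for (i = 0; list[i] != NULL; i++) {`, which keeps the control flow local to the new block. On a match the function answers with `request_ok(state)` and returns before any group data is filled in, so a comment such as `/* answer blacklisted users with success and whatever the response already holds (presumably an empty group set) so NSS does not keep retrying */` would make that contract explicit; I cannot see from the hunk whether state->response is zeroed beforehand. Note also that `strequal` is, as far as I know, a case-insensitive compare and that the check runs before the domain is parsed, so only the bare username form is covered — worth stating in the comment above the block. The enclosing function starts before and ends after this hunk.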

Modified: branches/SAMBA_3_0/source/param/loadparm.c
===================================================================
--- branches/SAMBA_3_0/source/param/loadparm.c	2006-10-12 11:25:37 UTC (rev 19254)
+++ branches/SAMBA_3_0/source/param/loadparm.c	2006-10-12 13:29:01 UTC (rev 19255)
@@ -181,6 +181,7 @@
 	BOOL bWinbindRefreshTickets;
 	BOOL bWinbindOfflineLogon;
 	char **szIdmapBackend;
+	char **szWinbindInitgroupsBlacklist;
 	char *szAddShareCommand;
 	char *szChangeShareCommand;
 	char *szDeleteShareCommand;
@@ -1278,6 +1279,7 @@
 	{"winbind nss info", P_LIST, P_GLOBAL, &Globals.szWinbindNssInfo, NULL, NULL, FLAG_ADVANCED}, 
 	{"winbind refresh tickets", P_BOOL, P_GLOBAL, &Globals.bWinbindRefreshTickets, NULL, NULL, FLAG_ADVANCED}, 
 	{"winbind offline logon", P_BOOL, P_GLOBAL, &Globals.bWinbindOfflineLogon, NULL, NULL, FLAG_ADVANCED},
+	{"winbind initgroups blacklist", P_LIST, P_GLOBAL, &Globals.szWinbindInitgroupsBlacklist, NULL, NULL, FLAG_ADVANCED},
 
 	{NULL,  P_BOOL,  P_NONE,  NULL,  NULL,  NULL,  0}
 };
@@ -1624,6 +1626,7 @@
 	Globals.szWinbindNssInfo = str_list_make("template", NULL);
 	Globals.bWinbindRefreshTickets = False;
 	Globals.bWinbindOfflineLogon = False;
+	Globals.szWinbindInitgroupsBlacklist = str_list_make("root nobody lp", NULL);
 
 	Globals.bPassdbExpandExplicit = False;
 
@@ -1839,6 +1842,7 @@
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 
 FN_GLOBAL_LIST(lp_idmap_backend, &Globals.szIdmapBackend)
+FN_GLOBAL_LIST(lp_winbind_initgroups_blacklist, &Globals.szWinbindInitgroupsBlacklist)
 FN_GLOBAL_BOOL(lp_passdb_expand_explicit, &Globals.bPassdbExpandExplicit)
 
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)


