[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-1068-ge7164a2

Gerald (Jerry) Carter jerry at samba.org
Fri Jan 4 19:36:14 GMT 2008


The branch, v3-2-test has been updated
       via  e7164a252bf213a74d6eeac5aa04645eed5be241 (commit)
       via  f89e356bdaa203ef0a3ce6b8bd52170afa68a2c9 (commit)
       via  2030a8de19a2c7c735a8aa367dd953e4a5c447b8 (commit)
       via  ed30516bb0f55f9ba466debf91b6e33d1c28a484 (commit)
      from  df5839b5376e903486982ddc7c4f4fbd4550c60a (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit e7164a252bf213a74d6eeac5aa04645eed5be241
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Fri Jan 4 13:35:41 2008 -0600

    Fix the inherited trust flags when spidering the trust hierarchy.
    
    Also *do not* clear the trust list when rescanning or else it is possible
    to suffer from a race condition where no trusted domains can be found.

commit f89e356bdaa203ef0a3ce6b8bd52170afa68a2c9
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Fri Jan 4 13:34:10 2008 -0600

    Add a missing check for dealing with a one-way trust in query_user().

commit 2030a8de19a2c7c735a8aa367dd953e4a5c447b8
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Fri Jan 4 13:32:58 2008 -0600

    Ensure that winbindd_getgroups() can deal with a UPN name.
    
    A user logging in via GDM was not getting a complete list of supplementary
    groups in his/her token.  This is because getgroup() was not able to
    find the winbindd_domain* using the DNS name.  Fall back to matching the DNS
    name if the short name match fails.

commit ed30516bb0f55f9ba466debf91b6e33d1c28a484
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Fri Jan 4 13:31:07 2008 -0600

    When connecting to an AD DC, use the DsGetDCName variant.
    
    This allows us to deal with child domains in transitive forest trusts.
    It also allows us to fill in the forest name to the target domain to the
    struct winbindd_domain *.

-----------------------------------------------------------------------

Summary of changes:
 source/winbindd/winbindd_ads.c   |   12 ++++++++++++
 source/winbindd/winbindd_cm.c    |   38 ++++++++++++++++++++++++++++++++++++--
 source/winbindd/winbindd_group.c |   11 ++++++++++-
 source/winbindd/winbindd_rpc.c   |    6 ++++++
 source/winbindd/winbindd_util.c  |   10 +++++++---
 5 files changed, 71 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/winbindd/winbindd_ads.c b/source/winbindd/winbindd_ads.c
index c9b2a52..3aba824 100644
--- a/source/winbindd/winbindd_ads.c
+++ b/source/winbindd/winbindd_ads.c
@@ -1270,12 +1270,24 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 				d.domain_type = domains[i].trust_type;
 				d.domain_trust_attribs = domains[i].trust_attributes;
 			} else {
+				/* Look up the record in the cache */
+				struct winbindd_tdc_domain *parent;
+
 				DEBUG(10,("trusted_domains(ads):  Inheriting trust "
 					  "flags for domain %s\n", d.alt_name));				
+
+				parent = wcache_tdc_fetch_domain(NULL, domain->name);
+				if (parent) {
+					d.domain_flags = parent->trust_flags;
+					d.domain_type  = parent->trust_type;
+					d.domain_trust_attribs = parent->trust_attribs;
+				} else {
 				d.domain_flags = domain->domain_flags;				
 				d.domain_type  = domain->domain_type;
 				d.domain_trust_attribs = domain->domain_trust_attribs;
 			}
+				TALLOC_FREE(parent);
+			}
 
 			wcache_tdc_add_domain( &d );
 
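Review bot: The fallback branch under the new `} else {` (the three `d.domain_* = domain->...` assignments) keeps its old indentation, so it reads as if it sat at the same level as `if (parent)`, and `TALLOC_FREE(parent);` looks like part of the inner block. Re-indent those three lines one level deeper so the nesting of this trust-flag selection is unambiguous. The added comment could also say why the cached record is preferred, e.g. `/* Prefer the TDC cache entry for the parent; fall back to the in-memory domain flags if it is missing */`. trusted_domains() starts and ends outside the hunk.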
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 33674d2..99e401d 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -601,8 +601,34 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain,
 
 	orig_timeout = cli_set_timeout(netlogon_pipe->cli, 35000);
 	
-	werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, our_domain->dcname,
+	if (our_domain->active_directory) {
+		struct DS_DOMAIN_CONTROLLER_INFO *domain_info = NULL;
+		
+		werr = rpccli_netlogon_dsr_getdcname(netlogon_pipe, 
+						     mem_ctx, 
+						     our_domain->dcname,
+						     domain->name,
+						     NULL,
+						     NULL,
+						     DS_RETURN_DNS_NAME,
+						     &domain_info);
+		if (W_ERROR_IS_OK(werr)) {
+			fstrcpy(tmp, domain_info->domain_controller_name);
+			if (strlen(domain->alt_name) == 0) {
+				fstrcpy(domain->alt_name, 
+					CONST_DISCARD(char*, domain_info->domain_name));
+			}
+			if (strlen(domain->forest_name) == 0) {
+				fstrcpy(domain->forest_name, 
+					CONST_DISCARD(char*, domain_info->dns_forest_name));
+			}
+		}		
+	} else {
+		
+		werr = rpccli_netlogon_getanydcname(netlogon_pipe, mem_ctx, 
+						    our_domain->dcname,
 					    domain->name, &tmp);
+	}
 
 	/* And restore our original timeout. */
 	cli_set_timeout(netlogon_pipe->cli, orig_timeout);
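Review bot: `domain` is declared `const struct winbindd_domain *` in the signature shown in the hunk header, yet the new AD branch writes to `domain->alt_name` and `domain->forest_name` through it. Either drop the `const` from the parameter or move these assignments to a caller that holds a mutable pointer, so the function's side effect on trust metadata is visible in its prototype. The strings copied here come from the DC's reply, and the hunk does not show whether `domain_name` and `dns_forest_name` can be NULL on a successful call, so a guard such as `if (domain_info->dns_forest_name && strlen(domain->forest_name) == 0)` is worth considering. The `CONST_DISCARD(char*, ...)` casts on the copy sources look unnecessary. The function body continues outside the hunk.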
@@ -1869,9 +1895,17 @@ no_lsarpc_ds:
 		if (dns_name)
 			fstrcpy(domain->alt_name, dns_name);
 
-		if ( forest_name )
+		/* See if we can set some domain trust flags about
+		   ourself */
+
+		if ( forest_name ) {
 			fstrcpy(domain->forest_name, forest_name);		
 
+			if (strequal(domain->forest_name, domain->alt_name)) {
+				domain->domain_flags = DS_DOMAIN_TREE_ROOT;
+			}
+		}
+
 		if (dom_sid) 
 			sid_copy(&domain->sid, dom_sid);
 	} else {
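Review bot: `domain->domain_flags = DS_DOMAIN_TREE_ROOT;` replaces the whole flag word rather than setting one bit, so any trust flags already stored for this domain are dropped here. If that is not intended, use `domain->domain_flags |= DS_DOMAIN_TREE_ROOT;`. The comparison may also succeed when `forest_name` and `alt_name` are both empty (`alt_name` is only set when `dns_name` is non-NULL), so checking `domain->alt_name[0] != '\0'` first would avoid marking a domain as tree root on missing data. Whether the flags are populated before this code runs is not visible in the hunk.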
diff --git a/source/winbindd/winbindd_group.c b/source/winbindd/winbindd_group.c
index fbd2fee..62e8d1c 100644
--- a/source/winbindd/winbindd_group.c
+++ b/source/winbindd/winbindd_group.c
@@ -1494,9 +1494,18 @@ void winbindd_getgroups(struct winbindd_cli_state *state)
 		s->username = talloc_strdup( state->mem_ctx, state->request.data.username );
 	}
 	
-	/* Get info for the domain */
+	/* Get info for the domain (either by short domain name or 
+	   DNS name in the case of a UPN) */
 
 	s->domain = find_domain_from_name_noinit(s->domname);
+	if (!s->domain) {
+		char *p = strchr(s->username, '@');
+		
+		if (p) {
+			s->domain = find_domain_from_name_noinit(p+1);			
+		}
+		
+	}
 
 	if (s->domain == NULL) {
 		DEBUG(7, ("could not find domain entry for domain %s\n", 
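Review bot: `strchr(s->username, '@')` is called without checking `s->username`, which in the context line above comes from `talloc_strdup()` and can be NULL on allocation failure. A one-line guard covers it: `char *p = s->username ? strchr(s->username, '@') : NULL;`. The part after `@` comes from the client request, and the fallback leaves `s->domname` at the value that failed to match. If code outside the hunk still uses `s->domname`, it will disagree with `s->domain`, so a comment saying which of the two is authoritative after the fallback would help.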
diff --git a/source/winbindd/winbindd_rpc.c b/source/winbindd/winbindd_rpc.c
index ffb4769..f5e1226 100644
--- a/source/winbindd/winbindd_rpc.c
+++ b/source/winbindd/winbindd_rpc.c
@@ -456,6 +456,12 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 		return NT_STATUS_OK;
 	}
 	
+	if ( !winbindd_can_contact_domain( domain ) ) {
+		DEBUG(10,("query_user: No incoming trust for domain %s\n",
+			  domain->name));
+		return NT_STATUS_OK;
+	}
+	
 	/* no cache; hit the wire */
 		
 	result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
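Review bot: The new early exit returns `NT_STATUS_OK` without contacting the domain, so a caller cannot tell a completed lookup from a domain that is unreachable over a one-way trust. The hunk does not show whether the output user record has been initialised by this point; if it has not, callers would read unset fields after a success status. Either return a failure status here, or, once the initialisation is confirmed, add a comment such as `/* one-way trust: report success with the user record left as initialised above */`. query_user() continues outside the hunk.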
diff --git a/source/winbindd/winbindd_util.c b/source/winbindd/winbindd_util.c
index 70468b6..cc12d4b 100644
--- a/source/winbindd/winbindd_util.c
+++ b/source/winbindd/winbindd_util.c
@@ -500,9 +500,13 @@ void rescan_trusted_domains( void )
 	    ((now-last_trustdom_scan) < WINBINDD_RESCAN_FREQ) )
 		return;
 		
-	/* clear the TRUSTDOM cache first */
-
-	wcache_tdc_clear();
+	/* I use to clear the cache here and start over but that
+	   caused problems in child processes that needed the
+	   trust dom list early on.  Removing it means we
+	   could have some trusted domains listed that have been
+	   removed from our primary domain's DC until a full
+	   restart.  This should be ok since I think this is what
+	   Windows does as well. */
 
 	/* this will only add new domains we didn't already know about
 	   in the domain_list()*/
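Review bot: With `wcache_tdc_clear()` gone, a trust that has been removed on the DC stays in the trusted-domain cache until winbindd restarts, as the new comment itself says. That is a security-relevant trade-off and the comment should state it plainly rather than in first person, for example `/* Do not clear the TDC here: child processes need the list early. Consequence: a removed trust remains listed until restart. */`. It would also help to note whether any other path prunes stale entries; none is visible in this hunk. rescan_trusted_domains() continues outside the hunk.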


-- 
Samba Shared Repository

