[SCM] Samba Shared Repository - branch v3-2-stable updated -
release-3-2-0rc2-81-g90ad03b
Karolin Seeger
kseeger at samba.org
Wed Jun 25 09:59:00 GMT 2008
The branch, v3-2-stable has been updated
via 90ad03b06e9df879b2139b9208912bc476ecd99d (commit)
via 46888ae889092f099d159530bf5fd58007275e9c (commit)
from a142ff51235ce0158417917a7cf1650dda62b206 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-stable
- Log -----------------------------------------------------------------
commit 90ad03b06e9df879b2139b9208912bc476ecd99d
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jun 24 18:04:37 2008 -0700
Fix for bug #5551, smbd recursing back into winbindd from a winbindd call.
Jeremy.
(cherry picked from commit 132a5f4a5740f8a4e3bd634af654c9761c11aa1a)
commit 46888ae889092f099d159530bf5fd58007275e9c
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jun 24 16:42:30 2008 -0700
Fix bug #5555. Don't return NT_STATUS_PASSWORD_MUST_CHANGE error on machine account logon.
Jeremy.
(cherry picked from commit 2a3e2c9550acb1c55c0c55e4bfb0faaadad2f6fd)
-----------------------------------------------------------------------
Summary of changes:
source/auth/auth_sam.c | 5 ++-
source/auth/auth_util.c | 79 +++++++++++++++++++++++++++++++++++++++--------
2 files changed, 69 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/auth/auth_sam.c b/source/auth/auth_sam.c
index 4d25d31..66952ff 100644
--- a/source/auth/auth_sam.c
+++ b/source/auth/auth_sam.c
@@ -166,8 +166,9 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
time_t must_change_time = pdb_get_pass_must_change_time(sampass);
time_t last_set_time = pdb_get_pass_last_set_time(sampass);
- /* check for immediate expiry "must change at next logon" */
- if (last_set_time == 0) {
+ /* check for immediate expiry "must change at next logon"
+ * for a user account. */
+ if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0)) {
DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
return NT_STATUS_PASSWORD_MUST_CHANGE;
}
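Review bot: The new guard `if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0))` exempts workstation and server trust accounts only, so an interdomain trust account (ACB_DOMTRUST) with last_set_time == 0 still returns NT_STATUS_PASSWORD_MUST_CHANGE; whether that is intended is worth confirming against the bug #5555 report. The comment states what is checked but not why, and a reader who later sees a machine account skip the expiry test will want the rationale, e.g. `/* "Must change at next logon" only makes sense for user accounts; machine (trust) accounts are exempt (bug #5555). */`. acct_ctrl is assigned outside the hunk and the rest of sam_account_ok lies outside it as well.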
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 7013285..115a6e9 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -486,26 +486,50 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
}
/***************************************************************************
+ Is the incoming username our own machine account ?
+ If so, the connection is almost certainly from winbindd.
+***************************************************************************/
+
+static bool is_our_machine_account(const char *username)
+{
+ bool ret;
+ char *truncname = NULL;
+ size_t ulen = strlen(username);
+
+ if (ulen == 0 || username[ulen-1] != '$') {
+ return false;
+ }
+ truncname = SMB_STRDUP(username);
+ if (!truncname) {
+ return false;
+ }
+ truncname[ulen-1] = '\0';
+ ret = strequal(truncname, global_myname());
+ SAFE_FREE(truncname);
+ return ret;
+}
+
+/***************************************************************************
Make (and fill) a user_info struct from a struct samu
***************************************************************************/
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
struct samu *sampass)
{
- NTSTATUS status;
struct passwd *pwd;
gid_t *gids;
auth_serversupplied_info *result;
int i;
size_t num_gids;
DOM_SID unix_group_sid;
-
+ const char *username = pdb_get_username(sampass);
+ NTSTATUS status;
if ( !(result = make_server_info(NULL)) ) {
return NT_STATUS_NO_MEMORY;
}
- if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
+ if ( !(pwd = getpwnam_alloc(result, username)) ) {
DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
pdb_get_username(sampass)));
TALLOC_FREE(result);
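Review bot: is_our_machine_account() calls strlen(username) with no NULL guard; if pdb_get_username() can return NULL for a samu without a name (I cannot tell from this hunk), the new helper would crash where the old code merely failed getpwnam_alloc(), so either `if (!username) return false;` at the top of the helper or a NULL check before the call at the top of make_server_info_sam would be prudent. The DEBUG on the getpwnam failure path still calls pdb_get_username(sampass) although the preceding line now uses the `username` local; `DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", username));` keeps the two consistent. The SMB_STRDUP/truncate/SAFE_FREE dance exists only to drop the trailing `$`; a length comparison plus strnequal() over ulen-1 characters would give the same answer without an allocation that can fail (and whose failure is silently reported as "not our machine account"). make_server_info_sam continues in the next hunk.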
@@ -520,21 +544,50 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
talloc_steal(result, pwd->pw_name);
result->gid = pwd->pw_gid;
result->uid = pwd->pw_uid;
-
+
TALLOC_FREE(pwd);
- status = pdb_enum_group_memberships(result, sampass,
+ if (IS_DC && is_our_machine_account(username)) {
+ /*
+ * Ensure for a connection from our own
+ * machine account (from winbindd on a DC)
+ * there are no supplementary groups.
+ * Prevents loops in calling gid_to_sid().
+ */
+ result->sids = NULL;
+ gids = NULL;
+ result->num_sids = 0;
+
+ /*
+ * This is a hack of monstrous proportions.
+ * If we know it's winbindd talking to us,
+ * we know we must never recurse into it,
+ * so turn off contacting winbindd for this
+ * entire process. This will get fixed when
+ * winbindd doesn't need to talk to smbd on
+ * a PDC. JRA.
+ */
+
+ winbind_off();
+
+ DEBUG(10, ("make_server_info_sam: our machine account %s "
+ "setting supplementary group list empty and "
+ "turning off winbindd requests.\n",
+ username));
+ } else {
+ status = pdb_enum_group_memberships(result, sampass,
&result->sids, &gids,
&result->num_sids);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
- nt_errstr(status)));
- result->sam_account = NULL; /* Don't free on error exit. */
- TALLOC_FREE(result);
- return status;
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
+ nt_errstr(status)));
+ result->sam_account = NULL; /* Don't free on error exit. */
+ TALLOC_FREE(result);
+ return status;
+ }
}
-
+
/* Add the "Unix Group" SID for each gid to catch mapped groups
and their Unix equivalent. This is to solve the backwards
compatibility problem of 'valid users = +ntadmin' where
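Review bot: In the new `IS_DC && is_our_machine_account(username)` branch `status` is never assigned, while the `else` branch assigns it from pdb_enum_group_memberships(); `NTSTATUS status;` is declared without an initializer in the previous hunk, so if any code after this hunk reads status before setting it, the machine-account path now reads an indeterminate value — initializing it as `NTSTATUS status = NT_STATUS_OK;` at the declaration removes the question. winbind_off() changes behaviour for the whole smbd process and is irreversible here, yet it is only logged at DEBUG level 10; since an operator diagnosing a later "winbindd not consulted" symptom will want to see this decision, logging it at a level that appears in normal debug output (for example `DEBUG(3, (...))`) seems warranted. The branch also relies on the caller having already verified the machine account's credentials before make_server_info_sam() is reached (otherwise a name match alone would switch winbindd off); that precondition is presumably true but would be worth stating in the comment block that already calls this a hack. The function's remaining body, including the loop that consumes `gids`, continues outside the hunk.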