[SCM] Samba Shared Repository - branch v3-2-test updated -
release-3-2-0pre2-559-g3414eac
Gerald Carter
jerry at samba.org
Mon Mar 31 18:41:49 GMT 2008
The branch, v3-2-test has been updated
via 3414eac439b731ad7204b821ddc4fec54fe4435d (commit)
via b68caaa81bd75bb882c9363612d11d49dd73cb6f (commit)
via e7827bb6afa264c12ecdc0858f49707ca3d6104f (commit)
via 6aac972d790ad5ca65096cb2e85e6819b60a5413 (commit)
from d775194e9c7b75182c485fba427b20ec2bfcf16c (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit 3414eac439b731ad7204b821ddc4fec54fe4435d
Author: Gerald W. Carter <jerry at samba.org>
Date: Mon Mar 31 13:39:54 2008 -0500
Fix enumeration of forest trusts from our root domain.
Do not overwrite the domain->domain_flags when setting infomation
in set_dc_type_and_flags_connect().
commit b68caaa81bd75bb882c9363612d11d49dd73cb6f
Author: Gerald W. Carter <jerry at samba.org>
Date: Thu Mar 27 15:23:36 2008 -0500
DIsplay the short domain name in "wbinfo -m " by default.
This fixes wbinfo -m to make preexisting behavior.
Also adds the dns domain to the --verbose output.
commit e7827bb6afa264c12ecdc0858f49707ca3d6104f
Author: Steven Danneman <steven.danneman at isilon.com>
Date: Tue Mar 25 16:58:40 2008 -0700
Augmented "wbinfo -m" to list additional information about the type, direction, and transitivty of trusts.
* added several helper functions to convert the trust_flags field in the
winbindd_tdc_domain to more useful administrator ideas of trust type, trust
direction, and trust transitivity.
* converted winbindd_list_trusted_domains() to enumerate the trusted domain
cache, instead of the domain list, and return additional trust information to
the calling process
* modified wbinfo to pretty print this additional trust information when a new
--verbose switch is given with -m. Thus "wbinfo -m" and "wbinfo -all-domains"
output as before, but "wbinfo --verbose -m" prints extra trust info.
* updated some comments and fixed typos
commit 6aac972d790ad5ca65096cb2e85e6819b60a5413
Author: Steven Danneman <steven.danneman at isilon.com>
Date: Tue Mar 25 16:50:58 2008 -0700
Forest root trust flags won't overwrite child trust flags
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite
existing trust information if we're joined to a child domain, and querying the
forest root domain. Previously if we were joined to a child domain, we'd
request all known trust information from this child domain (our primary domain)
and store it in the tdc. We'd then request all trust information from our tree
root (to get the forests we transitively trust) and overwrite the existing trust
information we already had from the perspective of the tree root.
* updated several comments and fixed typos
-----------------------------------------------------------------------
Summary of changes:
source/nsswitch/wbinfo.c | 99 +++++++++++++++++++++++++++++++------
source/winbindd/winbindd_ads.c | 81 +++++++++++++++++++-----------
source/winbindd/winbindd_cm.c | 2 +-
source/winbindd/winbindd_misc.c | 104 ++++++++++++++++++++++++++++++++++-----
source/winbindd/winbindd_util.c | 6 +-
5 files changed, 230 insertions(+), 62 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/nsswitch/wbinfo.c b/source/nsswitch/wbinfo.c
index 82d1061..d62e82a 100644
--- a/source/nsswitch/wbinfo.c
+++ b/source/nsswitch/wbinfo.c
@@ -83,7 +83,7 @@ static const char *get_winbind_domain(void)
if (!WBC_ERROR_IS_OK(wbc_status)) {
d_fprintf(stderr, "could not obtain winbind domain name!\n");
- /* HACK: (this module should not call lp_ funtions) */
+ /* HACK: (this module should not call lp_ functions) */
return lp_workgroup();
}
@@ -345,13 +345,15 @@ static bool wbinfo_wins_byip(char *ip)
return true;
}
-/* List trusted domains */
+/* List all/trusted domains */
-static bool wbinfo_list_domains(bool list_all_domains)
+static bool wbinfo_list_domains(bool list_all_domains, bool verbose)
{
struct winbindd_request request;
struct winbindd_response response;
+ bool print_all = !list_all_domains && verbose;
+
ZERO_STRUCT(request);
ZERO_STRUCT(response);
@@ -368,21 +370,78 @@ static bool wbinfo_list_domains(bool list_all_domains)
if (response.extra_data.data) {
const char *extra_data = (char *)response.extra_data.data;
char *name;
- char *p;
+ char *beg, *end;
TALLOC_CTX *frame = talloc_stackframe();
+ if (print_all) {
+ d_printf("%-16s%-24s%-12s%-12s%-5s%-5s\n",
+ "Domain Name", "DNS Domain", "Trust Type",
+ "Transitive", "In", "Out");
+ }
+
while(next_token_talloc(frame,&extra_data,&name,"\n")) {
- p = strchr(name, '\\');
- if (p == 0) {
- d_fprintf(stderr, "Got invalid response: %s\n",
- extra_data);
- TALLOC_FREE(frame);
- SAFE_FREE(response.extra_data.data);
- return false;
+ /* Print Domain Name */
+ if ((beg = strchr(name, '\\')) == NULL)
+ goto error;
+ *beg = 0;
+ beg++;
+ if ((end = strchr(beg, '\\')) == NULL)
+ goto error;
+ *end = 0;
+
+ /* Print short name */
+
+ d_printf("%-16s", name);
+
+ if (!print_all) {
+ d_printf("\n");
+ continue;
}
- *p = 0;
- d_printf("%s\n", name);
+
+ /* Print DNS domain */
+
+ if (beg) {
+ d_printf("%-24s", beg);
+ }
+
+ /* Skip SID */
+ beg = ++end;
+ if ((end = strchr(beg, '\\')) == NULL)
+ goto error;
+
+ /* Print Trust Type */
+ beg = ++end;
+ if ((end = strchr(beg, '\\')) == NULL)
+ goto error;
+ *end = 0;
+ d_printf("%-12s", beg);
+
+ /* Print Transitive */
+ beg = ++end;
+ if ((end = strchr(beg, '\\')) == NULL)
+ goto error;
+ *end = 0;
+ d_printf("%-12s", beg);
+
+ /* Print Incoming */
+ beg = ++end;
+ if ((end = strchr(beg, '\\')) == NULL)
+ goto error;
+ *end = 0;
+ d_printf("%-5s", beg);
+
+ /* Print Outgoing */
+ beg = ++end;
+ d_printf("%-5s\n", beg);
}
+ goto out;
+
+error:
+ d_fprintf(stderr, "Got invalid response: %s\n", extra_data);
+ TALLOC_FREE(frame);
+ SAFE_FREE(response.extra_data.data);
+ return false;
+out:
TALLOC_FREE(frame);
SAFE_FREE(response.extra_data.data);
}
@@ -1278,6 +1337,7 @@ enum {
OPT_LIST_OWN_DOMAIN,
OPT_UID_INFO,
OPT_GROUP_INFO,
+ OPT_VERBOSE
};
int main(int argc, char **argv, char **envp)
@@ -1289,6 +1349,7 @@ int main(int argc, char **argv, char **envp)
static char *opt_domain_name;
static int int_arg;
int result = 1;
+ bool verbose = false;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -1341,6 +1402,7 @@ int main(int argc, char **argv, char **envp)
/* "user%password,DOM\\user%password,user at EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
#endif
{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
+ { "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
POPT_COMMON_CONFIGFILE
POPT_COMMON_VERSION
POPT_TABLEEND
@@ -1363,6 +1425,11 @@ int main(int argc, char **argv, char **envp)
while((opt = poptGetNextOpt(pc)) != -1) {
/* get the generic configuration parameters like --domain */
+ switch (opt) {
+ case OPT_VERBOSE:
+ verbose = True;
+ break;
+ }
}
poptFreeContext(pc);
@@ -1471,7 +1538,7 @@ int main(int argc, char **argv, char **envp)
}
break;
case 'm':
- if (!wbinfo_list_domains(false)) {
+ if (!wbinfo_list_domains(false, verbose)) {
d_fprintf(stderr, "Could not list trusted domains\n");
goto done;
}
@@ -1601,7 +1668,7 @@ int main(int argc, char **argv, char **envp)
break;
}
case OPT_LIST_ALL_DOMAINS:
- if (!wbinfo_list_domains(true)) {
+ if (!wbinfo_list_domains(true, verbose)) {
goto done;
}
break;
@@ -1613,6 +1680,8 @@ int main(int argc, char **argv, char **envp)
/* generic configuration options */
case OPT_DOMAIN_NAME:
break;
+ case OPT_VERBOSE:
+ break;
default:
d_fprintf(stderr, "Invalid option\n");
poptPrintHelp(pc, stderr, 0);
diff --git a/source/winbindd/winbindd_ads.c b/source/winbindd/winbindd_ads.c
index 0900d56..ae8ad9d 100644
--- a/source/winbindd/winbindd_ads.c
+++ b/source/winbindd/winbindd_ads.c
@@ -1249,32 +1249,55 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
fstrcpy( d.alt_name, trusts.array[i].dns_name);
sid_copy( &d.sid, trusts.array[i].sid);
- /* This gets a little tricky. If we are
- following a transitive forest trust, then
- innerit the flags, type, and attrins from
- the domain we queried to make sure we don't
- record the view of the trust from the wrong
- side. Always view it from the side of our
- primary domain. --jerry */
- if ( domain->primary ||
- ((domain->domain_flags&fr_flags) == fr_flags) )
- {
- DEBUG(10,("trusted_domains(ads): Storing trust "
- "flags for domain %s\n", d.alt_name));
-
- /* Look this up in cache to make sure
- we have the current trust flags and
- attributes */
+ if ( domain->primary ) {
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and storing "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
d.domain_flags = trusts.array[i].trust_flags;
d.domain_type = trusts.array[i].trust_type;
d.domain_trust_attribs = trusts.array[i].trust_attributes;
- } else {
- /* Look up the record in the cache */
- struct winbindd_tdc_domain *parent;
- DEBUG(10,("trusted_domains(ads): Inheriting trust "
- "flags for domain %s\n", d.alt_name));
+ wcache_tdc_add_domain( &d );
+ ret_count++;
+ } else if ( (domain->domain_flags&fr_flags) == fr_flags ) {
+ /* Check if we already have this record. If
+ * we are following our forest root that is not
+ * our primary domain, we want to keep trust
+ * flags from the perspective of our primary
+ * domain not our forest root. */
+ struct winbindd_tdc_domain *exist = NULL;
+
+ exist =
+ wcache_tdc_fetch_domain(NULL, trusts.array[i].netbios_name);
+ if (!exist) {
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and storing "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
+ d.domain_flags = trusts.array[i].trust_flags;
+ d.domain_type = trusts.array[i].trust_type;
+ d.domain_trust_attribs = trusts.array[i].trust_attributes;
+
+ wcache_tdc_add_domain( &d );
+ ret_count++;
+ }
+ TALLOC_FREE(exist);
+ } else {
+ /* This gets a little tricky. If we are
+ following a transitive forest trust, then
+ innerit the flags, type, and attribs from
+ the domain we queried to make sure we don't
+ record the view of the trust from the wrong
+ side. Always view it from the side of our
+ primary domain. --jerry */
+ struct winbindd_tdc_domain *parent = NULL;
+
+ DEBUG(10,("trusted_domains(ads): Searching "
+ "trusted domain list of %s and inheriting "
+ "trust flags for domain %s\n",
+ domain->name, d.alt_name));
parent = wcache_tdc_fetch_domain(NULL, domain->name);
if (parent) {
@@ -1282,17 +1305,15 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
d.domain_type = parent->trust_type;
d.domain_trust_attribs = parent->trust_attribs;
} else {
- d.domain_flags = domain->domain_flags;
- d.domain_type = domain->domain_type;
- d.domain_trust_attribs = domain->domain_trust_attribs;
- }
+ d.domain_flags = domain->domain_flags;
+ d.domain_type = domain->domain_type;
+ d.domain_trust_attribs = domain->domain_trust_attribs;
+ }
TALLOC_FREE(parent);
+
+ wcache_tdc_add_domain( &d );
+ ret_count++;
}
-
- wcache_tdc_add_domain( &d );
-
- ret_count++;
-
}
*num_domains = ret_count;
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index d4241a0..39d8def 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -1938,7 +1938,7 @@ no_dssetup:
lsa_info->dns.dns_forest.string);
if (strequal(domain->forest_name, domain->alt_name)) {
- domain->domain_flags = NETR_TRUST_FLAG_TREEROOT;
+ domain->domain_flags |= NETR_TRUST_FLAG_TREEROOT;
}
}
diff --git a/source/winbindd/winbindd_misc.c b/source/winbindd/winbindd_misc.c
index c22da3e..93986d1 100644
--- a/source/winbindd/winbindd_misc.c
+++ b/source/winbindd/winbindd_misc.c
@@ -97,27 +97,104 @@ enum winbindd_result winbindd_dual_check_machine_acct(struct winbindd_domain *do
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
+/* Constants and helper functions for determining domain trust types */
+
+enum trust_type {
+ EXTERNAL = 0,
+ FOREST,
+ IN_FOREST,
+ NONE,
+};
+
+const char *trust_type_strings[] = {"External",
+ "Forest",
+ "In Forest",
+ "None"};
+
+static enum trust_type get_trust_type(struct winbindd_tdc_domain *domain)
+{
+ if (domain->trust_attribs == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
+ return EXTERNAL;
+ else if (domain->trust_attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
+ return FOREST;
+ else if (((domain->trust_flags & NETR_TRUST_FLAG_IN_FOREST) == NETR_TRUST_FLAG_IN_FOREST) &&
+ ((domain->trust_flags & NETR_TRUST_FLAG_PRIMARY) == 0x0))
+ return IN_FOREST;
+ return NONE;
+}
+
+static const char *get_trust_type_string(struct winbindd_tdc_domain *domain)
+{
+ return trust_type_strings[get_trust_type(domain)];
+}
+
+static bool trust_is_inbound(struct winbindd_tdc_domain *domain)
+{
+ return (domain->trust_flags == 0x0) ||
+ ((domain->trust_flags & NETR_TRUST_FLAG_IN_FOREST) ==
+ NETR_TRUST_FLAG_IN_FOREST) ||
+ ((domain->trust_flags & NETR_TRUST_FLAG_INBOUND) ==
+ NETR_TRUST_FLAG_INBOUND);
+}
+
+static bool trust_is_outbound(struct winbindd_tdc_domain *domain)
+{
+ return (domain->trust_flags == 0x0) ||
+ ((domain->trust_flags & NETR_TRUST_FLAG_IN_FOREST) ==
+ NETR_TRUST_FLAG_IN_FOREST) ||
+ ((domain->trust_flags & NETR_TRUST_FLAG_OUTBOUND) ==
+ NETR_TRUST_FLAG_OUTBOUND);
+}
+
+static bool trust_is_transitive(struct winbindd_tdc_domain *domain)
+{
+ if ((domain->trust_attribs == NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE) ||
+ (domain->trust_attribs == NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) ||
+ (domain->trust_attribs == NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL))
+ return False;
+ return True;
+}
+
void winbindd_list_trusted_domains(struct winbindd_cli_state *state)
{
- struct winbindd_domain *d = NULL;
+ struct winbindd_tdc_domain *dom_list = NULL;
+ struct winbindd_tdc_domain *d = NULL;
+ size_t num_domains = 0;
int extra_data_len = 0;
char *extra_data = NULL;
+ int i = 0;
DEBUG(3, ("[%5lu]: list trusted domains\n",
(unsigned long)state->pid));
- for ( d=domain_list(); d; d=d->next ) {
+ if( !wcache_tdc_fetch_list( &dom_list, &num_domains )) {
+ request_error(state);
+ goto done;
+ }
+
+ for ( i = 0; i < num_domains; i++ ) {
+ d = &dom_list[i];
if ( !extra_data ) {
- extra_data = talloc_asprintf(
- state->mem_ctx, "%s\\%s\\%s",
- d->name, d->alt_name ? d->alt_name : d->name,
- sid_string_talloc(state->mem_ctx, &d->sid));
+ extra_data = talloc_asprintf(state->mem_ctx,
+ "%s\\%s\\%s\\%s\\%s\\%s\\%s",
+ d->domain_name,
+ d->dns_name ? d->dns_name : d->domain_name,
+ sid_string_talloc(state->mem_ctx, &d->sid),
+ get_trust_type_string(d),
+ trust_is_transitive(d) ? "Yes" : "No",
+ trust_is_inbound(d) ? "Yes" : "No",
+ trust_is_outbound(d) ? "Yes" : "No");
} else {
- extra_data = talloc_asprintf(
- state->mem_ctx, "%s\n%s\\%s\\%s",
- extra_data, d->name,
- d->alt_name ? d->alt_name : d->name,
- sid_string_talloc(state->mem_ctx, &d->sid));
+ extra_data = talloc_asprintf(state->mem_ctx,
+ "%s\n%s\\%s\\%s\\%s\\%s\\%s\\%s",
+ extra_data,
+ d->domain_name,
+ d->dns_name ? d->dns_name : d->domain_name,
+ sid_string_talloc(state->mem_ctx, &d->sid),
+ get_trust_type_string(d),
+ trust_is_transitive(d) ? "Yes" : "No",
+ trust_is_inbound(d) ? "Yes" : "No",
+ trust_is_outbound(d) ? "Yes" : "No");
}
}
@@ -131,9 +208,10 @@ void winbindd_list_trusted_domains(struct winbindd_cli_state *state)
state->response.length += extra_data_len+1;
}
- TALLOC_FREE( extra_data );
-
request_ok(state);
+done:
+ TALLOC_FREE( dom_list );
+ TALLOC_FREE( extra_data );
}
enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *domain,
diff --git a/source/winbindd/winbindd_util.c b/source/winbindd/winbindd_util.c
index 038bafb..641fd5a 100644
--- a/source/winbindd/winbindd_util.c
+++ b/source/winbindd/winbindd_util.c
@@ -339,7 +339,7 @@ static void trustdom_recv(void *private_data, bool success)
*/
if ( state->primary ) {
- /* If this is our primary domain and we are not the in the
+ /* If this is our primary domain and we are not in the
forest root, we have to scan the root trusts first */
if ( !state->forest_root )
@@ -349,7 +349,7 @@ static void trustdom_recv(void *private_data, bool success)
} else if ( state->forest_root ) {
/* Once we have done root forest trust search, we can
- go on to search thing trusted forests */
+ go on to search the trusted forests */
rescan_forest_trusts();
}
@@ -419,7 +419,7 @@ static void rescan_forest_root_trusts( void )
}
/********************************************************************
- scan the transitive forest trists (not our own)
+ scan the transitive forest trusts (not our own)
********************************************************************/
--
Samba Shared Repository
More information about the samba-cvs
mailing list