[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-2497-gce45c77

Jeremy Allison jra at samba.org
Sat May 31 06:50:58 GMT 2008


The branch, v3-2-test has been updated
       via  ce45c773543c6687669fb6a9dd062a6a7e45b409 (commit)
      from  e7a295fa27f4bc7c0661873ef0d9661cfa9b14d0 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit ce45c773543c6687669fb6a9dd062a6a7e45b409
Author: Jeremy Allison <jra at samba.org>
Date:   Fri May 30 23:50:17 2008 -0700

    Split the winbindd_passdb backend into a 'builtin' and a 'sam'
    backend. This allows winbindd when running on a Samba PDC to
    correctly answer wbinfo -u lists and other queries.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/winbindd/winbindd_cache.c  |    6 +-
 source/winbindd/winbindd_ndr.c    |    9 +-
 source/winbindd/winbindd_passdb.c |  441 ++++++++++++++++++++++++++++---------
 source/winbindd/winbindd_util.c   |    8 +-
 4 files changed, 349 insertions(+), 115 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/winbindd/winbindd_cache.c b/source/winbindd/winbindd_cache.c
index 0203381..a11e96e 100644
--- a/source/winbindd/winbindd_cache.c
+++ b/source/winbindd/winbindd_cache.c
@@ -8,7 +8,7 @@
    Copyright (C) Volker Lendecke 2005
    Copyright (C) Guenther Deschner 2005
    Copyright (C) Michael Adam    2007
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
@@ -37,7 +37,7 @@ extern bool opt_nocache;
 #ifdef HAVE_ADS
 extern struct winbindd_methods ads_methods;
 #endif
-extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods builtin_passdb_methods;
 
 /*
  * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES.
@@ -137,7 +137,7 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
 	/* We have to know what type of domain we are dealing with first. */
 
 	if (domain->internal) {
-		domain->backend = &passdb_methods;
+		domain->backend = &builtin_passdb_methods;
 		domain->initialized = True;
 	}
 	if ( !domain->initialized ) {
diff --git a/source/winbindd/winbindd_ndr.c b/source/winbindd/winbindd_ndr.c
index 9d1502a..3e3ca32 100644
--- a/source/winbindd/winbindd_ndr.c
+++ b/source/winbindd/winbindd_ndr.c
@@ -74,7 +74,8 @@ void ndr_print_winbindd_cm_conn(struct ndr_print *ndr,
 extern struct winbindd_methods ads_methods;
 #endif
 extern struct winbindd_methods msrpc_methods;
-extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods builtin_passdb_methods;
+extern struct winbindd_methods sam_passdb_methods;
 extern struct winbindd_methods reconnect_methods;
 extern struct winbindd_methods cache_methods;
 
@@ -97,8 +98,10 @@ void ndr_print_winbindd_methods(struct ndr_print *ndr,
 	} else if (r == &ads_methods) {
 		ndr_print_string(ndr, name, "ads_methods");
 #endif
-	} else if (r == &passdb_methods) {
-		ndr_print_string(ndr, name, "passdb_methods");
+	} else if (r == &builtin_passdb_methods) {
+		ndr_print_string(ndr, name, "builtin_passdb_methods");
+	} else if (r == &sam_passdb_methods) {
+		ndr_print_string(ndr, name, "sam_passdb_methods");
 	} else if (r == &reconnect_methods) {
 		ndr_print_string(ndr, name, "reconnect_methods");
 	} else if (r == &cache_methods) {
diff --git a/source/winbindd/winbindd_passdb.c b/source/winbindd/winbindd_passdb.c
index 7c1d7bd..8b2016c 100644
--- a/source/winbindd/winbindd_passdb.c
+++ b/source/winbindd/winbindd_passdb.c
@@ -6,6 +6,7 @@
    Copyright (C) Tim Potter 2000-2001,2003
    Copyright (C) Simo Sorce 2003
    Copyright (C) Volker Lendecke 2004
+   Copyright (C) Jeremy Allison 2008
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -27,20 +28,6 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
-/* Query display info for a domain.  This returns enough information plus a
-   bit extra to give an overview of domain users for the User Manager
-   application. */
-static NTSTATUS query_user_list(struct winbindd_domain *domain,
-			       TALLOC_CTX *mem_ctx,
-			       uint32 *num_entries, 
-			       WINBIND_USERINFO **info)
-{
-	/* We don't have users */
-	*num_entries = 0;
-	*info = NULL;
-	return NT_STATUS_OK;
-}
-
 /* list all domain groups */
 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
 				TALLOC_CTX *mem_ctx,
@@ -167,16 +154,75 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
 			      char ***names,
 			      enum lsa_SidType **types)
 {
-	return NT_STATUS_UNSUCCESSFUL;
-}
+	size_t i;
+	bool have_mapped;
+	bool have_unmapped;
 
-/* Lookup user information from a rid or username. */
-static NTSTATUS query_user(struct winbindd_domain *domain, 
-			   TALLOC_CTX *mem_ctx, 
-			   const DOM_SID *user_sid,
-			   WINBIND_USERINFO *user_info)
-{
-	return NT_STATUS_NO_SUCH_USER;
+	*domain_name = NULL;
+	*names = NULL;
+	*types = NULL;
+
+	if (!num_rids) {
+		return NT_STATUS_OK;
+	}
+
+	/* Paranoia check */
+	if (!sid_check_is_in_builtin(sid) &&
+	    !sid_check_is_in_our_domain(sid) &&
+	    !sid_check_is_in_unix_users(sid) &&
+	    !sid_check_is_unix_users(sid) &&
+	    !sid_check_is_in_unix_groups(sid) &&
+	    !sid_check_is_unix_groups(sid) &&
+	    !sid_check_is_in_wellknown_domain(sid))
+	{
+		DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
+			  "passdb backend\n", sid_string_dbg(sid)));
+		return NT_STATUS_NONE_MAPPED;
+	}
+
+	*names = TALLOC_ARRAY(mem_ctx, char *, num_rids);
+	*types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
+
+	if ((*names == NULL) || (*types == NULL)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	have_mapped = have_unmapped = false;
+
+	for (i=0; i<num_rids; i++) {
+		DOM_SID lsid;
+		const char *dom = NULL, *nam = NULL;
+		enum lsa_SidType type = SID_NAME_UNKNOWN;
+
+		if (!sid_compose(&lsid, sid, rids[i])) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+
+		if (!lookup_sid(mem_ctx, &lsid, &dom, &nam, &type)) {
+			have_unmapped = true;
+			(*types)[i] = SID_NAME_UNKNOWN;
+			(*names)[i] = talloc_strdup(mem_ctx, "");
+		} else {
+			have_mapped = true;
+			(*types)[i] = type;
+			(*names)[i] = CONST_DISCARD(char *, nam);
+		}
+
+		if (domain_name == NULL) {
+			*domain_name = CONST_DISCARD(char *, dom);
+		} else {
+			char *dname = CONST_DISCARD(char *, dom);
+			TALLOC_FREE(dname);
+		}
+	}
+
+	if (!have_mapped) {
+		return NT_STATUS_NONE_MAPPED;
+	}
+	if (!have_unmapped) {
+		return NT_STATUS_OK;
+	}
+	return STATUS_SOME_UNMAPPED;
 }
 
 /* Lookup groups a user is a member of.  I wish Unix had a call like this! */
@@ -224,8 +270,247 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
 	return result;
 }
 
+/* find the sequence number for a domain */
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+{
+	bool result;
+	time_t seq_num;
+
+	result = pdb_get_seq_num(&seq_num);
+	if (!result) {
+		*seq = 1;
+	}
+
+	*seq = (int) seq_num;
+	/* *seq = 1; */
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS lockout_policy(struct winbindd_domain *domain,
+			       TALLOC_CTX *mem_ctx,
+			       struct samr_DomInfo12 *policy)
+{
+	/* actually we have that */
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS password_policy(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				struct samr_DomInfo1 *policy)
+{
+	uint32 min_pass_len,pass_hist,password_properties;
+	time_t u_expire, u_min_age;
+	NTTIME nt_expire, nt_min_age;
+	uint32 account_policy_temp;
+
+	if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+	min_pass_len = account_policy_temp;
+
+	if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+	pass_hist = account_policy_temp;
+
+	if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+	password_properties = account_policy_temp;
+	
+	if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+	u_expire = account_policy_temp;
+
+	if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+	u_min_age = account_policy_temp;
+
+	unix_to_nt_time_abs(&nt_expire, u_expire);
+	unix_to_nt_time_abs(&nt_min_age, u_min_age);
+
+	init_samr_DomInfo1(policy,
+			   (uint16)min_pass_len,
+			   (uint16)pass_hist,
+			   password_properties,
+			   nt_expire,
+			   nt_min_age);
+
+	return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ BUILTIN specific functions.
+*********************************************************************/
+
+/* Query display info for a domain.  This returns enough information plus a
+   bit extra to give an overview of domain users for the User Manager
+   application. */
+static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				uint32 *num_entries,
+				WINBIND_USERINFO **info)
+{
+	/* We don't have users */
+	*num_entries = 0;
+	*info = NULL;
+	return NT_STATUS_OK;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS builtin_query_user(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				const DOM_SID *user_sid,
+				WINBIND_USERINFO *user_info)
+{
+	return NT_STATUS_NO_SUCH_USER;
+}
+
+static NTSTATUS builtin_lookup_groupmem(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				const DOM_SID *group_sid, uint32 *num_names,
+				DOM_SID **sid_mem, char ***names,
+				uint32 **name_types)
+{
+	*num_names = 0;
+	*sid_mem = NULL;
+	*names = NULL;
+	*name_types = 0;
+	return NT_STATUS_NO_SUCH_GROUP;
+}
+
+/* get a list of trusted domains - builtin domain */
+static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				uint32 *num_domains,
+				char ***names,
+				char ***alt_names,
+				DOM_SID **dom_sids)
+{
+	*num_domains = 0;
+	*names = NULL;
+	*alt_names = NULL;
+	*dom_sids = NULL;
+	return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ SAM specific functions.
+*********************************************************************/
+
+static NTSTATUS sam_query_user_list(struct winbindd_domain *domain,
+				TALLOC_CTX *mem_ctx,
+				uint32 *num_entries,
+				WINBIND_USERINFO **info)
+{
+	struct pdb_search *ps = pdb_search_users(ACB_NORMAL);
+	struct samr_displayentry *entries = NULL;
+	uint32 i;
+
+	*num_entries = 0;
+	*info = NULL;
+
+	if (!ps) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*num_entries = pdb_search_entries(ps,
+					1, 0xffffffff,
+					&entries);
+
+	*info = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, *num_entries);
+	if (!(*info)) {
+		pdb_search_destroy(ps);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	for (i = 0; i < *num_entries; i++) {
+		struct samr_displayentry *e = &entries[i];
+
+		(*info)[i].acct_name = talloc_strdup(mem_ctx, e->account_name );
+		(*info)[i].full_name = talloc_strdup(mem_ctx, e->fullname );
+		(*info)[i].homedir = NULL;
+		(*info)[i].shell = NULL;
+		sid_compose(&(*info)[i].user_sid, &domain->sid, e->rid);
+
+		/* For the moment we set the primary group for
+		   every user to be the Domain Users group.
+		   There are serious problems with determining
+		   the actual primary group for large domains.
+		   This should really be made into a 'winbind
+		   force group' smb.conf parameter or
+		   something like that. */
+
+		sid_compose(&(*info)[i].group_sid, &domain->sid,
+				DOMAIN_GROUP_RID_USERS);
+	}
+
+	pdb_search_destroy(ps);
+	return NT_STATUS_OK;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS sam_query_user(struct winbindd_domain *domain,
+                           TALLOC_CTX *mem_ctx,
+                           const DOM_SID *user_sid,
+                           WINBIND_USERINFO *user_info)
+{
+	struct samu *sampass = NULL;
+
+	ZERO_STRUCTP(user_info);
+
+	if (!sid_check_is_in_our_domain(user_sid)) {
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	DEBUG(10,("sam_query_user: getting samu info for sid %s\n",
+		sid_string_dbg(user_sid) ));
+
+	if (!(sampass = samu_new(mem_ctx))) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!pdb_getsampwsid(sampass, user_sid)) {
+		TALLOC_FREE(sampass);
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	if (pdb_get_group_sid(sampass) == NULL) {
+		TALLOC_FREE(sampass);
+		return NT_STATUS_NO_SUCH_GROUP;
+	}
+
+	DEBUG(10,("sam_query_user: group sid %s\n",
+		sid_string_dbg(sampass->group_sid) ));
+
+	sid_copy(&user_info->user_sid, user_sid);
+	sid_copy(&user_info->group_sid, sampass->group_sid);
+
+	user_info->acct_name = talloc_strdup(mem_ctx, sampass->username ?
+					sampass->username : "");
+	user_info->full_name = talloc_strdup(mem_ctx, sampass->full_name ?
+					sampass->full_name : "");
+	user_info->homedir = talloc_strdup(mem_ctx, sampass->home_dir ?
+					sampass->home_dir : "");
+	if (sampass->unix_pw && sampass->unix_pw->pw_shell) {
+		user_info->shell = talloc_strdup(mem_ctx, sampass->unix_pw->pw_shell);
+	} else {
+		user_info->shell = talloc_strdup(mem_ctx, "");
+	}
+	user_info->primary_gid = sampass->unix_pw ? sampass->unix_pw->pw_gid : (gid_t)-1;
+
+	TALLOC_FREE(sampass);
+	return NT_STATUS_OK;
+}
+
 /* Lookup group membership given a rid.   */
-static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
 				TALLOC_CTX *mem_ctx,
 				const DOM_SID *group_sid, uint32 *num_names, 
 				DOM_SID **sid_mem, char ***names, 
@@ -320,83 +605,8 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 	return NT_STATUS_OK;
 }
 
-/* find the sequence number for a domain */
-static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
-{
-	bool result;
-	time_t seq_num;
-
-	result = pdb_get_seq_num(&seq_num);
-	if (!result) {
-		*seq = 1;
-	}
-
-	*seq = (int) seq_num;
-	/* *seq = 1; */
-	return NT_STATUS_OK;
-}
-
-static NTSTATUS lockout_policy(struct winbindd_domain *domain,
-			       TALLOC_CTX *mem_ctx,
-			       struct samr_DomInfo12 *policy)
-{
-	/* actually we have that */
-	return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS password_policy(struct winbindd_domain *domain,
-				TALLOC_CTX *mem_ctx,
-				struct samr_DomInfo1 *policy)
-{
-	uint32 min_pass_len,pass_hist,password_properties;
-	time_t u_expire, u_min_age;
-	NTTIME nt_expire, nt_min_age;
-	uint32 account_policy_temp;
-
-	if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-	min_pass_len = account_policy_temp;
-
-	if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-	pass_hist = account_policy_temp;
-
-	if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-	password_properties = account_policy_temp;
-	
-	if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-	u_expire = account_policy_temp;
-
-	if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-	u_min_age = account_policy_temp;
-
-	unix_to_nt_time_abs(&nt_expire, u_expire);
-	unix_to_nt_time_abs(&nt_min_age, u_min_age);
-
-	init_samr_DomInfo1(policy,
-			   (uint16)min_pass_len,
-			   (uint16)pass_hist,
-			   password_properties,
-			   nt_expire,
-			   nt_min_age);


-- 
Samba Shared Repository


More information about the samba-cvs mailing list