[SCM] Samba Shared Repository - branch master updated -
release-4-0-0alpha6-1045-gfc02c3b0
Steven Danneman
sdanneman at samba.org
Sat Feb 21 03:39:32 GMT 2009
The branch, master has been updated
via fc02c3b0890a9549989bb0aba16588026c6d6b43 (commit)
via c383022f89a34b83039502cc58178498cc06370e (commit)
via e311dcff2272968959b4268c2e7aad351443b191 (commit)
from 2539d678f54d09577d5c86fae1d6d43175bfca96 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit fc02c3b0890a9549989bb0aba16588026c6d6b43
Author: Dan Sledz <dan.sledz at isilon.com>
Date: Fri Feb 13 12:28:57 2009 -0800
Introduce a new passdb backend: pdb_onefs_sam
Implements a custom backend for onefs that exclusively uses the wbclient
interface for all passdb calls.
It lacks some features of a standard passdb.
In particular it's a read only interface and doesn't implement privileges.
commit c383022f89a34b83039502cc58178498cc06370e
Author: Dan Sledz <dan.sledz at isilon.com>
Date: Fri Feb 13 12:24:22 2009 -0800
Introduce a new authentication backend auth_onefs_wb
This new backend is custom tailored to onefs' unique requirements:
1) No fallback logic
2) Does not validate the domain of the user
3) Handles unencrypted passwords
commit e311dcff2272968959b4268c2e7aad351443b191
Author: Dan Sledz <dan.sledz at isilon.com>
Date: Tue Dec 9 08:29:26 2008 +0000
Allow building with an external libwbclient library
Introduce a new configure option --with-wbclient which specifies a
location to find a compatible libwbclient library to link against. This
options is overwritten by --with-winbind
-----------------------------------------------------------------------
Summary of changes:
source3/Makefile.in | 9 +
source3/auth/auth_onefs_wb.c | 134 +++++++++++++
source3/configure.in | 80 ++++++--
source3/passdb/pdb_onefs_sam.c | 433 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 636 insertions(+), 20 deletions(-)
create mode 100644 source3/auth/auth_onefs_wb.c
create mode 100644 source3/passdb/pdb_onefs_sam.c
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 98ed810..6087fa0 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -685,6 +685,7 @@ AUTH_SAM_OBJ = auth/auth_sam.o
AUTH_SERVER_OBJ = auth/auth_server.o
AUTH_UNIX_OBJ = auth/auth_unix.o
AUTH_WINBIND_OBJ = auth/auth_winbind.o
+AUTH_ONEFS_WB_OBJ = auth/auth_onefs_wb.o
AUTH_SCRIPT_OBJ = auth/auth_script.o
AUTH_NETLOGOND_OBJ = auth/auth_netlogond.o
@@ -2343,6 +2344,10 @@ bin/winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_WINBIND_OBJ)
@echo "Building plugin $@"
@$(SHLD_MODULE) $(AUTH_WINBIND_OBJ)
+bin/onefs_wb. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_ONEFS_WB_OBJ)
+ @echo "Building plugin $@"
+ @$(SHLD_MODULE) $(AUTH_ONEFS_WB_OBJ)
+
bin/unix. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_UNIX_OBJ)
@echo "Building plugin $@"
@$(SHLD_MODULE) $(AUTH_UNIX_OBJ)
@@ -2359,6 +2364,10 @@ bin/tdbsam. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_tdb.o
@echo "Building plugin $@"
@$(SHLD_MODULE) passdb/pdb_tdb.o
+bin/onefs_sam. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_onefs_sam.o
+ @echo "Building plugin $@"
+ @$(SHLD_MODULE) passdb/pdb_onefs_sam.o
+
bin/smbpasswd. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_smbpasswd.o
@echo "Building plugin $@"
@$(SHLD_MODULE) passdb/pdb_smbpasswd.o
diff --git a/source3/auth/auth_onefs_wb.c b/source3/auth/auth_onefs_wb.c
new file mode 100644
index 0000000..49de696
--- /dev/null
+++ b/source3/auth/auth_onefs_wb.c
@@ -0,0 +1,134 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind authentication mechnism, customized for onefs
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Andrew Bartlett 2001 - 2002
+ Copyright (C) Dan Sledz 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
+/* Authenticate a user with a challenge/response */
+
+static NTSTATUS check_onefs_wb_security(const struct auth_context *auth_context,
+ void *my_private_data,
+ TALLOC_CTX *mem_ctx,
+ const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status;
+ wbcErr wbc_status;
+ struct wbcAuthUserParams params;
+ struct wbcAuthUserInfo *info = NULL;
+ struct wbcAuthErrorInfo *err = NULL;
+
+ if (!user_info || !auth_context || !server_info) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ /* Send off request */
+
+ params.account_name = user_info->smb_name;
+ params.domain_name = user_info->domain;
+ params.workstation_name = user_info->wksta_name;
+
+ params.flags = 0;
+ params.parameter_control= user_info->logon_parameters;
+
+ /* Handle plaintext */
+ if (!user_info->encrypted) {
+ DEBUG(3,("Checking plaintext password for %s.\n",
+ user_info->internal_username));
+ params.level = WBC_AUTH_USER_LEVEL_PLAIN;
+
+ params.password.plaintext = user_info->plaintext_password.data;
+ } else {
+ DEBUG(3,("Checking encrypted password for %s.\n",
+ user_info->internal_username));
+ params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
+
+ memcpy(params.password.response.challenge,
+ auth_context->challenge.data,
+ sizeof(params.password.response.challenge));
+
+ params.password.response.nt_length = user_info->nt_resp.length;
+ params.password.response.nt_data = user_info->nt_resp.data;
+ params.password.response.lm_length = user_info->lm_resp.length;
+ params.password.response.lm_data = user_info->lm_resp.data;
+
+ }
+
+ /* we are contacting the privileged pipe */
+ become_root();
+ wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err);
+ unbecome_root();
+
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
+ wbc_status, wbcErrorString(wbc_status)));
+ }
+
+ if (wbc_status == WBC_ERR_NO_MEMORY) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (wbc_status == WBC_ERR_AUTH_ERROR) {
+ nt_status = NT_STATUS(err->nt_status);
+ wbcFreeMemory(err);
+ return nt_status;
+ }
+
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
+
+ nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
+ user_info->smb_name,
+ user_info->domain,
+ info, server_info);
+ wbcFreeMemory(info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ (*server_info)->nss_token |= user_info->was_mapped;
+
+ return nt_status;
+}
+
+/* module initialisation */
+static NTSTATUS auth_init_onefs_wb(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_context, auth_method)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*auth_method)->name = "onefs_wb";
+ (*auth_method)->auth = check_onefs_wb_security;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS auth_onefs_wb_init(void)
+{
+ return smb_register_auth(AUTH_INTERFACE_VERSION, "onefs_wb", auth_init_onefs_wb);
+}
diff --git a/source3/configure.in b/source3/configure.in
index 624862f..7fe824c 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -1104,6 +1104,7 @@ echo $samba_cv_HAVE_ONEFS
if test x"$samba_cv_HAVE_ONEFS" = x"yes"; then
AC_DEFINE(HAVE_ONEFS,1,[Whether building on Isilon OneFS])
default_shared_modules="$default_shared_modules vfs_onefs vfs_onefs_shadow_copy perfcount_onefs"
+ default_static_modules="$default_static_modules auth_onefs_wb pdb_onefs_sam"
ONEFS_LIBS="-lisi_acl -lisi_ecs -lisi_event -lisi_util"
# Need to also add general libs for oplocks support
save_LIBS="$save_LIBS -lisi_ecs -lisi_event -lisi_util -ldevstat"
@@ -5732,6 +5733,34 @@ AC_MSG_CHECKING(whether to build winbind)
# Initially, the value of $host_os decides whether winbind is supported
HAVE_WINBIND=yes
+HAVE_WBCLIENT=no
+
+# Define external wbclient library to link against. This disables winbind.
+# We define this here so --with-winbind can override it.
+AC_ARG_WITH(wbclient,
+[AS_HELP_STRING([--with-wbclient], [Use external wbclient (optional)])],
+[
+ case "$withval" in
+ no)
+ HAVE_WBCLIENT=no
+ ;;
+ yes)
+ HAVE_WBCLIENT=yes
+ HAVE_WINBIND=no
+ ;;
+ *)
+ HAVE_WBCLIENT=yes
+ HAVE_WINBIND=no
+ WBCLIENT_INCLUDES="-I$withval/include"
+ WBCLIENT_LDFLAGS="-L$withval/lib"
+ ;;
+ esac ],
+)
+
+AC_SUBST(WBCLIENT_INCLUDES)
+AC_SUBST(WBCLIENT_LDFLAGS)
+AC_SUBST(WBCLIENT_LIBS)
+
# Define the winbind shared library name and any specific linker flags
# it needs to be built with.
@@ -5813,6 +5842,7 @@ AC_ARG_WITH(winbind,
case "$withval" in
yes)
HAVE_WINBIND=yes
+ HAVE_WBCLIENT=no
;;
no)
HAVE_WINBIND=no
@@ -5836,27 +5866,35 @@ if test x"$HAVE_WINBIND" = x"no"; then
WINBIND_NSS=""
WINBIND_WINS_NSS=""
fi
-
-if test x"$enable_developer" = x"yes" -a x"$LINK_LIBWBCLIENT" = x"STATIC" ; then
- BUILD_LIBWBCLIENT_SHARED=no
-else
- BUILD_LIBWBCLIENT_SHARED=yes
-fi
-
-LIBWBCLIENT_SHARED_TARGET=bin/libwbclient.$SHLIBEXT
-LIBWBCLIENT_STATIC_TARGET=bin/libwbclient.a
-LIBWBCLIENT_SOVER=0
-if test $BLDSHARED = true -a x"$HAVE_WINBIND" = x"yes" -a x"$BUILD_LIBWBCLIENT_SHARED" = x"yes"; then
- NSS_MODULES="${WINBIND_NSS} ${WINBIND_WINS_NSS}"
- ## Only worry about libwbclient if we have shared library support
- ## and winbindd
- LIBWBCLIENT_SHARED=$LIBWBCLIENT_SHARED_TARGET
- LIBWBCLIENT=libwbclient
- INSTALL_LIBWBCLIENT=installlibwbclient
- UNINSTALL_LIBWBCLIENT=uninstalllibwbclient
- WINBIND_LIBS="-lwbclient"
+if test x"$HAVE_WBCLIENT" = x"yes"; then
+ AC_CHECK_LIB(wbclient, wbcInterfaceDetails,
+ [WINBIND_LIBS="-lwbclient"], AC_MSG_ERROR([Could not find wbclient]), [$WBCLIENT_LDFLAGS])
+ WINBIND_LIBS="$WINBIND_LIBS $WBCLIENT_LDFLAGS"
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(WITH_WINBIND,1,[Whether to link to wbclient])
+ EXTRA_BIN_PROGS="$EXTRA_BIN_PROGS bin/wbinfo\$(EXEEXT)"
else
- LIBWBCLIENT_STATIC=$LIBWBCLIENT_STATIC_TARGET
+ if test x"$enable_developer" = x"yes" -a x"$LINK_LIBWBCLIENT" = x"STATIC" ; then
+ BUILD_LIBWBCLIENT_SHARED=no
+ else
+ BUILD_LIBWBCLIENT_SHARED=yes
+ fi
+
+ LIBWBCLIENT_SHARED_TARGET=bin/libwbclient.$SHLIBEXT
+ LIBWBCLIENT_STATIC_TARGET=bin/libwbclient.a
+ LIBWBCLIENT_SOVER=0
+ if test $BLDSHARED = true -a x"$HAVE_WINBIND" = x"yes" -a x"$BUILD_LIBWBCLIENT_SHARED" = x"yes"; then
+ NSS_MODULES="${WINBIND_NSS} ${WINBIND_WINS_NSS}"
+ ## Only worry about libwbclient if we have shared
+ # library support
+ LIBWBCLIENT_SHARED=$LIBWBCLIENT_SHARED_TARGET
+ LIBWBCLIENT=libwbclient
+ INSTALL_LIBWBCLIENT=installlibwbclient
+ UNINSTALL_LIBWBCLIENT=uninstalllibwbclient
+ WINBIND_LIBS="-lwbclient"
+ else
+ LIBWBCLIENT_STATIC=$LIBWBCLIENT_STATIC_TARGET
+ fi
fi
if test x"$HAVE_WINBIND" = x"yes"; then
@@ -6108,6 +6146,7 @@ SMB_MODULE(pdb_ldap, passdb/pdb_ldap.o passdb/pdb_nds.o, "bin/ldapsam.$SHLIBEXT"
[ PASSDB_LIBS="$PASSDB_LIBS $LDAP_LIBS" ] )
SMB_MODULE(pdb_smbpasswd, passdb/pdb_smbpasswd.o, "bin/smbpasswd.$SHLIBEXT", PDB)
SMB_MODULE(pdb_tdbsam, passdb/pdb_tdb.o, "bin/tdbsam.$SHLIBEXT", PDB)
+SMB_MODULE(pdb_onefs_sam, passdb/pdb_onefs_sam.o, "bin/onefs_sam.$SHLIBEXT", PDB)
SMB_SUBSYSTEM(PDB,passdb/pdb_interface.o)
@@ -6150,6 +6189,7 @@ SMB_SUBSYSTEM(CHARSET,lib/iconv.o)
SMB_MODULE(auth_sam, \$(AUTH_SAM_OBJ), "bin/sam.$SHLIBEXT", AUTH)
SMB_MODULE(auth_unix, \$(AUTH_UNIX_OBJ), "bin/unix.$SHLIBEXT", AUTH)
SMB_MODULE(auth_winbind, \$(AUTH_WINBIND_OBJ), "bin/winbind.$SHLIBEXT", AUTH)
+SMB_MODULE(auth_onefs_wb, \$(AUTH_ONEFS_WB_OBJ), "bin/onefs_wb.$SHLIBEXT", AUTH)
SMB_MODULE(auth_server, \$(AUTH_SERVER_OBJ), "bin/smbserver.$SHLIBEXT", AUTH)
SMB_MODULE(auth_domain, \$(AUTH_DOMAIN_OBJ), "bin/domain.$SHLIBEXT", AUTH)
SMB_MODULE(auth_builtin, \$(AUTH_BUILTIN_OBJ), "bin/builtin.$SHLIBEXT", AUTH)
diff --git a/source3/passdb/pdb_onefs_sam.c b/source3/passdb/pdb_onefs_sam.c
new file mode 100644
index 0000000..51b8618
--- /dev/null
+++ b/source3/passdb/pdb_onefs_sam.c
@@ -0,0 +1,433 @@
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling for wbclient
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Jelmer Vernooij 2002
+ Copyright (C) Simo Sorce 2003
+ Copyright (C) Volker Lendecke 2006
+ Copyright (C) Dan Sledz 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/***************************************************************************
+ Default implementations of some functions.
+ ****************************************************************************/
+static NTSTATUS _pdb_onefs_sam_getsampw(struct pdb_methods *methods,
+ struct samu *user,
+ const struct passwd *pwd)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ if (pwd == NULL)
+ return NT_STATUS_NO_SUCH_USER;
+
+ memset(user, 0, sizeof(user));
+
+ /* Can we really get away with this little of information */
+ user->methods = methods;
+ result = samu_set_unix(user, pwd);
+
+ return result;
+}
+
+static NTSTATUS pdb_onefs_sam_getsampwnam(struct pdb_methods *methods, struct samu *user, const char *sname)
+{
+ return _pdb_onefs_sam_getsampw(methods, user, winbind_getpwnam(sname));
+}
+
+static NTSTATUS pdb_onefs_sam_getsampwsid(struct pdb_methods *methods, struct samu *user, const DOM_SID *sid)
+{
+ return _pdb_onefs_sam_getsampw(methods, user, winbind_getpwsid(sid));
+}
+
+static bool pdb_onefs_sam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ DOM_SID *sid)
+{
+ return winbind_uid_to_sid(sid, uid);
+}
+
+static bool pdb_onefs_sam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ DOM_SID *sid)
+{
+ return winbind_gid_to_sid(sid, gid);
+}
+
+static bool pdb_onefs_sam_sid_to_id(struct pdb_methods *methods,
+ const DOM_SID *sid,
+ union unid_t *id, enum lsa_SidType *type)
+{
+ if (winbind_sid_to_uid(&id->uid, sid)) {
+ *type = SID_NAME_USER;
+ } else if (winbind_sid_to_gid(&id->gid, sid)) {
+ /* We assume all gids are groups, not aliases */
+ *type = SID_NAME_DOM_GRP;
+ } else {
+ return false;
+ }
+
+ return true;
+}
+
+static NTSTATUS pdb_onefs_sam_enum_group_members(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *group,
+ uint32 **pp_member_rids,
+ size_t *p_num_members)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS pdb_onefs_sam_enum_group_memberships(struct pdb_methods *methods,
+ TALLOC_CTX *mem_ctx,
+ struct samu *user,
+ DOM_SID **pp_sids,
+ gid_t **pp_gids,
+ size_t *p_num_groups)
+{
+ size_t i;
+ const char *username = pdb_get_username(user);
+
+ if (!winbind_get_groups(mem_ctx, username, p_num_groups, pp_gids)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (*p_num_groups == 0) {
+ smb_panic("primary group missing");
+ }
+
+ *pp_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, *p_num_groups);
+
+ if (*pp_sids == NULL) {
+ TALLOC_FREE(*pp_gids);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i=0; i < *p_num_groups; i++) {
+ gid_to_sid(&(*pp_sids)[i], (*pp_gids)[i]);
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_onefs_sam_lookup_rids(struct pdb_methods *methods,
+ const DOM_SID *domain_sid,
+ int num_rids,
+ uint32 *rids,
+ const char **names,
+ enum lsa_SidType *attrs)
+{
+ NTSTATUS result = NT_STATUS_OK;
+ char *domain = NULL;
+ char **account_names = NULL;
+ char name[256];
+ enum lsa_SidType *attr_list = NULL;
+ int i;
+
+ if (!winbind_lookup_rids(talloc_tos(), domain_sid, num_rids, rids,
+ (const char **)&domain,
+ (const char ***)&account_names, &attr_list))
+ {
+ result = NT_STATUS_NONE_MAPPED;
+ goto done;
+ }
+
+ memcpy(attrs, attr_list, num_rids * sizeof(enum lsa_SidType));
+
+ for (i=0; i<num_rids; i++) {
+ if (attrs[i] == SID_NAME_UNKNOWN) {
+ names[i] = NULL;
+ } else {
+ snprintf(name, sizeof(name), "%s%c%s", domain,
+ *lp_winbind_separator(), account_names[i]);
+ names[i] = talloc_strdup(names, name);
+ }
+ }
+
+done:
+ TALLOC_FREE(account_names);
+ TALLOC_FREE(domain);
+ TALLOC_FREE(attrs);
+ return result;
+}
+
+static NTSTATUS pdb_onefs_sam_get_account_policy(struct pdb_methods *methods, int policy_index, uint32 *value)
+{
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS pdb_onefs_sam_set_account_policy(struct pdb_methods *methods, int policy_index, uint32 value)
+{
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+static bool pdb_onefs_sam_search_groups(struct pdb_methods *methods,
+ struct pdb_search *search)
+{
+ return false;
+}
+
+static bool pdb_onefs_sam_search_aliases(struct pdb_methods *methods,
+ struct pdb_search *search,
+ const DOM_SID *sid)
+{
+
+ return false;
+}
+
+static bool pdb_onefs_sam_get_trusteddom_pw(struct pdb_methods *methods,
+ const char *domain,
+ char **pwd,
--
Samba Shared Repository
More information about the samba-cvs
mailing list