[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1735-gcbe3dab

Bo Yang boyang at samba.org
Thu May 21 03:17:18 GMT 2009


The branch, master has been updated
       via  cbe3dabb9d1fe4e16e14c50550df2afab7e4a21e (commit)
       via  8c7a579bdcca32897bd9ee716a488568b721ed90 (commit)
       via  e65aa34078f5c2c969103a23d6693071d88672a2 (commit)
      from  000da55dd930d151db14ee8eed58e82806522692 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cbe3dabb9d1fe4e16e14c50550df2afab7e4a21e
Author: Bo Yang <boyang at samba.org>
Date:   Fri May 22 02:12:59 2009 +0800

    s3: Fix onlinestatus msg to return status of all domain instead of omitting trusted domains
    
    Signed-off-by: Bo Yang <boyang at samba.org>

commit 8c7a579bdcca32897bd9ee716a488568b721ed90
Author: Bo Yang <boyang at samba.org>
Date:   Fri May 22 02:03:32 2009 +0800

    s3: set winbindd request flags in ntlm_auth to make it contact trusted domain when krb5 auth is enabled
    
    Signed-off-by: Bo Yang <boyang at samba.org>

commit e65aa34078f5c2c969103a23d6693071d88672a2
Author: Bo Yang <boyang at samba.org>
Date:   Fri May 22 01:39:03 2009 +0800

    s3: Fix request flags in wbinfo when perform krb5 authentication
    
    Signed-off-by: Bo Yang <boyang at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/wbinfo.c                |    3 +-
 source3/Makefile.in              |    2 +-
 source3/utils/ntlm_auth.c        |   57 ++++++++++++++++-
 source3/utils/ntlm_auth_proto.h  |    1 +
 source3/winbindd/winbindd_dual.c |  129 +++++++++++++++-----------------------
 5 files changed, 111 insertions(+), 81 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 9ee0e01..04addda 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2031,7 +2031,8 @@ int main(int argc, char **argv, char **envp)
 				uint32 flags =  WBFLAG_PAM_KRB5 |
 						WBFLAG_PAM_CACHED_LOGIN |
 						WBFLAG_PAM_FALLBACK_AFTER_KRB5 |
-						WBFLAG_PAM_INFO3_TEXT;
+						WBFLAG_PAM_INFO3_TEXT |
+						WBFLAG_PAM_CONTACT_TRUSTDOM;
 
 				if (!wbinfo_auth_krb5(string_arg, "FILE", flags)) {
 					d_fprintf(stderr, "Could not authenticate user [%s] with "
diff --git a/source3/Makefile.in b/source3/Makefile.in
index fdcd86a..585bd5d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -2813,7 +2813,7 @@ bin/ntlm_auth at EXEEXT@: $(BINARY_PREREQS) $(NTLM_AUTH_OBJ) $(PARAM_OBJ) \
 	@$(CC) -o $@ $(LDFLAGS) $(DYNEXP) $(NTLM_AUTH_OBJ) \
 		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBS) \
 		$(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \
-		$(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS)
+		$(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) @INIPARSERLIBS@
 
 bin/pam_smbpass. at SHLIBEXT@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) @LIBTALLOC_TARGET@ @LIBWBCLIENT_TARGET@ @LIBTDB_TARGET@
 	@echo "Linking shared library $@"
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 50688bf..6de5ea6 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -26,6 +26,13 @@
 #include "includes.h"
 #include "utils/ntlm_auth.h"
 #include "../libcli/auth/libcli_auth.h"
+#include <iniparser.h>
+
+#ifndef PAM_WINBIND_CONFIG_FILE
+#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
+#endif
+
+#define WINBIND_KRB5_AUTH	0x00000080
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
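Review bot: `#define WINBIND_KRB5_AUTH 0x00000080` is a bare magic value with no comment saying where it comes from, and nothing on this page ties it to the `krb5_auth` key it is later derived from. If it mirrors a control flag of the same name in pam_winbind, that should be stated so the two cannot silently drift: `/* Mirrors pam_winbind's WINBIND_KRB5_AUTH ctrl bit; keep the value in sync */`. If the flag is only ever consumed inside ntlm_auth.c, a comment saying it is a local bitmask for get_pam_winbind_config() is enough.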
@@ -125,6 +132,7 @@ static int use_cached_creds;
 
 static const char *require_membership_of;
 static const char *require_membership_of_sid;
+static const char *opt_pam_winbind_conf;
 
 static char winbind_separator(void)
 {
@@ -279,6 +287,36 @@ static bool get_require_membership_sid(void) {
 
 	return False;
 }
+
+/* 
+ * Get some configuration from pam_winbind.conf to see if we 
+ * need to contact trusted domain
+ */
+
+int get_pam_winbind_config()
+{
+	int ctrl = 0;
+	dictionary *d = NULL;
+	
+	if (!opt_pam_winbind_conf || !*opt_pam_winbind_conf) {
+		opt_pam_winbind_conf = PAM_WINBIND_CONFIG_FILE;
+	}
+
+	d = iniparser_load(CONST_DISCARD(char *, opt_pam_winbind_conf));
+	
+	if (!d) {
+		return 0;
+	}
+	
+	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:krb5_auth"), false)) {
+		ctrl |= WINBIND_KRB5_AUTH;
+	}
+
+	iniparser_freedict(d);
+	
+	return ctrl;
+}
+
 /* Authenticate a user with a plaintext password */
 
 static bool check_plaintext_auth(const char *user, const char *pass,
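Review bot: The definition `int get_pam_winbind_config()` uses an empty parameter list while the prototype added in ntlm_auth_proto.h in this same changeset declares `int get_pam_winbind_config(void);`; the definition should be `int get_pam_winbind_config(void)` so that it is a real prototype and matches the header. The header comment above the function only says what it reads; it should also state the contract, e.g. that it returns a bitmask of WINBIND_* bits (currently only WINBIND_KRB5_AUTH), falls back to PAM_WINBIND_CONFIG_FILE when no path was given, and returns 0 when the file cannot be loaded. That silent-0 path is worth a `DEBUG(3, ...)` line naming opt_pam_winbind_conf, since an unreadable or mis-specified file will otherwise look exactly like `krb5_auth = no` to anyone debugging why trusted domains are not contacted.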
@@ -677,12 +715,27 @@ static NTSTATUS do_ccache_ntlm_auth(DATA_BLOB initial_msg, DATA_BLOB challenge_m
 {
 	struct winbindd_request wb_request;
 	struct winbindd_response wb_response;
+	int ctrl = 0;
 	NSS_STATUS result;
 
 	/* get winbindd to do the ntlmssp step on our behalf */
 	ZERO_STRUCT(wb_request);
 	ZERO_STRUCT(wb_response);
 
+	/*
+	 * This is tricky here. If we set krb5_auth in pam_winbind.conf
+	 * creds for users in trusted domain will be stored the winbindd
+	 * child of the trusted domain. If we ask the primary domain for
+	 * ntlm_ccache_auth, it will fail. So, we have to ask the trusted
+	 * domain's child for ccache_ntlm_auth. that is to say, we have to 
+	 * set WBFALG_PAM_CONTACT_TRUSTDOM in request.flags.
+	 */
+	ctrl = get_pam_winbind_config();
+
+	if (ctrl | WINBIND_KRB5_AUTH) {
+		wb_request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM;
+	}
+
 	fstr_sprintf(wb_request.data.ccache_ntlm_auth.user,
 		"%s%c%s", opt_domain, winbind_separator(), opt_username);
 	wb_request.data.ccache_ntlm_auth.uid = geteuid();
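Review bot: `if (ctrl | WINBIND_KRB5_AUTH)` is a bitwise OR, so the condition is always true and WBFLAG_PAM_CONTACT_TRUSTDOM is set regardless of what get_pam_winbind_config() returned; the test should be `if (ctrl & WINBIND_KRB5_AUTH) {`. As written the new option and the config lookup have no effect on behaviour. The comment above it also misspells the flag (`WBFALG_PAM_CONTACT_TRUSTDOM` should read `WBFLAG_PAM_CONTACT_TRUSTDOM`). The body of do_ccache_ntlm_auth continues past the end of this hunk.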
@@ -2308,7 +2361,8 @@ enum {
 	OPT_USER_SESSION_KEY,
 	OPT_DIAGNOSTICS,
 	OPT_REQUIRE_MEMBERSHIP,
-	OPT_USE_CACHED_CREDS
+	OPT_USE_CACHED_CREDS,
+	OPT_PAM_WINBIND_CONF
 };
 
  int main(int argc, const char **argv)
@@ -2347,6 +2401,7 @@ enum {
 		{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
 		{ "diagnostics", 0, POPT_ARG_NONE, &diagnostics, OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"},
 		{ "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" },
+		{ "pam-winbind-conf", 0, POPT_ARG_STRING, &opt_pam_winbind_conf, OPT_PAM_WINBIND_CONF, "Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required" },
 		POPT_COMMON_CONFIGFILE
 		POPT_COMMON_VERSION
 		POPT_TABLEEND
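Review bot: The help string for `--pam-winbind-conf` describes an internal request flag rather than telling the user what the option takes; since the argument is a file path whose default is PAM_WINBIND_CONFIG_FILE, something like `"Path to pam_winbind.conf (default /etc/security/pam_winbind.conf); when krb5_auth is enabled there, winbindd is asked to contact trusted domains"` would be clearer. The surrounding main() starts before this hunk.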
diff --git a/source3/utils/ntlm_auth_proto.h b/source3/utils/ntlm_auth_proto.h
index e48a190..5f8d264 100644
--- a/source3/utils/ntlm_auth_proto.h
+++ b/source3/utils/ntlm_auth_proto.h
@@ -44,5 +44,6 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 /* The following definitions come from utils/ntlm_auth_diagnostics.c  */
 
 bool diagnose_ntlm_auth(void);
+int get_pam_winbind_config(void);
 
 #endif /*  _NTLM_AUTH_PROTO_H_  */
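Review bot: The new prototype is placed directly under the comment `/* The following definitions come from utils/ntlm_auth_diagnostics.c */`, but this changeset defines get_pam_winbind_config() in utils/ntlm_auth.c, so the header now misattributes it. It should go under the section for utils/ntlm_auth.c (above this hunk) or carry its own `/* The following definitions come from utils/ntlm_auth.c */` line.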
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 893303e..a69d34f 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -692,29 +692,66 @@ void winbind_msg_online(struct messaging_context *msg_ctx,
 	}
 }
 
-/* Forward the online/offline messages to our children. */
+static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
+{
+	struct winbindd_domain *domain;
+	char *buf = NULL;
+
+	if ((buf = talloc_asprintf(mem_ctx, "global:%s ", 
+				   get_global_winbindd_state_offline() ? 
+				   "Offline":"Online")) == NULL) {
+		return NULL;
+	}
+
+	for (domain = domain_list(); domain; domain = domain->next) {
+		if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ", 
+						  domain->name, 
+						  domain->online ?
+						  "Online":"Offline")) == NULL) {
+			return NULL;
+		}
+	}
+
+	buf = talloc_asprintf_append_buffer(buf, "\n");
+
+	DEBUG(5,("collect_onlinestatus: %s", buf));
+
+	return buf;
+}
+
 void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
 			      void *private_data,
 			      uint32_t msg_type,
 			      struct server_id server_id,
 			      DATA_BLOB *data)
 {
-	struct winbindd_child *child;
+	TALLOC_CTX *mem_ctx;
+	const char *message;
+	struct server_id *sender;
+	
+	DEBUG(5,("winbind_msg_onlinestatus received.\n"));
+
+	if (!data->data) {
+		return;
+	}
 
-	DEBUG(10,("winbind_msg_onlinestatus: got onlinestatus message.\n"));
+	sender = (struct server_id *)data->data;
 
-	for (child = children; child != NULL; child = child->next) {
-		if (child->domain && child->domain->primary) {
-			DEBUG(10,("winbind_msg_onlinestatus: "
-				  "sending message to pid %u of primary domain.\n",
-				  (unsigned int)child->pid));
-			messaging_send_buf(msg_ctx, pid_to_procid(child->pid), 
-					   MSG_WINBIND_ONLINESTATUS,
-					   (uint8 *)data->data,
-					   data->length);
-			break;
-		}
+	mem_ctx = talloc_init("winbind_msg_onlinestatus");
+	if (mem_ctx == NULL) {
+		return;
 	}
+	
+	message = collect_onlinestatus(mem_ctx);
+	if (message == NULL) {
+		talloc_destroy(mem_ctx);
+		return;
+	}
+
+	messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS, 
+			   (uint8 *)message, strlen(message) + 1);
+
+	talloc_destroy(mem_ctx);
 }
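Review bot: `sender = (struct server_id *)data->data;` in winbind_msg_onlinestatus is done after checking only that data->data is non-NULL; the message length is never compared with sizeof(struct server_id), so a short message is read past its end before it is used in messaging_send_buf(). The guard should be `if (!data->data || data->length < sizeof(struct server_id)) {`, and copying into a local with `memcpy(&sender_id, data->data, sizeof(sender_id));` would also avoid dereferencing a possibly misaligned uint8 buffer. In the moved collect_onlinestatus(), the result of `talloc_asprintf_append_buffer(buf, "\n")` is not checked, so a failure there passes NULL to the `%s` in the DEBUG line; checking it like the earlier appends would keep the function consistent.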
 
 void winbind_msg_dump_event_list(struct messaging_context *msg_ctx,
@@ -1068,68 +1105,6 @@ static void child_msg_online(struct messaging_context *msg,
 	}
 }
 
-static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
-{
-	struct winbindd_domain *domain;
-	char *buf = NULL;
-
-	if ((buf = talloc_asprintf(mem_ctx, "global:%s ", 
-				   get_global_winbindd_state_offline() ? 
-				   "Offline":"Online")) == NULL) {
-		return NULL;
-	}
-
-	for (domain = domain_list(); domain; domain = domain->next) {
-		if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ", 
-						  domain->name, 
-						  domain->online ?
-						  "Online":"Offline")) == NULL) {
-			return NULL;
-		}
-	}
-
-	buf = talloc_asprintf_append_buffer(buf, "\n");
-
-	DEBUG(5,("collect_onlinestatus: %s", buf));
-
-	return buf;
-}
-
-static void child_msg_onlinestatus(struct messaging_context *msg_ctx,
-				   void *private_data,
-				   uint32_t msg_type,
-				   struct server_id server_id,
-				   DATA_BLOB *data)
-{
-	TALLOC_CTX *mem_ctx;
-	const char *message;
-	struct server_id *sender;
-
-	DEBUG(5,("winbind_msg_onlinestatus received.\n"));
-
-	if (!data->data) {
-		return;
-	}
-
-	sender = (struct server_id *)data->data;
-
-	mem_ctx = talloc_init("winbind_msg_onlinestatus");
-	if (mem_ctx == NULL) {
-		return;
-	}
-
-	message = collect_onlinestatus(mem_ctx);
-	if (message == NULL) {
-		talloc_destroy(mem_ctx);
-		return;
-	}
-
-	messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS, 
-			   (uint8 *)message, strlen(message) + 1);
-
-	talloc_destroy(mem_ctx);
-}
-
 static void child_msg_dump_event_list(struct messaging_context *msg,
 				      void *private_data,
 				      uint32_t msg_type,
@@ -1296,8 +1271,6 @@ static bool fork_domain_child(struct winbindd_child *child)
 	messaging_register(winbind_messaging_context(), NULL,
 			   MSG_WINBIND_ONLINE, child_msg_online);
 	messaging_register(winbind_messaging_context(), NULL,
-			   MSG_WINBIND_ONLINESTATUS, child_msg_onlinestatus);
-	messaging_register(winbind_messaging_context(), NULL,
 			   MSG_DUMP_EVENT_LIST, child_msg_dump_event_list);
 	messaging_register(winbind_messaging_context(), NULL,
 			   MSG_DEBUG, debug_message);

