[SCM] Samba Shared Repository - branch v4-0-test updated
Karolin Seeger
kseeger at samba.org
Mon Aug 5 03:55:05 MDT 2013
The branch, v4-0-test has been updated
via 221cffa s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_my_addr()
via 85db68b s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr()
via 93d4207 s4:server: avoid calling into nss_winbind from within 'samba'
via 45349be s4:rpc_server: make sure we don't terminate a connection with pending requests (bug #9820)
via a1a7349 s4-winbindd: Do not terminate a connection that is still pending (bug #9820)
via c257e3b service_stream: Log if the connection termination is deferred or not (bug #9820)
via a629507 s4-winbind: Add special case for BUILTIN domain
via 7ded0ce pam_winbind: update documentation for "DIR" krb5ccname pragma.
via 7ce7020 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
via 98393f9 wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
from 64dce3c s3-netlogon: enumerate UPN suffixes from PASSDB when available
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 221cffa25510b6115490b5c48d60ec231357a068
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 24 10:19:26 2013 +1200
s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_my_addr()
This caused crashes in _tsocket_address_bsd_from_sockaddr() when we
read past the end of the allocation.
(similar to commit e9ae36e9683372b86f1efbd29904722a33fea083)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10042
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jul 24 14:37:43 CEST 2013 on sn-devel-104
(cherry picked from commit 077dfd0a89a854c21b91b0f871d034fd9fe82a9a)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-0-test): Mon Aug 5 11:54:46 CEST 2013 on sn-devel-104
commit 85db68b26c7572e7ea7bc820d14045658803f188
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jul 24 10:19:26 2013 +1200
s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr()
This caused crashes in _tsocket_address_bsd_from_sockaddr() when we
read past the end of the allocation.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e9ae36e9683372b86f1efbd29904722a33fea083)
commit 93d42071056980a9a438cfe4660154a6050226dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 10 14:48:18 2013 +0200
s4:server: avoid calling into nss_winbind from within 'samba'
The most important part is that the 'winbind_server' doesn't
recurse into itself. This could happen if the krb5 libraries
call getlogin().
As we may run in single process mode, we need to set
_NO_WINBINDD=1 everywhere, the only exception is the forked
'smbd'.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
The last 5 patches address bug #9820 - crash of winbind after "ls -l
/usr/local/samba/var/locks/sysvol".
commit 45349be04011579f0a65ae687c13c90beaeda684
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 9 16:38:59 2013 +0200
s4:rpc_server: make sure we don't terminate a connection with pending requests (bug #9820)
Sadly we may have nested event loops, which won't work correctly with
broken connections, that's why we have to do this...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 10 08:47:38 CEST 2013 on sn-devel-104
(cherry picked from commit e6a58d370403e818bc2cfb8389751b78adcc14fd)
commit a1a7349888e8f3709a6e98b2ca94be6a4dd13258
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 11:28:03 2013 +1000
s4-winbindd: Do not terminate a connection that is still pending (bug #9820)
Instead, wait until the call attempts to reply, and let it terminate then
(often this happens in the attempt to then write to the broken pipe).
Andrew Bartlett
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 2505d48e4fbcd8a805a88ad0b05fb1a16a588197)
commit c257e3bdf5ff719652ac6e6683c889e2fe449ccd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jun 27 11:27:03 2013 +1000
service_stream: Log if the connection termination is deferred or not (bug #9820)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit df929d6feb857668ad9da277213e9fae1480ff63)
commit a629507db95f3d5842f83408708bdd04340e52df
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Jun 15 23:01:44 2013 +1000
s4-winbind: Add special case for BUILTIN domain
This should mean that lookups for the BUILTIN domain cause less trouble
then they have in the past, because they will no longer go via the
trusted domain handler.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Jun 20 15:30:00 CEST 2013 on sn-devel-104
(cherry picked from commit 88c72fceb1c86752c52651bdea5b116806dd92c5)
commit 7ded0ceec146e6283f3b3917888957ee8054d82e
Author: Günther Deschner <gd at samba.org>
Date: Thu Jul 18 19:09:14 2013 +0200
pam_winbind: update documentation for "DIR" krb5ccname pragma.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104
(cherry picked from commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb)
The last 3 patches address bug #10043 - Allow to change the default location for
Kerberos credential caches.
commit 7ce7020bb88f1b0f85e53f8672aa9d33b562d9fe
Author: Günther Deschner <gd at samba.org>
Date: Thu Jul 18 19:05:51 2013 +0200
s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
It is currently only available in MIT. In addition, allow to define custom
filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the
%u pattern.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7ad3a367d52b1f123c318946d654e95639202130)
commit 98393f952662aff8fa9dc316c96d51e93c48be3d
Author: Günther Deschner <gd at samba.org>
Date: Thu Jul 18 19:04:29 2013 +0200
wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95)
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/pam_winbind.conf.5.xml | 39 ++++++++++++++++-----
examples/pam_winbind/pam_winbind.conf | 3 +-
file_server/file_server.c | 9 +++++
nsswitch/wbinfo.c | 6 ++-
source3/winbindd/winbindd_pam.c | 23 ++++++++++++
source4/lib/socket/socket_unix.c | 8 ++--
source4/rpc_server/dcerpc_server.c | 55 ++++++++++++++++++++++++++++-
source4/rpc_server/dcerpc_server.h | 8 ++++-
source4/smbd/server.c | 7 ++++
source4/smbd/service_stream.c | 6 +++-
source4/winbind/wb_dom_info.c | 5 ++-
source4/winbind/wb_init_domain.c | 38 +++++++++++----------
source4/winbind/wb_samba3_protocol.c | 5 +++
source4/winbind/wb_server.c | 51 +++++++++++++++++++++++++++-
source4/winbind/wb_server.h | 10 +++++-
source4/winbind/wb_sid2domain.c | 14 +++++++
16 files changed, 244 insertions(+), 43 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 7098ff4..be7f684 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,35 @@
<term>krb5_ccache_type = [type]</term>
<listitem><para>
- When pam_winbind is configured to try kerberos authentication
- by enabling the <parameter>krb5_auth</parameter> option, it can
- store the retrieved Ticket Granting Ticket (TGT) in a
- credential cache. The type of credential cache can be set with
- this option. Currently the only supported value is:
- <parameter>FILE</parameter>. In that case a credential cache in
- the form of /tmp/krb5cc_UID will be created, where UID is
- replaced with the numeric user id. Leave empty to just do
- kerberos authentication without having a ticket cache after the
- logon has succeeded. This setting is empty by default.
+ When pam_winbind is configured to try kerberos authentication by
+ enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a credential
+ cache. The type of credential cache can be controlled with this
+ option. The supported values are: <parameter>FILE</parameter>
+ and <parameter>DIR</parameter> (when the DIR type is supported
+ by the system's Kerberos library). In case of FILE a credential
+ cache in the form of /tmp/krb5cc_UID will be created - in case
+ of DIR it will be located under the /run/user/UID/krb5cc
+ directory. UID is replaced with the numeric user id.</para>
+
+ <para>It is also possible to define custom filepaths and use the "%u"
+ pattern in order to substitue the numeric user id.
+ Examples:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+ <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+ <listitem><para>This will create a credential cache file.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para> Leave empty to just do kerberos authentication without
+ having a ticket cache after the logon has succeeded.
+ This setting is empty by default.
</para></listitem>
</varlistentry>
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
index dd0b112..87bc388 100644
--- a/examples/pam_winbind/pam_winbind.conf
+++ b/examples/pam_winbind/pam_winbind.conf
@@ -3,6 +3,7 @@
#
# /etc/security/pam_winbind.conf
#
+# For more details see man pam_winbind.conf(5)
[global]
@@ -19,7 +20,7 @@
# authenticate using kerberos
;krb5_auth = no
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
diff --git a/file_server/file_server.c b/file_server/file_server.c
index 430782c..43618f5 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -28,6 +28,7 @@
#include "source4/smbd/process_model.h"
#include "file_server/file_server.h"
#include "dynconfig.h"
+#include "nsswitch/winbind_client.h"
/*
called if smbd exits
@@ -64,6 +65,8 @@ static void s3fs_task_init(struct task_server *task)
smbd_path = talloc_asprintf(task, "%s/smbd", dyn_SBINDIR);
smbd_cmd[0] = smbd_path;
+ /* the child should be able to call through nss_winbind */
+ (void)winbind_on();
/* start it as a child process */
subreq = samba_runcmd_send(task, task->event_ctx, timeval_zero(), 1, 0,
smbd_cmd,
@@ -71,6 +74,12 @@ static void s3fs_task_init(struct task_server *task)
"--foreground",
debug_get_output_is_stdout()?"--log-stdout":NULL,
NULL);
+ /* the parent should not be able to call through nss_winbind */
+ if (!winbind_off()) {
+ DEBUG(0,("Failed to re-disable recursive winbindd calls after forking smbd\n"));
+ task_server_terminate(task, "Failed to re-disable recursive winbindd calls", true);
+ return;
+ }
if (subreq == NULL) {
DEBUG(0, ("Failed to start smbd as child daemon\n"));
task_server_terminate(task, "Failed to startup s3fs smb task", true);
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 762382c..abe4844 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2071,6 +2071,7 @@ int main(int argc, char **argv, char **envp)
bool use_lanman = false;
char *logoff_user = getenv("USER");
int logoff_uid = geteuid();
+ const char *opt_krb5ccname = "FILE";
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -2152,6 +2153,7 @@ int main(int argc, char **argv, char **envp)
{ "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" },
/* destroys wbinfo --help output */
/* "user%password,DOM\\user%password,user at EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
+ { "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
#endif
{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
{ "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
@@ -2521,13 +2523,13 @@ int main(int argc, char **argv, char **envp)
WBFLAG_PAM_INFO3_TEXT |
WBFLAG_PAM_CONTACT_TRUSTDOM;
- if (!wbinfo_auth_krb5(string_arg, "FILE",
+ if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname,
flags)) {
d_fprintf(stderr,
"Could not authenticate user "
"[%s] with Kerberos "
"(ccache: %s)\n", string_arg,
- "FILE");
+ opt_krb5ccname);
goto done;
}
break;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 99794e6..6fbad72 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
gen_cc = talloc_asprintf(
mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
}
+ if (strequal(type, "DIR")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+ }
+
+ if (strnequal(type, "FILE:/", 6) ||
+ strnequal(type, "WRFILE:/", 8) ||
+ strnequal(type, "DIR:/", 5)) {
+
+ /* we allow only one "%u" substitution */
+
+ char *p;
+
+ p = strchr(type, '%');
+ if (p != NULL) {
+
+ p++;
+
+ if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
+ gen_cc = talloc_asprintf(mem_ctx, type, uid);
+ }
+ }
+ }
}
*user_ccache_file = gen_cc;
diff --git a/source4/lib/socket/socket_unix.c b/source4/lib/socket/socket_unix.c
index 0774b12..6876e39 100644
--- a/source4/lib/socket/socket_unix.c
+++ b/source4/lib/socket/socket_unix.c
@@ -323,7 +323,7 @@ static char *unixdom_get_peer_name(struct socket_context *sock, TALLOC_CTX *mem_
static struct socket_address *unixdom_get_peer_addr(struct socket_context *sock, TALLOC_CTX *mem_ctx)
{
- struct sockaddr_in *peer_addr;
+ struct sockaddr_un *peer_addr;
socklen_t len = sizeof(*peer_addr);
struct socket_address *peer;
int ret;
@@ -334,7 +334,7 @@ static struct socket_address *unixdom_get_peer_addr(struct socket_context *sock,
}
peer->family = sock->backend_name;
- peer_addr = talloc(peer, struct sockaddr_in);
+ peer_addr = talloc(peer, struct sockaddr_un);
if (!peer_addr) {
talloc_free(peer);
return NULL;
@@ -362,7 +362,7 @@ static struct socket_address *unixdom_get_peer_addr(struct socket_context *sock,
static struct socket_address *unixdom_get_my_addr(struct socket_context *sock, TALLOC_CTX *mem_ctx)
{
- struct sockaddr_in *local_addr;
+ struct sockaddr_un *local_addr;
socklen_t len = sizeof(*local_addr);
struct socket_address *local;
int ret;
@@ -373,7 +373,7 @@ static struct socket_address *unixdom_get_my_addr(struct socket_context *sock, T
}
local->family = sock->backend_name;
- local_addr = talloc(local, struct sockaddr_in);
+ local_addr = talloc(local, struct sockaddr_un);
if (!local_addr) {
talloc_free(local);
return NULL;
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 389cbe3..10e711b 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -386,6 +386,8 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
return NT_STATUS_NO_MEMORY;
}
+ p->prev = NULL;
+ p->next = NULL;
p->dce_ctx = dce_ctx;
p->endpoint = ep;
p->contexts = NULL;
@@ -402,7 +404,7 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
p->event_ctx = event_ctx;
p->msg_ctx = msg_ctx;
p->server_id = server_id;
- p->processing = false;
+ p->terminate = NULL;
p->state_flags = state_flags;
ZERO_STRUCT(p->transport);
@@ -1143,6 +1145,7 @@ _PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
dce_ctx->lp_ctx = lp_ctx;
dce_ctx->assoc_groups_idr = idr_init(dce_ctx);
NT_STATUS_HAVE_NO_MEMORY(dce_ctx->assoc_groups_idr);
+ dce_ctx->broken_connections = NULL;
for (i=0;endpoint_servers[i];i++) {
const struct dcesrv_endpoint_server *ep_server;
@@ -1269,12 +1272,45 @@ const struct dcesrv_critical_sizes *dcerpc_module_version(void)
static void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, const char *reason)
{
+ struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
struct stream_connection *srv_conn;
srv_conn = talloc_get_type(dce_conn->transport.private_data,
struct stream_connection);
- stream_terminate_connection(srv_conn, reason);
+ if (dce_conn->pending_call_list == NULL) {
+ char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
+
+ DLIST_REMOVE(dce_ctx->broken_connections, dce_conn);
+ stream_terminate_connection(srv_conn, full_reason ? full_reason : reason);
+ return;
+ }
+
+ if (dce_conn->terminate != NULL) {
+ return;
+ }
+
+ DEBUG(3,("dcesrv: terminating connection due to '%s' defered due to pending calls\n",
+ reason));
+ dce_conn->terminate = talloc_strdup(dce_conn, reason);
+ if (dce_conn->terminate == NULL) {
+ dce_conn->terminate = "dcesrv: defered terminating connection - no memory";
+ }
+ DLIST_ADD_END(dce_ctx->broken_connections, dce_conn, NULL);
}
+
+static void dcesrv_cleanup_broken_connections(struct dcesrv_context *dce_ctx)
+{
+ struct dcesrv_connection *cur, *next;
+
+ next = dce_ctx->broken_connections;
+ while (next != NULL) {
+ cur = next;
+ next = cur->next;
+
+ dcesrv_terminate_connection(cur, cur->terminate);
+ }
+}
+
/* We need this include to be able to compile on some plateforms
* (ie. freebsd 7.2) as it seems that <sys/uio.h> is not included
* correctly.
@@ -1386,6 +1422,8 @@ static void dcesrv_sock_accept(struct stream_connection *srv_conn)
struct tevent_req *subreq;
struct loadparm_context *lp_ctx = dcesrv_sock->dcesrv_ctx->lp_ctx;
+ dcesrv_cleanup_broken_connections(dcesrv_sock->dcesrv_ctx);
+
if (!srv_conn->session_info) {
status = auth_anonymous_session_info(srv_conn,
lp_ctx,
@@ -1473,10 +1511,23 @@ static void dcesrv_read_fragment_done(struct tevent_req *subreq)
{
struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
struct dcesrv_connection);
+ struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
struct ncacn_packet *pkt;
DATA_BLOB buffer;
NTSTATUS status;
+ if (dce_conn->terminate) {
+ /*
+ * if the current connection is broken
+ * we need to clean it up before any other connection
+ */
+ dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
+ dcesrv_cleanup_broken_connections(dce_ctx);
+ return;
+ }
+
+ dcesrv_cleanup_broken_connections(dce_ctx);
+
status = dcerpc_read_ncacn_packet_recv(subreq, dce_conn,
&pkt, &buffer);
TALLOC_FREE(subreq);
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 4fcb5c5..66fe51e 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -170,6 +170,9 @@ struct dcesrv_connection_context {
/* the state associated with a dcerpc server connection */
struct dcesrv_connection {
+ /* for the broken_connections DLIST */
+ struct dcesrv_connection *prev, *next;
+
/* the top level context for this server */
struct dcesrv_context *dce_ctx;
@@ -208,7 +211,8 @@ struct dcesrv_connection {
/* the transport level session key */
DATA_BLOB transport_session_key;
- bool processing;
+ /* is this connection pending termination? If so, why? */
+ const char *terminate;
const char *packet_log_dir;
@@ -288,6 +292,8 @@ struct dcesrv_context {
struct loadparm_context *lp_ctx;
struct idr_context *assoc_groups_idr;
+
+ struct dcesrv_connection *broken_connections;
};
/* this structure is used by modules to determine the size of some critical types */
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index b3d8ae5..17b6ce5 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -43,6 +43,7 @@
#include "cluster/cluster.h"
#include "dynconfig/dynconfig.h"
#include "lib/util/samba_modules.h"
+#include "nsswitch/winbind_client.h"
/*
recursively delete a directory tree
@@ -402,6 +403,12 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
}
}
+ /* make sure we won't go through nss_winbind */
+ if (!winbind_off()) {
+ DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n"));
+ exit(1);
+ }
+
gensec_init(); /* FIXME: */
ntptr_init(); /* FIXME: maybe run this in the initialization function
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
index 22c4c04..74bb477 100644
--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -60,7 +60,11 @@ void stream_terminate_connection(struct stream_connection *srv_conn, const char
if (!reason) reason = "unknown reason";
- DEBUG(3,("Terminating connection - '%s'\n", reason));
+ if (srv_conn->processing) {
+ DEBUG(3,("Terminating connection deferred - '%s'\n", reason));
+ } else {
+ DEBUG(3,("Terminating connection - '%s'\n", reason));
+ }
srv_conn->terminate = reason;
diff --git a/source4/winbind/wb_dom_info.c b/source4/winbind/wb_dom_info.c
index e2b5def..8c08c73 100644
--- a/source4/winbind/wb_dom_info.c
+++ b/source4/winbind/wb_dom_info.c
@@ -67,9 +67,10 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx,
state->info->sid = dom_sid_dup(state->info, sid);
if (state->info->sid == NULL) goto failed;
- if ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
+ if (dom_sid_equal(sid, &global_sid_Builtin) ||
+ ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
dom_sid_equal(sid, service->primary_sid) &&
- service->sec_channel_type != SEC_CHAN_RODC) {
+ service->sec_channel_type != SEC_CHAN_RODC)) {
struct interface *ifaces = NULL;
load_interface_list(state, service->task->lp_ctx, &ifaces);
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 70dbaa9..db5eb1d 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -369,24 +369,26 @@ static void init_domain_recv_queryinfo(struct tevent_req *subreq)
state->ctx->status = state->queryinfo.out.result;
if (!composite_is_ok(state->ctx)) return;
- dominfo = &(*state->queryinfo.out.info)->account_domain;
-
- if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
- DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
- state->domain->info->name,
- dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
- dominfo->name.string));
- composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
- return;
- }
-
- if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
- DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
- dom_sid_string(state, state->domain->info->sid),
- dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
- dom_sid_string(state, dominfo->sid)));
- composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
- return;
+ if (!dom_sid_equal(state->domain->info->sid, &global_sid_Builtin)) {
+ dominfo = &(*state->queryinfo.out.info)->account_domain;
+
+ if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
+ DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
+ state->domain->info->name,
+ dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+ dominfo->name.string));
+ composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+ return;
+ }
+
+ if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
+ DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
+ dom_sid_string(state, state->domain->info->sid),
+ dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+ dom_sid_string(state, dominfo->sid)));
+ composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+ return;
+ }
}
state->domain->samr_binding = init_domain_binding(state, &ndr_table_samr);
diff --git a/source4/winbind/wb_samba3_protocol.c b/source4/winbind/wb_samba3_protocol.c
index 2846e9c..1b78c99 100644
--- a/source4/winbind/wb_samba3_protocol.c
+++ b/source4/winbind/wb_samba3_protocol.c
@@ -297,6 +297,8 @@ NTSTATUS wbsrv_samba3_send_reply(struct wbsrv_samba3_call *call)
struct tevent_req *subreq;
NTSTATUS status;
+ call->wbconn->pending_calls--;
+
status = wbsrv_samba3_push_reply(call);
NT_STATUS_NOT_OK_RETURN(status);
@@ -355,9 +357,12 @@ NTSTATUS wbsrv_samba3_process(struct wbsrv_samba3_call *call)
return status;
}
+ call->wbconn->pending_calls++;
+
status = wbsrv_samba3_handle_call(call);
if (!NT_STATUS_IS_OK(status)) {
+ call->wbconn->pending_calls--;
talloc_free(call);
return status;
}
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index 3392353..33adb76 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -28,19 +28,66 @@
#include "libcli/util/tstream.h"
#include "param/param.h"
#include "param/secrets.h"
--
Samba Shared Repository
More information about the samba-cvs
mailing list