[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Thu Aug 29 10:55:02 MDT 2013


The branch, master has been updated
       via  91910fe s3:winbind: fail ads_cached_connection_connect() if realm == NULL
       via  9d08ac4 s3-winbindd: remove unneded include of secrets.h from idmap_ad.c
       via  77d7e2a s3-winbindd: use get_trust_pw_clear() wrapper for AD connection code.
       via  b66ce75 s3-winbindd: make sure also the idmap code can deal with trusted domains.
       via  576c597 s3-winbindd: use find_domain_from_name() instead of find_domain_from_name_no_init().
       via  26ab219 s3-winbindd: Fix winbind on DC crash with trusted AD domains.
       via  57d5336 s3-winbindd: Fix memory leak in ads_cached_connection().
       via  edca1f9 s3-winbindd: remove pointless variable assigment, see the strdup below.
      from  0ca9c74 provision: Rewrite named.txt to be more useful

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 91910fe898e2f8ad405c5790aa1a20e82a9f8aac
Author: Michael Adam <obnox at samba.org>
Date:   Thu Aug 29 16:38:08 2013 +0200

    s3:winbind: fail ads_cached_connection_connect() if realm == NULL
    
    This prevents segfaults when e.g. a previous SMB_STRDUP failed.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Thu Aug 29 18:54:28 CEST 2013 on sn-devel-104

commit 9d08ac424cdf3166110370e94799693bdbb201af
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 28 14:53:08 2013 +0200

    s3-winbindd: remove unneded include of secrets.h from idmap_ad.c
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 77d7e2ad5a88dbe4c16e8b829d5bd0a2a5aea9bc
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 28 14:53:08 2013 +0200

    s3-winbindd: use get_trust_pw_clear() wrapper for AD connection code.
    
    This avoids calling secrets functions directly.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit b66ce754a327a5bdb7600fb67ffb7aaac03cb7db
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 23 14:56:17 2013 +0200

    s3-winbindd: make sure also the idmap code can deal with trusted domains.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 576c597ae38e788bc3c16efc5417e7481c673add
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 28 15:00:06 2013 +0200

    s3-winbindd: use find_domain_from_name() instead of find_domain_from_name_no_init().
    
    Otherwise there is a good chance the domain has not been connected and we don't
    know the realm name yet.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 26ab2194f96cee80438c7917bc7de3bb7d48aa64
Author: Günther Deschner <gd at samba.org>
Date:   Thu Aug 22 16:36:27 2013 +0200

    s3-winbindd: Fix winbind on DC crash with trusted AD domains.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 57d5336969d089d063abce8db2fe090e7a363bc9
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 23 12:33:53 2013 +0200

    s3-winbindd: Fix memory leak in ads_cached_connection().
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit edca1f9d4828281eb69b606dafd92f75f66fc984
Author: Günther Deschner <gd at samba.org>
Date:   Thu Aug 22 15:39:08 2013 +0200

    s3-winbindd: remove pointless variable assigment, see the strdup below.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/idmap_ad.c     |    1 -
 source3/winbindd/winbindd_ads.c |   62 ++++++++++++++++++++++++++------------
 2 files changed, 42 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 1ed6570..8b63801 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -31,7 +31,6 @@
 #include "ads.h"
 #include "libads/ldap_schema.h"
 #include "nss_info.h"
-#include "secrets.h"
 #include "idmap.h"
 #include "../libcli/ldap/ldap_ndr.h"
 #include "../libcli/security/security.h"
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 1e45ad9..4c26389 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -27,7 +27,6 @@
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
 #include "../libds/common/flags.h"
 #include "ads.h"
-#include "secrets.h"
 #include "../libcli/ldap/ldap_ndr.h"
 #include "../libcli/security/security.h"
 #include "../libds/common/flag_mapping.h"
@@ -87,6 +86,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 	struct sockaddr_storage dc_ss;
 	fstring dc_name;
 
+	if (realm == NULL) {
+		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+	}
+
 	/* we don't want this to affect the users ccache */
 	setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
 
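Review bot: The new `realm == NULL` early return drops `password` without releasing it: it fires before the `ads->auth.password = password;` assignment visible in the next hunk, and the caller `ads_idmap_cached_connection()` frees only `realm` after the call. If `get_trust_pw_clear()` hands back an allocated cleartext copy (the `&password` out-parameter suggests so, but its definition is not shown), each rejected attempt leaves a trust or machine account password on the heap. Consider releasing it in the guard, e.g. `SAFE_FREE(password);` before the `return`, preferably after overwriting the buffer, and add a comment on the function stating who owns `password` when it fails. The function body starts before and continues past this hunk.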
@@ -101,7 +104,6 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 
 	ads->auth.renewable = renewable;
 	ads->auth.password = password;
-	ads->auth.realm = realm;
 
 	ads->auth.realm = SMB_STRDUP(realm);
 	if (!strupper_m(ads->auth.realm)) {
@@ -137,6 +139,7 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
 {
 	char *ldap_server, *realm, *password;
 	struct winbindd_domain *wb_dom;
+	ADS_STATUS status;
 
 	ads_cached_connection_reuse(adsp);
 	if (*adsp != NULL) {
@@ -152,22 +155,43 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
 	DEBUG(10, ("ldap_server from saf cache: '%s'\n",
 		   ldap_server ? ldap_server : ""));
 
-	wb_dom = find_domain_from_name_noinit(dom_name);
+	wb_dom = find_domain_from_name(dom_name);
 	if (wb_dom == NULL) {
 		DEBUG(10, ("could not find domain '%s'\n", dom_name));
-		realm = NULL;
-	} else {
-		DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for "
+		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+	}
+
+	DEBUG(10, ("find_domain_from_name found realm '%s' for "
 			  " domain '%s'\n", wb_dom->alt_name, dom_name));
-		realm = wb_dom->alt_name;
+
+	if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
+		return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
 	}
 
-	/* the machine acct password might have change - fetch it every time */
-	password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-	realm = SMB_STRDUP(lp_realm());
+	if (IS_DC) {
+		realm = SMB_STRDUP(wb_dom->alt_name);
+	} else {
+		struct winbindd_domain *our_domain = wb_dom;
 
-	return ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
-					     password, realm, 0);
+		/* always give preference to the alt_name in our
+		   primary domain if possible */
+
+		if (!wb_dom->primary) {
+			our_domain = find_our_domain();
+		}
+
+		if (our_domain->alt_name != NULL) {
+			realm = SMB_STRDUP(our_domain->alt_name);
+		} else {
+			realm = SMB_STRDUP(lp_realm());
+		}
+	}
+
+	status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
+					       password, realm, 0);
+	SAFE_FREE(realm);
+
+	return status;
 }
 
 /*
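Review bot: The `IS_DC` branch passes `wb_dom->alt_name` to `SMB_STRDUP()` without a NULL check, while the non-DC branch just below tests `our_domain->alt_name != NULL` before copying; the same unchecked copy is added in the `ads_cached_connection()` hunk (`realm = SMB_STRDUP(domain->alt_name);`). If `SMB_STRDUP` does not tolerate NULL (its definition is not shown here), a trusted domain whose realm is not yet known would crash winbindd before the new `realm == NULL` guard in `ads_cached_connection_connect()` can reject it. `realm = wb_dom->alt_name ? SMB_STRDUP(wb_dom->alt_name) : NULL;` would let that guard handle the case. The `DEBUG(10, ...)` above also prints `wb_dom->alt_name` with `%s` and should use the same `? :` fallback already applied to `ldap_server`. The function starts outside this hunk.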
@@ -188,20 +212,18 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 
 	/* the machine acct password might have change - fetch it every time */
 
+	if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
+		return NULL;
+	}
+
 	if ( IS_DC ) {
 
-		if ( !pdb_get_trusteddom_pw( domain->name, &password, NULL,
-					     NULL ) ) {
-			return NULL;
-		}
-		realm = NULL;
+		realm = SMB_STRDUP(domain->alt_name);
 	}
 	else {
 		struct winbindd_domain *our_domain = domain;
 
 
-		password = secrets_fetch_machine_password(lp_workgroup(), NULL,
-							  NULL);
 		/* always give preference to the alt_name in our
 		   primary domain if possible */
 
@@ -221,7 +243,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 					domain->name, NULL,
 					password, realm,
 					WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
-
+	SAFE_FREE(realm);
 
 	if (!ADS_ERR_OK(status)) {
 		/* if we get ECONNREFUSED then it might be a NT4


-- 
Samba Shared Repository

