[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue May 5 20:14:03 MDT 2015


The branch, master has been updated
       via  3278b69 s3:winbindd: list local groups for our internal domains too (as AD DC)
       via  9eb6450 s3:winbindd: list users/groups of our own domain as AD DC
       via  e1aca8d selftest: Add tests for expected output of wbinfo -i and wbinfo --uid-info
       via  7fcaa07 winbindd4: Force home directory in internal winbind to use a lower-case username
       via  4aa2246 selftest: Run more winbind tests against more environments
       via  a62e78c torture-winbind: Assert that the list of trusted domains is not NULL
       via  406cd32 s4-winbind: Correctly reject the unsupported WBFLAG_PAM_AUTH_PAC flag
       via  4199105 s3:winbindd: don't remove the DOMAIN\ prefix for principals of our own domain as AD DC
       via  d3f1306 s4:selftest: correctly copy a python list into a temporary variable
       via  9bba2f6 lsa.idl: add LSA_*_DISABLED_MASK helper defines
      from  9928d98 s3: torture: Add regression test for bug #11249.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3278b6900d5d66e86c243af2ab9e9b670db294d0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 28 08:36:11 2015 +0000

    s3:winbindd: list local groups for our internal domains too (as AD DC)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed May  6 04:13:36 CEST 2015 on sn-devel-104

commit 9eb64502f0f3d7b0a86488452740ad8184ae3e37
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 28 08:31:05 2015 +0000

    s3:winbindd: list users/groups of our own domain as AD DC
    
    The AD users/groups of the local domain of an AD DC
    only exist via winbindd and not in /etc/passwd or /etc/group.
    
    This also matches the behaviour of the source4/winbind code.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit e1aca8d69e9b825c449f0b0050d7bfd51fd6baa0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 23 16:27:22 2014 +1300

    selftest: Add tests for expected output of wbinfo -i and wbinfo --uid-info
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7fcaa07e2009066647b2e6c71ab82ce5724b43b5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 23 17:58:40 2014 +1300

    winbindd4: Force home directory in internal winbind to use a lower-case username
    
    This is a BEHAVIOUR CHANGE from Samba 4.0 and 4.1, if mixed-case
    usernames were in use.
    
    However, it matches the behaviour in winbindd in all other use cases.
    
    Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 4aa2246dd9a463e84fdf21a63581a98f2031fd2f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 23 22:02:57 2014 +1300

    selftest: Run more winbind tests against more environments
    
    This ensures we still test the internal winbind on the AD DC
    and winbindd as a member server.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a62e78cef61c1f3f602db39027433e6a1b71c110
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Apr 28 14:20:35 2015 +1200

    torture-winbind: Assert that the list of trusted domains is not NULL
    
    By doing this, we avoid the test being dependent on if the lsa trusted domains tests have run.
    
    Otherwise, we may have a non-null extra_data against the internal winbind, but
    only 1 trusted domain (torturedom), but not the local domains that were expected
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 406cd32126d223d79bdb4328f5404889b4f11d52
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 24 10:32:20 2014 +1300

    s4-winbind: Correctly reject the unsupported WBFLAG_PAM_AUTH_PAC flag
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 419910532f13c7966dfbf21f9ac274f07a69f8b5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 28 08:31:05 2015 +0000

    s3:winbindd: don't remove the DOMAIN\ prefix for principals of our own domain as AD DC
    
    This also matches the behaviour of the source4/winbind code.
    
    In Samba 4.0 and 4.1 we had the following
    
    > getent passwd administrator
    S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false
    > getent passwd S4XDOM\\administrator
    S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false
    
    With Samba 4.2.0 we have:
    
    > getent passwd administrator
    administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
    > getent passwd S4XDOM\\administrator
    administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
    
    With the patches we have:
    
    > getent passwd administrator
    S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
    > getent passwd S4XDOM\\administrator
    S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d3f13063cf69e9de569b0487925692ae136fb62b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue May 5 10:37:14 2015 +0200

    s4:selftest: correctly copy a python list into a temporary variable
    
    This fixes a bug in commit 0c6c081dc4e743c142a59d90c9e7f5b6e4cf5bd1.
    
    We need wb_opts to be a temporary copy of wb_opts_default
    and the following wb_opts += should only change wb_opts and not wb_opts_default.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9bba2f6d6f8692f61a7853f52f4c1d5d06a725fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 13:22:37 2015 +0000

    lsa.idl: add LSA_*_DISABLED_MASK helper defines
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/lsa.idl                     | 11 +++++
 nsswitch/tests/test_wbinfo.sh          | 49 +++++++++++++++++--
 selftest/knownfail                     | 21 ++++++--
 source3/winbindd/winbindd_dual_srv.c   | 87 +++++++++++++++++++++++++++++-----
 source3/winbindd/winbindd_util.c       | 17 ++++++-
 source4/selftest/tests.py              |  7 +--
 source4/torture/winbind/struct_based.c | 12 ++---
 source4/winbind/wb_cmd_getpwnam.c      | 10 +++-
 source4/winbind/wb_cmd_getpwuid.c      | 10 +++-
 source4/winbind/wb_samba3_cmd.c        |  4 ++
 10 files changed, 195 insertions(+), 33 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 4ab7bc2..0823707 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1269,6 +1269,17 @@ import "misc.idl", "security.idl";
 		LSA_NB_DISABLED_CONFLICT	= 0x00000008
 	} lsa_ForestTrustRecordFlags;
 
+	const uint32 LSA_TLN_DISABLED_MASK = (
+					LSA_TLN_DISABLED_NEW |
+					LSA_TLN_DISABLED_ADMIN |
+					LSA_TLN_DISABLED_CONFLICT);
+	const uint32 LSA_SID_DISABLED_MASK = (
+					LSA_SID_DISABLED_ADMIN |
+					LSA_SID_DISABLED_CONFLICT);
+	const uint32 LSA_NB_DISABLED_MASK = (
+					LSA_NB_DISABLED_ADMIN |
+					LSA_NB_DISABLED_CONFLICT);
+
 	typedef enum {
 		LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0,
 		LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1,
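Review bot: The three new `LSA_*_DISABLED_MASK` constants are added without a comment, and they are not symmetric: `LSA_TLN_DISABLED_MASK` ORs three flags (NEW, ADMIN, CONFLICT) while the SID and NB masks OR only ADMIN and CONFLICT. A one-line comment above them saying that each mask covers every disabled flag of its record type in `lsa_ForestTrustRecordFlags` would tell a reader the difference is intentional, and would remind whoever adds a new flag to the enum to extend the matching mask.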
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index c9758b8..1d14ca3 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -174,10 +174,8 @@ testit "wbinfo -D against $TARGET" $wbinfo -D $DOMAIN || failed=`expr $failed +
 
 testit "wbinfo -i against $TARGET" $wbinfo -i "$DOMAIN/$USERNAME" || failed=`expr $failed + 1`
 
-testit "wbinfo --uid-info against $TARGET" $wbinfo --uid-info $admin_uid || failed=`expr $failed + 1`
-
 echo "test: wbinfo --group-info against $TARGET"
-gid=`$wbinfo --group-info "$DOMAIN/Domain admins" | cut -d: -f3`
+gid=`$wbinfo --group-info "$DOMAIN/Domain users" | cut -d: -f3`
 if test x$? = x0; then
 	echo "success: wbinfo --group-info against $TARGET"
 else
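Review bot: The `test x$? = x0` that follows the changed `gid=` line checks the exit status of `cut`, not of `$wbinfo --group-info`, so this step reports success even when the lookup of "Domain users" fails and `$gid` ends up empty. That matters more now, because `$gid` is used to build `expected_line` further down; a failed lookup would only show up later as a confusing output mismatch. Capture the wbinfo output first, test its status, and run `cut` on the saved value, or at least fail here when `$gid` is empty.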
@@ -185,6 +183,51 @@ else
 	failed=`expr $failed + 1`
 fi
 
+test_name="wbinfo -i against $TARGET"
+subunit_start_test "$test_name"
+passwd_line=`$wbinfo -i "$DOMAIN/$USERNAME"`
+if test x$? = x0; then
+	subunit_pass_test "$test_name"
+else
+	subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
+test_name="confirm output of wbinfo -i against $TARGET"
+subunit_start_test "$test_name"
+
+# The full name (GECOS) is based on name (the RDN, in this case CN)
+# and displayName in winbindd_ads, and is based only on displayName in
+# winbindd_msrpc and winbindd_rpc.  Allow both versions.
+expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
+
+if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+	subunit_pass_test "$test_name"
+else
+	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
+test_name="wbinfo --uid-info against $TARGET"
+subunit_start_test "$test_name"
+passwd_line=`$wbinfo --uid-info=$admin_uid`
+if test x$? = x0; then
+	subunit_pass_test "$test_name"
+else
+	subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
+test_name="confirm output of wbinfo --uid-info against $TARGET"
+subunit_start_test "$test_name"
+if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+	subunit_pass_test "$test_name"
+else
+	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
 testfail "wbinfo --group-info against $TARGET with $USERNAME" $wbinfo --group-info $USERNAME && failed=`expr $failed + 1`
 
 testit "wbinfo --gid-info against $TARGET" $wbinfo --gid-info $gid || failed=`expr $failed + 1`
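Review bot: In both "confirm output" comparisons `$passwd_line` is expanded unquoted (`test x$passwd_line = x"$expected_line" -o ...`). The passwd line contains a `*` field and a GECOS field, so it is subject to word splitting and pathname expansion; a display name with a space turns the comparison into a `test` syntax error instead of a clean mismatch. Write `x"$passwd_line"` on the left-hand side, and consider two separate `test` calls joined with `||` rather than `-o`. Separately, the new block reuses the name "wbinfo -i against $TARGET", which the `testit` line just above the earlier hunk already reports, so the subunit stream will carry two results under the same test name.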
diff --git a/selftest/knownfail b/selftest/knownfail
index ab77e0f..3262c9c 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -253,7 +253,7 @@
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G against ad_member
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U check for sane mapping
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G check for sane mapping
-^samba4.winbind.struct.show_sequence\(ad_dc_ntvfs\)
+^samba4.winbind.struct.show_sequence\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--allocate-uid
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--allocate-gid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-uid
@@ -265,10 +265,8 @@
 #
 ^samba4.winbind.struct.domain_info\(s4member:local\)
 ^samba4.winbind.struct.getdcname\(s4member:local\)
-^samba4.winbind.struct.lookup_name_sid\(s4member:local\)
 ^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
 ^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
-^samba4.winbind.struct.getpwent\(ad_dc:local\)
 ^samba.wbinfo_simple.\(s4member:local\).--user-groups
 ^samba.nss.test using winbind\(s4member:local\)
 #
@@ -278,6 +276,9 @@
 ^samba3.local.nss.reentrant enumeration crosschecks\(ad_dc_ntvfs:local\)
 ^samba3.local.nss.reentrant enumeration\(ad_dc_ntvfs:local\)
 ^samba3.local.nss.enumeration\(ad_dc_ntvfs:local\)
+^samba3.local.nss.reentrant enumeration crosschecks\(ad_dc:local\)
+^samba3.local.nss.reentrant enumeration\(ad_dc:local\)
+^samba3.local.nss.enumeration\(ad_dc:local\)
 #
 # These fail only if we run the unix.whoami test before them
 # in the member and ad_member environments. ==> Strange!!!
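Review bot: The three `samba3.local.nss.*enumeration*\(ad_dc:local\)` entries are added as expected failures with no reason given, in a series whose stated goal is to list the users and groups of our own domain on an AD DC. Later hunks in this file attach a reason to each new entry ("Not implemented", "No KDC on a classic DC"); please do the same here, so it is clear whether these failures are a known remaining gap or something the enumeration changes should have fixed.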
@@ -290,6 +291,11 @@
 #
 ^samba4.winbind.struct.getdcname\(ad_member:local\)
 ^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
+^samba4.winbind.struct.lookup_name_sid\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.list_trustdom\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.domain_info\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.getdcname\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.dsgetdcname\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--all-domains.wbinfo\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--trusted-domains.wbinfo\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--online-status.wbinfo\(ad_dc_ntvfs:local\)
@@ -301,6 +307,10 @@
 ^samba.blackbox.wbinfo\(ad_dc_ntvfs:local\).wbinfo  --trusted-domains against ad_dc_ntvfs\(ad_dc_ntvfs:local\)
 ^samba.blackbox.wbinfo\(ad_dc_ntvfs:local\).wbinfo --all-domains against ad_dc_ntvfs\(ad_dc_ntvfs:local\)
 #
+# This will fail against the NTVFS DC, because it requires functionality only in winbindd
+#
+^samba4.winbind.pac.*\(ad_dc_ntvfs:local\) # Not implemented
+#
 # These do not work against winbindd in member mode for unknown reasons
 #
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U against ad_member\(ad_member:local\)
@@ -309,7 +319,12 @@
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G check for sane mapping\(ad_member:local\)
 ^samba.ntlm_auth.\(ad_dc_ntvfs:local\).ntlm_auth against winbindd with failed require-membership-of
 ^samba.ntlm_auth.\(ad_dc_ntvfs:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
+^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
 #
 # Differences in our KDC compared to windows
 #
 ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
+#
+# This will fail against the classic DC, because it requires kerberos
+#
+^samba4.winbind.pac.*\(nt4_member:local\) # No KDC on a classic DC
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 061de72..97d8a1b 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -380,43 +380,106 @@ NTSTATUS _wbint_QueryGroupList(struct pipes_struct *p,
 			       struct wbint_QueryGroupList *r)
 {
 	struct winbindd_domain *domain = wb_child_domain();
-	uint32_t i, num_groups;
-	struct wb_acct_info *groups;
+	uint32_t i;
+	uint32_t num_local_groups = 0;
+	struct wb_acct_info *local_groups = NULL;
+	uint32_t num_dom_groups = 0;
+	struct wb_acct_info *dom_groups = NULL;
+	uint32_t ti = 0;
+	uint64_t num_total = 0;
 	struct wbint_Principal *result;
 	NTSTATUS status;
+	bool include_local_groups = false;
 
 	if (domain == NULL) {
 		return NT_STATUS_REQUEST_NOT_ACCEPTED;
 	}
 
+	switch (lp_server_role()) {
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		if (domain->internal) {
+			/*
+			 * we want to include local groups
+			 * for BUILTIN and WORKGROUP
+			 */
+			include_local_groups = true;
+		}
+		break;
+	default:
+		/*
+		 * We might include local groups in more
+		 * setups later, but that requires more work
+		 * elsewhere.
+		 */
+		break;
+	}
+
+	if (include_local_groups) {
+		status = domain->methods->enum_local_groups(domain, talloc_tos(),
+							    &num_local_groups,
+							    &local_groups);
+		reset_cm_connection_on_error(domain, status);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+	}
+
 	status = domain->methods->enum_dom_groups(domain, talloc_tos(),
-						  &num_groups, &groups);
+						  &num_dom_groups,
+						  &dom_groups);
 	reset_cm_connection_on_error(domain, status);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
+	num_total = num_local_groups + num_dom_groups;
+	if (num_total > UINT32_MAX) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	result = talloc_array(r->out.groups, struct wbint_Principal,
-			      num_groups);
+			      num_total);
 	if (result == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	for (i=0; i<num_groups; i++) {
-		sid_compose(&result[i].sid, &domain->sid, groups[i].rid);
-		result[i].type = SID_NAME_DOM_GRP;
-		result[i].name = talloc_strdup(result, groups[i].acct_name);
-		if (result[i].name == NULL) {
+	for (i = 0; i < num_local_groups; i++) {
+		struct wb_acct_info *lg = &local_groups[i];
+		struct wbint_Principal *rg = &result[ti++];
+
+		sid_compose(&rg->sid, &domain->sid, lg->rid);
+		rg->type = SID_NAME_ALIAS;
+		rg->name = talloc_strdup(result, lg->acct_name);
+		if (rg->name == NULL) {
+			TALLOC_FREE(result);
+			TALLOC_FREE(dom_groups);
+			TALLOC_FREE(local_groups);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	num_local_groups = 0;
+	TALLOC_FREE(local_groups);
+
+	for (i = 0; i < num_dom_groups; i++) {
+		struct wb_acct_info *dg = &dom_groups[i];
+		struct wbint_Principal *rg = &result[ti++];
+
+		sid_compose(&rg->sid, &domain->sid, dg->rid);
+		rg->type = SID_NAME_DOM_GRP;
+		rg->name = talloc_strdup(result, dg->acct_name);
+		if (rg->name == NULL) {
 			TALLOC_FREE(result);
-			TALLOC_FREE(groups);
+			TALLOC_FREE(dom_groups);
+			TALLOC_FREE(local_groups);
 			return NT_STATUS_NO_MEMORY;
 		}
 	}
+	num_dom_groups = 0;
+	TALLOC_FREE(dom_groups);
 
-	r->out.groups->num_principals = num_groups;
+	r->out.groups->num_principals = ti;
 	r->out.groups->principals = result;
 
-	TALLOC_FREE(groups);
 	return NT_STATUS_OK;
 }
 
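Review bot: The overflow check on `num_total` can never fire. In `num_total = num_local_groups + num_dom_groups;` both operands are `uint32_t`, so the addition is done in 32 bits and wraps before the result is widened to `uint64_t`; `num_total > UINT32_MAX` is then always false. On a wrap, `talloc_array()` is sized from the truncated sum while the two loops still write `num_local_groups + num_dom_groups` entries through `result[ti++]`, which is an out-of-bounds write. Widen one operand first, for example `num_total = (uint64_t)num_local_groups + num_dom_groups;`. The counts come from the domain's `enum_local_groups`/`enum_dom_groups` methods, so the check is worth making effective rather than dropping.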
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index d4a1cf3..021f5ca 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -87,10 +87,13 @@ struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
 		domain = domain->next;
 	}
 
-	if ((domain != NULL)
-	    && sid_check_is_our_sam(&domain->sid)) {
+	if ((domain != NULL) &&
+	    (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
+	    sid_check_is_our_sam(&domain->sid))
+	{
 		domain = domain->next;
 	}
+
 	return domain;
 }
 
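Review bot: The added `lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC` condition in `wb_next_domain()` has no comment, and it changes which domains every enumeration loop visits. The commit message gives the reason (on an AD DC the users and groups of the local domain exist only via winbindd, not in /etc/passwd or /etc/group); put that sentence in a comment above the `if`, so the exception is understandable from the code alone.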
@@ -1052,12 +1055,18 @@ bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
     Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
     username is then unqualified in unix
 
+    On an AD DC we always fill DOMAIN\\USERNAME.
+
     We always canonicalize as UPPERCASE DOMAIN, lowercase username.
 */
 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
 {
 	fstring tmp_user;
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		can_assume = false;
+	}
+
 	fstrcpy(tmp_user, user);
 	(void)strlower_m(tmp_user);
 
@@ -1081,6 +1090,10 @@ char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
 {
 	char *tmp_user, *name;
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		can_assume = false;
+	}
+
 	tmp_user = talloc_strdup(mem_ctx, user);
 	if (!strlower_m(tmp_user)) {
 		TALLOC_FREE(tmp_user);
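Review bot: The same `if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) { can_assume = false; }` block is now pasted into both `fill_domain_username()` and `fill_domain_username_talloc()`, and only the doc comment of the first one visibly gains the "On an AD DC we always fill DOMAIN\\USERNAME" sentence. A small static helper that returns the effective `can_assume` would keep the two variants from drifting apart, and the talloc variant's comment should state the AD DC rule as well. Overwriting the parameter also means callers that pass `true` are silently ignored on an AD DC; that is worth saying in the function comment.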
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 015e902..2ce01a1 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -372,9 +372,10 @@ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:ti
 
 winbind_ad_client_tests = smbtorture4_testsuites("winbind.struct") + smbtorture4_testsuites("winbind.pac")
 winbind_wbclient_tests = smbtorture4_testsuites("winbind.wbclient")
-for env in ["ad_dc", "s4member", "ad_member"]:
-    wb_opts = wb_opts_default
-    wb_opts += ["--option=\"torture:winbindd_domain_without_prefix=$DOMAIN\""]
+for env in ["ad_dc", "ad_dc_ntvfs", "s4member", "ad_member", "nt4_member"]:
+    wb_opts = wb_opts_default[:]
+    if env in ["ad_member"]:
+        wb_opts += ["--option=\"torture:winbindd_domain_without_prefix=$DOMAIN\""]
     for t in winbind_ad_client_tests:
         plansmbtorture4testsuite(t, "%s:local" % env, wb_opts + ['//$SERVER/tmp', '--realm=$REALM', '--machine-pass', '--option=torture:addc=$DC_SERVER'])
 
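Review bot: `if env in ["ad_member"]:` is a membership test against a one-element list; `if env == "ad_member":` says the same thing more directly. More importantly, the `winbindd_domain_without_prefix` option used to be appended for every environment in the loop and is now applied to `ad_member` only, while the list of environments grows to five. A short comment explaining why only `ad_member` needs the option would help, since the reason is not visible in this hunk.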
diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
index be6ca51..a7b6bfd 100644
--- a/source4/torture/winbind/struct_based.c
+++ b/source4/torture/winbind/struct_based.c
@@ -285,11 +285,10 @@ static bool get_trusted_domains(struct torture_context *torture,
 	DO_STRUCT_REQ_REP(WINBINDD_LIST_TRUSTDOM, &req, &rep);
 
 	extra_data = (char *)rep.extra_data.data;
-	if (!extra_data) {
-		return true;
-	}
-
-	torture_assert(torture, extra_data, "NULL trust list");
+	torture_assert(torture, extra_data != NULL,
+		       "Trust list was NULL: the list of trusted domain "
+		       "should be returned, with at least 2 entries "
+		       "(BUILTIN, and the local domain)");
 
 	while (next_token(&extra_data, line, "\n", sizeof(line))) {
 		char *p, *lp;
@@ -324,7 +323,8 @@ static bool get_trusted_domains(struct torture_context *torture,
 	SAFE_FREE(rep.extra_data.data);
 
 	torture_assert(torture, dcount >= 2,
-		       "The list of trusted domain should contain 2 entries");
+		       "The list of trusted domain should contain 2 entries "
+		       "(BUILTIN, and the local domain)");
 
 	*_d = d;
 	return true;
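Review bot: The two assertion messages in `get_trusted_domains()` disagree with each other and with the check. The first says "with at least 2 entries", the second says "should contain 2 entries", and the condition is `dcount >= 2`. Use "at least 2 entries" in both, and "trusted domains" rather than "trusted domain". The first assertion only verifies that `extra_data` is non-NULL, so its message could stop at "Trust list was NULL" and leave the count to the second assertion.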
diff --git a/source4/winbind/wb_cmd_getpwnam.c b/source4/winbind/wb_cmd_getpwnam.c
index c4f3db8..2a25ba3 100644
--- a/source4/winbind/wb_cmd_getpwnam.c
+++ b/source4/winbind/wb_cmd_getpwnam.c
@@ -110,6 +110,7 @@ static void cmd_getpwnam_recv_user_info(struct composite_context *ctx)
 	struct libnet_UserInfo *user_info;
 	struct winbindd_pw *pw;
 	char *username_with_domain;
+	char *lowercase_username;
 
 	DEBUG(5, ("cmd_getpwnam_recv_user_info called\n"));
 
@@ -122,10 +123,15 @@ static void cmd_getpwnam_recv_user_info(struct composite_context *ctx)
 	state->ctx->status = libnet_UserInfo_recv(ctx, state, user_info);
 	if(!composite_is_ok(state->ctx)) return;
 
+	lowercase_username = strlower_talloc(state, user_info->out.account_name);
+	if (composite_nomem(lowercase_username, state->ctx)) {
+		return;
+	}
+
 	username_with_domain = talloc_asprintf(pw, "%s%s%s",
 		state->workgroup_name,
 		lpcfg_winbind_separator(state->service->task->lp_ctx),
-		user_info->out.account_name);
+		lowercase_username);
 	if(composite_nomem(username_with_domain, state->ctx)) return;
 
 	WBSRV_SAMBA3_SET_STRING(pw->pw_name, username_with_domain);
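Review bot: The change to the `talloc_asprintf()` arguments lower-cases `pw_name` as well, not only the home directory: `username_with_domain` is now built from `lowercase_username`. The commit subject mentions only the home directory, so the log should state that the returned user name changes case too, because consumers that compare `pw_name` byte for byte (ownership lookups, sudoers or PAM access lists written with the mixed-case name) are affected by it. Also, `lowercase_username` is allocated on `state` while the neighbouring string is allocated on `pw`; if that lifetime difference is intentional a short comment would help.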
@@ -135,7 +141,7 @@ static void cmd_getpwnam_recv_user_info(struct composite_context *ctx)
 		lpcfg_template_homedir(state->service->task->lp_ctx));
 	all_string_sub(pw->pw_dir, "%D", state->workgroup_name,
 			sizeof(fstring) - 1);
-	all_string_sub(pw->pw_dir, "%U", user_info->out.account_name,
+	all_string_sub(pw->pw_dir, "%U", lowercase_username,
 			sizeof(fstring) - 1);
 	WBSRV_SAMBA3_SET_STRING(pw->pw_shell, 
 		lpcfg_template_shell(state->service->task->lp_ctx));
diff --git a/source4/winbind/wb_cmd_getpwuid.c b/source4/winbind/wb_cmd_getpwuid.c
index 9977767..6da3c08 100644
--- a/source4/winbind/wb_cmd_getpwuid.c
+++ b/source4/winbind/wb_cmd_getpwuid.c
@@ -130,6 +130,7 @@ static void cmd_getpwuid_recv_user_info(struct composite_context *ctx)
 	struct libnet_UserInfo *user_info;
 	struct winbindd_pw *pw;
 	char *username_with_domain;
+	char *lowercase_username;
 
 	DEBUG(5, ("cmd_getpwuid_recv_user_info called\n"));
 
@@ -142,10 +143,15 @@ static void cmd_getpwuid_recv_user_info(struct composite_context *ctx)
 	state->ctx->status = libnet_UserInfo_recv(ctx, state, user_info);
 	if (!composite_is_ok(state->ctx)) return;
 
+	lowercase_username = strlower_talloc(state, user_info->out.account_name);
+	if (composite_nomem(lowercase_username, state->ctx)) {
+		return;
+	}
+
 	username_with_domain = talloc_asprintf(pw, "%s%s%s",
 		state->workgroup,
 		lpcfg_winbind_separator(state->service->task->lp_ctx),
-		user_info->out.account_name);
+		lowercase_username);
 	if(composite_nomem(username_with_domain, state->ctx)) return;
 
 	WBSRV_SAMBA3_SET_STRING(pw->pw_name, username_with_domain);
@@ -155,7 +161,7 @@ static void cmd_getpwuid_recv_user_info(struct composite_context *ctx)
 		lpcfg_template_homedir(state->service->task->lp_ctx));
 	all_string_sub(pw->pw_dir, "%D", state->workgroup,
 			sizeof(fstring) - 1);
-	all_string_sub(pw->pw_dir, "%U", user_info->out.account_name,
+	all_string_sub(pw->pw_dir, "%U", lowercase_username,
 			sizeof(fstring) - 1);
 	WBSRV_SAMBA3_SET_STRING(pw->pw_shell, 
 				lpcfg_template_shell(state->service->task->lp_ctx));
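Review bot: These three hunks repeat the `wb_cmd_getpwnam.c` change line for line (`strlower_talloc()`, the `composite_nomem()` check, and the two substitutions of `lowercase_username`). Since both files build `pw_name` and `pw_dir` from the same inputs, a shared helper that fills the `winbindd_pw` name and home directory would guarantee that getpwnam and getpwuid keep returning identical entries for the same account, which is what the new `wbinfo -i` versus `wbinfo --uid-info` test expects.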
diff --git a/source4/winbind/wb_samba3_cmd.c b/source4/winbind/wb_samba3_cmd.c
index 9ec3c4b..4c4033d 100644
--- a/source4/winbind/wb_samba3_cmd.c
+++ b/source4/winbind/wb_samba3_cmd.c
@@ -640,6 +640,10 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
 	DATA_BLOB chal, nt_resp, lm_resp;
 
 	DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n"));
+	if (s3call->request->flags & WBFLAG_PAM_AUTH_PAC) {
+		DEBUG(3, ("PAC validation not supported in this winbind implementation\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	chal.data       = s3call->request->data.auth_crap.chal;
 	chal.length     = sizeof(s3call->request->data.auth_crap.chal);
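Review bot: Rejecting `WBFLAG_PAM_AUTH_PAC` outright is the right direction, since silently ignoring it would let a caller believe a PAC had been validated; the point to settle is the status code. `NT_STATUS_INVALID_PARAMETER` is indistinguishable from a malformed request, whereas `NT_STATUS_NOT_SUPPORTED` would let a client tell "this winbind cannot validate a PAC" apart from "my request was wrong". Style: leave a blank line between the `DEBUG(5, ...)` call and the new `if`. If other request handlers in this file accept the same flags field, they need the same check; only `wbsrv_samba3_pam_auth_crap()` is covered here.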


-- 
Samba Shared Repository

