[SCM] Samba Shared Repository - branch master updated
Uri Simchoni
uri at samba.org
Wed Apr 12 14:44:02 UTC 2017
The branch, master has been updated
via 9d419c3 winbindd: only use the domain name from lookup sids if the domain matches
via 63698da waf: Only build pam_wrapper if we build with pam
via 2fa9346 build: refuse to build without PAM support if enabled
from d92a23e winbind_msrpc: Use any_nt_status_not_ok
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9d419c3fe3654f038fbc978ecb7fa87cf8a5cc3b
Author: Ralph Boehme <slow at samba.org>
Date: Mon Apr 10 14:28:18 2017 +0200
winbindd: only use the domain name from lookup sids if the domain matches
With the use of sIDHistory it happens that two sids map to the same name:
S-1-5-21-1387724271-3540671778-1971508351-1115 DOMAIN2\d1u1 (1)
S-1-5-21-3293503978-489118715-2763867031-1106 DOMAIN2\d1u1 (1)
On the net it looks like this:
lsa_LookupSids: struct lsa_LookupSids
in: struct lsa_LookupSids
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
sids : *
sids: struct lsa_SidArray
num_sids : 0x00000002 (2)
sids : *
sids: ARRAY(2)
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351-1115
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-3293503978-489118715-2763867031-1106
names : *
names: struct lsa_TransNameArray
count : 0x00000000 (0)
names : NULL
level : LSA_LOOKUP_NAMES_ALL (1)
count : *
count : 0x00000000 (0)
lsa_LookupSids: struct lsa_LookupSids
out: struct lsa_LookupSids
domains : *
domains : *
domains: struct lsa_RefDomainList
count : 0x00000001 (1)
domains : *
domains: ARRAY(1)
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'DOMAIN2'
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351
max_size : 0x00000020 (32)
names : *
names: struct lsa_TransNameArray
count : 0x00000002 (2)
names : *
names: ARRAY(7)
names: struct lsa_TranslatedName
sid_type : SID_NAME_USER (1)
name: struct lsa_String
length : 0x0008 (8)
size : 0x0008 (8)
string : *
string : 'd1u1'
sid_index : 0x00000000 (0)
names: struct lsa_TranslatedName
sid_type : SID_NAME_USER (1)
name: struct lsa_String
length : 0x0008 (8)
size : 0x0008 (8)
string : *
string : 'd1u1'
sid_index : 0x00000000 (0)
count : *
count : 0x00000002 (2)
result : NT_STATUS_OK
So the name for S-1-5-21-3293503978-489118715-2763867031-1106 has
S-1-5-21-1387724271-3540671778-1971508351 in the referenced lsa_DomainInfo
structure. In that case we should not use the domain name from lsa_DomainInfo,
because we would use the wrong idmap backend.
For the case where the domain part of the sIDHistory sid is a still-existing
domain, which can be found in our internal list of trusted domains, we now use the
correct idmap backend: the idmap domain from the historic SID.
If the historic domain no longer exists, we will fall back to the default
idmap domain.
The next step would be doing a lookup sid call for the domain sid, which may
help with one-way trusts.
The long term goal needs to be that idmap backends are based on sids only and
only the smb.conf allows names to be used which will be converted to sids on
startup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12702
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
Autobuild-User(master): Uri Simchoni <uri at samba.org>
Autobuild-Date(master): Wed Apr 12 16:43:30 CEST 2017 on sn-devel-144
commit 63698da6e26965a539b623064ff34d4cb177f2ff
Author: Andreas Schneider <asn at samba.org>
Date: Mon Apr 10 07:50:41 2017 +0200
waf: Only build pam_wrapper if we build with pam
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
commit 2fa9346333bab34a5bf1ad1ec26da2d9b6a291dd
Author: Uri Simchoni <uri at samba.org>
Date: Wed Apr 12 10:32:39 2017 +0300
build: refuse to build without PAM support if enabled
If PAM support is enabled, refuse to build if the prerequisite
libraries are not in place, instead of silently disabling PAM
support and continuing with the build.
This simplifies inclusion of pam_wrapper in the tree.
Signed-off-by: Uri Simchoni <uri at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/tests.py | 6 ++++--
source3/winbindd/wb_sids2xids.c | 6 +++++-
source3/wscript | 4 ++++
wscript | 3 ++-
wscript_build | 2 +-
5 files changed, 16 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/tests.py b/selftest/tests.py
index d962a66..e3dd914 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -39,6 +39,7 @@ finally:
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
with_cmocka = ("HAVE_CMOCKA" in config_hash)
+with_pam = ("WITH_PAM" in config_hash)
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
planpythontestsuite("none", "samba.tests.source")
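Review bot: pam_wrapper_so_path, on the context line right after the new with_pam assignment, is still read with an unconditional config_hash["LIBPAM_WRAPPER_SO_PATH"] lookup, while with_pam itself uses a guarded "in" test. If that key is only written when lib/pam_wrapper is configured, which the top-level wscript change in this push makes conditional on PAM, a --without-pam tree would raise KeyError here before any test is planned. Reading the value with config_hash.get(...) or only under "if with_pam:" would avoid that.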
@@ -137,8 +138,9 @@ plantestsuite(
configuration])
planpythontestsuite("none", "samba.tests.glue", py3_compatible=True)
-plantestsuite("samba.tests.pam_winbind", "ad_member",
- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), valgrindify(python), pam_wrapper_so_path])
+if with_pam:
+ plantestsuite("samba.tests.pam_winbind", "ad_member",
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), valgrindify(python), pam_wrapper_so_path])
if with_cmocka:
plantestsuite("samba.unittests.krb5samba", "none",
diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
index dc90bdf..b8ad300 100644
--- a/source3/winbindd/wb_sids2xids.c
+++ b/source3/winbindd/wb_sids2xids.c
@@ -194,9 +194,13 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq)
if (n->sid_index != UINT32_MAX) {
const struct lsa_DomainInfo *info;
+ bool match;
info = &domains->domains[n->sid_index];
- domain_name = info->name.string;
+ match = dom_sid_in_domain(info->sid, sid);
+ if (match) {
+ domain_name = info->name.string;
+ }
}
if (domain_name == NULL) {
struct winbindd_domain *wb_domain = NULL;
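Review bot: the new dom_sid_in_domain(info->sid, sid) check in wb_sids2xids_lookupsids_done() carries no comment saying when the referenced domain can differ from the SID's own domain; the sIDHistory case is explained only in the commit message. A short comment above the check, noting that a mismatch leaves domain_name NULL so that the following "if (domain_name == NULL)" block chooses the domain, would keep the reason next to the code. The match local is used once and could be folded into the condition. The summary of changes also lists no test for the mismatch case, so a regression in idmap backend selection would go unnoticed.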
diff --git a/source3/wscript b/source3/wscript
index 7875368..c526fc5 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -947,6 +947,10 @@ int i; i = PAM_RADIO_TYPE;
if use_pam:
conf.DEFINE('WITH_PAM', 1)
conf.DEFINE('WITH_PAM_MODULES', 1)
+ else:
+ conf.fatal("PAM support is enabled but prerequisite libraries "
+ "or headers not found. Use --without-pam to disable "
+ "PAM support.");
seteuid = False
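Review bot: the added conf.fatal(...) call in the else branch ends with a stray semicolon after the closing parenthesis ("PAM support.");). It is harmless in Python but inconsistent with the surrounding conf.DEFINE lines and should be dropped. The message would also be more useful if it named which library or header check failed, since the user is otherwise pointed only at --without-pam.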
diff --git a/wscript b/wscript
index 5a82c61..de85591 100644
--- a/wscript
+++ b/wscript
@@ -179,10 +179,11 @@ def configure(conf):
conf.RECURSE('selftest')
if conf.CONFIG_GET('ENABLE_SELFTEST'):
conf.RECURSE('lib/nss_wrapper')
- conf.RECURSE('lib/pam_wrapper')
conf.RECURSE('lib/resolv_wrapper')
conf.RECURSE('lib/socket_wrapper')
conf.RECURSE('lib/uid_wrapper')
+ if Options.options.with_pam:
+ conf.RECURSE('lib/pam_wrapper')
if Options.options.with_ntvfs_fileserver != False:
if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5):
conf.DEFINE('WITH_NTVFS_FILESERVER', 1)
diff --git a/wscript_build b/wscript_build
index 59e0bdf..2ddcdcc 100644
--- a/wscript_build
+++ b/wscript_build
@@ -69,7 +69,7 @@ bld.RECURSE('source4/lib/cmdline')
bld.RECURSE('source4/lib/http')
if bld.CONFIG_GET('NSS_WRAPPER'):
bld.RECURSE('lib/nss_wrapper')
-if bld.CONFIG_GET('PAM_WRAPPER'):
+if bld.CONFIG_GET('PAM_WRAPPER') and Options.options.with_pam:
bld.RECURSE('lib/pam_wrapper')
if bld.CONFIG_GET('SOCKET_WRAPPER'):
bld.RECURSE('lib/socket_wrapper')
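Review bot: the new condition on the PAM_WRAPPER line reads Options.options.with_pam, a command-line option, at build time, whereas the neighbouring wrappers are gated only on configure results through bld.CONFIG_GET(...). Configure already records the PAM decision (source3/wscript defines WITH_PAM), so a check along the lines of bld.CONFIG_GET('WITH_PAM') would tie the build to what configure decided rather than to the options of the build invocation. The hunk does not show an Options import either, so it is worth confirming that one is in scope in wscript_build.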
--
Samba Shared Repository
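
The domain-match rule described in the 9d419c3 commit message, as an added example that is not part of the original mail and is not Samba's code: it compares SIDs in text form instead of calling dom_sid_in_domain(), and the struct and function names are hypothetical. The sample data is constructed from the values in the lsa_LookupSids dump.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the LSA reply structures shown in the dump. */
struct ref_domain { const char *name; const char *sid; };
struct translated { const char *sid; unsigned sid_index; };

/* True when sid is dom_sid followed by exactly one RID (canonical text form). */
static bool sid_str_in_domain(const char *dom_sid, const char *sid)
{
    size_t n = strlen(dom_sid);
    const char *rid;
    if (strncmp(dom_sid, sid, n) != 0 || sid[n] != '-' || sid[n + 1] == '\0') {
        return false;
    }
    for (rid = sid + n + 1; *rid != '\0'; rid++) {
        if (!isdigit((unsigned char)*rid)) return false; /* extra sub-authority */
    }
    return true;
}

/* Referenced domain name, or NULL when that domain does not own the SID. */
static const char *domain_name_for(const struct ref_domain *doms, size_t ndoms,
                                   const struct translated *t)
{
    if (t->sid_index >= ndoms ||
        !sid_str_in_domain(doms[t->sid_index].sid, t->sid)) {
        return NULL; /* caller falls back to its own domain list or the default */
    }
    return doms[t->sid_index].name;
}

/* Constructed from the dump: one referenced domain, both names at sid_index 0. */
static const struct ref_domain DOMS[] = {
    { "DOMAIN2", "S-1-5-21-1387724271-3540671778-1971508351" } };
static const struct translated NAMES[] = {
    { "S-1-5-21-1387724271-3540671778-1971508351-1115", 0 },
    { "S-1-5-21-3293503978-489118715-2763867031-1106", 0 } };

int main(void)
{
    for (size_t i = 0; i < 2; i++) {
        const char *d = domain_name_for(DOMS, 1, &NAMES[i]);
        printf("%s -> %s\n", NAMES[i].sid, d ? d : "(no match, fall back)");
    }
    return 0;
}
```
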