[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Mon Jan 2 20:53:04 UTC 2017


The branch, master has been updated
       via  ec62194 winbind: Remove find_builtin_domain helper function
       via  7981c6f winbind: Remove wb_fill_pwent
       via  c4e9ec5 winbind: Go through wb_getpwsid for listing users
       via  901d2bd winbind: Add wbint_QueryUserRidList
       via  a1ba988 winbind: Fix a confusing indentation
       via  730b176 winbind: Simplify wb_gettoken
       via  7bc161d winbind: Don't do supplementary group lookup manually
       via  cff1924 idmap_ad: Restore querying SFU nss info
       via  bce19a6 winbind: Restructure wb_getpwsid
       via  d0f1d76 winbind: Adapt cache to extended wbint_userinfo
       via  2022ec8 winbind: Add a GetNssInfo parent/child call
       via  c98ad0a winbind: Make "idmap_find_domain" public
       via  2702114 winbind: It's legitimate to have 0 groups in info3
       via  2562d19 idmap: Simplify idmap_ad_nss_init()
       via  c2e1f4e winbind: Fix wb_lookupsids for AD DCs
       via  22b2151 winbind4: Remove unused code
       via  2481584 winbind: Initialize user list info to 0
       via  7c3ea9f s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()
       via  b61a937 s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED
       via  6f029d5 s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails
       via  e838347 s4:librpc/rpc: make sure we handle DCERPC_PACKET before DCERPC_CONNECT
       via  94fc5c4 s4:librpc/rpc: don't do an anonymous bind over ncacn_np:server[packet]
      from  59abfcb WAF: Fix detection of IPv6

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ec621945670bc023ad4a849f2e9af4eb8c299c20
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Dec 30 11:51:37 2016 +0000

    winbind: Remove find_builtin_domain helper function
    
    There was only one caller, and the function was pretty small anyway.
    
    This makes a "git grep find_domain_from" more obvious :-)
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Jan  2 21:52:02 CET 2017 on sn-devel-144

commit 7981c6f9b5ce7ce294bfc9932286b7da03390c01
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Dec 30 11:47:45 2016 +0000

    winbind: Remove wb_fill_pwent
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit c4e9ec55f10efb1d8eb39ed54580194973bb26ad
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 29 19:05:40 2016 +0000

    winbind: Go through wb_getpwsid for listing users
    
    This makes sure we get the same results for getpwnam and getpwent.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 901d2bd99b208cf3a87243da2a2c7e8a8656efab
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 29 18:13:28 2016 +0000

    winbind: Add wbint_QueryUserRidList
    
    This is an equivalent of QueryUserList with simpler output. The next
    commit will use it to go through wb_getpwsid for getent passwd, to
    make sure we get the same results. Eventually, this might get a simpler
    backend.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a1ba988c03f45ee21d04d4b27409ebdb3db9fa4c
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 29 15:34:41 2016 +0000

    winbind: Fix a confusing indentation
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 730b176ffb3ba2e1452d04e1c75a4405b90132e6
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Dec 25 10:19:38 2016 +0000

    winbind: Simplify wb_gettoken
    
    All we need from the domain struct is its sid. Directly use it.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 7bc161db7a5c5c3b05160a92abfd5f646c4ea8f0
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Dec 25 10:16:31 2016 +0000

    winbind: Don't do supplementary group lookup manually
    
    This can never be done successfully without a valid samlogon_cache entry.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit cff192413031a8bafe0b2b27e1aecd162422f855
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 29 10:27:58 2016 +0000

    idmap_ad: Restore querying SFU nss info
    
    With the last commit the getpwsid call did not look at the winbind
    nss info parameter anymore. This restores it for the idmap ad backend
    with slightly different semantics and configuration: We now have the
    unix_primary_group and unix_nss_info domain-specific parameters for
    idmap config. This enables overriding the Windows primary group with
    the unix one.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit bce19a6efe11980933531f0349c8f5212419366a
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 29 10:05:28 2016 +0000

    winbind: Restructure wb_getpwsid
    
    This patch moves the responsibility to create a winbind user from the
    winbind backends into wb_queryuser.c. The name comes from lsa_lookupsids,
    the uid from idmap. If we have a netsamlogon_cache, we get the primary
    group sid from there. Without netsamlogon_cache, we default to -513, as
    we do right now as default for non-reachable ADS domains anyway. Shell
    and homedir default to template. This can all be done in the parent
    without contacting any LDAP-related calls and is correct once we have
    a netsamlogon_cache.
    
    Once the parent has filled in the userinfo, the idmap child is queried
    with the GetNssInfo call, taking the userinfo [in,out]. The child is
    free to override the whole thing, something the AD backend will do in
    the next patch.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit d0f1d761b5765df8525f991554ffd333d4a247d6
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Dec 30 10:57:50 2016 +0000

    winbind: Adapt cache to extended wbint_userinfo
    
    Separate commit, UL/ was missing some fields already
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2022ec8770ff05d91f6eaf2ae3da7a4150697d56
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 29 09:56:29 2016 +0000

    winbind: Add a GetNssInfo parent/child call
    
    This call will be done in the idmap child. It is not 100% the right place,
    but there is no better one available to me. It will become a replacement
    for the "winbind nss info" parameter: This global parameter is good
    for just one domain. It might be possible to have idmap backend AD for
    different domains, and the NSS info like primary gid, homedir and shell
    might be done with different policies per domain. As we already have a
    domain-specific idmap configuration, doing the NSS info configuration
    there also is the closest way to do it.
    
    The alternative, if we did not want to put this call into the idmap child
    would be to establish an equivalent engine like the whole "idmap config
    *" just for the nss info. But as I believe this is closely related,
    I'll just keep it in the idmap child.
    
    This also extends the wbint_userinfo structure with pretty much all user
    related fields. The idea is that the GetNssInfo call can do whatever it
    wants with it.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
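The per-domain NSS info configuration that this commit message and the idmap_ad commit (cff1924, above) describe, written out as an smb.conf fragment. This is an added example, not part of the commit series or of the Samba manpage; the realm, domain names and id ranges are made up for illustration, and the two option names are the ones introduced in docs-xml/manpages/idmap_ad.8.xml and read with lp_parm_bool() in idmap_ad.c:

```ini
# Added example (not from the commit series). Realm, domain names and
# ranges are assumptions; the option names come from the patch.
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE.COM
    security = ads

    # Backend for every domain not configured explicitly below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Primary domain: ids from the RFC2307 attributes; additionally take
    # the Unix primary group and the login shell / home directory from
    # the directory instead of the Windows primary group and the
    # template values. Both options default to "no" in the patch.
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 10000-999999
    idmap config CORP : unix_primary_group = yes
    idmap config CORP : unix_nss_info = yes

    # Trusted domain with a different policy: same backend, but keep the
    # Windows primary group and the template shell/homedir.
    idmap config PARTNER : backend = ad
    idmap config PARTNER : schema_mode = rfc2307
    idmap config PARTNER : range = 1000000-1999999
    idmap config PARTNER : unix_primary_group = no
    idmap config PARTNER : unix_nss_info = no

    # Used whenever unix_nss_info is "no" or the attribute is absent.
    template shell = /bin/bash
    template homedir = /home/%D/%U
```

Because idmap_ad_query_user() copies the shell and home directory attributes verbatim into the passwd entry, enabling unix_nss_info for a domain means that whoever can write those attributes in that domain's directory decides the login shell winbind hands to NSS. Enable it only for domains whose RFC2307/SFU attributes are write-protected, and leave it off for trusts you do not administer.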

commit c98ad0accae2b32526cfdc4577cc6d5adafc5f00
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Dec 29 09:54:56 2016 +0000

    winbind: Make "idmap_find_domain" public
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2702114a94100fd07696438a6acc73c7f934ccd1
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Dec 25 10:12:59 2016 +0000

    winbind: It's legitimate to have 0 groups in info3
    
    At least a Samba DC can send an info3 struct with base.groups.count==0. We
    should not fail with that and just return 0 groups.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2562d195802d69d9f485a6c59a1854fc9345d5f5
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Dec 17 15:03:59 2016 +0100

    idmap: Simplify idmap_ad_nss_init()
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit c2e1f4eec972ba31b225d5941c1d491fdb75ffaa
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Dec 25 11:33:53 2016 +0000

    winbind: Fix wb_lookupsids for AD DCs
    
    Not yet a fix, but the IS_DC macro also contains the
    ROLE_ACTIVE_DIRECTORY_DC, and once we start to fully do this we'll
    need it.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 22b2151fb52655b06e62edcda080ea9392045237
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Dec 27 14:01:13 2016 +0000

    winbind4: Remove unused code
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2481584b8b5c6d0b742fb9b5cc5e72223a80028b
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Dec 30 11:08:22 2016 +0000

    winbind: Initialize user list info to 0
    
    Further down wbint_userinfo will be extended. Make sure we don't
    have uninitialized memory hanging around
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 7c3ea9fe96336483752adb821f8062a883d52998
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 22 08:49:38 2016 +0100

    s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()
    
    This avoids the usage of the ccselect_realm logic in MIT krb5,
    which leads to unpredictable results.
    
    The problem is the usage of gss_acquire_cred(), that just creates
    a credential handle without ccache.
    
    As a result gss_init_sec_context() will trigger a code path
    where it uses "ccselect" plugins. And the ccselect_realm
    module just chooses a random ccache from a global list
    where the realm of the provided target principal matches
    the realm of the ccache user principal.
    
    In the winbindd case we're using MEMORY:cliconnect to setup
    the smb connection to the DC. For ldap connections we use
    MEMORY:winbind_ccache.
    
    The typical case is that we do the smb connection first.
    If we try to create a new ldap connection, while the
    credentials in MEMORY:cliconnect are expired,
    we'll do the required kinit into MEMORY:winbind_ccache,
    but the ccselect_realm module will select MEMORY:cliconnect
    and tries to get a service ticket for the ldap server
    using the already expired TGT from MEMORY:cliconnect.
    
    The solution will be to use gss_krb5_import_cred() and explicitly
    pass the desired ccache, which avoids the ccselect logic.
    
    We could also use gss_acquire_cred_from(), but that's only available
    in modern MIT krb5 versions, while gss_krb5_import_cred() is available
    in heimdal and all supported MIT versions (>=1.9).
    As far as I can see both call the same internal function in MIT
    (at least for the ccache case).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b61a93755ca59a58775c1c8c21baee49fef42fbf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 22 08:47:32 2016 +0100

    s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED
    
    We always have gss_krb5_import_cred(), it is available in heimdal
    and also the oldest version (1.9) of MIT krb5 that we support.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6f029d58703f657e46fee35fc663128157db4d9f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 22 08:46:21 2016 +0100

    s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit e8383471056805233588e1ecc79c1d590cbc93f0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 29 11:13:55 2016 +0100

    s4:librpc/rpc: make sure we handle DCERPC_PACKET before DCERPC_CONNECT
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 94fc5c48b756d2938589c0b9363f29995a08ea2f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 29 11:11:50 2016 +0100

    s4:librpc/rpc: don't do an anonymous bind over ncacn_np:server[packet]
    
    DCERPC_AUTH_LEVEL_PACKET is basically the same as
    DCERPC_AUTH_LEVEL_INTEGRITY.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/idmap_ad.8.xml     |  14 +
 librpc/idl/winbind.idl               |  11 +
 source3/include/idmap.h              |   4 +
 source3/librpc/crypto/gse.c          |  38 +--
 source3/winbindd/idmap.c             |   2 +-
 source3/winbindd/idmap_ad.c          | 110 ++++++++
 source3/winbindd/idmap_ad_nss.c      |  31 +--
 source3/winbindd/idmap_proto.h       |   1 +
 source3/winbindd/wb_fill_pwent.c     | 248 ------------------
 source3/winbindd/wb_getpwsid.c       | 117 +++------
 source3/winbindd/wb_gettoken.c       |  72 ++---
 source3/winbindd/wb_lookupsids.c     |   3 +-
 source3/winbindd/wb_next_pwent.c     |  36 +--
 source3/winbindd/wb_queryuser.c      | 286 +++++++++++++++++++-
 source3/winbindd/winbindd.h          |   5 +-
 source3/winbindd/winbindd_cache.c    |  23 +-
 source3/winbindd/winbindd_dual_srv.c |  61 +++++
 source3/winbindd/winbindd_proto.h    |   8 -
 source3/winbindd/winbindd_rpc.c      |   2 +
 source3/winbindd/winbindd_util.c     |  17 --
 source3/winbindd/wscript_build       |   1 -
 source4/librpc/rpc/dcerpc.c          |   4 +-
 source4/librpc/rpc/dcerpc_util.c     |   2 +-
 source4/winbind/wb_async_helpers.c   | 494 -----------------------------------
 source4/winbind/wb_async_helpers.h   |  37 ---
 source4/winbind/wb_utils.c           |   1 -
 source4/winbind/wscript_build        |   2 +-
 27 files changed, 630 insertions(+), 1000 deletions(-)
 delete mode 100644 source3/winbindd/wb_fill_pwent.c
 delete mode 100644 source4/winbind/wb_async_helpers.c
 delete mode 100644 source4/winbind/wb_async_helpers.h


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 5876c46..58e7f52 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -74,6 +74,20 @@
 			via the "primaryGroupID" LDAP attribute.
 		</para></listitem>
 		</varlistentry>
+		<varlistentry>
+		<term>unix_primary_group = yes/no</term>
+		<listitem><para>
+		  Defines whether to retrieve the user's primary group
+		  from the SFU attributes.
+		</para></listitem>
+		</varlistentry>
+		<varlistentry>
+		<term>unix_nss_info = yes/no</term>
+		<listitem><para>
+		  Defines whether to retrieve the login shell and
+		  home directory from the SFU attributes.
+		</para></listitem>
+		</varlistentry>
 	</variablelist>
 </refsect1>
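Review bot: the two new varlistentry blocks state no default, although idmap_ad.c reads both with lp_parm_bool(..., false); add "Default: no" to each, as the other entries in this manpage do for their options. Both descriptions also say "SFU attributes" while the default schema_mode is rfc2307 and the code uses whichever gid/dir/shell attributes the schema_mode selects, so "the RFC2307/SFU attributes selected by schema_mode" would be accurate. Worth a sentence too: unix_nss_info copies loginShell/home directory values verbatim into the passwd entry, so these attributes should be write-protected in the directory before the option is turned on.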
 
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index ec472c5..d38b17a 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -72,11 +72,14 @@ interface winbind
 	);
 
     typedef [public] struct {
+	[string,charset(UTF8)] char *domain_name;
 	[string,charset(UTF8)] char *acct_name;
 	[string,charset(UTF8)] char *full_name;
 	[string,charset(UTF8)] char *homedir;
 	[string,charset(UTF8)] char *shell;
+	hyper uid;
 	hyper primary_gid;
+	[string,charset(UTF8)] char *primary_group_name;
 	dom_sid user_sid;
 	dom_sid group_sid;
     } wbint_userinfo;
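Review bot: adding domain_name, uid and primary_group_name changes the NDR layout of a [public] struct that the parent/child calls and the UL/ cache entries carry; winbindd_cache.c is in the summary but outside the truncated changeset, so please confirm the cache version is bumped (or the UL/ centry format is otherwise versioned), otherwise entries written by a previous winbindd would be read with the new field order. Also uid is a hyper while uid_t is 32-bit on the consumers; the place that casts it into struct winbindd_pw should range-check rather than truncate.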
@@ -86,6 +89,10 @@ interface winbind
 	[out] wbint_userinfo *info
 	);
 
+    NTSTATUS wbint_GetNssInfo(
+	[in,out] wbint_userinfo *info
+	);
+
     typedef [public] struct {
 	uint32 num_sids;
 	[size_is(num_sids)] dom_sid sids[];
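Review bot: the [in,out] wbint_userinfo lets the idmap child rewrite every field, including user_sid, uid and acct_name, while the commit message says only primary gid, homedir and shell are meant to be backend policy. Either document in the IDL which fields a backend may change, or have the parent copy back only primary_gid, homedir, shell and full_name after wbint_GetNssInfo returns, so a buggy or compromised idmap child cannot replace the identity the parent already resolved through lsa_lookupsids and idmap.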
@@ -140,6 +147,10 @@ interface winbind
 	[out] wbint_Principals *groups
 	);
 
+    NTSTATUS wbint_QueryUserRidList(
+	[out] wbint_RidArray *rids
+	);
+
     NTSTATUS wbint_DsGetDcName(
 	[in,string,charset(UTF8)]		char *domain_name,
 	[in,unique]				GUID *domain_guid,
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
index 800e694..c379eba 100644
--- a/source3/include/idmap.h
+++ b/source3/include/idmap.h
@@ -32,9 +32,13 @@
 
 #include "librpc/gen_ndr/idmap.h"
 
+struct wbint_userinfo;
+
 struct idmap_domain {
 	const char *name;
 	struct idmap_methods *methods;
+	NTSTATUS (*query_user)(struct idmap_domain *domain,
+			       struct wbint_userinfo *info);
 	uint32_t low_id;
 	uint32_t high_id;
 	bool read_only;
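Review bot: query_user is an optional callback with no comment saying it may be NULL; only idmap_ad sets it (idmap_ad_initialize below), so every other backend leaves the pointer unset and the GetNssInfo dispatcher in winbindd_dual_srv.c (not in the truncated changeset) has to check for NULL before calling it. A one-line comment on the field stating that contract, and placing it next to `struct idmap_methods *methods;` as a second method slot, would stop the next backend from assuming it is always present.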
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index e4ceed1..792700e 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -172,8 +172,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 	k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
 				&gse_ctx->ccache);
 	if (k5ret) {
-		DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
-			  error_message(k5ret)));
+		DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n",
+			  ccache_name, error_message(k5ret)));
 		status = NT_STATUS_INTERNAL_ERROR;
 		goto err_out;
 	}
@@ -204,7 +204,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 	struct gse_context *gse_ctx;
 	OM_uint32 gss_maj, gss_min;
 	gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
-	gss_OID_set_desc mech_set;
 #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
 	gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
 	gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
@@ -253,20 +252,26 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 	/* TODO: get krb5 ticket using username/password, if no valid
 	 * one already available in ccache */
 
-	mech_set.count = 1;
-	mech_set.elements = &gse_ctx->gss_mech;
-
-	gss_maj = gss_acquire_cred(&gss_min,
-				   GSS_C_NO_NAME,
-				   GSS_C_INDEFINITE,
-				   &mech_set,
-				   GSS_C_INITIATE,
-				   &gse_ctx->creds,
-				   NULL, NULL);
+	gss_maj = gss_krb5_import_cred(&gss_min,
+				       gse_ctx->ccache,
+				       NULL, /* keytab_principal */
+				       NULL, /* keytab */
+				       &gse_ctx->creds);
 	if (gss_maj) {
-		DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s] -"
+		char *ccache = NULL;
+		int kret;
+
+		kret = krb5_cc_get_full_name(gse_ctx->k5ctx,
+					     gse_ctx->ccache,
+					     &ccache);
+		if (kret != 0) {
+			ccache = NULL;
+		}
+
+		DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
 			  "the caller may retry after a kinit.\n",
-			  gse_errstr(gse_ctx, gss_maj, gss_min)));
+			  ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
+		SAFE_FREE(ccache);
 		status = NT_STATUS_INTERNAL_ERROR;
 		goto err_out;
 	}
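Review bot: when krb5_cc_get_full_name() fails, `ccache` is set to NULL and then passed to the "%s" in the DEBUG call, which is undefined behaviour for printf-style formatting; substitute a placeholder such as "<unknown>" in the failure branch. The name returned by krb5_cc_get_full_name() is also allocated by the krb5 library and documented to be released with krb5_free_string() on MIT (krb5_xfree() on Heimdal), not with SAFE_FREE(); mixing allocators is fine on glibc today but is exactly the kind of thing that breaks with a differently built libkrb5.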
@@ -390,8 +395,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
-#ifdef HAVE_GSS_KRB5_IMPORT_CRED
-
 	/* This creates a GSSAPI cred_id_t with the keytab set */
 	gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, 
 				       &gse_ctx->creds);
@@ -410,7 +413,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 		 * principal in request'.  Work around the issue by
 		 * falling back to the alternate approach below. */
 	} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
-#endif
 	/* FIXME!!!
 	 * This call sets the default keytab for the whole server, not
 	 * just for this context. Need to find a way that does not alter
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 84834f1..6a52633 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -500,7 +500,7 @@ fail:
  * add_trusted_domain.
  */
 
-static struct idmap_domain *idmap_find_domain(const char *domname)
+struct idmap_domain *idmap_find_domain(const char *domname)
 {
 	bool ok;
 	int i;
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index c385cf0..f406392 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -39,8 +39,14 @@ struct idmap_ad_context {
 	struct tldap_context *ld;
 	struct idmap_ad_schema_names *schema;
 	const char *default_nc;
+
+	bool unix_primary_group;
+	bool unix_nss_info;
 };
 
+static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
+				     struct idmap_ad_context **pctx);
+
 static char *get_schema_path(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
 {
 	struct tldap_message *rootdse;
@@ -396,6 +402,11 @@ static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	ctx->unix_primary_group = lp_parm_bool(
+		-1, schema_config_option, "unix_primary_group", false);
+	ctx->unix_nss_info = lp_parm_bool(
+		-1, schema_config_option, "unix_nss_info", false);
+
 	schema_mode = lp_parm_const_string(
 		-1, schema_config_option, "schema_mode", "rfc2307");
 	TALLOC_FREE(schema_config_option);
@@ -412,8 +423,107 @@ static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS idmap_ad_query_user(struct idmap_domain *domain,
+				    struct wbint_userinfo *info)
+{
+	struct idmap_ad_context *ctx;
+	TLDAPRC rc;
+	NTSTATUS status;
+	char *sidstr, *filter;
+	const char *attrs[4];
+	size_t i, num_msgs;
+	struct tldap_message **msgs;
+
+	status = idmap_ad_get_context(domain, &ctx);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	if (!(ctx->unix_primary_group || ctx->unix_nss_info)) {
+		return NT_STATUS_OK;
+	}
+
+	attrs[0] = ctx->schema->gid;
+	attrs[1] = ctx->schema->gecos;
+	attrs[2] = ctx->schema->dir;
+	attrs[3] = ctx->schema->shell;
+
+	sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), &info->user_sid);
+	if (sidstr == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	filter = talloc_asprintf(talloc_tos(), "(objectsid=%s)", sidstr);
+	TALLOC_FREE(sidstr);
+	if (filter == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	DBG_DEBUG("Filter: [%s]\n", filter);
+
+	rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
+			  attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
+			  0, 0, 0, talloc_tos(), &msgs);
+	if (!TLDAP_RC_IS_SUCCESS(rc)) {
+		return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+	}
+
+	TALLOC_FREE(filter);
+
+	num_msgs = talloc_array_length(msgs);
+
+	for (i=0; i<num_msgs; i++) {
+		struct tldap_message *msg = msgs[i];
+
+		if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
+			continue;
+		}
+
+		if (ctx->unix_primary_group) {
+			bool ok;
+			uint32_t gid;
+
+			ok = tldap_pull_uint32(msg, ctx->schema->gid, &gid);
+			if (ok) {
+				DBG_DEBUG("Setting primary group "
+					  "to %"PRIu32" from attr %s\n",
+					  gid, ctx->schema->gid);
+				info->primary_gid = gid;
+			}
+		}
+
+		if (ctx->unix_nss_info) {
+			char *attr;
+
+			attr = tldap_talloc_single_attribute(
+				msg, ctx->schema->dir, talloc_tos());
+			if (attr != NULL) {
+				info->homedir = talloc_move(info, &attr);
+			}
+			TALLOC_FREE(attr);
+
+			attr = tldap_talloc_single_attribute(
+				msg, ctx->schema->shell, talloc_tos());
+			if (attr != NULL) {
+				info->shell = talloc_move(info, &attr);
+			}
+			TALLOC_FREE(attr);
+
+			attr = tldap_talloc_single_attribute(
+				msg, ctx->schema->gecos, talloc_tos());
+			if (attr != NULL) {
+				info->full_name = talloc_move(info, &attr);
+			}
+			TALLOC_FREE(attr);
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom)
 {
+	dom->query_user = idmap_ad_query_user;
 	dom->private_data = NULL;
 	return NT_STATUS_OK;
 }
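Review bot: with unix_primary_group the loop overwrites info->primary_gid from the schema gid attribute but leaves info->group_sid (and the new primary_group_name field) pointing at the Windows primary group, so the gid in the passwd entry and the group winbind names for it can disagree; either map the gid back to a SID through idmap and update group_sid, or state in the manpage that the two may diverge. The value is also taken as-is: nothing rejects gid 0 or a gid outside the domain's low_id/high_id range, and shell, homedir and full_name are copied verbatim, so write access to those directory attributes is write access to the login shell winbind hands to NSS; a range check on the gid and a docs note that the attributes must be protected would help. Minor: objectsid lookups return at most one entry, so a `break` after the first TLDAP_RES_SEARCH_ENTRY (or an error on a second) makes the last-one-wins loop explicit.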
diff --git a/source3/winbindd/idmap_ad_nss.c b/source3/winbindd/idmap_ad_nss.c
index 8c5a13d..d979231 100644
--- a/source3/winbindd/idmap_ad_nss.c
+++ b/source3/winbindd/idmap_ad_nss.c
@@ -502,29 +502,24 @@ static struct nss_info_methods nss_sfu20_methods = {
 
 NTSTATUS idmap_ad_nss_init(void)
 {
-	static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
-	static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
-	static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;
+	NTSTATUS status;
 
-	if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
-		status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
-							    "rfc2307",  &nss_rfc2307_methods );
-		if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
-			return status_nss_rfc2307;
+	status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+					"rfc2307",  &nss_rfc2307_methods);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
-	if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
-		status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
-							"sfu",  &nss_sfu_methods );
-		if ( !NT_STATUS_IS_OK(status_nss_sfu) )
-			return status_nss_sfu;
+	status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+					"sfu",  &nss_sfu_methods);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
-	if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
-		status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
-							"sfu20",  &nss_sfu20_methods );
-		if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
-			return status_nss_sfu20;
+	status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+					"sfu20",  &nss_sfu20_methods);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
 	return NT_STATUS_OK;
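Review bot: the static status variables that are removed here made idmap_ad_nss_init() idempotent; without them a second call re-registers "rfc2307", "sfu" and "sfu20", and if smb_register_idmap_nss() rejects an already-registered name the caller now fails where it used to succeed. Please confirm the init is invoked exactly once (module load path), or keep a single static "already initialized" guard.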
diff --git a/source3/winbindd/idmap_proto.h b/source3/winbindd/idmap_proto.h
index 84cc2f0..0e25963 100644
--- a/source3/winbindd/idmap_proto.h
+++ b/source3/winbindd/idmap_proto.h
@@ -36,6 +36,7 @@ NTSTATUS idmap_allocate_uid(struct unixid *id);
 NTSTATUS idmap_allocate_gid(struct unixid *id);
 NTSTATUS idmap_backend_unixids_to_sids(struct id_map **maps,
 				       const char *domain_name);
+struct idmap_domain *idmap_find_domain(const char *domname);
 
 /* The following definitions come from winbindd/idmap_nss.c  */
 
diff --git a/source3/winbindd/wb_fill_pwent.c b/source3/winbindd/wb_fill_pwent.c
deleted file mode 100644
index 2229b05..0000000
--- a/source3/winbindd/wb_fill_pwent.c
+++ /dev/null
@@ -1,248 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-   async fill_pwent
-   Copyright (C) Volker Lendecke 2009
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "winbindd.h"
-#include "librpc/gen_ndr/ndr_winbind_c.h"
-
-struct wb_fill_pwent_state {
-	struct tevent_context *ev;
-	const struct wbint_userinfo *info;
-	struct winbindd_pw *pw;
-};
-
-static bool fillup_pw_field(const char *lp_template,
-			    const char *username,
-			    const char *grpname,
-			    const char *domname,
-			    uid_t uid,
-			    gid_t gid,
-			    const char *in,
-			    fstring out);
-
-static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq);
-static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq);
-
-struct tevent_req *wb_fill_pwent_send(TALLOC_CTX *mem_ctx,
-				      struct tevent_context *ev,
-				      const struct wbint_userinfo *info,
-				      struct winbindd_pw *pw)
-{
-	struct tevent_req *req, *subreq;
-	struct wb_fill_pwent_state *state;
-
-	req = tevent_req_create(mem_ctx, &state, struct wb_fill_pwent_state);
-	if (req == NULL) {
-		return NULL;
-	}
-	state->ev = ev;
-	state->info = info;
-	state->pw = pw;
-
-	subreq = wb_sids2xids_send(state, state->ev, &state->info->user_sid, 1);
-	if (tevent_req_nomem(subreq, req)) {
-		return tevent_req_post(req, ev);
-	}
-	tevent_req_set_callback(subreq, wb_fill_pwent_sid2uid_done, req);
-	return req;
-}
-
-static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq)
-{
-	struct tevent_req *req = tevent_req_callback_data(
-		subreq, struct tevent_req);
-	struct wb_fill_pwent_state *state = tevent_req_data(
-		req, struct wb_fill_pwent_state);
-	NTSTATUS status;
-	struct unixid xids[1];
-
-	status = wb_sids2xids_recv(subreq, xids, ARRAY_SIZE(xids));
-	TALLOC_FREE(subreq);
-	if (tevent_req_nterror(req, status)) {
-		return;
-	}
-
-	/*
-	 * We are filtering further down in sids2xids, but that filtering
-	 * depends on the actual type of the sid handed in (as determined
-	 * by lookupsids). Here we need to filter for the type of object
-	 * actually requested, in this case uid.
-	 */
-	if (!(xids[0].type == ID_TYPE_UID || xids[0].type == ID_TYPE_BOTH)) {
-		tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
-		return;
-	}
-
-	state->pw->pw_uid = (uid_t)xids[0].id;
-
-	subreq = wb_getgrsid_send(state, state->ev, &state->info->group_sid, 0);
-	if (tevent_req_nomem(subreq, req)) {
-		return;
-	}
-	tevent_req_set_callback(subreq, wb_fill_pwent_getgrsid_done, req);
-}
-
-static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq)
-{
-	struct tevent_req *req = tevent_req_callback_data(
-		subreq, struct tevent_req);
-	struct wb_fill_pwent_state *state = tevent_req_data(
-		req, struct wb_fill_pwent_state);
-	struct winbindd_domain *domain;
-	const char *dom_name;
-	const char *grp_name;
-	fstring user_name, output_username;
-	char *mapped_name = NULL;
-	struct talloc_dict *members;
-	TALLOC_CTX *tmp_ctx = talloc_stackframe();
-	NTSTATUS status;
-	bool ok;
-
-	/* xid handling is done in getgrsid() */
-	status = wb_getgrsid_recv(subreq,
-				  tmp_ctx,
-				  &dom_name,


-- 
Samba Shared Repository