[SCM] Samba Shared Repository - branch master updated

Alexander Bokovoy ab at samba.org
Thu Dec 20 11:16:02 UTC 2018


The branch, master has been updated
       via  63dc60767eb s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
       via  ec3adc1e5b3 s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
       via  f3bac8c9112 s3:auth_winbind: remove fallback to optional backend
       via  865538fabae s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration
      from  1b263ed631c s3-vfs-streams_xattr: add close call

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 63dc60767eb13d8fc09ed4bc44faa538581b18f1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Dec 8 23:25:40 2018 +0100

    s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
    Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144

commit ec3adc1e5b3cc953576efa795dfb25af08a8ab79
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Dec 8 22:53:21 2018 +0100

    s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit f3bac8c91121871bf8ce852bc3e3ea2e834d3f27
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Dec 8 22:48:33 2018 +0100

    s3:auth_winbind: remove fallback to optional backend
    
    This is not possible anymore, as the trustdomain backend
    was removed in commit 75c152c0d764165a4a9dd0a85390af063dd0192a.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit 865538fabaea33741f5fa542dbc3f2e08308c2c1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 19 09:38:33 2018 +0100

    s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration
    
    This happens on standalone servers, where winbindd is automatically
    started by init scripts if it's installed. But it's not really
    used and may not have a valid idmap configuration (
    "idmap config * : range" has no default!)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth.c         |  2 +-
 source3/auth/auth_winbind.c | 47 ++++++++++++++++++++++++++++++---------------
 source3/auth/token_util.c   | 18 ++++++++++++++++-
 3 files changed, 49 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index d13d0fe471c..0a96d591808 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -557,7 +557,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
 	switch (lp_server_role()) {
 	case ROLE_DOMAIN_BDC:
 	case ROLE_DOMAIN_PDC:
-		methods = "sam_netlogon3 winbind:trustdomain";
+		methods = "sam_netlogon3 winbind";
 		break;
 
 	default:
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 6bf2118037d..93b832265cf 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "auth.h"
+#include "passdb.h"
 #include "nsswitch/libwbclient/wbclient.h"
 
 #undef DBGC_CLASS
@@ -110,13 +111,37 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 	}
 
 	if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
-		struct auth_methods *auth_method =
-			(struct auth_methods *)my_private_data;
+		struct pdb_trusted_domain **domains = NULL;
+		uint32_t num_domains = 0;
+		NTSTATUS status;
+
+		if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+			status = NT_STATUS_NO_LOGON_SERVERS;
+			DBG_ERR("winbindd not running - "
+				"but required as domain member: %s\n",
+				nt_errstr(status));
+			return status;
+		}
 
-		if ( auth_method )
-			return auth_method->auth(auth_context, auth_method->private_data, 
-				mem_ctx, user_info, server_info);
-		return NT_STATUS_LOGON_FAILURE;
+		status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+		if (!NT_STATUS_IS_OK(status)) {
+			DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+				nt_errstr(status));
+			return status;
+		}
+		TALLOC_FREE(domains);
+
+		if (num_domains == 0) {
+			DBG_DEBUG("winbindd not running - ignoring without "
+				  "trusted domains\n");
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+
+		status = NT_STATUS_NO_LOGON_SERVERS;
+		DBG_ERR("winbindd not running - "
+			"but required as DC with trusts: %s\n",
+			nt_errstr(status));
+		return status;
 	}
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
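Review bot: The `return status;` after a failed `pdb_enum_trusted_domains()` passes whatever the passdb backend reported straight out as this auth method's result, yet the same block uses `NT_STATUS_NOT_IMPLEMENTED` a few lines later as the deliberate "ignore winbind" answer. If a backend can return NT_STATUS_NOT_IMPLEMENTED for trust enumeration (not visible in this hunk, so worth confirming), that failure becomes indistinguishable from the intentional skip, and a DC whose trusts could not be read would not report NO_LOGON_SERVERS. I would make the decision explicit: keep the DBG_ERR and either map the failure with `return NT_STATUS_NO_LOGON_SERVERS;` or add a comment stating which statuses are expected to propagate and why. A one-line comment on the `num_domains == 0` branch saying what NT_STATUS_NOT_IMPLEMENTED means to the caller would also help the next reader. check_winbind_security() begins and ends outside this hunk.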
@@ -164,16 +189,6 @@ static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char
 	result->name = "winbind";
 	result->auth = check_winbind_security;
 
-	if (param && *param) {
-		/* we load the 'fallback' module - if winbind isn't here, call this
-		   module */
-		auth_methods *priv;
-		if (!load_auth_module(auth_context, param, &priv)) {
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-		result->private_data = (void *)priv;
-	}
-
 	*auth_method = result;
 	return NT_STATUS_OK;
 }
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index c95d54db671..21ccb0d1fe7 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -743,7 +743,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
 		status = create_builtin_guests(domain_sid);
 		unbecome_root();
 
-		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+		/*
+		 * NT_STATUS_PROTOCOL_UNREACHABLE:
+		 * => winbindd is not running.
+		 *
+		 * NT_STATUS_ACCESS_DENIED:
+		 * => no idmap config at all
+		 * and wbint_AllocateGid()/winbind_allocate_gid()
+		 * failed.
+		 *
+		 * NT_STATUS_NO_SUCH_GROUP:
+		 * => no idmap config at all and
+		 * "tdbsam:map builtin = no" means
+		 * wbint_Sids2UnixIDs() fails.
+		 */
+		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
 			/*
 			 * Add BUILTIN\Guests directly to token.
 			 * But only if the token already indicates
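Review bot: The widened condition now swallows NT_STATUS_ACCESS_DENIED and NT_STATUS_NO_SUCH_GROUP, which are far more generic than NT_STATUS_PROTOCOL_UNREACHABLE, and nothing in the hunk records which status was ignored. The new comment ties both to a missing idmap configuration, but create_builtin_guests() may return them for other reasons as well (its body is not shown), and in that case the token is still completed through the fallback path without a trace. I would log the status on entry to the branch, `DBG_DEBUG("create_builtin_guests() failed, using fallback: %s\n", nt_errstr(status));`, so an operator can tell a missing idmap range from a real permission problem. The branch body and the rest of finalize_local_nt_token() continue outside the hunk.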


-- 
Samba Shared Repository


