[SCM] Samba Shared Repository - branch master updated
Alexander Bokovoy
ab at samba.org
Thu Dec 20 11:16:02 UTC 2018
The branch, master has been updated
via 63dc60767eb s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
via ec3adc1e5b3 s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
via f3bac8c9112 s3:auth_winbind: remove fallback to optional backend
via 865538fabae s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration
from 1b263ed631c s3-vfs-streams_xattr: add close call
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 63dc60767eb13d8fc09ed4bc44faa538581b18f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 8 23:25:40 2018 +0100
s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144
commit ec3adc1e5b3cc953576efa795dfb25af08a8ab79
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 8 22:53:21 2018 +0100
s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit f3bac8c91121871bf8ce852bc3e3ea2e834d3f27
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Dec 8 22:48:33 2018 +0100
s3:auth_winbind: remove fallback to optional backend
This is not possible anymore, as the trustdomain backend
was removed in commit 75c152c0d764165a4a9dd0a85390af063dd0192a.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 865538fabaea33741f5fa542dbc3f2e08308c2c1
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Dec 19 09:38:33 2018 +0100
s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration
This happens on standalone servers, where winbindd is automatically
started by init scripts if it's installed. But it's not really
used and may not have a valid idmap configuration (
"idmap config * : range" has no default!)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth.c | 2 +-
source3/auth/auth_winbind.c | 47 ++++++++++++++++++++++++++++++---------------
source3/auth/token_util.c | 18 ++++++++++++++++-
3 files changed, 49 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index d13d0fe471c..0a96d591808 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -557,7 +557,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
switch (lp_server_role()) {
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
- methods = "sam_netlogon3 winbind:trustdomain";
+ methods = "sam_netlogon3 winbind";
break;
default:
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 6bf2118037d..93b832265cf 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -22,6 +22,7 @@
#include "includes.h"
#include "auth.h"
+#include "passdb.h"
#include "nsswitch/libwbclient/wbclient.h"
#undef DBGC_CLASS
@@ -110,13 +111,37 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
}
if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
- struct auth_methods *auth_method =
- (struct auth_methods *)my_private_data;
+ struct pdb_trusted_domain **domains = NULL;
+ uint32_t num_domains = 0;
+ NTSTATUS status;
+
+ if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as domain member: %s\n",
+ nt_errstr(status));
+ return status;
+ }
- if ( auth_method )
- return auth_method->auth(auth_context, auth_method->private_data,
- mem_ctx, user_info, server_info);
- return NT_STATUS_LOGON_FAILURE;
+ status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ TALLOC_FREE(domains);
+
+ if (num_domains == 0) {
+ DBG_DEBUG("winbindd not running - ignoring without "
+ "trusted domains\n");
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as DC with trusts: %s\n",
+ nt_errstr(status));
+ return status;
}
if (wbc_status == WBC_ERR_AUTH_ERROR) {
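Review bot: The failure path for `pdb_enum_trusted_domains()` returns the backend's status unchanged, while a few lines later this same branch uses `NT_STATUS_NOT_IMPLEMENTED` to mean "skip this module". If a passdb backend answers the enumeration with that same code (not visible in this hunk, worth confirming against the backends in use), a PDC/BDC that does have trusts would log an error and then be skipped instead of failing with `NT_STATUS_NO_LOGON_SERVERS`. Failing closed is safer here: keep the `DBG_ERR` and replace `return status;` in that error block with `return NT_STATUS_NO_LOGON_SERVERS;`. A short comment above the `num_domains == 0` check, such as `/* no trusts: nothing for winbindd to authenticate, let the auth stack continue */`, would also make clear that this return is not an authentication success. The body of check_winbind_security starts and ends outside the hunk.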
@@ -164,16 +189,6 @@ static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char
result->name = "winbind";
result->auth = check_winbind_security;
- if (param && *param) {
- /* we load the 'fallback' module - if winbind isn't here, call this
- module */
- auth_methods *priv;
- if (!load_auth_module(auth_context, param, &priv)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- result->private_data = (void *)priv;
- }
-
*auth_method = result;
return NT_STATUS_OK;
}
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index c95d54db671..21ccb0d1fe7 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -743,7 +743,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
status = create_builtin_guests(domain_sid);
unbecome_root();
- if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+ /*
+ * NT_STATUS_PROTOCOL_UNREACHABLE:
+ * => winbindd is not running.
+ *
+ * NT_STATUS_ACCESS_DENIED:
+ * => no idmap config at all
+ * and wbint_AllocateGid()/winbind_allocate_gid()
+ * failed.
+ *
+ * NT_STATUS_NO_SUCH_GROUP:
+ * => no idmap config at all and
+ * "tdbsam:map builtin = no" means
+ * wbint_Sids2UnixIDs() fails.
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
/*
* Add BUILTIN\Guests directly to token.
* But only if the token already indicates
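Review bot: `NT_STATUS_ACCESS_DENIED` and `NT_STATUS_NO_SUCH_GROUP` are generic codes, so the widened condition after `create_builtin_guests()` will also absorb failures that have nothing to do with a missing idmap configuration, and the hunk shows no log of which status was ignored. Unless the branch body outside the hunk already does so, log it first, e.g. `DBG_DEBUG("create_builtin_guests() failed: %s - adding BUILTIN\\Guests directly\n", nt_errstr(status));`, so an unexpected denial on a server with a valid idmap setup stays visible. The if body and finalize_local_nt_token continue outside the hunk.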
--
Samba Shared Repository