[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Fri Oct 21 18:49:01 UTC 2022
The branch, master has been updated
via 284afec29ff winbind: Enforce user group policy when enabled
via 211a6a63cc6 winbind: Fix potential memory leak in winbind gpupdate
from 37831c9e507 docs-xml: Fix outdated comment in documentation
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 284afec29ff5a97612aa5950e08ac8104997a596
Author: David Mulder <dmulder at samba.org>
Date: Fri Oct 14 09:00:45 2022 -0600
winbind: Enforce user group policy when enabled
This only enforces user group policy at logon.
We should also enforce this policy every 90 to
120 minutes, but a logoff will need to cancel the
timer and we cannot have multiple timers if there
are multiple sessions for the same user.
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 21 18:48:18 UTC 2022 on sn-devel-184
commit 211a6a63cc62b2569958f18c3b11de8ac9fc97c8
Author: David Mulder <dmulder at samba.org>
Date: Fri Oct 21 11:01:41 2022 -0600
winbind: Fix potential memory leak in winbind gpupdate
Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_gpupdate.c | 61 ++++++++++++++++++++++++++++++++++++
source3/winbindd/winbindd_pam.c | 4 +++
source3/winbindd/winbindd_proto.h | 1 +
3 files changed, 66 insertions(+)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_gpupdate.c b/source3/winbindd/winbindd_gpupdate.c
index 1032251d401..475569ee9b4 100644
--- a/source3/winbindd/winbindd_gpupdate.c
+++ b/source3/winbindd/winbindd_gpupdate.c
@@ -44,6 +44,8 @@ struct gpupdate_state {
struct loadparm_context *lp_ctx;
};
+static void gpupdate_cmd_done(struct tevent_req *subreq);
+
static void gpupdate_callback(struct tevent_context *ev,
struct tevent_timer *tim,
struct timeval current_time,
@@ -71,6 +73,8 @@ static void gpupdate_callback(struct tevent_context *ev,
return;
}
+ tevent_req_set_callback(req, gpupdate_cmd_done, NULL);
+
/* Schedule the next event */
schedule = tevent_timeval_current_ofs(gpupdate_interval(), 0);
time_event = tevent_add_timer(ev, data->ctx, schedule,
@@ -115,3 +119,60 @@ void gpupdate_init(void)
}
}
+void gpupdate_user_init(const char *user)
+{
+ struct tevent_req *req = NULL;
+ TALLOC_CTX *ctx = talloc_new(global_event_context());
+ struct loadparm_context *lp_ctx =
+ loadparm_init_s3(NULL, loadparm_s3_helpers());
+ const char *const *gpupdate_cmd = lpcfg_gpo_update_command(lp_ctx);
+ const char *smbconf = lpcfg_configfile(lp_ctx);
+
+ if (ctx == NULL) {
+ DBG_ERR("talloc_new failed\n");
+ return;
+ }
+
+ /*
+ * Check if gpupdate is enabled for winbind, if not
+ * return without applying user policy.
+ */
+ if (!lpcfg_apply_group_policies(lp_ctx)) {
+ return;
+ }
+
+ /*
+ * Execute gpupdate for the user immediately.
+ * TODO: This should be scheduled to reapply every 90 to 120 minutes.
+ * Logoff will need to handle cancelling these events though, and
+ * multiple timers cannot be run for the same user, even if there are
+ * multiple active sessions.
+ */
+ req = samba_runcmd_send(ctx, global_event_context(),
+ timeval_zero(), 2, 0,
+ gpupdate_cmd,
+ "-s",
+ smbconf,
+ "--target=User",
+ "-U",
+ user,
+ NULL);
+ if (req == NULL) {
+ DBG_ERR("Failed to execute the gpupdate command\n");
+ return;
+ }
+
+ tevent_req_set_callback(req, gpupdate_cmd_done, NULL);
+}
+
+static void gpupdate_cmd_done(struct tevent_req *subreq)
+{
+ int sys_errno;
+ int ret;
+
+ ret = samba_runcmd_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret != 0) {
+ DBG_ERR("gpupdate failed with exit status %d\n", sys_errno);
+ }
+}
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9805d90fef0..f306bdad0f8 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2580,6 +2580,10 @@ done:
local,
result);
+ if (NT_STATUS_IS_OK(result)) {
+ gpupdate_user_init(r->in.info->username);
+ }
+
return result;
}
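Review bot: The name handed to `gpupdate_user_init()` is `r->in.info->username`, the field carried in the auth request, and nothing in this hunk shows it has been replaced by the account name that authentication actually resolved. Because it becomes the `-U` argument of a command winbindd launches, it would be safer to pass the canonical, domain-qualified name from the validated logon result. Failing that, the call should carry a comment such as `/* NOTE: username is the request field; confirm it is canonical before it is used as gpupdate -U */`. Each successful logon also starts a fresh gpupdate process, with no check for one already running for the same user, so a burst of logons fans out into as many child processes. The enclosing function begins outside the hunk, so any earlier normalisation of the name is not visible here.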
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 0da731d564d..bfa114c3291 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -987,6 +987,7 @@ bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain);
/* The following definitions come from winbindd/winbindd_gpupdate.c */
void gpupdate_init(void);
+void gpupdate_user_init(const char *user);
/* The following comes from winbindd/winbindd_dual_srv.c */
bool reset_cm_connection_on_error(struct winbindd_domain *domain,
--
Samba Shared Repository