[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Fri Oct 21 18:49:01 UTC 2022


The branch, master has been updated
       via  284afec29ff winbind: Enforce user group policy when enabled
       via  211a6a63cc6 winbind: Fix potential memory leak in winbind gpupdate
      from  37831c9e507 docs-xml: Fix outdated comment in documentation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 284afec29ff5a97612aa5950e08ac8104997a596
Author: David Mulder <dmulder at samba.org>
Date:   Fri Oct 14 09:00:45 2022 -0600

    winbind: Enforce user group policy when enabled
    
    This only enforces user group policy at logon.
    We should also enforce this policy every 90 to
    120 minutes, but a logoff will need to cancel the
    timer and we cannot have multiple timers if there
    are multiple sessions for the same user.
    
    Signed-off-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Oct 21 18:48:18 UTC 2022 on sn-devel-184

commit 211a6a63cc62b2569958f18c3b11de8ac9fc97c8
Author: David Mulder <dmulder at samba.org>
Date:   Fri Oct 21 11:01:41 2022 -0600

    winbind: Fix potential memory leak in winbind gpupdate
    
    Signed-off-by: David Mulder <dmulder at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_gpupdate.c | 61 ++++++++++++++++++++++++++++++++++++
 source3/winbindd/winbindd_pam.c      |  4 +++
 source3/winbindd/winbindd_proto.h    |  1 +
 3 files changed, 66 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_gpupdate.c b/source3/winbindd/winbindd_gpupdate.c
index 1032251d401..475569ee9b4 100644
--- a/source3/winbindd/winbindd_gpupdate.c
+++ b/source3/winbindd/winbindd_gpupdate.c
@@ -44,6 +44,8 @@ struct gpupdate_state {
 	struct loadparm_context *lp_ctx;
 };
 
+static void gpupdate_cmd_done(struct tevent_req *subreq);
+
 static void gpupdate_callback(struct tevent_context *ev,
 			      struct tevent_timer *tim,
 			      struct timeval current_time,
@@ -71,6 +73,8 @@ static void gpupdate_callback(struct tevent_context *ev,
 		return;
 	}
 
+	tevent_req_set_callback(req, gpupdate_cmd_done, NULL);
+
 	/* Schedule the next event */
 	schedule = tevent_timeval_current_ofs(gpupdate_interval(), 0);
 	time_event = tevent_add_timer(ev, data->ctx, schedule,
@@ -115,3 +119,60 @@ void gpupdate_init(void)
 	}
 }
 
+void gpupdate_user_init(const char *user)
+{
+	struct tevent_req *req = NULL;
+	TALLOC_CTX *ctx = talloc_new(global_event_context());
+	struct loadparm_context *lp_ctx =
+		loadparm_init_s3(NULL, loadparm_s3_helpers());
+	const char *const *gpupdate_cmd = lpcfg_gpo_update_command(lp_ctx);
+	const char *smbconf = lpcfg_configfile(lp_ctx);
+
+	if (ctx == NULL) {
+		DBG_ERR("talloc_new failed\n");
+		return;
+	}
+
+	/*
+	 * Check if gpupdate is enabled for winbind, if not
+	 * return without applying user policy.
+	 */
+	if (!lpcfg_apply_group_policies(lp_ctx)) {
+		return;
+	}
+
+	/*
+	 * Execute gpupdate for the user immediately.
+	 * TODO: This should be scheduled to reapply every 90 to 120 minutes.
+	 * Logoff will need to handle cancelling these events though, and
+	 * multiple timers cannot be run for the same user, even if there are
+	 * multiple active sessions.
+	 */
+	req = samba_runcmd_send(ctx, global_event_context(),
+				timeval_zero(), 2, 0,
+				gpupdate_cmd,
+				"-s",
+				smbconf,
+				"--target=User",
+				"-U",
+				user,
+				NULL);
+	if (req == NULL) {
+		DBG_ERR("Failed to execute the gpupdate command\n");
+		return;
+	}
+
+	tevent_req_set_callback(req, gpupdate_cmd_done, NULL);
+}
+
+static void gpupdate_cmd_done(struct tevent_req *subreq)
+{
+	int sys_errno;
+	int ret;
+
+	ret = samba_runcmd_recv(subreq, &sys_errno);
+	TALLOC_FREE(subreq);
+	if (ret != 0) {
+		DBG_ERR("gpupdate failed with exit status %d\n", sys_errno);
+	}
+}
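Review bot: `gpupdate_user_init()` never releases `ctx` or `lp_ctx`: both early returns (policies disabled, `samba_runcmd_send()` failure) and the success path leave the `talloc_new(global_event_context())` child and the `loadparm_init_s3(NULL, ...)` context allocated, so a long-running winbindd grows by two contexts on every successful logon. `lp_ctx` is also passed to `lpcfg_gpo_update_command()` and `lpcfg_configfile()` in the initialisers before any NULL check. I would parent `lp_ctx` on `ctx`, check it, free `ctx` on each early return, and pass `ctx` as the callback's private data so `gpupdate_cmd_done()` can free it; the timer path in `gpupdate_callback()` keeps passing NULL. In `gpupdate_cmd_done()`, `sys_errno` has no initialiser and is what gets printed as the "exit status", so unless `samba_runcmd_recv()` always writes it (not visible here) the log line can carry an indeterminate value; initialise it and log `ret` as well.

```c
void gpupdate_user_init(const char *user)
{
	struct tevent_req *req = NULL;
	TALLOC_CTX *ctx = talloc_new(global_event_context());
	struct loadparm_context *lp_ctx = NULL;
	const char *const *gpupdate_cmd = NULL;
	const char *smbconf = NULL;

	/* ... unchanged: ctx == NULL check ... */

	/* Parent lp_ctx on ctx so one TALLOC_FREE(ctx) releases both. */
	lp_ctx = loadparm_init_s3(ctx, loadparm_s3_helpers());
	if (lp_ctx == NULL) {
		DBG_ERR("loadparm_init_s3 failed\n");
		TALLOC_FREE(ctx);
		return;
	}

	if (!lpcfg_apply_group_policies(lp_ctx)) {
		TALLOC_FREE(ctx);
		return;
	}
	gpupdate_cmd = lpcfg_gpo_update_command(lp_ctx);
	smbconf = lpcfg_configfile(lp_ctx);

	/* ... unchanged: samba_runcmd_send() call ... */
	if (req == NULL) {
		DBG_ERR("Failed to execute the gpupdate command\n");
		TALLOC_FREE(ctx);
		return;
	}

	/* ctx owns req and lp_ctx; the completion callback frees it. */
	tevent_req_set_callback(req, gpupdate_cmd_done, ctx);
}

static void gpupdate_cmd_done(struct tevent_req *subreq)
{
	/* Fetch the private data before subreq is freed. */
	TALLOC_CTX *ctx = tevent_req_callback_data_void(subreq);
	int sys_errno = 0;
	int ret;

	ret = samba_runcmd_recv(subreq, &sys_errno);
	TALLOC_FREE(subreq);
	/* NULL on the timer path (gpupdate_callback passes NULL). */
	TALLOC_FREE(ctx);
	if (ret != 0) {
		DBG_ERR("gpupdate failed: ret=%d errno=%d\n", ret, sys_errno);
	}
}
```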
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9805d90fef0..f306bdad0f8 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2580,6 +2580,10 @@ done:
 	    local,
 	    result);
 
+	if (NT_STATUS_IS_OK(result)) {
+		gpupdate_user_init(r->in.info->username);
+	}
+
 	return result;
 }
 
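Review bot: The name handed to `gpupdate_user_init()` is `r->in.info->username`, the string taken from the incoming request, and it goes on to become the `-U` argument of an external command. Because the argument list built in `gpupdate_user_init()` is NULL-terminated, a NULL username would silently cut the command line off after `-U`, and an empty or unqualified name may select the wrong account on the gpupdate side; whether either can occur after a successful logon is not visible here, since the enclosing function starts above the hunk. I would guard the call, `if (NT_STATUS_IS_OK(result) && r->in.info->username != NULL && r->in.info->username[0] != '\0') {`, and add a comment stating which name form (domain-qualified or bare) the gpo update command expects.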
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 0da731d564d..bfa114c3291 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -987,6 +987,7 @@ bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain);
 
 /* The following definitions come from winbindd/winbindd_gpupdate.c  */
 void gpupdate_init(void);
+void gpupdate_user_init(const char *user);
 
 /* The following comes from winbindd/winbindd_dual_srv.c */
 bool reset_cm_connection_on_error(struct winbindd_domain *domain,


-- 
Samba Shared Repository


