Winbindd domain prefix fixes and additional tests for 4.2 as an AD DC

Stefan (metze) Metzmacher metze at samba.org
Tue May 5 08:12:30 MDT 2015


Hi Andrew,

> I saw the changes you had in your master4-forest branches to fix up the
> regression due to the change from winbind to winbindd in Samba 4.2, that
> you have filed bug https://bugzilla.samba.org/show_bug.cgi?id=11183 for.
> 
> I first wish to apologise, as I looked into this area with Garming a
> number of months back, while we were working in a related area, and were
> trying to get all our winbind tests running against all our
> environments.  We then identified the same issue you just fixed.
> 
> Here is your patches reviewed, and the other patches we were working on,
> rebased on current master. 
> 
> Please carefully consider, then push.

There were some minor issues with this patchset;
see the wb_opts = wb_opts_default[:] fix.

What about the attached set?
Can we push that to master?

metze
-------------- next part --------------
From d80ed01b536e66cb195a8d1933fe50bc6c8bdb3c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 9 Apr 2015 13:22:37 +0000
Subject: [PATCH 01/10] lsa.idl: add LSA_*_DISABLED_MASK helper defines

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 librpc/idl/lsa.idl | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 4ab7bc2..0823707 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1269,6 +1269,17 @@ import "misc.idl", "security.idl";
 		LSA_NB_DISABLED_CONFLICT	= 0x00000008
 	} lsa_ForestTrustRecordFlags;
 
+	const uint32 LSA_TLN_DISABLED_MASK = (
+					LSA_TLN_DISABLED_NEW |
+					LSA_TLN_DISABLED_ADMIN |
+					LSA_TLN_DISABLED_CONFLICT);
+	const uint32 LSA_SID_DISABLED_MASK = (
+					LSA_SID_DISABLED_ADMIN |
+					LSA_SID_DISABLED_CONFLICT);
+	const uint32 LSA_NB_DISABLED_MASK = (
+					LSA_NB_DISABLED_ADMIN |
+					LSA_NB_DISABLED_CONFLICT);
+
 	typedef enum {
 		LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0,
 		LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1,
-- 
1.9.1


From 462c033fbf546586f24d4c9bb5932e33f8a23f4e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 5 May 2015 10:37:14 +0200
Subject: [PATCH 02/10] s4:selftest: correctly copy a python list into a
 temporary variable

This fixes a bug in commit 0c6c081dc4e743c142a59d90c9e7f5b6e4cf5bd1.

wb_opts should be a temporary copy of wb_opts_default,
and the following wb_opts += should only change wb_opts and not wb_opts_default.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/selftest/tests.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 015e902..ad6e1d1 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -373,7 +373,7 @@ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:ti
 winbind_ad_client_tests = smbtorture4_testsuites("winbind.struct") + smbtorture4_testsuites("winbind.pac")
 winbind_wbclient_tests = smbtorture4_testsuites("winbind.wbclient")
 for env in ["ad_dc", "s4member", "ad_member"]:
-    wb_opts = wb_opts_default
+    wb_opts = wb_opts_default[:]
     wb_opts += ["--option=\"torture:winbindd_domain_without_prefix=$DOMAIN\""]
     for t in winbind_ad_client_tests:
         plansmbtorture4testsuite(t, "%s:local" % env, wb_opts + ['//$SERVER/tmp', '--realm=$REALM', '--machine-pass', '--option=torture:addc=$DC_SERVER'])
-- 
1.9.1


From cf7d9500c1d3b6216f169e925c70fe63ccaa2b98 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 28 Mar 2015 08:31:05 +0000
Subject: [PATCH 03/10] s3:winbindd: don't remove the DOMAIN\ prefix for
 principals of our own domain as AD DC

This also matches the behaviour of the source4/winbind code.

In Samba 4.0 and 4.1 we had the following

> getent passwd administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false

With Samba 4.2.0 we have:

> getent passwd administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

With the patches we have:

> getent passwd administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
---
 selftest/knownfail               |  1 -
 source3/winbindd/winbindd_util.c | 10 ++++++++++
 source4/selftest/tests.py        |  3 ++-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index ab77e0f..3e78002 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -265,7 +265,6 @@
 #
 ^samba4.winbind.struct.domain_info\(s4member:local\)
 ^samba4.winbind.struct.getdcname\(s4member:local\)
-^samba4.winbind.struct.lookup_name_sid\(s4member:local\)
 ^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
 ^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
 ^samba4.winbind.struct.getpwent\(ad_dc:local\)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index d4a1cf3..88c7568 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1052,12 +1052,18 @@ bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
     Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
     username is then unqualified in unix
 
+    On an AD DC we always fill DOMAIN\\USERNAME.
+
     We always canonicalize as UPPERCASE DOMAIN, lowercase username.
 */
 void fill_domain_username(fstring name, const char *domain, const char *user, bool can_assume)
 {
 	fstring tmp_user;
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		can_assume = false;
+	}
+
 	fstrcpy(tmp_user, user);
 	(void)strlower_m(tmp_user);
 
@@ -1081,6 +1087,10 @@ char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx,
 {
 	char *tmp_user, *name;
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		can_assume = false;
+	}
+
 	tmp_user = talloc_strdup(mem_ctx, user);
 	if (!strlower_m(tmp_user)) {
 		TALLOC_FREE(tmp_user);
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ad6e1d1..4855c6b 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -374,7 +374,8 @@ winbind_ad_client_tests = smbtorture4_testsuites("winbind.struct") + smbtorture4
 winbind_wbclient_tests = smbtorture4_testsuites("winbind.wbclient")
 for env in ["ad_dc", "s4member", "ad_member"]:
     wb_opts = wb_opts_default[:]
-    wb_opts += ["--option=\"torture:winbindd_domain_without_prefix=$DOMAIN\""]
+    if env in ["ad_member"]:
+        wb_opts += ["--option=\"torture:winbindd_domain_without_prefix=$DOMAIN\""]
     for t in winbind_ad_client_tests:
         plansmbtorture4testsuite(t, "%s:local" % env, wb_opts + ['//$SERVER/tmp', '--realm=$REALM', '--machine-pass', '--option=torture:addc=$DC_SERVER'])
 
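Review bot: `if env in ["ad_member"]:` tests membership in a one-element list where a plain equality test reads more directly; `if env == "ad_member":` says the same thing. If the list is meant to grow as more environments need the prefix-less option, a short comment stating which winbind implementation omits the DOMAIN prefix and why would help, since the commit message only describes the AD DC side.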
-- 
1.9.1


From ae259a6218689eaf23e408a84dfdca3b4ad8a899 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Fri, 24 Oct 2014 10:32:20 +1300
Subject: [PATCH 04/10] s4-winbind: Correctly reject the unsupported
 WBFLAG_PAM_AUTH_PAC flag

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source4/winbind/wb_samba3_cmd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source4/winbind/wb_samba3_cmd.c b/source4/winbind/wb_samba3_cmd.c
index 9ec3c4b..4c4033d 100644
--- a/source4/winbind/wb_samba3_cmd.c
+++ b/source4/winbind/wb_samba3_cmd.c
@@ -640,6 +640,10 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
 	DATA_BLOB chal, nt_resp, lm_resp;
 
 	DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n"));
+	if (s3call->request->flags & WBFLAG_PAM_AUTH_PAC) {
+		DEBUG(3, ("PAC validation not supported in this winbind implementation\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	chal.data       = s3call->request->data.auth_crap.chal;
 	chal.length     = sizeof(s3call->request->data.auth_crap.chal);
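Review bot: The new rejection of WBFLAG_PAM_AUTH_PAC has no comment saying why the flag is refused rather than ignored; a caller that sets it expects the PAC to be validated, so continuing would report success for a check that never ran. Suggest `/* Fail closed: the caller relies on PAC validation, which this implementation cannot perform. */` above the `if`. Naming the flag in the DEBUG message would also make the log line searchable, e.g. `"WBFLAG_PAM_AUTH_PAC requested: PAC validation not supported in this winbind implementation\n"`. wbsrv_samba3_pam_auth_crap's body continues outside the hunk.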
-- 
1.9.1


From 184ae5dd44005d2187973fa637db0490d5827ca7 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Tue, 28 Apr 2015 14:20:35 +1200
Subject: [PATCH 05/10] torture-winbind: Assert that the list of trusted
 domains is not NULL

By doing this, we avoid the test being dependent on whether the lsa trusted domains tests have run.

Otherwise, we may have a non-null extra_data against the internal winbind, but
only 1 trusted domain (torturedom), and not the local domains that were expected.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source4/torture/winbind/struct_based.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
index be6ca51..a7b6bfd 100644
--- a/source4/torture/winbind/struct_based.c
+++ b/source4/torture/winbind/struct_based.c
@@ -285,11 +285,10 @@ static bool get_trusted_domains(struct torture_context *torture,
 	DO_STRUCT_REQ_REP(WINBINDD_LIST_TRUSTDOM, &req, &rep);
 
 	extra_data = (char *)rep.extra_data.data;
-	if (!extra_data) {
-		return true;
-	}
-
-	torture_assert(torture, extra_data, "NULL trust list");
+	torture_assert(torture, extra_data != NULL,
+		       "Trust list was NULL: the list of trusted domain "
+		       "should be returned, with at least 2 entries "
+		       "(BUILTIN, and the local domain)");
 
 	while (next_token(&extra_data, line, "\n", sizeof(line))) {
 		char *p, *lp;
@@ -324,7 +323,8 @@ static bool get_trusted_domains(struct torture_context *torture,
 	SAFE_FREE(rep.extra_data.data);
 
 	torture_assert(torture, dcount >= 2,
-		       "The list of trusted domain should contain 2 entries");
+		       "The list of trusted domain should contain 2 entries "
+		       "(BUILTIN, and the local domain)");
 
 	*_d = d;
 	return true;
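Review bot: The assertion on `dcount >= 2` carries a message that says the list `should contain 2 entries`, which reads as an exact count; `"The list of trusted domains should contain at least 2 entries "` matches the condition and fixes the singular "domain". The same singular appears in the new message in the previous hunk of this file. get_trusted_domains starts outside the hunk.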
-- 
1.9.1


From e0f3e2dbbbce5ce1e22458b3f22da46e5722a6a2 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Thu, 23 Oct 2014 22:02:57 +1300
Subject: [PATCH 06/10] selftest: Run more winbind tests against more
 environments

This ensures we still test the internal winbind on the AD DC
and winbindd as a member server.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/knownfail        | 16 +++++++++++++++-
 source4/selftest/tests.py |  2 +-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 3e78002..777a4e4 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -253,7 +253,7 @@
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G against ad_member
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U check for sane mapping
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G check for sane mapping
-^samba4.winbind.struct.show_sequence\(ad_dc_ntvfs\)
+^samba4.winbind.struct.show_sequence\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--allocate-uid
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--allocate-gid
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-uid
@@ -289,6 +289,11 @@
 #
 ^samba4.winbind.struct.getdcname\(ad_member:local\)
 ^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
+^samba4.winbind.struct.lookup_name_sid\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.list_trustdom\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.domain_info\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.getdcname\(ad_dc_ntvfs:local\)
+^samba4.winbind.struct.dsgetdcname\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--all-domains.wbinfo\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--trusted-domains.wbinfo\(ad_dc_ntvfs:local\)
 ^samba.wbinfo_simple.\(ad_dc_ntvfs:local\).--online-status.wbinfo\(ad_dc_ntvfs:local\)
@@ -300,6 +305,10 @@
 ^samba.blackbox.wbinfo\(ad_dc_ntvfs:local\).wbinfo  --trusted-domains against ad_dc_ntvfs\(ad_dc_ntvfs:local\)
 ^samba.blackbox.wbinfo\(ad_dc_ntvfs:local\).wbinfo --all-domains against ad_dc_ntvfs\(ad_dc_ntvfs:local\)
 #
+# This will fail against the NTVFS DC, because it requires functionality only in winbindd
+#
+^samba4.winbind.pac.*\(ad_dc_ntvfs:local\) # Not implemented
+#
 # These do not work against winbindd in member mode for unknown reasons
 #
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U against ad_member\(ad_member:local\)
@@ -308,7 +317,12 @@
 ^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G check for sane mapping\(ad_member:local\)
 ^samba.ntlm_auth.\(ad_dc_ntvfs:local\).ntlm_auth against winbindd with failed require-membership-of
 ^samba.ntlm_auth.\(ad_dc_ntvfs:local\).ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of
+^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
 #
 # Differences in our KDC compared to windows
 #
 ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
+#
+# This will fail against the classic DC, because it requires kerberos
+#
+^samba4.winbind.pac.*\(nt4_member:local\) # No KDC on a classic DC
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 4855c6b..2ce01a1 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -372,7 +372,7 @@ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:ti
 
 winbind_ad_client_tests = smbtorture4_testsuites("winbind.struct") + smbtorture4_testsuites("winbind.pac")
 winbind_wbclient_tests = smbtorture4_testsuites("winbind.wbclient")
-for env in ["ad_dc", "s4member", "ad_member"]:
+for env in ["ad_dc", "ad_dc_ntvfs", "s4member", "ad_member", "nt4_member"]:
     wb_opts = wb_opts_default[:]
     if env in ["ad_member"]:
         wb_opts += ["--option=\"torture:winbindd_domain_without_prefix=$DOMAIN\""]
-- 
1.9.1


From 9445f67264bdad1a8e50efc9f7e013e6cb42c1e7 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Thu, 23 Oct 2014 17:58:40 +1300
Subject: [PATCH 07/10] winbindd4: Force home directory in internal winbind to
 use a lower-case username

This is a BEHAVIOUR CHANGE from Samba 4.0 and 4.1, if mixed-case
usernames were in use.

However, it matches the behaviour in winbindd in all other use cases.

Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 source4/winbind/wb_cmd_getpwnam.c | 10 ++++++++--
 source4/winbind/wb_cmd_getpwuid.c | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/source4/winbind/wb_cmd_getpwnam.c b/source4/winbind/wb_cmd_getpwnam.c
index c4f3db8..2a25ba3 100644
--- a/source4/winbind/wb_cmd_getpwnam.c
+++ b/source4/winbind/wb_cmd_getpwnam.c
@@ -110,6 +110,7 @@ static void cmd_getpwnam_recv_user_info(struct composite_context *ctx)
 	struct libnet_UserInfo *user_info;
 	struct winbindd_pw *pw;
 	char *username_with_domain;
+	char *lowercase_username;
 
 	DEBUG(5, ("cmd_getpwnam_recv_user_info called\n"));
 
@@ -122,10 +123,15 @@ static void cmd_getpwnam_recv_user_info(struct composite_context *ctx)
 	state->ctx->status = libnet_UserInfo_recv(ctx, state, user_info);
 	if(!composite_is_ok(state->ctx)) return;
 
+	lowercase_username = strlower_talloc(state, user_info->out.account_name);
+	if (composite_nomem(lowercase_username, state->ctx)) {
+		return;
+	}
+
 	username_with_domain = talloc_asprintf(pw, "%s%s%s",
 		state->workgroup_name,
 		lpcfg_winbind_separator(state->service->task->lp_ctx),
-		user_info->out.account_name);
+		lowercase_username);
 	if(composite_nomem(username_with_domain, state->ctx)) return;
 
 	WBSRV_SAMBA3_SET_STRING(pw->pw_name, username_with_domain);
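Review bot: The lower-casing of the account name is a deliberate behaviour change (the commit message says so), but nothing in the code records why, so a later reader may revert it as a bug; suggest `/* Lower-case the account name so pw_name and the %U home-directory expansion match winbindd's behaviour. */` above the `strlower_talloc` call. lowercase_username is allocated on state while username_with_domain is allocated on pw; that is fine only if pw does not outlive state, which cannot be confirmed from this hunk. The same points apply to the identical change in wb_cmd_getpwuid.c. cmd_getpwnam_recv_user_info continues outside the hunk.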
@@ -135,7 +141,7 @@ static void cmd_getpwnam_recv_user_info(struct composite_context *ctx)
 		lpcfg_template_homedir(state->service->task->lp_ctx));
 	all_string_sub(pw->pw_dir, "%D", state->workgroup_name,
 			sizeof(fstring) - 1);
-	all_string_sub(pw->pw_dir, "%U", user_info->out.account_name,
+	all_string_sub(pw->pw_dir, "%U", lowercase_username,
 			sizeof(fstring) - 1);
 	WBSRV_SAMBA3_SET_STRING(pw->pw_shell, 
 		lpcfg_template_shell(state->service->task->lp_ctx));
diff --git a/source4/winbind/wb_cmd_getpwuid.c b/source4/winbind/wb_cmd_getpwuid.c
index 9977767..6da3c08 100644
--- a/source4/winbind/wb_cmd_getpwuid.c
+++ b/source4/winbind/wb_cmd_getpwuid.c
@@ -130,6 +130,7 @@ static void cmd_getpwuid_recv_user_info(struct composite_context *ctx)
 	struct libnet_UserInfo *user_info;
 	struct winbindd_pw *pw;
 	char *username_with_domain;
+	char *lowercase_username;
 
 	DEBUG(5, ("cmd_getpwuid_recv_user_info called\n"));
 
@@ -142,10 +143,15 @@ static void cmd_getpwuid_recv_user_info(struct composite_context *ctx)
 	state->ctx->status = libnet_UserInfo_recv(ctx, state, user_info);
 	if (!composite_is_ok(state->ctx)) return;
 
+	lowercase_username = strlower_talloc(state, user_info->out.account_name);
+	if (composite_nomem(lowercase_username, state->ctx)) {
+		return;
+	}
+
 	username_with_domain = talloc_asprintf(pw, "%s%s%s",
 		state->workgroup,
 		lpcfg_winbind_separator(state->service->task->lp_ctx),
-		user_info->out.account_name);
+		lowercase_username);
 	if(composite_nomem(username_with_domain, state->ctx)) return;
 
 	WBSRV_SAMBA3_SET_STRING(pw->pw_name, username_with_domain);
@@ -155,7 +161,7 @@ static void cmd_getpwuid_recv_user_info(struct composite_context *ctx)
 		lpcfg_template_homedir(state->service->task->lp_ctx));
 	all_string_sub(pw->pw_dir, "%D", state->workgroup,
 			sizeof(fstring) - 1);
-	all_string_sub(pw->pw_dir, "%U", user_info->out.account_name,
+	all_string_sub(pw->pw_dir, "%U", lowercase_username,
 			sizeof(fstring) - 1);
 	WBSRV_SAMBA3_SET_STRING(pw->pw_shell, 
 				lpcfg_template_shell(state->service->task->lp_ctx));
-- 
1.9.1


From d1b95e7720493f36b2193ff54227a3d6cb68a8b4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Thu, 23 Oct 2014 16:27:22 +1300
Subject: [PATCH 08/10] selftest: Add tests for expected output of wbinfo -i
 and wbinfo --uid-info

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 nsswitch/tests/test_wbinfo.sh | 49 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 3 deletions(-)

diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index c9758b8..1d14ca3 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -174,10 +174,8 @@ testit "wbinfo -D against $TARGET" $wbinfo -D $DOMAIN || failed=`expr $failed +
 
 testit "wbinfo -i against $TARGET" $wbinfo -i "$DOMAIN/$USERNAME" || failed=`expr $failed + 1`
 
-testit "wbinfo --uid-info against $TARGET" $wbinfo --uid-info $admin_uid || failed=`expr $failed + 1`
-
 echo "test: wbinfo --group-info against $TARGET"
-gid=`$wbinfo --group-info "$DOMAIN/Domain admins" | cut -d: -f3`
+gid=`$wbinfo --group-info "$DOMAIN/Domain users" | cut -d: -f3`
 if test x$? = x0; then
 	echo "success: wbinfo --group-info against $TARGET"
 else
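Review bot: The existing `testit "wbinfo -i against $TARGET"` line is kept while the next hunk adds a subunit test with the identical name, so the same test id is reported twice per run; drop the old `testit` line, as was done for `--uid-info`, or rename one of them. The switch of gid to `Domain users` is presumably what the new expected passwd lines depend on (the account's primary group); a one-line comment making that link explicit would help the next person who edits either spot.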
@@ -185,6 +183,51 @@ else
 	failed=`expr $failed + 1`
 fi
 
+test_name="wbinfo -i against $TARGET"
+subunit_start_test "$test_name"
+passwd_line=`$wbinfo -i "$DOMAIN/$USERNAME"`
+if test x$? = x0; then
+	subunit_pass_test "$test_name"
+else
+	subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
+test_name="confirm output of wbinfo -i against $TARGET"
+subunit_start_test "$test_name"
+
+# The full name (GECOS) is based on name (the RDN, in this case CN)
+# and displayName in winbindd_ads, and is based only on displayName in
+# winbindd_msrpc and winbindd_rpc.  Allow both versions.
+expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
+
+if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+	subunit_pass_test "$test_name"
+else
+	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
+test_name="wbinfo --uid-info against $TARGET"
+subunit_start_test "$test_name"
+passwd_line=`$wbinfo --uid-info=$admin_uid`
+if test x$? = x0; then
+	subunit_pass_test "$test_name"
+else
+	subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
+test_name="confirm output of wbinfo --uid-info against $TARGET"
+subunit_start_test "$test_name"
+if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+	subunit_pass_test "$test_name"
+else
+	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+	failed=`expr $failed + 1`
+fi
+
 testfail "wbinfo --group-info against $TARGET with $USERNAME" $wbinfo --group-info $USERNAME && failed=`expr $failed + 1`
 
 testit "wbinfo --gid-info against $TARGET" $wbinfo --gid-info $gid || failed=`expr $failed + 1`
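Review bot: `test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"` leaves `$passwd_line` unquoted, so a GECOS field containing a space, or an empty result, becomes extra arguments to test and the comparison errors out instead of failing cleanly; quote both sides: `if test "x$passwd_line" = "x$expected_line" -o "x$passwd_line" = "x$expected2_line"; then` (the same line appears in the --uid-info confirmation). The expected lines also hard-code `administrator` while the lookup uses `$DOMAIN/$USERNAME`, so the confirmation only holds when USERNAME is administrator; either derive the expected name from `$USERNAME` or state that assumption in a comment next to `expected_line=`.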
-- 
1.9.1


From da6ba4fe5e579f6847651fa7c4996c77315bdd1f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 28 Mar 2015 08:31:05 +0000
Subject: [PATCH 09/10] s3:winbindd: list users/groups of our own domain as AD
 DC

The AD users/groups of the local domain of an AD DC
only exist via winbindd and not in /etc/passwd or /etc/group.

This also matches the behaviour of the source4/winbind code.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
 selftest/knownfail               | 4 +++-
 source3/winbindd/winbindd_util.c | 7 +++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 777a4e4..3262c9c 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -267,7 +267,6 @@
 ^samba4.winbind.struct.getdcname\(s4member:local\)
 ^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
 ^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
-^samba4.winbind.struct.getpwent\(ad_dc:local\)
 ^samba.wbinfo_simple.\(s4member:local\).--user-groups
 ^samba.nss.test using winbind\(s4member:local\)
 #
@@ -277,6 +276,9 @@
 ^samba3.local.nss.reentrant enumeration crosschecks\(ad_dc_ntvfs:local\)
 ^samba3.local.nss.reentrant enumeration\(ad_dc_ntvfs:local\)
 ^samba3.local.nss.enumeration\(ad_dc_ntvfs:local\)
+^samba3.local.nss.reentrant enumeration crosschecks\(ad_dc:local\)
+^samba3.local.nss.reentrant enumeration\(ad_dc:local\)
+^samba3.local.nss.enumeration\(ad_dc:local\)
 #
 # These fail only if we run the unix.whoami test before them
 # in the member and ad_member environments. ==> Strange!!!
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 88c7568..021f5ca 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -87,10 +87,13 @@ struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain)
 		domain = domain->next;
 	}
 
-	if ((domain != NULL)
-	    && sid_check_is_our_sam(&domain->sid)) {
+	if ((domain != NULL) &&
+	    (lp_server_role() != ROLE_ACTIVE_DIRECTORY_DC) &&
+	    sid_check_is_our_sam(&domain->sid))
+	{
 		domain = domain->next;
 	}
+
 	return domain;
 }
 
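Review bot: The reformatted condition puts the opening brace on its own line, unlike the surrounding winbindd_util.c code (`if (...) {`, as in fill_domain_username earlier in this series); keep the file's brace style. The role check also deserves a one-line comment, since the reason is only in the commit message: `/* On an AD DC our own SAM domain is only reachable through winbindd, so keep it in the list. */`. wb_next_domain starts outside the hunk.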
-- 
1.9.1


From 3565748ec1b27f1c0593982d1851465bbf4937df Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 28 Mar 2015 08:36:11 +0000
Subject: [PATCH 10/10] s3:winbindd: list local groups for our internal domains
 too (as AD DC)

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_dual_srv.c | 87 +++++++++++++++++++++++++++++++-----
 1 file changed, 75 insertions(+), 12 deletions(-)

diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 061de72..97d8a1b 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -380,43 +380,106 @@ NTSTATUS _wbint_QueryGroupList(struct pipes_struct *p,
 			       struct wbint_QueryGroupList *r)
 {
 	struct winbindd_domain *domain = wb_child_domain();
-	uint32_t i, num_groups;
-	struct wb_acct_info *groups;
+	uint32_t i;
+	uint32_t num_local_groups = 0;
+	struct wb_acct_info *local_groups = NULL;
+	uint32_t num_dom_groups = 0;
+	struct wb_acct_info *dom_groups = NULL;
+	uint32_t ti = 0;
+	uint64_t num_total = 0;
 	struct wbint_Principal *result;
 	NTSTATUS status;
+	bool include_local_groups = false;
 
 	if (domain == NULL) {
 		return NT_STATUS_REQUEST_NOT_ACCEPTED;
 	}
 
+	switch (lp_server_role()) {
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		if (domain->internal) {
+			/*
+			 * we want to include local groups
+			 * for BUILTIN and WORKGROUP
+			 */
+			include_local_groups = true;
+		}
+		break;
+	default:
+		/*
+		 * We might include local groups in more
+		 * setups later, but that requires more work
+		 * elsewhere.
+		 */
+		break;
+	}
+
+	if (include_local_groups) {
+		status = domain->methods->enum_local_groups(domain, talloc_tos(),
+							    &num_local_groups,
+							    &local_groups);
+		reset_cm_connection_on_error(domain, status);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+	}
+
 	status = domain->methods->enum_dom_groups(domain, talloc_tos(),
-						  &num_groups, &groups);
+						  &num_dom_groups,
+						  &dom_groups);
 	reset_cm_connection_on_error(domain, status);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
+	num_total = num_local_groups + num_dom_groups;
+	if (num_total > UINT32_MAX) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	result = talloc_array(r->out.groups, struct wbint_Principal,
-			      num_groups);
+			      num_total);
 	if (result == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	for (i=0; i<num_groups; i++) {
-		sid_compose(&result[i].sid, &domain->sid, groups[i].rid);
-		result[i].type = SID_NAME_DOM_GRP;
-		result[i].name = talloc_strdup(result, groups[i].acct_name);
-		if (result[i].name == NULL) {
+	for (i = 0; i < num_local_groups; i++) {
+		struct wb_acct_info *lg = &local_groups[i];
+		struct wbint_Principal *rg = &result[ti++];
+
+		sid_compose(&rg->sid, &domain->sid, lg->rid);
+		rg->type = SID_NAME_ALIAS;
+		rg->name = talloc_strdup(result, lg->acct_name);
+		if (rg->name == NULL) {
+			TALLOC_FREE(result);
+			TALLOC_FREE(dom_groups);
+			TALLOC_FREE(local_groups);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	num_local_groups = 0;
+	TALLOC_FREE(local_groups);
+
+	for (i = 0; i < num_dom_groups; i++) {
+		struct wb_acct_info *dg = &dom_groups[i];
+		struct wbint_Principal *rg = &result[ti++];
+
+		sid_compose(&rg->sid, &domain->sid, dg->rid);
+		rg->type = SID_NAME_DOM_GRP;
+		rg->name = talloc_strdup(result, dg->acct_name);
+		if (rg->name == NULL) {
 			TALLOC_FREE(result);
-			TALLOC_FREE(groups);
+			TALLOC_FREE(dom_groups);
+			TALLOC_FREE(local_groups);
 			return NT_STATUS_NO_MEMORY;
 		}
 	}
+	num_dom_groups = 0;
+	TALLOC_FREE(dom_groups);
 
-	r->out.groups->num_principals = num_groups;
+	r->out.groups->num_principals = ti;
 	r->out.groups->principals = result;
 
-	TALLOC_FREE(groups);
 	return NT_STATUS_OK;
 }
 
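Review bot: The error path after enum_dom_groups (`if (!NT_STATUS_IS_OK(status)) { return status; }`) does not free local_groups, whereas every later failure path frees both lists; for consistency it should read `TALLOC_FREE(local_groups); return status;` (the allocation is on talloc_tos(), so this is tidiness rather than a leak if the caller's stackframe is freed as usual). The assignments `num_local_groups = 0;` and `num_dom_groups = 0;` after each loop are never read again and can go. The `num_total > UINT32_MAX` guard is worth keeping, since ti and the talloc_array length are 32-bit.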
-- 
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150505/2e4102b9/attachment.pgp>

