[PATCHES] some offline operation fixes

Jeremy Allison jra at samba.org
Thu Jul 20 21:59:31 UTC 2017


On Wed, Jun 07, 2017 at 09:42:24PM +0300, Uri Simchoni wrote:
> Hi,
> 
> Per Jeremy's request on a samba list thread, I'm sending some patches
> from my attic that clean some corners required for file server offline
> operation (smbd authenticating users and serving files based on Kerberos
> ticket with no AD connectivity).
> 
> The first is a small fix relevant to multi-domain operation
> The second avoids resolving primary group name if not required
> The third fixes (hopefully with no regressions...) the inhibition of
> domain requests while offline, if "winbind offline logon" is disabled.
> 
> Those are just small fixes, and they still don't allow for full offline
> operation. The bigger issues are how to avoid SID resolution if the
> id-mapping backend doesn't require it, and coming up with a backend that
> handles well-known SIDs without SID resolution.
> 
> Please review and maybe push :)

Finally got the time to go through these *really* carefully :-).

LGTM except I changed the strstr() calls in patch #2 to
strstr_m() calls as that's what talloc_sub_specified()
uses to look for the '%g' or '%G'.

Reviewed-by: Jeremy Allison <jra at samba.org>

Sorry for the delay, Uri!

Jeremy.

> From d711ff18067ed51091848f69743dec6ef8dc992f Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Wed, 7 Jun 2017 20:33:24 +0300
> Subject: [PATCH 1/3] winbindd: cache name-to-sid from PAC based on lookup
>  domain
> 
> The name-to-sid lookup for trusted domains is not necessarily
> done against the domain - in AD member case it is done
> against the primary domain. Therefore the caching should also
> be done against the lookup domain.
> 
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
>  source3/winbindd/winbindd_pam.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> index 4d3a7ee..bd800f2 100644
> --- a/source3/winbindd/winbindd_pam.c
> +++ b/source3/winbindd/winbindd_pam.c
> @@ -2664,7 +2664,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
>  		 * We're in the parent here, so find the child
>  		 * pointer from the PAC domain name.
>  		 */
> -		domain = find_domain_from_name_noinit(
> +		domain = find_lookup_domain_from_name(
>  				info3_copy->base.logon_domain.string);
>  		if (domain && domain->primary ) {
>  			struct dom_sid user_sid;
> -- 
> 2.9.4
> 
> 
> From 6d49e30ab63701d519f3fe18fb629f749baf6aec Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Wed, 7 Jun 2017 20:33:57 +0300
> Subject: [PATCH 2/3] winbindd: queryuser - only get group name if needed
> 
> When calculating the user entry for a user, the
> primary group id *name* might be needed if it is
> part of a home dir / shell template (%g or %G).
> 
> Only resolve primary group SID to primary group name
> if it is needed, thereby saving a round-trip to the DC
> (and better handling situations where it is disconnected).
> 
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
>  source3/winbindd/wb_queryuser.c | 26 ++++++++++++++++++++++++--
>  1 file changed, 24 insertions(+), 2 deletions(-)
> 
> diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
> index 69b4c8d..ecc7c73 100644
> --- a/source3/winbindd/wb_queryuser.c
> +++ b/source3/winbindd/wb_queryuser.c
> @@ -202,6 +202,8 @@ static void wb_queryuser_done(struct tevent_req *subreq)
>  		req, struct wb_queryuser_state);
>  	struct wbint_userinfo *info = state->info;
>  	NTSTATUS status, result;
> +	bool need_group_name = false;
> +	const char *tmpl = NULL;
>  
>  	status = dcerpc_wbint_GetNssInfo_recv(subreq, info, &result);
>  	TALLOC_FREE(subreq);
> @@ -236,7 +238,16 @@ static void wb_queryuser_done(struct tevent_req *subreq)
>  		return;
>  	}
>  
> -	if (state->info->primary_group_name == NULL) {
> +	tmpl = lp_template_homedir();
> +	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> +		need_group_name = true;
> +	}
> +	tmpl = lp_template_shell();
> +	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> +		need_group_name = true;
> +	}
> +
> +	if (need_group_name && state->info->primary_group_name == NULL) {
>  		subreq = wb_lookupsid_send(state, state->ev, &info->group_sid);
>  		if (tevent_req_nomem(subreq, req)) {
>  			return;
> @@ -291,6 +302,8 @@ static void wb_queryuser_got_gid(struct tevent_req *subreq)
>  		req, struct wb_queryuser_state);
>  	struct unixid xid;
>  	NTSTATUS status;
> +	bool need_group_name = false;
> +	const char *tmpl = NULL;
>  
>  	status = wb_sids2xids_recv(subreq, &xid, 1);
>  	TALLOC_FREE(subreq);
> @@ -305,7 +318,16 @@ static void wb_queryuser_got_gid(struct tevent_req *subreq)
>  
>  	state->info->primary_gid = xid.id;
>  
> -	if (state->info->primary_group_name == NULL) {
> +	tmpl = lp_template_homedir();
> +	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> +		need_group_name = true;
> +	}
> +	tmpl = lp_template_shell();
> +	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> +		need_group_name = true;
> +	}
> +
> +	if (need_group_name && state->info->primary_group_name == NULL) {
>  		subreq = wb_lookupsid_send(state, state->ev,
>  					   &state->info->group_sid);
>  		if (tevent_req_nomem(subreq, req)) {
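Review bot: this is the same duplicated template scan as in wb_queryuser_done() above; with a shared helper the condition collapses to `if (wb_queryuser_need_group_name() && state->info->primary_group_name == NULL)`. One behavioural point to confirm: with the lookup now conditional, primary_group_name stays NULL whenever neither template uses %g or %G, so any consumer of the queryuser result that reads that field for a reason other than template substitution would now see NULL; either confirm there is none or record the new contract in the commit message.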
> -- 
> 2.9.4
> 
> 
> From 684236415bb77ef307da3347ebb1eea7a148661f Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Wed, 7 Jun 2017 20:34:33 +0300
> Subject: [PATCH 3/3] winbindd: avoid refreshing sequence number when domain is
>  offline
> 
> When there's no connectivity to the domain, avoid attempting to
> refresh sequence number. Before the change, this was avoided
> only if winbind offline logon was enabled. However, being
> able to operate based on cached data is desired even when
> offline logons are disabled (offline logons are about caching
> credentials for PAM authentication, a user may not want this
> and still want service from the SMB server during short
> AD disconnects).
> 
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
>  source3/winbindd/winbindd_util.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
> index d2a091a..6eed02e 100644
> --- a/source3/winbindd/winbindd_util.c
> +++ b/source3/winbindd/winbindd_util.c
> @@ -1619,9 +1619,6 @@ void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
>  
>  bool is_domain_offline(const struct winbindd_domain *domain)
>  {
> -	if (!lp_winbind_offline_logon()) {
> -		return false;
> -	}
>  	if (get_global_winbindd_state_offline()) {
>  		return true;
>  	}
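Review bot: removing the lp_winbind_offline_logon() gate changes what every caller of is_domain_offline() sees, not only the sequence-number refresh named in the subject: with "winbind offline logon = no", any code path that consults this function now observes the offline state. Either confirm that each existing caller wants that (and say so in the commit message, which currently only mentions the sequence number), or keep is_domain_offline() as it was and move the offline check into the sequence-number refresh path alone.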
> -- 
> 2.9.4
> 

More information about the samba-technical mailing list