[PATCHES] some offline operation fixes

Uri Simchoni uri at samba.org
Wed Jun 7 18:42:24 UTC 2017


Hi,

Per Jeremy's request on a samba list thread, I'm sending some patches
from my attic that clean some corners required for file server offline
operation (smbd authenticating users and serving files based on Kerberos
ticket with no AD connectivity).

The first is a small fix relevant to multi-domain operation.
The second avoids resolving the primary group name if it is not required.
The third fixes (hopefully with no regressions...) the inhibition of
domain requests while offline, if "winbind offline logon" is disabled.

Those are just small fixes, and they still don't allow for full offline
operation. The bigger issues are how to avoid SID resolution if the
id-mapping backend doesn't require it, and coming up with a backend that
handles well-known SIDs without SID resolution.

Please review and maybe push :)

Thanks,
Uri.
From d711ff18067ed51091848f69743dec6ef8dc992f Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Wed, 7 Jun 2017 20:33:24 +0300
Subject: [PATCH 1/3] winbindd: cache name-to-sid from PAC based on lookup
 domain

The name-to-sid lookup for trusted domains is not necessarily
done against the domain - in AD member case it is done
against the primary domain. Therefore the caching should also
be done against the lookup domain.

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/winbindd/winbindd_pam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 4d3a7ee..bd800f2 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2664,7 +2664,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 		 * We're in the parent here, so find the child
 		 * pointer from the PAC domain name.
 		 */
-		domain = find_domain_from_name_noinit(
+		domain = find_lookup_domain_from_name(
 				info3_copy->base.logon_domain.string);
 		if (domain && domain->primary ) {
 			struct dom_sid user_sid;
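Review bot: the unchanged `if (domain && domain->primary )` test right after the new call changes meaning once `domain` comes from `find_lookup_domain_from_name()`: per the commit message, in the AD member case the lookup domain for a trusted-domain user is the primary domain, so this branch will now also be taken for users whose PAC logon domain is a trusted domain. If caching those users against the primary domain is the intent, the commit message should say so explicitly; if the branch is meant only for primary-domain users, keep the logon domain (from `find_domain_from_name_noinit()`) for the `primary` check and use the lookup domain only for the cache call.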
-- 
2.9.4


From 6d49e30ab63701d519f3fe18fb629f749baf6aec Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Wed, 7 Jun 2017 20:33:57 +0300
Subject: [PATCH 2/3] winbindd: queryuser - only get group name if needed

When calculating the user entry for a user, the
primary group id *name* might be needed if it is
part of a home dir / shell template (%g or %G).

Only resolve primary group SID to primary group name
if it is needed, thereby saving a round-trip to the DC
(and better handling situations where it is disconnected).

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/winbindd/wb_queryuser.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index 69b4c8d..ecc7c73 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -202,6 +202,8 @@ static void wb_queryuser_done(struct tevent_req *subreq)
 		req, struct wb_queryuser_state);
 	struct wbint_userinfo *info = state->info;
 	NTSTATUS status, result;
+	bool need_group_name = false;
+	const char *tmpl = NULL;
 
 	status = dcerpc_wbint_GetNssInfo_recv(subreq, info, &result);
 	TALLOC_FREE(subreq);
@@ -236,7 +238,16 @@ static void wb_queryuser_done(struct tevent_req *subreq)
 		return;
 	}
 
-	if (state->info->primary_group_name == NULL) {
+	tmpl = lp_template_homedir();
+	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
+		need_group_name = true;
+	}
+	tmpl = lp_template_shell();
+	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
+		need_group_name = true;
+	}
+
+	if (need_group_name && state->info->primary_group_name == NULL) {
 		subreq = wb_lookupsid_send(state, state->ev, &info->group_sid);
 		if (tevent_req_nomem(subreq, req)) {
 			return;
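Review bot: the new `strstr(tmpl, ...)` calls dereference whatever `lp_template_homedir()` and `lp_template_shell()` return without a NULL guard; the code before this change never touched the templates on this path, so it is worth confirming that these loadparm accessors cannot return NULL (or adding `tmpl != NULL &&` to the conditions). Style: the four new `if(strstr(...)` lines are missing the space after `if` that the rest of the file uses; each two-branch block could also collapse to a single assignment such as `need_group_name |= (strstr(tmpl, "%g") != NULL || strstr(tmpl, "%G") != NULL);`.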
@@ -291,6 +302,8 @@ static void wb_queryuser_got_gid(struct tevent_req *subreq)
 		req, struct wb_queryuser_state);
 	struct unixid xid;
 	NTSTATUS status;
+	bool need_group_name = false;
+	const char *tmpl = NULL;
 
 	status = wb_sids2xids_recv(subreq, &xid, 1);
 	TALLOC_FREE(subreq);
@@ -305,7 +318,16 @@ static void wb_queryuser_got_gid(struct tevent_req *subreq)
 
 	state->info->primary_gid = xid.id;
 
-	if (state->info->primary_group_name == NULL) {
+	tmpl = lp_template_homedir();
+	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
+		need_group_name = true;
+	}
+	tmpl = lp_template_shell();
+	if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
+		need_group_name = true;
+	}
+
+	if (need_group_name && state->info->primary_group_name == NULL) {
 		subreq = wb_lookupsid_send(state, state->ev,
 					   &state->info->group_sid);
 		if (tevent_req_nomem(subreq, req)) {
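Review bot: the template scan added here is a verbatim copy of the block added to `wb_queryuser_done()` in the earlier hunk (same two locals, same two `strstr()` pairs). A small `static bool wb_queryuser_need_group_name(void)` helper called from both callbacks would remove the duplication and keep the two sites from drifting if another template or substitution ever has to be checked; it would also give the NULL-return question for `lp_template_homedir()`/`lp_template_shell()` a single place to be answered.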
-- 
2.9.4


From 684236415bb77ef307da3347ebb1eea7a148661f Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Wed, 7 Jun 2017 20:34:33 +0300
Subject: [PATCH 3/3] winbindd: avoid refreshing sequence number when domain is
 offline

When there's no connectivity to the domain, avoid attempting to
refresh the sequence number. Before the change, this was avoided
only if winbind offline logon was enabled. However, being
able to operate based on cached data is desired even when
offline logons are disabled (offline logons are about caching
credentials for PAM authentication, a user may not want this
and still want service from the SMB server during short
AD disconnects).

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source3/winbindd/winbindd_util.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index d2a091a..6eed02e 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1619,9 +1619,6 @@ void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
 
 bool is_domain_offline(const struct winbindd_domain *domain)
 {
-	if (!lp_winbind_offline_logon()) {
-		return false;
-	}
 	if (get_global_winbindd_state_offline()) {
 		return true;
 	}
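Review bot: dropping the `lp_winbind_offline_logon()` gate changes what `is_domain_offline()` returns for every caller, not only the sequence-number refresh named in the subject line, yet the hunk touches nothing else. Either the commit message should state that all callers are meant to honour the global offline state regardless of "winbind offline logon" (and list the callers that were checked), or the sequence-number path should get its own offline check while `is_domain_offline()` keeps its previous behaviour for the PAM offline-logon callers. The cover letter's "hopefully with no regressions" suggests that caller audit is still the open item here.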
-- 
2.9.4