[PATCHES] some offline operation fixes
Jeremy Allison
jra at samba.org
Thu Jul 20 21:59:31 UTC 2017
On Wed, Jun 07, 2017 at 09:42:24PM +0300, Uri Simchoni wrote:
> Hi,
>
> Per Jeremy's request on a samba list thread, I'm sending some patches
> from my attic that clean some corners required for file server offline
> operation (smbd authenticating users and serving files based on Kerberos
> ticket with no AD connectivity).
>
> The first is a small fix relevant to multi-domain operation
> The second avoids resolving primary group name if not required
> The third fixes (hopefully with no regressions...) the inhibition of
> domain requests while offline, if "winbind offline logon" is disabled.
>
> Those are just small fixes, and they still don't allow for full offline
> operation. The bigger issues are how to avoid SID resolution if the
> id-mapping backend doesn't require so, and coming up with a backend that
> handles well-known SIDs without SID resolution.
>
> Please review and maybe push :)
Finally got the time to go through these *really* carefully :-).

LGTM except I changed the strstr() calls in patch #2 to
strstr_m() calls as that's what talloc_sub_specified()
uses to look for the '%g' or '%G'.

Reviewed-by: Jeremy Allison <jra at samba.org>

Sorry for the delay Uri !

Jeremy.
> From d711ff18067ed51091848f69743dec6ef8dc992f Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Wed, 7 Jun 2017 20:33:24 +0300
> Subject: [PATCH 1/3] winbindd: cache name-to-sid from PAC based on lookup
> domain
>
> The name-to-sid lookup for trusted domains is not necessarily
> done against the domain - in AD member case it is done
> against the primary domain. Therefore the caching should also
> be done against the lookup domain.
>
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
> source3/winbindd/winbindd_pam.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> index 4d3a7ee..bd800f2 100644
> --- a/source3/winbindd/winbindd_pam.c
> +++ b/source3/winbindd/winbindd_pam.c
> @@ -2664,7 +2664,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> * We're in the parent here, so find the child
> * pointer from the PAC domain name.
> */
> - domain = find_domain_from_name_noinit(
> + domain = find_lookup_domain_from_name(
> info3_copy->base.logon_domain.string);
> if (domain && domain->primary ) {
> struct dom_sid user_sid;
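Review bot: the comment at the top of this hunk ("find the child pointer from the PAC domain name") no longer matches the code once find_domain_from_name_noinit() is replaced by find_lookup_domain_from_name(): the result is now the domain that handles lookups for that name (the primary domain in the AD member case, as the commit message explains), not necessarily the PAC domain's own child. Update the comment to say so, e.g. "find the child pointer for the domain that handles lookups for the PAC domain name", so the cache-keying rationale is visible at the call site.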
> --
> 2.9.4
>
>
> From 6d49e30ab63701d519f3fe18fb629f749baf6aec Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Wed, 7 Jun 2017 20:33:57 +0300
> Subject: [PATCH 2/3] winbindd: queryuser - only get group name if needed
>
> When calculating the user entry for a user, the
> primary group id *name* might be needed if it is
> part of a home dir / shell template (%g or %G).
>
> Only resolve primary group SID to primary group name
> if it is needed, thereby saving a round-trip to the DC
> (and better handling situations where it is disconnected).
>
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
> source3/winbindd/wb_queryuser.c | 26 ++++++++++++++++++++++++--
> 1 file changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
> index 69b4c8d..ecc7c73 100644
> --- a/source3/winbindd/wb_queryuser.c
> +++ b/source3/winbindd/wb_queryuser.c
> @@ -202,6 +202,8 @@ static void wb_queryuser_done(struct tevent_req *subreq)
> req, struct wb_queryuser_state);
> struct wbint_userinfo *info = state->info;
> NTSTATUS status, result;
> + bool need_group_name = false;
> + const char *tmpl = NULL;
>
> status = dcerpc_wbint_GetNssInfo_recv(subreq, info, &result);
> TALLOC_FREE(subreq);
> @@ -236,7 +238,16 @@ static void wb_queryuser_done(struct tevent_req *subreq)
> return;
> }
>
> - if (state->info->primary_group_name == NULL) {
> + tmpl = lp_template_homedir();
> + if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> + need_group_name = true;
> + }
> + tmpl = lp_template_shell();
> + if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> + need_group_name = true;
> + }
> +
> + if (need_group_name && state->info->primary_group_name == NULL) {
> subreq = wb_lookupsid_send(state, state->ev, &info->group_sid);
> if (tevent_req_nomem(subreq, req)) {
> return;
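Review bot: the strstr() calls on the two templates are inconsistent with talloc_sub_specified(), which uses strstr_m() to find '%g' and '%G'; switch both checks to strstr_m() so that "group name needed" here agrees exactly with what the substitution will actually expand. Also confirm that lp_template_homedir() and lp_template_shell() can never return NULL at this point, since strstr(tmpl, ...) dereferences tmpl unconditionally; if NULL is possible, guard with `tmpl != NULL &&`. Minor style: `if(strstr(` lacks the space after `if` that the surrounding code uses (`if (tevent_req_nomem(subreq, req))`).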
> @@ -291,6 +302,8 @@ static void wb_queryuser_got_gid(struct tevent_req *subreq)
> req, struct wb_queryuser_state);
> struct unixid xid;
> NTSTATUS status;
> + bool need_group_name = false;
> + const char *tmpl = NULL;
>
> status = wb_sids2xids_recv(subreq, &xid, 1);
> TALLOC_FREE(subreq);
> @@ -305,7 +318,16 @@ static void wb_queryuser_got_gid(struct tevent_req *subreq)
>
> state->info->primary_gid = xid.id;
>
> - if (state->info->primary_group_name == NULL) {
> + tmpl = lp_template_homedir();
> + if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> + need_group_name = true;
> + }
> + tmpl = lp_template_shell();
> + if(strstr(tmpl, "%g") || strstr(tmpl, "%G")) {
> + need_group_name = true;
> + }
> +
> + if (need_group_name && state->info->primary_group_name == NULL) {
> subreq = wb_lookupsid_send(state, state->ev,
> &state->info->group_sid);
> if (tevent_req_nomem(subreq, req)) {
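Review bot: this hunk repeats the template check from wb_queryuser_done() line for line (same `tmpl`/`need_group_name` locals, same two strstr() pairs). Factor it into one small static helper, for example a hypothetical `static bool wb_queryuser_need_group_name(void)` that inspects both templates and returns the flag, and call it from both functions; that keeps the two call sites from drifting apart (the strstr() vs strstr_m() fix then also only has to be made once) and removes the duplicated locals added in the earlier hunks.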
> --
> 2.9.4
>
>
> From 684236415bb77ef307da3347ebb1eea7a148661f Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Wed, 7 Jun 2017 20:34:33 +0300
> Subject: [PATCH 3/3] winbindd: avoid refreshing sequence number when domain is
> offline
>
> When there's no connectivity to the domain, avoid attempt to
> refresh sequence number. Before the change, this was avoided
> only if winbind offline logon was enabled. However, being
> able to operate based on cached data is desired even when
> offline logons are disabled (offline logons are about caching
> credentials for PAM authentication, a user may not want this
> and still want service from the SMB server during short
> AD disconnects).
>
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
> source3/winbindd/winbindd_util.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
> index d2a091a..6eed02e 100644
> --- a/source3/winbindd/winbindd_util.c
> +++ b/source3/winbindd/winbindd_util.c
> @@ -1619,9 +1619,6 @@ void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
>
> bool is_domain_offline(const struct winbindd_domain *domain)
> {
> - if (!lp_winbind_offline_logon()) {
> - return false;
> - }
> if (get_global_winbindd_state_offline()) {
> return true;
> }
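Review bot: dropping the lp_winbind_offline_logon() gate changes the result of is_domain_offline() for every caller, while the commit message only describes the intended effect on the sequence-number refresh. Either note in the commit message which other callers of is_domain_offline() were checked and why returning true for them with offline logons disabled is correct, or, if any caller still relies on "offline" implying "offline logon enabled", narrow the change to the sequence-number path instead of the shared predicate.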
> --
> 2.9.4
>