The branch, master has been updated
       via  cbe3dabb9d1fe4e16e14c50550df2afab7e4a21e (commit)
       via  8c7a579bdcca32897bd9ee716a488568b721ed90 (commit)
       via  e65aa34078f5c2c969103a23d6693071d88672a2 (commit)
      from  000da55dd930d151db14ee8eed58e82806522692 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cbe3dabb9d1fe4e16e14c50550df2afab7e4a21e
Author: Bo Yang <boy...@samba.org>
Date:   Fri May 22 02:12:59 2009 +0800

    s3: Fix onlinestatus msg to return status of all domains instead of omitting 
trusted domains
    
    Signed-off-by: Bo Yang <boy...@samba.org>

commit 8c7a579bdcca32897bd9ee716a488568b721ed90
Author: Bo Yang <boy...@samba.org>
Date:   Fri May 22 02:03:32 2009 +0800

    s3: set winbindd request flags in ntlm_auth to make it contact trusted 
domain when krb5 auth is enabled
    
    Signed-off-by: Bo Yang <boy...@samba.org>

commit e65aa34078f5c2c969103a23d6693071d88672a2
Author: Bo Yang <boy...@samba.org>
Date:   Fri May 22 01:39:03 2009 +0800

    s3: Fix request flags in wbinfo when performing krb5 authentication
    
    Signed-off-by: Bo Yang <boy...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/wbinfo.c                |    3 +-
 source3/Makefile.in              |    2 +-
 source3/utils/ntlm_auth.c        |   57 ++++++++++++++++-
 source3/utils/ntlm_auth_proto.h  |    1 +
 source3/winbindd/winbindd_dual.c |  129 +++++++++++++++-----------------------
 5 files changed, 111 insertions(+), 81 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 9ee0e01..04addda 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2031,7 +2031,8 @@ int main(int argc, char **argv, char **envp)
                                uint32 flags =  WBFLAG_PAM_KRB5 |
                                                WBFLAG_PAM_CACHED_LOGIN |
                                                WBFLAG_PAM_FALLBACK_AFTER_KRB5 |
-                                               WBFLAG_PAM_INFO3_TEXT;
+                                               WBFLAG_PAM_INFO3_TEXT |
+                                               WBFLAG_PAM_CONTACT_TRUSTDOM;
 
                                if (!wbinfo_auth_krb5(string_arg, "FILE", 
flags)) {
                                        d_fprintf(stderr, "Could not 
authenticate user [%s] with "
diff --git a/source3/Makefile.in b/source3/Makefile.in
index fdcd86a..585bd5d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -2813,7 +2813,7 @@ bin/ntlm_a...@exeext@: $(BINARY_PREREQS) $(NTLM_AUTH_OBJ) 
$(PARAM_OBJ) \
        @$(CC) -o $@ $(LDFLAGS) $(DYNEXP) $(NTLM_AUTH_OBJ) \
                $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBS) \
                $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \
-               $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS)
+               $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) 
@INIPARSERLIBS@
 
 bin/pam_smbpa...@shlibext@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) 
@LIBTALLOC_TARGET@ @LIBWBCLIENT_TARGET@ @LIBTDB_TARGET@
        @echo "Linking shared library $@"
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 50688bf..6de5ea6 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -26,6 +26,13 @@
 #include "includes.h"
 #include "utils/ntlm_auth.h"
 #include "../libcli/auth/libcli_auth.h"
+#include <iniparser.h>
+
+#ifndef PAM_WINBIND_CONFIG_FILE
+#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
+#endif
+
+#define WINBIND_KRB5_AUTH      0x00000080
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -125,6 +132,7 @@ static int use_cached_creds;
 
 static const char *require_membership_of;
 static const char *require_membership_of_sid;
+static const char *opt_pam_winbind_conf;
 
 static char winbind_separator(void)
 {
@@ -279,6 +287,36 @@ static bool get_require_membership_sid(void) {
 
        return False;
 }
+
+/* 
+ * Get some configuration from pam_winbind.conf to see if we 
+ * need to contact trusted domain
+ */
+
+int get_pam_winbind_config()
+{
+       int ctrl = 0;
+       dictionary *d = NULL;
+       
+       if (!opt_pam_winbind_conf || !*opt_pam_winbind_conf) {
+               opt_pam_winbind_conf = PAM_WINBIND_CONFIG_FILE;
+       }
+
+       d = iniparser_load(CONST_DISCARD(char *, opt_pam_winbind_conf));
+       
+       if (!d) {
+               return 0;
+       }
+       
+       if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:krb5_auth"), 
false)) {
+               ctrl |= WINBIND_KRB5_AUTH;
+       }
+
+       iniparser_freedict(d);
+       
+       return ctrl;
+}
+
 /* Authenticate a user with a plaintext password */
 
 static bool check_plaintext_auth(const char *user, const char *pass,
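Review bot: get_pam_winbind_config() returns 0 silently when iniparser_load() fails, so a missing or unreadable pam_winbind.conf, or a typo in --pam-winbind-conf, quietly disables the trusted-domain path instead of being reported; a log line before that `return 0;` such as `DEBUG(3, ("get_pam_winbind_config: could not load %s\n", opt_pam_winbind_conf));` would make that failure mode visible to an admin debugging trusted-domain logons. The definition also uses an empty parameter list while the prototype added to ntlm_auth_proto.h declares `(void)`; writing `int get_pam_winbind_config(void)` keeps the two in step. The locally defined WINBIND_KRB5_AUTH is only ever consumed by this function's callers, so a one-line comment saying it is an internal bit (not required to match pam_winbind's value) would stop a future maintainer from "fixing" it.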
@@ -677,12 +715,27 @@ static NTSTATUS do_ccache_ntlm_auth(DATA_BLOB 
initial_msg, DATA_BLOB challenge_m
 {
        struct winbindd_request wb_request;
        struct winbindd_response wb_response;
+       int ctrl = 0;
        NSS_STATUS result;
 
        /* get winbindd to do the ntlmssp step on our behalf */
        ZERO_STRUCT(wb_request);
        ZERO_STRUCT(wb_response);
 
+       /*
+        * This is tricky here. If we set krb5_auth in pam_winbind.conf
+        * creds for users in trusted domain will be stored the winbindd
+        * child of the trusted domain. If we ask the primary domain for
+        * ntlm_ccache_auth, it will fail. So, we have to ask the trusted
+        * domain's child for ccache_ntlm_auth. that is to say, we have to 
+        * set WBFALG_PAM_CONTACT_TRUSTDOM in request.flags.
+        */
+       ctrl = get_pam_winbind_config();
+
+       if (ctrl | WINBIND_KRB5_AUTH) {
+               wb_request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM;
+       }
+
        fstr_sprintf(wb_request.data.ccache_ntlm_auth.user,
                "%s%c%s", opt_domain, winbind_separator(), opt_username);
        wb_request.data.ccache_ntlm_auth.uid = geteuid();
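Review bot: The test `if (ctrl | WINBIND_KRB5_AUTH)` is always true, because a bitwise OR with a non-zero constant can never be zero, so WBFLAG_PAM_CONTACT_TRUSTDOM is set on every ccache request regardless of what get_pam_winbind_config() returned and the config lookup added just above is effectively dead. The intent described in the comment requires testing the bit: `if (ctrl & WINBIND_KRB5_AUTH) {`. Note this is not a warning the usual -Wall build will flag, so it needs a unit or integration check that a non-krb5 configuration does not set the flag. The comment above also misspells the flag as `WBFALG_PAM_CONTACT_TRUSTDOM`; it should read `WBFLAG_PAM_CONTACT_TRUSTDOM`. do_ccache_ntlm_auth's body continues outside the hunk.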
@@ -2308,7 +2361,8 @@ enum {
        OPT_USER_SESSION_KEY,
        OPT_DIAGNOSTICS,
        OPT_REQUIRE_MEMBERSHIP,
-       OPT_USE_CACHED_CREDS
+       OPT_USE_CACHED_CREDS,
+       OPT_PAM_WINBIND_CONF
 };
 
  int main(int argc, const char **argv)
@@ -2347,6 +2401,7 @@ enum {
                { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, 
OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
                { "diagnostics", 0, POPT_ARG_NONE, &diagnostics, 
OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"},
                { "require-membership-of", 0, POPT_ARG_STRING, 
&require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a 
member of this group (either name or SID) for authentication to succeed" },
+               { "pam-winbind-conf", 0, POPT_ARG_STRING, 
&opt_pam_winbind_conf, OPT_PAM_WINBIND_CONF, "Require that request must set 
WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required" },
                POPT_COMMON_CONFIGFILE
                POPT_COMMON_VERSION
                POPT_TABLEEND
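Review bot: The help text for the new --pam-winbind-conf option does not say that it takes a path, nor what the file is used for; as written ("Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM ...") it describes an internal flag rather than the argument the user supplies. Something like `"Path to pam_winbind.conf to consult for krb5_auth (default: /etc/security/pam_winbind.conf)"` would tell a caller what to pass and what effect it has. Since the option takes an arbitrary file path that is then parsed by iniparser, documenting the default also makes clear that the caller, not an attacker, controls which file is read.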
diff --git a/source3/utils/ntlm_auth_proto.h b/source3/utils/ntlm_auth_proto.h
index e48a190..5f8d264 100644
--- a/source3/utils/ntlm_auth_proto.h
+++ b/source3/utils/ntlm_auth_proto.h
@@ -44,5 +44,6 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 /* The following definitions come from utils/ntlm_auth_diagnostics.c  */
 
 bool diagnose_ntlm_auth(void);
+int get_pam_winbind_config(void);
 
 #endif /*  _NTLM_AUTH_PROTO_H_  */
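Review bot: The new prototype is placed under the comment "The following definitions come from utils/ntlm_auth_diagnostics.c", but get_pam_winbind_config() is defined in utils/ntlm_auth.c in this same changeset, so the header now mis-documents where the symbol lives. Either move the declaration up into the ntlm_auth.c section of the header or add its own heading line, `/* The following definitions come from utils/ntlm_auth.c  */`, above it.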
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 893303e..a69d34f 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -692,29 +692,66 @@ void winbind_msg_online(struct messaging_context *msg_ctx,
        }
 }
 
-/* Forward the online/offline messages to our children. */
+static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
+{
+       struct winbindd_domain *domain;
+       char *buf = NULL;
+
+       if ((buf = talloc_asprintf(mem_ctx, "global:%s ", 
+                                  get_global_winbindd_state_offline() ? 
+                                  "Offline":"Online")) == NULL) {
+               return NULL;
+       }
+
+       for (domain = domain_list(); domain; domain = domain->next) {
+               if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ", 
+                                                 domain->name, 
+                                                 domain->online ?
+                                                 "Online":"Offline")) == NULL) 
{
+                       return NULL;
+               }
+       }
+
+       buf = talloc_asprintf_append_buffer(buf, "\n");
+
+       DEBUG(5,("collect_onlinestatus: %s", buf));
+
+       return buf;
+}
+
 void winbind_msg_onlinestatus(struct messaging_context *msg_ctx,
                              void *private_data,
                              uint32_t msg_type,
                              struct server_id server_id,
                              DATA_BLOB *data)
 {
-       struct winbindd_child *child;
+       TALLOC_CTX *mem_ctx;
+       const char *message;
+       struct server_id *sender;
+       
+       DEBUG(5,("winbind_msg_onlinestatus received.\n"));
+
+       if (!data->data) {
+               return;
+       }
 
-       DEBUG(10,("winbind_msg_onlinestatus: got onlinestatus message.\n"));
+       sender = (struct server_id *)data->data;
 
-       for (child = children; child != NULL; child = child->next) {
-               if (child->domain && child->domain->primary) {
-                       DEBUG(10,("winbind_msg_onlinestatus: "
-                                 "sending message to pid %u of primary 
domain.\n",
-                                 (unsigned int)child->pid));
-                       messaging_send_buf(msg_ctx, pid_to_procid(child->pid), 
-                                          MSG_WINBIND_ONLINESTATUS,
-                                          (uint8 *)data->data,
-                                          data->length);
-                       break;
-               }
+       mem_ctx = talloc_init("winbind_msg_onlinestatus");
+       if (mem_ctx == NULL) {
+               return;
        }
+       
+       message = collect_onlinestatus(mem_ctx);
+       if (message == NULL) {
+               talloc_destroy(mem_ctx);
+               return;
+       }
+
+       messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS, 
+                          (uint8 *)message, strlen(message) + 1);
+
+       talloc_destroy(mem_ctx);
 }
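Review bot: winbind_msg_onlinestatus() now casts `data->data` to `struct server_id *` in the parent after checking only that the pointer is non-NULL; a shorter message would be read past its end when `*sender` is dereferenced for the reply. Guarding on the length as well, `if (!data->data || data->length < sizeof(struct server_id)) { return; }`, makes the handler robust against a malformed or truncated message (the sender is presumably another local Samba process, so this is defensive rather than a remote exposure, but the cost is one comparison). Separately, the final `talloc_asprintf_append_buffer(buf, "\n")` in collect_onlinestatus() is unchecked, so on allocation failure buf becomes NULL and the caller reaches `strlen(message)`; checking that return like the earlier ones closes that path. These lines were moved from the former child handler rather than written fresh, but the parent is now the only place they run.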
 
 void winbind_msg_dump_event_list(struct messaging_context *msg_ctx,
@@ -1068,68 +1105,6 @@ static void child_msg_online(struct messaging_context 
*msg,
        }
 }
 
-static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx)
-{
-       struct winbindd_domain *domain;
-       char *buf = NULL;
-
-       if ((buf = talloc_asprintf(mem_ctx, "global:%s ", 
-                                  get_global_winbindd_state_offline() ? 
-                                  "Offline":"Online")) == NULL) {
-               return NULL;
-       }
-
-       for (domain = domain_list(); domain; domain = domain->next) {
-               if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ", 
-                                                 domain->name, 
-                                                 domain->online ?
-                                                 "Online":"Offline")) == NULL) 
{
-                       return NULL;
-               }
-       }
-
-       buf = talloc_asprintf_append_buffer(buf, "\n");
-
-       DEBUG(5,("collect_onlinestatus: %s", buf));
-
-       return buf;
-}
-
-static void child_msg_onlinestatus(struct messaging_context *msg_ctx,
-                                  void *private_data,
-                                  uint32_t msg_type,
-                                  struct server_id server_id,
-                                  DATA_BLOB *data)
-{
-       TALLOC_CTX *mem_ctx;
-       const char *message;
-       struct server_id *sender;
-
-       DEBUG(5,("winbind_msg_onlinestatus received.\n"));
-
-       if (!data->data) {
-               return;
-       }
-
-       sender = (struct server_id *)data->data;
-
-       mem_ctx = talloc_init("winbind_msg_onlinestatus");
-       if (mem_ctx == NULL) {
-               return;
-       }
-
-       message = collect_onlinestatus(mem_ctx);
-       if (message == NULL) {
-               talloc_destroy(mem_ctx);
-               return;
-       }
-
-       messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS, 
-                          (uint8 *)message, strlen(message) + 1);
-
-       talloc_destroy(mem_ctx);
-}
-
 static void child_msg_dump_event_list(struct messaging_context *msg,
                                      void *private_data,
                                      uint32_t msg_type,
@@ -1296,8 +1271,6 @@ static bool fork_domain_child(struct winbindd_child 
*child)
        messaging_register(winbind_messaging_context(), NULL,
                           MSG_WINBIND_ONLINE, child_msg_online);
        messaging_register(winbind_messaging_context(), NULL,
-                          MSG_WINBIND_ONLINESTATUS, child_msg_onlinestatus);
-       messaging_register(winbind_messaging_context(), NULL,
                           MSG_DUMP_EVENT_LIST, child_msg_dump_event_list);
        messaging_register(winbind_messaging_context(), NULL,
                           MSG_DEBUG, debug_message);


-- 
Samba Shared Repository
