The branch, master has been updated via cbe3dabb9d1fe4e16e14c50550df2afab7e4a21e (commit) via 8c7a579bdcca32897bd9ee716a488568b721ed90 (commit) via e65aa34078f5c2c969103a23d6693071d88672a2 (commit) from 000da55dd930d151db14ee8eed58e82806522692 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit cbe3dabb9d1fe4e16e14c50550df2afab7e4a21e Author: Bo Yang <boy...@samba.org> Date: Fri May 22 02:12:59 2009 +0800 s3: Fix onlinestatus msg to return status of all domain instead of omitting trusted domains Signed-off-by: Bo Yang <boy...@samba.org> commit 8c7a579bdcca32897bd9ee716a488568b721ed90 Author: Bo Yang <boy...@samba.org> Date: Fri May 22 02:03:32 2009 +0800 s3: set winbindd request flags in ntlm_auth to make it contact trusted domain when krb5 auth is enabled Signed-off-by: Bo Yang <boy...@samba.org> commit e65aa34078f5c2c969103a23d6693071d88672a2 Author: Bo Yang <boy...@samba.org> Date: Fri May 22 01:39:03 2009 +0800 s3: Fix request flags in wbinfo when perform krb5 authentication Signed-off-by: Bo Yang <boy...@samba.org> ----------------------------------------------------------------------- Summary of changes: nsswitch/wbinfo.c | 3 +- source3/Makefile.in | 2 +- source3/utils/ntlm_auth.c | 57 ++++++++++++++++- source3/utils/ntlm_auth_proto.h | 1 + source3/winbindd/winbindd_dual.c | 129 +++++++++++++++----------------------- 5 files changed, 111 insertions(+), 81 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index 9ee0e01..04addda 100644 --- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c @@ -2031,7 +2031,8 @@ int main(int argc, char **argv, char **envp) uint32 flags = WBFLAG_PAM_KRB5 | WBFLAG_PAM_CACHED_LOGIN | WBFLAG_PAM_FALLBACK_AFTER_KRB5 | - WBFLAG_PAM_INFO3_TEXT; + WBFLAG_PAM_INFO3_TEXT | + WBFLAG_PAM_CONTACT_TRUSTDOM; if (!wbinfo_auth_krb5(string_arg, "FILE", flags)) { d_fprintf(stderr, "Could not authenticate user [%s] with " diff --git a/source3/Makefile.in b/source3/Makefile.in index fdcd86a..585bd5d 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in 
@@ -2813,7 +2813,7 @@ bin/ntlm_a...@exeext@: $(BINARY_PREREQS) $(NTLM_AUTH_OBJ) $(PARAM_OBJ) \ @$(CC) -o $@ $(LDFLAGS) $(DYNEXP) $(NTLM_AUTH_OBJ) \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBS) \ $(POPT_LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(NSCD_LIBS) \ - $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) + $(LIBTALLOC_LIBS) $(LIBTDB_LIBS) $(LIBWBCLIENT_LIBS) @INIPARSERLIBS@ bin/pam_smbpa...@shlibext@: $(BINARY_PREREQS) $(PAM_SMBPASS_OBJ) @LIBTALLOC_TARGET@ @LIBWBCLIENT_TARGET@ @LIBTDB_TARGET@ @echo "Linking shared library $@" diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 50688bf..6de5ea6 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -26,6 +26,13 @@ #include "includes.h" #include "utils/ntlm_auth.h" #include "../libcli/auth/libcli_auth.h" +#include <iniparser.h> + +#ifndef PAM_WINBIND_CONFIG_FILE +#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf" +#endif + +#define WINBIND_KRB5_AUTH 0x00000080 #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND @@ -125,6 +132,7 @@ static int use_cached_creds; static const char *require_membership_of; static const char *require_membership_of_sid; +static const char *opt_pam_winbind_conf; static char winbind_separator(void) { 
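Review bot: `#define WINBIND_KRB5_AUTH 0x00000080` in the ntlm_auth.c header hunk is a bare magic value with nothing recording what it must agree with; it is later used as a control bit derived from the `krb5_auth` setting in pam_winbind.conf, so it presumably mirrors a flag owned by pam_winbind, and a change on that side would drift unnoticed here. A one-line comment on the define such as `/* must stay in sync with the krb5_auth control bit used by pam_winbind */` would record the coupling. The same hunk adds an unconditional `#include <iniparser.h>`, so ntlm_auth now hard-depends on iniparser; the Makefile.in hunk's `@INIPARSERLIBS@` is the only other place that reflects this, which is worth stating in the commit message if intended.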
@@ -279,6 +287,36 @@ static bool get_require_membership_sid(void) { return False; } + +/* + * Get some configuration from pam_winbind.conf to see if we + * need to contact trusted domain + */ + +int get_pam_winbind_config() +{ + int ctrl = 0; + dictionary *d = NULL; + + if (!opt_pam_winbind_conf || !*opt_pam_winbind_conf) { + opt_pam_winbind_conf = PAM_WINBIND_CONFIG_FILE; + } + + d = iniparser_load(CONST_DISCARD(char *, opt_pam_winbind_conf)); + + if (!d) { + return 0; + } + + if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:krb5_auth"), false)) { + ctrl |= WINBIND_KRB5_AUTH; + } + + iniparser_freedict(d); + + return ctrl; +} + /* Authenticate a user with a plaintext password */ static bool check_plaintext_auth(const char *user, const char *pass, @@ -677,12 +715,27 @@ static NTSTATUS do_ccache_ntlm_auth(DATA_BLOB initial_msg, DATA_BLOB challenge_m { struct winbindd_request wb_request; struct winbindd_response wb_response; + int ctrl = 0; NSS_STATUS result; /* get winbindd to do the ntlmssp step on our behalf */ ZERO_STRUCT(wb_request); ZERO_STRUCT(wb_response); + /* + * This is tricky here. If we set krb5_auth in pam_winbind.conf + * creds for users in trusted domain will be stored the winbindd + * child of the trusted domain. If we ask the primary domain for + * ntlm_ccache_auth, it will fail. So, we have to ask the trusted + * domain's child for ccache_ntlm_auth. that is to say, we have to + * set WBFALG_PAM_CONTACT_TRUSTDOM in request.flags. + */ + ctrl = get_pam_winbind_config(); + + if (ctrl | WINBIND_KRB5_AUTH) { + wb_request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM; + } + fstr_sprintf(wb_request.data.ccache_ntlm_auth.user, "%s%c%s", opt_domain, winbind_separator(), opt_username); wb_request.data.ccache_ntlm_auth.uid = geteuid(); @@ -2308,7 +2361,8 @@ enum { OPT_USER_SESSION_KEY, OPT_DIAGNOSTICS, OPT_REQUIRE_MEMBERSHIP, - OPT_USE_CACHED_CREDS + OPT_USE_CACHED_CREDS, + OPT_PAM_WINBIND_CONF }; int main(int argc, const char **argv) 
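Review bot: `int get_pam_winbind_config()` is defined with an empty parameter list while ntlm_auth_proto.h declares it as `int get_pam_winbind_config(void)`; the definition should use the same form, `int get_pam_winbind_config(void)`, so callers are checked against a real prototype rather than an old-style declaration. When `iniparser_load` fails the function returns 0 with no diagnostic, which silently disables the trusted-domain path even though an operator may have set `krb5_auth`; a `DEBUG(3, ("get_pam_winbind_config: could not load %s\n", opt_pam_winbind_conf));` before that `return 0;` would make a missing or unreadable file visible. The file path can also be overridden with `--pam-winbind-conf`, which is fine for a per-user tool but worth noting in the comment above the function.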
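Review bot: `if (ctrl | WINBIND_KRB5_AUTH)` in do_ccache_ntlm_auth uses bitwise OR, so the condition holds for every value of `ctrl` (the constant is non-zero) and `WBFLAG_PAM_CONTACT_TRUSTDOM` is set unconditionally, which defeats the config lookup immediately above it. The test should read `if (ctrl & WINBIND_KRB5_AUTH) {`. The comment above it misspells the flag as `WBFALG_PAM_CONTACT_TRUSTDOM`. Note also that get_pam_winbind_config() re-parses the file on every call; if do_ccache_ntlm_auth runs once per request, reading the config once and caching the result would avoid repeated file I/O. do_ccache_ntlm_auth continues beyond the hunk.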
@@ -2347,6 +2401,7 @@ enum { { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"}, { "diagnostics", 0, POPT_ARG_NONE, &diagnostics, OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"}, { "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" }, + { "pam-winbind-conf", 0, POPT_ARG_STRING, &opt_pam_winbind_conf, OPT_PAM_WINBIND_CONF, "Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required" }, POPT_COMMON_CONFIGFILE POPT_COMMON_VERSION POPT_TABLEEND diff --git a/source3/utils/ntlm_auth_proto.h b/source3/utils/ntlm_auth_proto.h index e48a190..5f8d264 100644 --- a/source3/utils/ntlm_auth_proto.h +++ b/source3/utils/ntlm_auth_proto.h @@ -44,5 +44,6 @@ NTSTATUS contact_winbind_auth_crap(const char *username, /* The following definitions come from utils/ntlm_auth_diagnostics.c */ bool diagnose_ntlm_auth(void); +int get_pam_winbind_config(void); #endif /* _NTLM_AUTH_PROTO_H_ */ diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 893303e..a69d34f 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
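Review bot: The help string for the new `--pam-winbind-conf` option describes an effect rather than the value the user passes; the argument is a path to pam_winbind.conf, and setting WBFLAG_PAM_CONTACT_TRUSTDOM is a consequence of what that file contains. A string such as `"Path to pam_winbind.conf (default /etc/security/pam_winbind.conf); when krb5_auth is enabled there, trusted domains are contacted for ccache auth"` would tell the user what to supply and what it changes.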
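Review bot: The new prototype for get_pam_winbind_config in ntlm_auth_proto.h is placed under the comment `/* The following definitions come from utils/ntlm_auth_diagnostics.c */`, but the function is defined in utils/ntlm_auth.c by this same changeset. It should move up under the section for ntlm_auth.c (presumably the block whose tail, contact_winbind_auth_crap, is visible in the hunk's context), or get its own `/* The following definitions come from utils/ntlm_auth.c */` heading so the header stays navigable.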
@@ -692,29 +692,66 @@ void winbind_msg_online(struct messaging_context *msg_ctx, } } -/* Forward the online/offline messages to our children. */ +static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx) +{ + struct winbindd_domain *domain; + char *buf = NULL; + + if ((buf = talloc_asprintf(mem_ctx, "global:%s ", + get_global_winbindd_state_offline() ? + "Offline":"Online")) == NULL) { + return NULL; + } + + for (domain = domain_list(); domain; domain = domain->next) { + if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ", + domain->name, + domain->online ? + "Online":"Offline")) == NULL) { + return NULL; + } + } + + buf = talloc_asprintf_append_buffer(buf, "\n"); + + DEBUG(5,("collect_onlinestatus: %s", buf)); + + return buf; +} + void winbind_msg_onlinestatus(struct messaging_context *msg_ctx, void *private_data, uint32_t msg_type, struct server_id server_id, DATA_BLOB *data) { - struct winbindd_child *child; + TALLOC_CTX *mem_ctx; + const char *message; + struct server_id *sender; + + DEBUG(5,("winbind_msg_onlinestatus received.\n")); + + if (!data->data) { + return; + } - DEBUG(10,("winbind_msg_onlinestatus: got onlinestatus message.\n")); + sender = (struct server_id *)data->data; - for (child = children; child != NULL; child = child->next) { - if (child->domain && child->domain->primary) { - DEBUG(10,("winbind_msg_onlinestatus: " - "sending message to pid %u of primary domain.\n", - (unsigned int)child->pid)); - messaging_send_buf(msg_ctx, pid_to_procid(child->pid), - MSG_WINBIND_ONLINESTATUS, - (uint8 *)data->data, - data->length); - break; - } + mem_ctx = talloc_init("winbind_msg_onlinestatus"); + if (mem_ctx == NULL) { + return; } + + message = collect_onlinestatus(mem_ctx); + if (message == NULL) { + talloc_destroy(mem_ctx); + return; + } + + messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS, + (uint8 *)message, strlen(message) + 1); + + talloc_destroy(mem_ctx); } void winbind_msg_dump_event_list(struct messaging_context *msg_ctx, 
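Review bot: `sender = (struct server_id *)data->data;` in winbind_msg_onlinestatus checks only that `data->data` is non-NULL, not that `data->length` covers a `struct server_id`, so a short or malformed message reads past the payload before the reply is sent to whatever address was recovered. The guard should be `if (!data->data || data->length < sizeof(struct server_id)) { return; }`. In collect_onlinestatus the final `buf = talloc_asprintf_append_buffer(buf, "\n");` is not NULL-checked, unlike the two appends above it, so on failure the DEBUG line formats a NULL `%s` before the NULL is returned; add `if (buf == NULL) { return NULL; }` ahead of the DEBUG. Both functions are moved here from the child handlers removed in the following hunk, so these apply to pre-existing code now running in the parent.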
@@ -1068,68 +1105,6 @@ static void child_msg_online(struct messaging_context *msg, } } -static const char *collect_onlinestatus(TALLOC_CTX *mem_ctx) -{ - struct winbindd_domain *domain; - char *buf = NULL; - - if ((buf = talloc_asprintf(mem_ctx, "global:%s ", - get_global_winbindd_state_offline() ? - "Offline":"Online")) == NULL) { - return NULL; - } - - for (domain = domain_list(); domain; domain = domain->next) { - if ((buf = talloc_asprintf_append_buffer(buf, "%s:%s ", - domain->name, - domain->online ? - "Online":"Offline")) == NULL) { - return NULL; - } - } - - buf = talloc_asprintf_append_buffer(buf, "\n"); - - DEBUG(5,("collect_onlinestatus: %s", buf)); - - return buf; -} - -static void child_msg_onlinestatus(struct messaging_context *msg_ctx, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - TALLOC_CTX *mem_ctx; - const char *message; - struct server_id *sender; - - DEBUG(5,("winbind_msg_onlinestatus received.\n")); - - if (!data->data) { - return; - } - - sender = (struct server_id *)data->data; - - mem_ctx = talloc_init("winbind_msg_onlinestatus"); - if (mem_ctx == NULL) { - return; - } - - message = collect_onlinestatus(mem_ctx); - if (message == NULL) { - talloc_destroy(mem_ctx); - return; - } - - messaging_send_buf(msg_ctx, *sender, MSG_WINBIND_ONLINESTATUS, - (uint8 *)message, strlen(message) + 1); - - talloc_destroy(mem_ctx); -} - static void child_msg_dump_event_list(struct messaging_context *msg, void *private_data, uint32_t msg_type, 
@@ -1296,8 +1271,6 @@ static bool fork_domain_child(struct winbindd_child *child) messaging_register(winbind_messaging_context(), NULL, MSG_WINBIND_ONLINE, child_msg_online); messaging_register(winbind_messaging_context(), NULL, - MSG_WINBIND_ONLINESTATUS, child_msg_onlinestatus); - messaging_register(winbind_messaging_context(), NULL, MSG_DUMP_EVENT_LIST, child_msg_dump_event_list); messaging_register(winbind_messaging_context(), NULL, MSG_DEBUG, debug_message); -- Samba Shared Repository