The branch, master has been updated
       via  73528f26eea winbind: remove legacy flags fallback
       via  df5fe2d8351 s3/auth: implement "winbind:ignore domains"
       via  da474ddd13d winbind: check for allowed domains in winbindd_pam_auth_pac_verify()
       via  88e92faace7 winbind: check for allowed domains in winbindd_dual_pam_chauthtok()
       via  4bc17600bc5 winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()
       via  c17bc9c6115 winbind: check for allowed domains in winbindd_dual_pam_auth_crap()
       via  4cefdf03fec winbind: check for allowed domains in winbindd_dual_pam_auth()
       via  894caca7947 winbind: move "winbind:ignore domain" logic to a seperate function
       via  32197d21dab selftest: add a test for "winbind:ignore domains"
       via  072ef480017 winbind: handle MSG_SMB_CONF_UPDATED in the winbinds children
       via  0c4497f8c66 winbind: set logfile after reloading config
       via  81edc65e79a winbind: move config-reloading code to winbindd_dual.c
       via  e1fc84138ca selftest: use correct DNS domain name for wrapper hosts file
       via  e02b3484ad9 VFS: unityed_media: Fixup um_mknodat() to correctly use the dirfsp path.
       via  83686ff1e17 VFS: unityed_media: Fix um_mkdirat() to correctly look at the full pathname.
       via  9884d178432 VFS: time_audit: Fixup smb_time_audit_mknodat() to log the dirfsp path.
       via  4c004d1633a VFS: syncops: Fixup all uses of the SYNCOPS_NEXT_SMB_FNAME macro to correctly use the dirfsp path.
       via  2f74056a916 VFS: shadow_copy2: Fixup shadow_copy2_mknodat() to correctly use the dirfsp path.
       via  db5744f0abc VFS: media_harmony: Fixup mh_mknodat() to correctly use the dirfsp path.
       via  4135a5cc814 VFS: full_audit: Fixup smb_full_audit_mknodat() to log the dirfsp path.
       via  e6af33960c8 VFS: cap: Fixup cap_mknodat() to cope with translating dirfsp path.
      from  480516e3b85 vfs_fruit: make use of adouble_open_from_base_fsp(ADOUBLE_RSRC) in fruit_open_rsrc_adouble()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 73528f26eea24033a7093e5591b8f89ad2b8644e
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 14:59:46 2021 +0100

    winbind: remove legacy flags fallback

    Some very old NT4 DCs might have not returned the account flags filled in.
    This shouldn't be a problem anymore. Additionally, on a typical domain
    member server, this request is (and can only be) sent to the primary
    domain, so this will not work with accounts from trusted domains.

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184

commit df5fe2d835169161d3930acf1e9c750dd2bc64b6
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Jan 15 12:56:25 2021 +0100

    s3/auth: implement "winbind:ignore domains"

    Under the following conditions a user from an ignored domain might be able
    to authenticate:

    - using Kerberos
    - successful previous authentication so the idmap and name caches are
      filled
    - winbind not running (fwiw, winbindd is mandatory on a domain member)
    - nscd running with a cached getpwnam for the ignored user (otherwise auth
      fails because getpwnam fails)
    - lookup_name() function being modified to look into the name cache before
      contacting winbindd. Currently it talks directly to winbindd and that
      will check the cache.

    Currently, authentication will only fail because creating the local token
    for the user fails because an LSA lookupname RPC call fails (because
    winbindd is not running).

    All of this makes a successful authentication unlikely, but that is more
    by accident than by design.

    To ensure that if winbindd is not running and as such winbindd itself can
    not enforce the restriction, also implement the ignored domains check in
    the auth system as a last line of defense.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
    RN: "winbind:ignore domains" doesn't prevent user login from trusted domain

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit da474ddd13d84f07f5da81c843e651844f33a003
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 14 10:42:53 2021 +0100

    winbind: check for allowed domains in winbindd_pam_auth_pac_verify()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 88e92faace7ec17810903166fa3433aa4842a4e3
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 17:59:48 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_chauthtok()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 4bc17600bc50fbc0e54d9d019d8db67001fc3eef
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 17:19:05 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit c17bc9c6115e4e92132f3cb912547eac78227938
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 17:10:19 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_auth_crap()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 4cefdf03fec91cdcf700922b1a5ceca02407e259
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 16:50:31 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_auth()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 894caca79476d25a0268d89b2ad8a5758b7e31f3
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 16:15:15 2021 +0100

    winbind: move "winbind:ignore domain" logic to a seperate function

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 32197d21dabecaee9bc1d6cd557578892220fe4c
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 13 11:54:40 2021 +0100

    selftest: add a test for "winbind:ignore domains"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 072ef48001710ed8326c83295f2d3cc301d27cfe
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 20 12:00:16 2021 +0100

    winbind: handle MSG_SMB_CONF_UPDATED in the winbinds children

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 0c4497f8c66d0ea7c68d42c19e859932ebc3e2ac
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 20 12:27:23 2021 +0100

    winbind: set logfile after reloading config

    lp_load_global() will overwrite whatever we've set with lp_set_logfile().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 81edc65e79aba121db800ec53aadd766e61a0001
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 20 11:17:22 2021 +0100

    winbind: move config-reloading code to winbindd_dual.c

    In preparation of forwarding MSG_SMB_CONF_UPDATED to all children.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit e1fc84138ca118c4187d87b7be4a7e6dd771dc4f
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 14 08:14:46 2021 +0100

    selftest: use correct DNS domain name for wrapper hosts file

    For some reason the join fails to register the DNS records when
    provisioning the member env:

      Using short domain name -- SAMBA2008R2
      Joined 'IDMAPADMEMBER' to dns domain 'samba2008r2.example.com'
      DNS Update for idmapadmember.samba.example.com failed: ERROR_DNS_UPDATE_FAILED

    At the same time the hosts file used by the wrappers contains the wrong
    fqdn.

    As a result the test that the next commit is going to add fails due to the
    broken DNS resolution:

      ...
      UNEXPECTED(failure): samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_ok_krb5(ad_member_idmap_ad:local)
      REASON: Exception: Exception: do_connect: Connection to idmapadmember.samba2008r2.example.com failed (Error NT_STATUS_UNSUCCESSFUL)
      ...

    Checking DNS in the testenv, first the working record for the main DC:

      testenv$ dig @10.53.57.64 dc7.samba2008r2.example.com +short
      10.53.57.27

      testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com dc7 A -U Administrator%locDCpass7
        Name=, Records=1, Children=0
          A: 10.53.57.27 (flags=f0, serial=1, ttl=900)

    Now the failing idmapadmember:

      testenv$ dig @10.53.57.64 idmapadmember.samba2008r2.example.com +short
      testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com idmapadmember A -U Administrator%locDCpass7
      ERROR: Record or zone does not exist.

    Fixing the hosts file lets the tests work, fixing the broken DNS record
    registration is a task for another day.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit e02b3484ad964702cd2c1e5b6b44d05f6f2325a8
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 12:30:10 2021 -0800

    VFS: unityed_media: Fixup um_mknodat() to correctly use the dirfsp path.

    Missed in my original fixes.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Böhme <s...@samba.org>

commit 83686ff1e17273cf02b5ded418cd0b11e98548d8
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 12:27:16 2021 -0800

    VFS: unityed_media: Fix um_mkdirat() to correctly look at the full pathname.

    Missed in the original mkdirat fixes.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Böhme <s...@samba.org>

commit 9884d178432a0552af4170b5c4e3df968570f9bd
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 12:22:29 2021 -0800

    VFS: time_audit: Fixup smb_time_audit_mknodat() to log the dirfsp path.

    Missed in my original fixes.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Böhme <s...@samba.org>

commit 4c004d1633a3ea358d2c929d5a29ec475945efff
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 12:11:01 2021 -0800

    VFS: syncops: Fixup all uses of the SYNCOPS_NEXT_SMB_FNAME macro to correctly use the dirfsp path.

    Remove the temp solution added to syncops_mkdirat() as we now have a
    generic fix.

    Missed in my original fixes.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Böhme <s...@samba.org>

commit 2f74056a916aef9925cae76016378b993560e22b
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 11:59:16 2021 -0800

    VFS: shadow_copy2: Fixup shadow_copy2_mknodat() to correctly use the dirfsp path.

    Missed in my original fixes.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Böhme <s...@samba.org>

commit db5744f0abce2f886bc8f9ba422cdd18cdb2bf6d
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 11:56:36 2021 -0800

    VFS: media_harmony: Fixup mh_mknodat() to correctly use the dirfsp path.

    Missed in my original fixes.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Böhme <s...@samba.org>

commit 4135a5cc81412ee10b7836647777240e3f61b5f3
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 11:51:16 2021 -0800

    VFS: full_audit: Fixup smb_full_audit_mknodat() to log the dirfsp path.

    Missed in my original fixes.

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Böhme <s...@samba.org>

commit e6af33960c842f2a6a8abaf7d4b0ad7234ed0cd7
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jan 20 11:33:03 2021 -0800

    VFS: cap: Fixup cap_mknodat() to cope with translating dirfsp path.

    Missed in my original fixes.

Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Ralph Böhme <s...@samba.org> ----------------------------------------------------------------------- Summary of changes: selftest/target/Samba3.pm | 15 +- source3/auth/auth_util.c | 8 ++ source3/include/proto.h | 1 + source3/lib/util_names.c | 20 +++ source3/modules/vfs_cap.c | 16 ++- source3/modules/vfs_full_audit.c | 12 +- source3/modules/vfs_media_harmony.c | 17 ++- source3/modules/vfs_shadow_copy2.c | 12 +- source3/modules/vfs_syncops.c | 22 ++- source3/modules/vfs_time_audit.c | 12 +- source3/modules/vfs_unityed_media.c | 36 +++-- .../script/tests/test_winbind_ignore_domains.sh | 104 ++++++++++++++ source3/selftest/tests.py | 3 + source3/winbindd/winbindd.c | 29 ++-- source3/winbindd/winbindd_dual.c | 37 +++++ source3/winbindd/winbindd_pam.c | 159 ++++++++------------- source3/winbindd/winbindd_proto.h | 7 + source3/winbindd/winbindd_util.c | 10 +- 18 files changed, 357 insertions(+), 163 deletions(-) create mode 100755 source3/script/tests/test_winbind_ignore_domains.sh Changeset truncated at 500 lines: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index ee20528a325..b3f0bca0110 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -761,6 +761,7 @@ sub provision_ad_member my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "LOCALADMEMBER", password => "loCalMemberPass", extra_options => $member_options, @@ -911,6 +912,7 @@ sub setup_ad_member_rfc2307 my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "RFC2307MEMBER", password => "loCalMemberPass", extra_options => $member_options, @@ -1008,6 +1010,7 @@ sub setup_ad_member_idmap_rid my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "IDMAPRIDMEMBER", password => "loCalMemberPass", extra_options => $member_options, 
@@ -1107,6 +1110,7 @@ sub setup_ad_member_idmap_ad my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "IDMAPADMEMBER", password => "loCalMemberPass", extra_options => $member_options, @@ -1965,6 +1969,7 @@ sub provision($$) my $prefix = $args{prefix}; my $domain = $args{domain}; + my $realm = $args{realm}; my $server = $args{server}; my $password = $args{password}; my $extra_options = $args{extra_options}; @@ -1982,6 +1987,12 @@ sub provision($$) my %createuser_env = (); my $server_ip = Samba::get_ipv4_addr($server); my $server_ipv6 = Samba::get_ipv6_addr($server); + my $dns_domain; + if (defined($realm)) { + $dns_domain = lc($realm); + } else { + $dns_domain = "samba.example.com"; + } my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `PATH=/usr/ucb:$ENV{PATH} whoami`); chomp $unix_name; @@ -2987,8 +2998,8 @@ force_user:x:$gid_force_user: warn("Unable to open $nss_wrapper_hosts"); return undef; } - print HOSTS "${server_ip} ${hostname}.samba.example.com ${hostname}\n"; - print HOSTS "${server_ipv6} ${hostname}.samba.example.com ${hostname}\n"; + print HOSTS "${server_ip} ${hostname}.${dns_domain} ${hostname}\n"; + print HOSTS "${server_ipv6} ${hostname}.${dns_domain} ${hostname}\n"; close(HOSTS); $resolv_conf = "$privatedir/no_resolv.conf" unless defined($resolv_conf); diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9427c05f573..4686b29111e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c 
@@ -485,6 +485,14 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } + if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + server_info->info3->base.account_name.string, + server_info->info3->base.logon_domain.string); + return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + } + if (server_info->cached_session_info != NULL) { session_info = copy_session_info(mem_ctx, server_info->cached_session_info); diff --git a/source3/include/proto.h b/source3/include/proto.h index 6c9cf130d04..16cd587ed30 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -304,6 +304,7 @@ struct passwd *Get_Pwnam_alloc(TALLOC_CTX *mem_ctx, const char *user); /* The following definitions come from lib/util_names.c */ const char *get_global_sam_name(void); const char *my_sam_name(void); +bool is_allowed_domain(const char *domain_name); /* The following definitions come from lib/util.c */ diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c index 15236c913df..630a25875c7 100644 --- a/source3/lib/util_names.c +++ b/source3/lib/util_names.c @@ -182,3 +182,23 @@ const char *my_sam_name(void) return lp_workgroup(); } + +bool is_allowed_domain(const char *domain_name) +{ + const char **ignored_domains = NULL; + const char **dom = NULL; + + ignored_domains = lp_parm_string_list(-1, + "winbind", + "ignore domains", + NULL); + + for (dom = ignored_domains; dom != NULL && *dom != NULL; dom++) { + if (gen_fnmatch(*dom, domain_name) == 0) { + DBG_NOTICE("Ignoring domain '%s'\n", domain_name); + return false; + } + } + + return true; +} diff --git a/source3/modules/vfs_cap.c b/source3/modules/vfs_cap.c index b7cdd0d8131..3593ef589d8 100644 --- a/source3/modules/vfs_cap.c +++ b/source3/modules/vfs_cap.c 
@@ -629,12 +629,22 @@ static int cap_mknodat(vfs_handle_struct *handle, mode_t mode, SMB_DEV_T dev) { + struct smb_filename *full_fname = NULL; struct smb_filename *cap_smb_fname = NULL; - char *cappath = capencode(talloc_tos(), smb_fname->base_name); + char *cappath = NULL; int ret; int saved_errno = 0; + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + return -1; + } + + cappath = capencode(talloc_tos(), full_fname->base_name); if (!cappath) { + TALLOC_FREE(full_fname); errno = ENOMEM; return -1; } @@ -645,18 +655,20 @@ static int cap_mknodat(vfs_handle_struct *handle, smb_fname->twrp, smb_fname->flags); if (cap_smb_fname == NULL) { + TALLOC_FREE(full_fname); TALLOC_FREE(cappath); errno = ENOMEM; return -1; } ret = SMB_VFS_NEXT_MKNODAT(handle, - dirfsp, + handle->conn->cwd_fsp, cap_smb_fname, mode, dev); if (ret == -1) { saved_errno = errno; } + TALLOC_FREE(full_fname); TALLOC_FREE(cappath); TALLOC_FREE(cap_smb_fname); if (saved_errno != 0) { diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c index 5e1572bcb47..9e1df735468 100644 --- a/source3/modules/vfs_full_audit.c +++ b/source3/modules/vfs_full_audit.c @@ -1876,8 +1876,16 @@ static int smb_full_audit_mknodat(vfs_handle_struct *handle, mode_t mode, SMB_DEV_T dev) { + struct smb_filename *full_fname = NULL; int result; + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + return -1; + } + result = SMB_VFS_NEXT_MKNODAT(handle, dirfsp, smb_fname, @@ -1888,7 +1896,9 @@ static int smb_full_audit_mknodat(vfs_handle_struct *handle, (result >= 0), handle, "%s", - smb_fname_str_do_log(handle->conn, smb_fname)); + smb_fname_str_do_log(handle->conn, full_fname)); + + TALLOC_FREE(full_fname); return result; } diff --git a/source3/modules/vfs_media_harmony.c b/source3/modules/vfs_media_harmony.c index 7b3db36d4cb..40eb81c677b 100644 --- a/source3/modules/vfs_media_harmony.c 
+++ b/source3/modules/vfs_media_harmony.c @@ -1752,11 +1752,21 @@ static int mh_mknodat(vfs_handle_struct *handle, SMB_DEV_T dev) { int status; + struct smb_filename *full_fname = NULL; struct smb_filename *clientFname = NULL; TALLOC_CTX *ctx; DEBUG(MH_INFO_DEBUG, ("Entering mh_mknodat\n")); - if (!is_in_media_files(smb_fname->base_name)) { + + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + status = -1; + goto err; + } + + if (!is_in_media_files(full_fname->base_name)) { status = SMB_VFS_NEXT_MKNODAT(handle, dirfsp, smb_fname, @@ -1768,13 +1778,13 @@ static int mh_mknodat(vfs_handle_struct *handle, ctx = talloc_tos(); if ((status = alloc_get_client_smb_fname(handle, ctx, - smb_fname, + full_fname, &clientFname))) { goto err; } status = SMB_VFS_NEXT_MKNODAT(handle, - dirfsp, + handle->conn->cwd_fsp, clientFname, mode, dev); @@ -1782,6 +1792,7 @@ static int mh_mknodat(vfs_handle_struct *handle, err: TALLOC_FREE(clientFname); out: + TALLOC_FREE(full_fname); return status; } diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c index 227ac148260..174f246bdad 100644 --- a/source3/modules/vfs_shadow_copy2.c +++ b/source3/modules/vfs_shadow_copy2.c @@ -1625,13 +1625,23 @@ static int shadow_copy2_mknodat(vfs_handle_struct *handle, mode_t mode, SMB_DEV_T dev) { + struct smb_filename *full_fname = NULL; time_t timestamp = 0; + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + return -1; + } + if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, - smb_fname, + full_fname, ×tamp, NULL)) { + TALLOC_FREE(full_fname); return -1; } + TALLOC_FREE(full_fname); if (timestamp != 0) { errno = EROFS; return -1; diff --git a/source3/modules/vfs_syncops.c b/source3/modules/vfs_syncops.c index 6fb05e52e30..043304feb3c 100644 --- a/source3/modules/vfs_syncops.c +++ b/source3/modules/vfs_syncops.c 
@@ -155,14 +155,22 @@ static int syncops_renameat(vfs_handle_struct *handle, #define SYNCOPS_NEXT_SMB_FNAME(op, fname, args) do { \ int ret; \ + struct smb_filename *full_fname = NULL; \ struct syncops_config_data *config; \ SMB_VFS_HANDLE_GET_DATA(handle, config, \ struct syncops_config_data, \ return -1); \ + full_fname = full_path_from_dirfsp_atname(talloc_tos(), \ + dirfsp, \ + smb_fname); \ + if (full_fname == NULL) { \ + return -1; \ + } \ ret = SMB_VFS_NEXT_ ## op args; \ if (ret == 0 \ && config->onmeta && !config->disable \ - && fname) syncops_smb_fname(fname); \ + && fname) syncops_smb_fname(full_fname); \ + TALLOC_FREE(full_fname); \ return ret; \ } while (0) @@ -265,24 +273,12 @@ static int syncops_mkdirat(vfs_handle_struct *handle, const struct smb_filename *smb_fname, mode_t mode) { - struct smb_filename *full_fname = NULL; - - full_fname = full_path_from_dirfsp_atname(talloc_tos(), - dirfsp, - smb_fname); - if (full_fname == NULL) { - errno = ENOMEM; - return -1; - } - SYNCOPS_NEXT_SMB_FNAME(MKDIRAT, full_fname, (handle, dirfsp, smb_fname, mode)); - - TALLOC_FREE(full_fname); } /* close needs to be handled specially */ diff --git a/source3/modules/vfs_time_audit.c b/source3/modules/vfs_time_audit.c index 05ba4865219..cc5039fed7c 100644 --- a/source3/modules/vfs_time_audit.c +++ b/source3/modules/vfs_time_audit.c @@ -1506,10 +1506,19 @@ static int smb_time_audit_mknodat(vfs_handle_struct *handle, mode_t mode, SMB_DEV_T dev) { + struct smb_filename *full_fname = NULL; int result; struct timespec ts1,ts2; double timediff; + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + errno = ENOMEM; + return -1; + } + clock_gettime_mono(&ts1); result = SMB_VFS_NEXT_MKNODAT(handle, dirfsp, 
@@ -1520,9 +1529,10 @@ static int smb_time_audit_mknodat(vfs_handle_struct *handle, timediff = nsec_time_diff(&ts2,&ts1)*1.0e-9; if (timediff > audit_timeout) { - smb_time_audit_log_smb_fname("mknodat", timediff, smb_fname); + smb_time_audit_log_smb_fname("mknodat", timediff, full_fname); } + TALLOC_FREE(full_fname); return result; } diff --git a/source3/modules/vfs_unityed_media.c b/source3/modules/vfs_unityed_media.c index ac7ea4b404d..9c4f2baf691 100644 --- a/source3/modules/vfs_unityed_media.c +++ b/source3/modules/vfs_unityed_media.c @@ -742,26 +742,28 @@ static int um_mkdirat(vfs_handle_struct *handle, mode_t mode) { int status; - const char *path = smb_fname->base_name; + const char *path = NULL; struct smb_filename *client_fname = NULL; struct smb_filename *full_fname = NULL; + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + return -1; + } + + path = full_fname->base_name; DEBUG(10, ("Entering with path '%s'\n", path)); if (!is_in_media_files(path) || !is_in_media_dir(path)) { + TALLOC_FREE(full_fname); return SMB_VFS_NEXT_MKDIRAT(handle, dirfsp, smb_fname, mode); } - full_fname = full_path_from_dirfsp_atname(talloc_tos(), - dirfsp, - smb_fname); - if (full_fname == NULL) { - return -1; - } - status = alloc_get_client_smb_fname(handle, talloc_tos(), full_fname, @@ -775,9 +777,9 @@ static int um_mkdirat(vfs_handle_struct *handle, client_fname, mode); err: + DEBUG(10, ("Leaving with path '%s'\n", path)); TALLOC_FREE(client_fname); TALLOC_FREE(full_fname); - DEBUG(10, ("Leaving with path '%s'\n", path)); return status; } 
@@ -1383,9 +1385,18 @@ static int um_mknodat(vfs_handle_struct *handle, { int status; struct smb_filename *client_fname = NULL; + struct smb_filename *full_fname = NULL; + + full_fname = full_path_from_dirfsp_atname(talloc_tos(), + dirfsp, + smb_fname); + if (full_fname == NULL) { + return -1; + } DEBUG(10, ("Entering um_mknodat\n")); - if (!is_in_media_files(smb_fname->base_name)) { + if (!is_in_media_files(full_fname->base_name)) { + TALLOC_FREE(full_fname); return SMB_VFS_NEXT_MKNODAT(handle, dirfsp, smb_fname, @@ -1394,19 +1405,20 @@ static int um_mknodat(vfs_handle_struct *handle, } status = alloc_get_client_smb_fname(handle, talloc_tos(), - smb_fname, &client_fname); + full_fname, &client_fname); if (status != 0) { goto err; } status = SMB_VFS_NEXT_MKNODAT(handle, - dirfsp, + handle->conn->cwd_fsp, client_fname, mode, dev); err: TALLOC_FREE(client_fname); + TALLOC_FREE(full_fname); return status; } diff --git a/source3/script/tests/test_winbind_ignore_domains.sh b/source3/script/tests/test_winbind_ignore_domains.sh new file mode 100755 index 00000000000..adce8abb09c --- /dev/null +++ b/source3/script/tests/test_winbind_ignore_domains.sh @@ -0,0 +1,104 @@ +#!/bin/sh + +incdir=`dirname $0`/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +smbclient="$BINDIR/smbclient" +smbcontrol="$BINDIR/smbcontrol" +ldbmodify="$BINDIR/ldbmodify" +ldbsearch="$BINDIR/ldbsearch" +wbinfo="$BINDIR/wbinfo" +global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf +SERVER_FQDN=$(echo "$SERVER.$REALM" | awk '{print tolower($0)}') + +TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}') +if [ $? -ne 0 ] ; then + echo "Could not find trusted base DN" | subunit_fail_test "test_idmap_ad" + exit 1 +fi -- Samba Shared Repository
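
Review bot: in the create_local_token() hunk of source3/auth/auth_util.c, server_info->info3->base.logon_domain.string is passed to is_allowed_domain() and to the %s in DBG_NOTICE with no visible check that info3 or the string is non-NULL. If the lines above the hunk do not already guarantee that, add a guard before the call and reject the logon when the domain name is missing rather than letting it reach the pattern match. Because the commit message positions this as the last line of defense when winbindd is down, a short comment naming which domain name form (the info3 logon_domain) is compared against the "winbind:ignore domains" patterns would help whoever maintains the setting.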
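
Review bot: is_allowed_domain() in source3/lib/util_names.c is exported through proto.h but carries no comment describing its contract. Document that it returns true when "winbind:ignore domains" is unset, that every list entry is treated as a gen_fnmatch() pattern, and what the result is for a NULL domain_name, which is currently handed to gen_fnmatch() unchecked. The DBG_NOTICE("Ignoring domain '%s'\n", ...) here together with the DBG_NOTICE in the create_local_token() caller logs the same rejection twice; consider keeping the message in one place only.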
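
Review bot: in cap_mknodat() (source3/modules/vfs_cap.c) the new full_fname == NULL path returns -1 without setting errno, while the cappath and cap_smb_fname failure paths directly below it set errno = ENOMEM, and the smb_time_audit_mknodat() hunk sets it for the same full_path_from_dirfsp_atname() failure. Unless full_path_from_dirfsp_atname() is guaranteed to set errno itself, add errno = ENOMEM here. The same early return without errno appears in the smb_full_audit_mknodat(), shadow_copy2_mknodat(), um_mkdirat() and um_mknodat() hunks.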
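
Review bot: the SYNCOPS_NEXT_SMB_FNAME macro in source3/modules/vfs_syncops.c now reads dirfsp and smb_fname from the expanding function's scope instead of receiving them as macro parameters, so it silently depends on every caller using exactly those variable names. Pass them in as arguments, or state the requirement in a comment above the macro. The added full_fname == NULL branch also returns -1 without errno = ENOMEM, which the block removed from syncops_mkdirat() in this same commit did set.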
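
Review bot: in the syncops_mkdirat() hunk the call still reads SYNCOPS_NEXT_SMB_FNAME(MKDIRAT, full_fname, ...) after the function's own full_fname declaration is removed, so the argument now resolves to the variable declared inside the macro body. That compiles only because the names coincide, and it turns the macro's "&& fname" test into a check of a pointer already known to be non-NULL. Pass smb_fname as the fname argument here, or drop the fname parameter from the macro now that it always syncs full_fname.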
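
Review bot: in source3/script/tests/test_winbind_ignore_domains.sh the $? tested after the TRUST_BASE_DN=$($ldbsearch ... | awk ...) assignment is the exit status of awk, the last command in the pipeline, so a failing ldbsearch is not detected and the script continues with an empty base DN. Test the value instead, for example with [ -z "$TRUST_BASE_DN" ]. The failure is also reported under the name "test_idmap_ad", which does not match this script; use a name tied to the ignore-domains test so the subunit output points at the right place.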