The branch, master has been updated
via 3c3725a340ffe20ab679cf2f9d41ccd0b51b4b3a (commit)
via 7b3501200c55d7844c4d697456dbfa2b86cfdcc8 (commit)
via 2df47b0a54ad0a973b81911ee507ab50555b24a6 (commit)
from 3d3134a7d6a4d49b891a446f6cc7b38fd953739a (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 3c3725a340ffe20ab679cf2f9d41ccd0b51b4b3a
Author: Günther Deschner <[email protected]>
Date: Tue Oct 6 17:46:25 2009 +0200
s3-winbindd: libwbclient: implement secure channel verification for
specific domains in wbcCheckTrustCredentials().
Guenther
commit 7b3501200c55d7844c4d697456dbfa2b86cfdcc8
Author: Günther Deschner <[email protected]>
Date: Wed Oct 7 10:43:53 2009 +0200
wbinfo: allow to check trusts via "wbinfo -t --domain DOMAINNAME".
Guenther
commit 2df47b0a54ad0a973b81911ee507ab50555b24a6
Author: Günther Deschner <[email protected]>
Date: Tue Oct 6 17:45:24 2009 +0200
libwbclient: implement secure channel verification for specific domains in
wbcCheckTrustCredentials().
Guenther
-----------------------------------------------------------------------
Summary of changes:
nsswitch/libwbclient/wbc_pam.c | 14 +++++---------
nsswitch/libwbclient/wbclient.h | 4 +---
nsswitch/wbinfo.c | 18 +++++++++++++-----
source3/winbindd/winbindd_check_machine_acct.c | 11 ++++++++++-
source3/winbindd/winbindd_dual_srv.c | 8 ++++----
5 files changed, 33 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index 33044b2..4cd212a 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -502,18 +502,14 @@ wbcErr wbcCheckTrustCredentials(const char *domain,
struct winbindd_response response;
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
- if (domain) {
- /*
- * the current protocol doesn't support
- * specifying a domain
- */
- wbc_status = WBC_ERR_NOT_IMPLEMENTED;
- BAIL_ON_WBC_ERROR(wbc_status);
- }
-
ZERO_STRUCT(request);
ZERO_STRUCT(response);
+ if (domain) {
+ strncpy(request.domain_name, domain,
+ sizeof(request.domain_name)-1);
+ }
+
/* Send request */
wbc_status = wbcRequestResponse(WINBINDD_CHECK_MACHACC,
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index a87cad3..4dc6d23 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -1183,9 +1183,7 @@ wbcErr wbcResolveWinsByIP(const char *ip, char **name);
/**
* @brief Trigger a verification of the trust credentials of a specific domain
*
- * @param *domain The name of the domain, only NULL for the default
domain is
- * supported yet. Other values than NULL will result in
- * WBC_ERR_NOT_IMPLEMENTED.
+ * @param *domain The name of the domain.
* @param error Output details on WBC_ERR_AUTH_ERROR
*
* @return #wbcErr
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index a80b69f..7410a74 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -724,15 +724,23 @@ static bool wbinfo_dsgetdcname(const char *domain_name,
uint32_t flags)
/* Check trust account password */
-static bool wbinfo_check_secret(void)
+static bool wbinfo_check_secret(const char *domain)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
struct wbcAuthErrorInfo *error = NULL;
+ const char *domain_name;
- wbc_status = wbcCheckTrustCredentials(NULL, &error);
+ if (domain) {
+ domain_name = domain;
+ } else {
+ domain_name = get_winbind_domain();
+ }
- d_printf("checking the trust secret via RPC calls %s\n",
- WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
+ wbc_status = wbcCheckTrustCredentials(domain_name, &error);
+
+ d_printf("checking the trust secret for domain %s via RPC calls %s\n",
+ domain_name,
+ WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
if (wbc_status == WBC_ERR_AUTH_ERROR) {
d_fprintf(stderr, "error code was %s (0x%x)\n",
@@ -1950,7 +1958,7 @@ int main(int argc, char **argv, char **envp)
}
break;
case 't':
- if (!wbinfo_check_secret()) {
+ if (!wbinfo_check_secret(opt_domain_name)) {
d_fprintf(stderr, "Could not check secret\n");
goto done;
}
diff --git a/source3/winbindd/winbindd_check_machine_acct.c
b/source3/winbindd/winbindd_check_machine_acct.c
index e3505cb..610e9ed 100644
--- a/source3/winbindd/winbindd_check_machine_acct.c
+++ b/source3/winbindd/winbindd_check_machine_acct.c
@@ -42,7 +42,16 @@ struct tevent_req
*winbindd_check_machine_acct_send(TALLOC_CTX *mem_ctx,
return NULL;
}
- domain = find_our_domain();
+ if (request->domain_name[0] == '0') {
+ /* preserve old behavior, when no domain name is given */
+ domain = find_our_domain();
+ } else {
+ domain = find_domain_from_name(request->domain_name);
+ }
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+ return tevent_req_post(req, ev);
+ }
if (domain->internal) {
/*
* Internal domains are passdb based, we can always
diff --git a/source3/winbindd/winbindd_dual_srv.c
b/source3/winbindd/winbindd_dual_srv.c
index 179a771..3374861 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -437,13 +437,13 @@ again:
/* Pass back result code - zero for success, other values for
specific failures. */
- DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(status) ?
- "good" : "bad"));
+ DEBUG(3,("domain %s secret is %s\n", domain->name,
+ NT_STATUS_IS_OK(status) ? "good" : "bad"));
done:
DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
- ("Checking the trust account password returned %s\n",
- nt_errstr(status)));
+ ("Checking the trust account password for domain %s returned
%s\n",
+ domain->name, nt_errstr(status)));
return status;
}
--
Samba Shared Repository
