The branch, v3-5-stable has been updated
       via  052b65e WHWATSNEW: Prepare release notes for Samba 3.5.18.
       via  fa8b1fa docs: clarify the idmap_rid manpage (bug #7788)
       via  1d5b8aa s3:winbindd: make sure we only call static_init_idmap once
       via  536be09 quota: fix build of sysquote_xfs on
       via  5463fcf nsswitch: fix crash on null pam change pw response
       via  f919d07 Fix bug #9147 - winbind can't fetch user or group info from AD via LDAP
       via  3709ac8 s3: delete requests are not special
       via  f482604 s3: Fix bug #9085.
       via  9c48ee2 Fix bug #9100 - winbind doesn't return "Domain Local" groups from own domain.
       via  805992f Fix bug #9098 - winbind does not refresh kerberos tickets.
       via  aca082e Fix bug #9104 - winbindd can mis-identify idle clients - can cause crashes and NDR parsing errors.
       via  83148e2 Ensure we keep last_access up to date when processing a request. (cherry picked from commit e01df21a5dbe8f3d401d58de6cffa4d4ba340a24)
       via  988118c s3: Fix a crash in reply_lockingX_error
      from  6c50a54 WHATSNEW: Start release notes for Samba 3.5.18.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable

- Log -----------------------------------------------------------------

commit 052b65e15293b62520f3a35d4681ffeaf7499cae
Author: Karolin Seeger <ksee...@samba.org>
Date:   Fri Sep 21 10:19:07 2012 +0200

    WHWATSNEW: Prepare release notes for Samba 3.5.18.

    Karolin
    (cherry picked from commit e9e21faae567370f05432462cf25a3df6cf8e07f)

commit fa8b1fa084a0695e949bf5d473faf6ef523900ee
Author: Michael Adam <ob...@samba.org>
Date:   Tue Dec 7 17:30:27 2010 +0100

    docs: clarify the idmap_rid manpage (bug #7788)

    The idmap_rid module should not be used as a default backend.
    Also mention that the old syntax "idmap backend = rid:domain=range ..."
    is not supported any more.

    Autobuild-User: Michael Adam <ob...@samba.org>
    Autobuild-Date: Tue Dec 7 19:07:57 CET 2010 on sn-devel-104
    (cherry picked from commit a4f48b3da0081845336c55ff230179caeab5195c)

commit 1d5b8aa6a8c242e6b40e8a984a04bcd76bfdd884
Author: Björn Jacke <b...@sernet.de>
Date:   Wed Aug 24 10:57:49 2011 +0200

    s3:winbindd: make sure we only call static_init_idmap once

    this is a backport of 3f14d03adbda03b821210115af4fae044a9b4a3e

    Fix bug #8402 - winbind log spammed with idmap messages.
    (cherry picked from commit 04e4325642d029e604c31b371811fafdf2b61cf8)

commit 536be09e802db2f93ed02690d219ed6ccec908c3
Author: Björn Jacke <b...@sernet.de>
Date:   Thu Sep 13 01:23:12 2012 +0200

    quota: fix build of sysquote_xfs on linux

    header files renamed some XFS_* defines to FS_* around kernel v2.6.36

    This fixes bug #7814
    (cherry picked from commit a3eb8d765e48bcbe86458791ec61325a517bd7dd)

commit 5463fcf7dca60c902946f36437c034137d9078b0
Author: Luca Lorenzetto <lorenzetto-l...@ubuntu-it.org>
Date:   Tue Sep 11 18:35:42 2012 +0200

    nsswitch: fix crash on null pam change pw response

    The function _pam_winbind_change_pwd crashes due to a null value passed
    to the function strcasecmp and prevents login via the graphical login
    manager. Check for a null value before doing a strcasecmp.

    Bug-Ubuntu: https://bugs.launchpad.net/bugs/1003296
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9013 (Desktop Managers
    (xdm, gdm, lightdm...) crashes with SIGSEGV in _pam_winbind_change_pwd()
    when password is expiring)
    (cherry picked from commit 47f2211f137688a7c46c4a38571a9f94e59dbf6a)
    (cherry picked from commit 25bf057288d5e77c07a5ed3d3c3fb7f5f33f62b6)

commit f919d070b1dc9c210e9b402806372fd2f041b35a
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Sep 10 16:07:37 2012 -0700

    Fix bug #9147 - winbind can't fetch user or group info from AD via LDAP

    Don't use "isprint" in ldb_binary_encode(). This is locale specific.
    Restrict to ASCII only, hex encode everything else.
    (cherry picked from commit 9258a7b9cfd5fb85e5361d1b49c3bb8655e97159)

commit 3709ac83a0671fc8ac546031f4992165a886de0d
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Sep 10 11:25:03 2012 +0200

    s3: delete requests are not special

    The only difference between batch and exclusive oplocks is the time of
    the check: Batch is checked before the share mode check, exclusive after.

    Signed-off-by: Jeremy Allison <j...@samba.org>

    Fix bug #9150 - Valid open requests can cause smbd assert due to
    incorrect oplock handling on delete requests.
    (cherry picked from commit b20ca77e2a9d111eb2e77d0b804fe7505b07e418)

commit f4826046d01bf702044a1664400989a631acf65f
Author: hargagan <sharga...@novell.com>
Date:   Tue Aug 28 09:29:52 2012 +0200

    s3: Fix bug #9085.

    NMB registration for a duplicate workstation fails with registration
    refuse.
    (cherry picked from commit 71c4227fd0a741984fb273ad1973ad1724ecb04b)
    (cherry picked from commit 30567b8f9bc0f5a39a3a65039277aa5f839622cd)

commit 9c48ee2bc85867bf30bb71a26edf9300ee081094
Author: Goldberg, Neil R <ngold...@mitre.org>
Date:   Fri Aug 17 13:52:07 2012 -0700

    Fix bug #9100 - winbind doesn't return "Domain Local" groups from own domain.

    Back-port of fix for 3.6.x from bug #9052.
    (cherry picked from commit 38444389c39d5c5adca1c9f300bded47407fd0b5)

commit 805992fc98a2cacf9d5e5d02f49dc0866f5a2083
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Aug 21 14:08:24 2012 -0700

    Fix bug #9098 - winbind does not refresh kerberos tickets.

    Based on work from Ian Gordon <ian.gor...@strath.ac.uk>.
    (cherry picked from commit 51c5f84d2496b5117a2fe6afc061594cf33b5fc1)

commit aca082e6df0ae46b3c2267f0a5ebed91893aaef8
Author: Herb Lewis <hle...@panasas.com>
Date:   Mon Aug 20 16:03:28 2012 -0700

    Fix bug #9104 - winbindd can mis-identify idle clients - can cause crashes and NDR parsing errors.

    A connection is idle when both struct winbindd_cli_state->request AND
    struct winbindd_cli_state->response are NULL. Otherwise we can flag as
    idle a connection in the state of having sent the request to the
    winbindd child (request != NULL) but not yet received a reply
    (response == NULL).
    (cherry picked from commit 36dc8a0f40a38d9c03570856cb4c843b74c1c7bd)

commit 83148e290f436783dc24b7349be38e40049ce080
Author: Jeremy Allison <j...@samba.org>
Date:   Mon Aug 20 15:21:26 2012 -0700

    Ensure we keep last_access up to date when processing a request.
(cherry picked from commit e01df21a5dbe8f3d401d58de6cffa4d4ba340a24) commit 988118c2358204eab5bb5907d0f5390cfece9538 Author: Volker Lendecke <v...@samba.org> Date: Tue Aug 7 16:49:52 2012 -0700 s3: Fix a crash in reply_lockingX_error A timed brlock with 2 locks comes in and the second one blocks, file is closed. smbd_cancel_pending_lock_requests_by_fid sets blr->fsp to NULL. reply_lockingX_error (called via MSG_SMB_BLOCKING_LOCK_CANCEL) deferences blr->fsp because blr->lock_num==1 (the second one blocked). This patch fixes the bug by only undoing the locks if fsp!=NULL. fsp==NULL is the close case where everything is undone anyway. Thanks to Peter Somogyi, somo...@hu.ibm.com for this bug report. Fix bug #9084 - Blocking lock followed by close can crash smbd. (cherry picked from commit d80fbbea8ec77c0bda0e3fb9eaed2f170784ea7d) (cherry picked from commit b27caac5e077b49f46edf34045bb4fd8d17b4c77) ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 44 ++++++++++++++++++++++++++++++- docs-xml/manpages-3/idmap_rid.8.xml | 18 +++++++++++++ nsswitch/pam_winbind.c | 2 +- source3/auth/auth_util.c | 2 +- source3/include/proto.h | 3 +- source3/lib/ldb/common/ldb_parse.c | 11 ++++++- source3/lib/sysquotas_xfs.c | 12 ++++++++ source3/lib/util_sid.c | 20 +++++--------- source3/nmbd/nmbd_winsserver.c | 2 +- source3/smbd/blocking.c | 17 ++++++++--- source3/smbd/open.c | 13 +-------- source3/winbindd/idmap.c | 21 ++++++++++++--- source3/winbindd/winbindd.c | 4 ++- source3/winbindd/winbindd_cred_cache.c | 30 +++++++++++++++++++++- source3/winbindd/winbindd_pam.c | 11 +++++++- source3/winbindd/winbindd_proto.h | 1 + source3/winbindd/winbindd_util.c | 12 ++++++-- source4/lib/ldb/common/ldb_parse.c | 11 ++++++- 18 files changed, 184 insertions(+), 50 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index da49f98..37bbe4b 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,18 +1,58 @@ ============================== Release Notes for Samba 3.5.18 - , 2012 + September 24, 2012 ============================== This is the latest stable release of Samba 3.5. -Major enhancements in Samba 3.5.16 include: +Major enhancements in Samba 3.5.18 include: + +o Fix a smbd crash in reply_lockingX_error (bug #9084). +o Fix Winbind crashes caused by mis-identified idle clients (bug #9104). +o Desktop Managers (xdm, gdm, lightdm...) crash with SIGSEGV in + _pam_winbind_change_pwd() when password is expiring (bug #9013). Changes since 3.5.17: --------------------- +o Michael Adam <ob...@samba.org> + * BUG 7788: Clarify the idmap_rid manpage. + + o Jeremy Allison <j...@samba.org> + * BUG 9098: Winbind does not refresh Kerberos tickets. + * BUG 9147: Winbind can't fetch user or group info from AD via LDAP. + * BUG 9150: Valid open requests can cause smbd assert due to incorrect + oplock handling on delete requests. + + +o Neil R. Goldberg <ngold...@mitre.org> + * BUG 9100: Winbind doesn't return "Domain Local" groups from own domain. + + +o Hargagan <sharga...@novell.com> + * BUG 9085: NMB registration for a duplicate workstation fails with + registration refuse. + + +o Björn Jacke <b...@sernet.de> + * BUG 7814: Fix build of sysquote_xfs. + * BUG 8402: Winbind log spammed with idmap messages. + + +o Volker Lendecke <v...@samba.org> + * BUG 9084: Fix a smbd crash in reply_lockingX_error. + + +o Herb Lewis <hle...@panasas.com> + * BUG 9104: Fix Winbind crashes caused by mis-identified idle clients. + + +o Luca Lorenzetto <lorenzetto-l...@ubuntu-it.org> + * BUG 9013: Desktop Managers (xdm, gdm, lightdm...) crash with SIGSEGV in + _pam_winbind_change_pwd() when password is expiring. ###################################################################### diff --git a/docs-xml/manpages-3/idmap_rid.8.xml b/docs-xml/manpages-3/idmap_rid.8.xml index 55aed62..a453e91 100644 --- a/docs-xml/manpages-3/idmap_rid.8.xml +++ b/docs-xml/manpages-3/idmap_rid.8.xml 
@@ -21,6 +21,24 @@ <para>The idmap_rid backend provides a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs. No database is required in this case as the mapping is deterministic.</para> + + <para> + Note that the idmap_rid module has changed considerably since Samba + versions 3.0. and 3.2. + Currently, there should to be an explicit idmap configuration for each + domain that should use the idmap_rid backend, using disjoint ranges. + One usually needs to define a writeable default idmap range, using + a backent like <parameter>tdb</parameter> or <parameter>ldap</parameter> + that can create unix ids, in order to be able to map the BUILTIN sids + and other domains, and also in order to be able to create group mappings. + See the example below. + </para> + + <para> + Note that the old syntax + <parameter>idmap backend = rid:"DOM1=range DOM2=range2 ..."</parameter> + is not supported any more since Samba version 3.0.25. + </para> </refsynopsisdiv> <refsect1> diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index 81055c9..fdaf807 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c @@ -831,7 +831,7 @@ static bool _pam_winbind_change_pwd(struct pwb_context *ctx) } _pam_log(ctx, LOG_CRIT, "Received [%s] reply from application.\n", resp->resp); - if (strcasecmp(resp->resp, "yes") == 0) { + if ((resp->resp != NULL) && (strcasecmp(resp->resp, "yes") == 0)) { retval = true; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 69d5c65..42e2747 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = sid_array_from_info3(result, info3, &result->sids, &result->num_sids, - false, false); + false); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(result); return nt_status; diff --git a/source3/include/proto.h b/source3/include/proto.h index 559a34e..785cc30 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h 
@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, - bool include_user_group_rid, - bool skip_ressource_groups); + bool include_user_group_rid); /* The following definitions come from lib/util_sock.c */ diff --git a/source3/lib/ldb/common/ldb_parse.c b/source3/lib/ldb/common/ldb_parse.c index bcc92c5..1412d57 100644 --- a/source3/lib/ldb/common/ldb_parse.c +++ b/source3/lib/ldb/common/ldb_parse.c @@ -92,6 +92,13 @@ struct ldb_val ldb_binary_decode(void *mem_ctx, const char *str) return ret; } +static bool need_encode(unsigned char cval) +{ + if (cval < 0x20 || cval > 0x7E || strchr(" *()\\&|!\"", cval)) { + return true; + } + return false; +} /* encode a blob as a RFC2254 binary string, escaping any @@ -105,7 +112,7 @@ char *ldb_binary_encode(void *mem_ctx, struct ldb_val val) unsigned char *buf = val.data; for (i=0;i<val.length;i++) { - if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) { + if (need_encode(buf[i])) { len += 2; } } @@ -114,7 +121,7 @@ char *ldb_binary_encode(void *mem_ctx, struct ldb_val val) len = 0; for (i=0;i<val.length;i++) { - if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) { + if (need_encode(buf[i])) { snprintf(ret+len, 4, "\\%02X", buf[i]); len += 3; } else { diff --git a/source3/lib/sysquotas_xfs.c b/source3/lib/sysquotas_xfs.c index 1e438e9..1e3d952 100644 --- a/source3/lib/sysquotas_xfs.c +++ b/source3/lib/sysquotas_xfs.c @@ -35,6 +35,18 @@ #include "samba_linux_quota.h" #ifdef HAVE_LINUX_DQBLK_XFS_H #include <linux/dqblk_xfs.h> +#ifndef XFS_QUOTA_UDQ_ACCT +#define XFS_QUOTA_UDQ_ACCT FS_QUOTA_UDQ_ACCT +#endif +#ifndef XFS_QUOTA_UDQ_ENFD +#define XFS_QUOTA_UDQ_ENFD FS_QUOTA_UDQ_ENFD +#endif +#ifndef XFS_QUOTA_GDQ_ACCT +#define XFS_QUOTA_GDQ_ACCT FS_QUOTA_GDQ_ACCT +#endif +#ifndef XFS_QUOTA_GDQ_ENFD +#define XFS_QUOTA_GDQ_ENFD FS_QUOTA_GDQ_ENFD +#endif #endif #define HAVE_GROUP_QUOTA #else /* IRIX */ 
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index bea04d8..f918eba 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, - bool include_user_group_rid, - bool skip_ressource_groups) + bool include_user_group_rid) { NTSTATUS status; DOM_SID sid; @@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, } } - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ + /* SID filtering should only be handled by the domain controller on a + trust by trust basis, and is counter-indicated for forests. Since + native AD return all Domain Local groups as other SIDs, then this + must not filter them when parsing INFO3 responses such that the + list is identical to the tokenGroups LDAP query. + */ for (i = 0; i < info3->sidcount; i++) { - - if (skip_ressource_groups && - (info3->sids[i].attributes & SE_GROUP_RESOURCE)) { - continue; - } - status = add_sid_to_array(mem_ctx, info3->sids[i].sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/nmbd/nmbd_winsserver.c b/source3/nmbd/nmbd_winsserver.c index 0a5b1c8..20436c5 100644 --- a/source3/nmbd/nmbd_winsserver.c +++ b/source3/nmbd/nmbd_winsserver.c @@ -1014,7 +1014,7 @@ static void wins_register_query_success(struct subnet_record *subrec, DEBUG(3,("wins_register_query_success: Original client at IP %s still wants the \ name %s. Rejecting registration request.\n", inet_ntoa(ip), nmb_namestr(question_name) )); - send_wins_name_registration_response(RFS_ERR, 0, orig_reg_packet); + send_wins_name_registration_response(ACT_ERR, 0, orig_reg_packet); orig_reg_packet->locked = False; free_packet(orig_reg_packet); 
diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c index 3f49421..08af28a 100644 --- a/source3/smbd/blocking.c +++ b/source3/smbd/blocking.c @@ -299,7 +299,7 @@ static void generic_blocking_lock_error(struct blocking_lock_record *blr, NTSTAT obtained first. *****************************************************************************/ -static void reply_lockingX_error(struct blocking_lock_record *blr, NTSTATUS status) +static void undo_locks_obtained(struct blocking_lock_record *blr) { files_struct *fsp = blr->fsp; uint16 num_ulocks = SVAL(blr->req->vwv+6, 0); @@ -343,8 +343,6 @@ static void reply_lockingX_error(struct blocking_lock_record *blr, NTSTATUS stat offset, WINDOWS_LOCK); } - - generic_blocking_lock_error(blr, status); } /**************************************************************************** @@ -357,8 +355,17 @@ static void blocking_lock_reply_error(struct blocking_lock_record *blr, NTSTATUS switch(blr->req->cmd) { case SMBlockingX: - reply_lockingX_error(blr, status); - break; + /* + * This code can be called during the rundown of a + * file after it was already closed. In that case, + * blr->fsp==NULL and we do not need to undo any + * locks, they are already gone. + */ + if (blr->fsp != NULL) { + undo_locks_obtained(blr); + } + generic_blocking_lock_error(blr, status); + break; case SMBtrans2: case SMBtranss2: reply_nterror(blr->req, status); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index dfa45ef..843bb2b 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -894,11 +894,6 @@ static NTSTATUS open_mode_check(connection_struct *conn, return NT_STATUS_OK; } -static bool is_delete_request(files_struct *fsp) { - return ((fsp->access_mask == DELETE_ACCESS) && - (fsp->oplock_type == NO_OPLOCK)); -} - /* * Send a break message to the oplock holder and delay the open for * our client. 
@@ -1002,13 +997,9 @@ static bool delay_for_oplocks(struct share_mode_lock *lck, } if (exclusive != NULL) { /* Found an exclusive oplock */ - bool delay_it = is_delete_request(fsp) ? - BATCH_OPLOCK_TYPE(exclusive->op_type) : true; SMB_ASSERT(!have_level2); - if (delay_it) { - send_break_message(fsp, exclusive, mid, oplock_request); - return true; - } + send_break_message(fsp, exclusive, mid, oplock_request); + return true; } /* diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c index 7aa2853..2414dab 100644 --- a/source3/winbindd/idmap.c +++ b/source3/winbindd/idmap.c @@ -28,6 +28,21 @@ static_decl_idmap; +static void idmap_init(void) +{ + static bool initialized; + + if (initialized) { + return; + } + + DEBUG(10, ("idmap_init(): calling static_init_idmap\n")); + + static_init_idmap; + + initialized = true; +} + /** * Pointer to the backend methods. Modules register themselves here via * smb_register_idmap. @@ -346,9 +361,7 @@ static struct idmap_domain *idmap_init_default_domain(TALLOC_CTX *mem_ctx) char *modulename; char *params; - DEBUG(10, ("idmap_init_default_domain: calling static_init_idmap\n")); - - static_init_idmap; + idmap_init(); if (!parse_idmap_module(talloc_tos(), lp_idmap_backend(), &modulename, ¶ms)) { @@ -546,7 +559,7 @@ static NTSTATUS idmap_alloc_init(struct idmap_alloc_context **ctx) char *modulename, *params; NTSTATUS ret = NT_STATUS_NO_MEMORY;; - static_init_idmap; + idmap_init(); if (idmap_alloc_ctx != NULL) { *ctx = idmap_alloc_ctx; diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index ca5a53b..4442c73 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -566,6 +566,7 @@ static void process_request(struct winbindd_cli_state *state) state->cmd_name = "unknown request"; state->recv_fn = NULL; + state->last_access = time(NULL); /* Process command */ 
@@ -871,7 +872,8 @@ static bool remove_idle_client(void) int nidle = 0; for (state = winbindd_client_list(); state; state = state->next) { - if (state->response == NULL && + if (state->request == NULL && + state->response == NULL && !state->pwent_state && !state->grent_state) { nidle++; if (!last_access || state->last_access < last_access) { diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c index e63e732..ba4a7b2 100644 --- a/source3/winbindd/winbindd_cred_cache.c +++ b/source3/winbindd/winbindd_cred_cache.c @@ -484,6 +484,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, const char *service, const char *username, + const char *pass, const char *realm, uid_t uid, time_t create_time, @@ -586,7 +587,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name, DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n")); } - + + /* + * If we're set up to renew our krb5 tickets, we must + * cache the credentials in memory for the ticket + * renew function (or increase the reference count + * if we're logging in more than once). Fix inspired + * by patch from Ian Gordon <ian.gor...@strath.ac.uk> + * for bugid #9098. + */ + + ntret = winbindd_add_memory_creds(username, uid, pass); + DEBUG(10, ("winbindd_add_memory_creds returned: %s\n", + nt_errstr(ntret))); + return NT_STATUS_OK; } @@ -669,6 +683,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name, "added ccache [%s] for user [%s] to the list\n", ccname, username)); + if (entry->event) { + /* + * If we're set up to renew our krb5 tickets, we must + * cache the credentials in memory for the ticket + * renew function. Fix inspired by patch from + * Ian Gordon <ian.gor...@strath.ac.uk> for + * bugid #9098. + */ + + ntret = winbindd_add_memory_creds(username, uid, pass); + DEBUG(10, ("winbindd_add_memory_creds returned: %s\n", + nt_errstr(ntret))); + } + return NT_STATUS_OK; no_mem: 
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index c8910d6..59a95b0 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3, status = sid_array_from_info3(talloc_tos(), info3, &token->user_sids, &token->num_sids, - true, false); + true); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status; @@ -656,6 +656,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, cc, service, state->request->data.auth.user, + state->request->data.auth.pass, realm, uid, time(NULL), @@ -1034,6 +1035,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, cc, service, state->request->data.auth.user, + state->request->data.auth.pass, domain->alt_name, uid, time(NULL), @@ -2456,6 +2458,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain, goto process_result; } + /* + * Remove any mlock'ed memory creds in the child + * we might be using for krb5 ticket renewal. + */ + + winbindd_delete_memory_creds(state->request->data.logoff.user); + #else result = NT_STATUS_NOT_SUPPORTED; #endif diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 62fbc8e..b7b64de 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -216,6 +216,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, const char *service, const char *username, + const char *password, const char *realm, uid_t uid, time_t create_time, diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 15a3575..f4e2f56 100644 -- Samba Shared Repository
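Review bot: the Björn Jacke entry in the WHATSNEW.txt hunk carries the typo "sysquote_xfs"; the file touched by that fix is source3/lib/sysquotas_xfs.c, so the release note should read `* BUG 7814: Fix build of sysquotas_xfs.` (the commit subject has the same typo, but the release notes are what users read).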
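Review bot: the new first paragraph in the idmap_rid.8.xml hunk has several wording errors that should be fixed before it ships: "there should to be an explicit idmap configuration" (drop "to"), "a backent like" (should be "backend"), and "Samba versions 3.0. and 3.2." (stray period after 3.0). It would also help to state why the per-domain ranges must be disjoint: with an algorithmic mapping, overlapping ranges let SIDs from two domains map to the same unix id.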
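Review bot: the NULL check in the nsswitch/pam_winbind.c hunk comes one statement too late: the unchanged `_pam_log(ctx, LOG_CRIT, "Received [%s] reply from application.\n", resp->resp);` directly above still passes a possibly NULL `resp->resp` to a `%s` conversion, which is undefined behaviour (glibc happens to print "(null)", other libcs can crash in exactly the way bug #9013 describes). Move the `resp->resp != NULL` test ahead of the log call, or log a fixed string when the response is NULL.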
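Review bot: dropping the `skip_ressource_groups` filter in the source3/lib/util_sid.c hunk moves the SID-filtering trust boundary entirely to the domain controller, which is what the replacement comment says, but the comment should state plainly that this function now copies every `info3->sids[i]` into the token unchanged and that callers must not rely on it to strip SE_GROUP_RESOURCE entries; "native AD return all Domain Local groups" should also read "native AD returns". Since the parameter is removed from the prototype in proto.h as well, the compiler will flag any caller not updated in this patch (auth_util.c and winbindd_pam.c are).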
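Review bot: `need_encode()` in the source3/lib/ldb/common/ldb_parse.c hunk is undocumented; a one-line comment stating that it deliberately treats only printable ASCII (0x20..0x7E, minus the RFC 2254 specials) as safe regardless of the current locale would record why `isprint()` was replaced (bug #9147). The order of the tests is correct as written: `cval < 0x20` is evaluated before `strchr()`, so a NUL byte can never match the string terminator. The diffstat lists the same change for source4/lib/ldb/common/ldb_parse.c, which falls past the 500-line truncation; the two copies should be kept identical.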
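Review bot: the renamed `undo_locks_obtained()` in the source3/smbd/blocking.c hunk no longer sends the error reply, but the comment block above it (ending "obtained first.") still describes the old reply_lockingX_error behaviour and should be updated to say that the function only unwinds the locks already granted and that the caller sends the reply. The `blr->fsp != NULL` guard added in blocking_lock_reply_error is the actual fix for bug #9084, and the comment explaining that fsp is already NULL during rundown of a closed file is exactly what a future reader needs.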
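Review bot: the two `winbindd_add_memory_creds(username, uid, pass)` calls in the source3/winbindd/winbindd_cred_cache.c hunk are guarded inconsistently: the second sits inside `if (entry->event)`, so credentials are only cached when a renewal event exists, while the first (in the `@@ -586,7 +587,20 @@` region, before `return NT_STATUS_OK;`) is unconditional even though its comment says "If we're set up to renew our krb5 tickets". Holding a plaintext password in memory when no renewal will ever run widens the exposure for no benefit, so the first call should carry the same guard. Both calls only log `ntret` at debug level 10; if the failure means ticket renewal cannot work, log it at a level an administrator will see or propagate it.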
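Review bot: the new parameter is named `password` in the source3/winbindd/winbindd_proto.h prototype but `pass` in the definition in winbindd_cred_cache.c; use one name in both places so the prototype documents the argument that is actually used.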