The branch, v3-5-stable has been updated
via 052b65e WHWATSNEW: Prepare release notes for Samba 3.5.18.
via fa8b1fa docs: clarify the idmap_rid manpage (bug #7788)
via 1d5b8aa s3:winbindd: make sure we only call static_init_idmap once
via 536be09 quota: fix build of sysquote_xfs on
via 5463fcf nsswitch: fix crash on null pam change pw response
via f919d07 Fix bug #9147 - winbind can't fetch user or group info from
AD via LDAP
via 3709ac8 s3: delete requests are not special
via f482604 s3: Fix bug #9085.
via 9c48ee2 Fix bug #9100 - winbind doesn't return "Domain Local"
groups from own domain.
via 805992f Fix bug #9098 - winbind does not refresh kerberos tickets.
via aca082e Fix bug #9104 - winbindd can mis-identify idle clients -
can cause crashes and NDR parsing errors.
via 83148e2 Ensure we keep last_access up to date when processing a
request. (cherry picked from commit e01df21a5dbe8f3d401d58de6cffa4d4ba340a24)
via 988118c s3: Fix a crash in reply_lockingX_error
from 6c50a54 WHATSNEW: Start release notes for Samba 3.5.18.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-stable
- Log -----------------------------------------------------------------
commit 052b65e15293b62520f3a35d4681ffeaf7499cae
Author: Karolin Seeger <ksee...@samba.org>
Date: Fri Sep 21 10:19:07 2012 +0200
WHWATSNEW: Prepare release notes for Samba 3.5.18.
Karolin
(cherry picked from commit e9e21faae567370f05432462cf25a3df6cf8e07f)
commit fa8b1fa084a0695e949bf5d473faf6ef523900ee
Author: Michael Adam <ob...@samba.org>
Date: Tue Dec 7 17:30:27 2010 +0100
docs: clarify the idmap_rid manpage (bug #7788)
The idmap_rid module should not be used as a default backend.
Also mention that the old snytax "idmap backend = rid:domain=range ..."
is not supported any more.
Autobuild-User: Michael Adam <ob...@samba.org>
Autobuild-Date: Tue Dec 7 19:07:57 CET 2010 on sn-devel-104
(cherry picked from commit a4f48b3da0081845336c55ff230179caeab5195c)
commit 1d5b8aa6a8c242e6b40e8a984a04bcd76bfdd884
Author: Björn Jacke <b...@sernet.de>
Date: Wed Aug 24 10:57:49 2011 +0200
s3:winbindd: make sure we only call static_init_idmap once
this is a backport of 3f14d03adbda03b821210115af4fae044a9b4a3e
Fix bug #8402 - winbind log spammed with idmap messages.
(cherry picked from commit 04e4325642d029e604c31b371811fafdf2b61cf8)
commit 536be09e802db2f93ed02690d219ed6ccec908c3
Author: Björn Jacke <b...@sernet.de>
Date: Thu Sep 13 01:23:12 2012 +0200
quota: fix build of sysquote_xfs on
linux header files renamed some XFS_* defines to FS_* around kernel v2.6.36
This fixes bug #7814
(cherry picked from commit a3eb8d765e48bcbe86458791ec61325a517bd7dd)
commit 5463fcf7dca60c902946f36437c034137d9078b0
Author: Luca Lorenzetto <lorenzetto-l...@ubuntu-it.org>
Date: Tue Sep 11 18:35:42 2012 +0200
nsswitch: fix crash on null pam change pw response
The function _pam_winbind_change_pwd crashes due to a null value passed
to the function strcasecmp and denies to login via graphical login
manager. Check for a null value before doing a strcasecmp.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1003296
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9013
(Desktop Managers (xdm, gdm, lightdm...) crashes with SIGSEGV in
_pam_winbind_change_pwd() when password is expiring)
(cherry picked from commit 47f2211f137688a7c46c4a38571a9f94e59dbf6a)
(cherry picked from commit 25bf057288d5e77c07a5ed3d3c3fb7f5f33f62b6)
commit f919d070b1dc9c210e9b402806372fd2f041b35a
Author: Jeremy Allison <j...@samba.org>
Date: Mon Sep 10 16:07:37 2012 -0700
Fix bug #9147 - winbind can't fetch user or group info from AD via LDAP
Don't use "isprint" in ldb_binary_encode(). This is locale specific.
Restrict to ASCII only, hex encode everything else.
(cherry picked from commit 9258a7b9cfd5fb85e5361d1b49c3bb8655e97159)
commit 3709ac83a0671fc8ac546031f4992165a886de0d
Author: Volker Lendecke <v...@samba.org>
Date: Mon Sep 10 11:25:03 2012 +0200
s3: delete requests are not special
The only difference between batch and exclusive oplocks is the time of
the check: Batch is checked before the share mode check, exclusive after.
Signed-off-by: Jeremy Allison <j...@samba.org>
Fix bug #9150 - Valid open requests can cause smbd assert due to incorrect
oplock handling on delete requests.
(cherry picked from commit b20ca77e2a9d111eb2e77d0b804fe7505b07e418)
commit f4826046d01bf702044a1664400989a631acf65f
Author: hargagan <sharga...@novell.com>
Date: Tue Aug 28 09:29:52 2012 +0200
s3: Fix bug #9085.
NMB registration for a duplicate workstation fails with registration refuse.
(cherry picked from commit 71c4227fd0a741984fb273ad1973ad1724ecb04b)
(cherry picked from commit 30567b8f9bc0f5a39a3a65039277aa5f839622cd)
commit 9c48ee2bc85867bf30bb71a26edf9300ee081094
Author: Goldberg, Neil R <ngold...@mitre.org>
Date: Fri Aug 17 13:52:07 2012 -0700
Fix bug #9100 - winbind doesn't return "Domain Local" groups from own
domain.
Back-port of fix for 3.6.x from bug #9052.
(cherry picked from commit 38444389c39d5c5adca1c9f300bded47407fd0b5)
commit 805992fc98a2cacf9d5e5d02f49dc0866f5a2083
Author: Jeremy Allison <j...@samba.org>
Date: Tue Aug 21 14:08:24 2012 -0700
Fix bug #9098 - winbind does not refresh kerberos tickets.
Based on work from Ian Gordon <ian.gor...@strath.ac.uk>.
(cherry picked from commit 51c5f84d2496b5117a2fe6afc061594cf33b5fc1)
commit aca082e6df0ae46b3c2267f0a5ebed91893aaef8
Author: Herb Lewis <hle...@panasas.com>
Date: Mon Aug 20 16:03:28 2012 -0700
Fix bug #9104 - winbindd can mis-identify idle clients - can cause crashes
and NDR parsing errors.
A connection is idle when both struct winbindd_cli_state->request AND
struct winbindd_cli_state->response are NULL. Otherwise we can flag
as idle a connection in the state of having sent the request to
the winbindd child (request != NULL) but not yet received a reply
(response == NULL).
(cherry picked from commit 36dc8a0f40a38d9c03570856cb4c843b74c1c7bd)
commit 83148e290f436783dc24b7349be38e40049ce080
Author: Jeremy Allison <j...@samba.org>
Date: Mon Aug 20 15:21:26 2012 -0700
Ensure we keep last_access up to date when processing a request.
(cherry picked from commit e01df21a5dbe8f3d401d58de6cffa4d4ba340a24)
commit 988118c2358204eab5bb5907d0f5390cfece9538
Author: Volker Lendecke <v...@samba.org>
Date: Tue Aug 7 16:49:52 2012 -0700
s3: Fix a crash in reply_lockingX_error
A timed brlock with 2 locks comes in and the second one blocks,
file is closed. smbd_cancel_pending_lock_requests_by_fid sets
blr->fsp to NULL. reply_lockingX_error (called via
MSG_SMB_BLOCKING_LOCK_CANCEL) deferences blr->fsp because
blr->lock_num==1 (the second one blocked).
This patch fixes the bug by only undoing the locks if fsp!=NULL.
fsp==NULL is the close case where everything is undone anyway.
Thanks to Peter Somogyi, somo...@hu.ibm.com for this bug report.
Fix bug #9084 - Blocking lock followed by close can crash smbd.
(cherry picked from commit d80fbbea8ec77c0bda0e3fb9eaed2f170784ea7d)
(cherry picked from commit b27caac5e077b49f46edf34045bb4fd8d17b4c77)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 44 ++++++++++++++++++++++++++++++-
docs-xml/manpages-3/idmap_rid.8.xml | 18 +++++++++++++
nsswitch/pam_winbind.c | 2 +-
source3/auth/auth_util.c | 2 +-
source3/include/proto.h | 3 +-
source3/lib/ldb/common/ldb_parse.c | 11 ++++++-
source3/lib/sysquotas_xfs.c | 12 ++++++++
source3/lib/util_sid.c | 20 +++++---------
source3/nmbd/nmbd_winsserver.c | 2 +-
source3/smbd/blocking.c | 17 ++++++++---
source3/smbd/open.c | 13 +--------
source3/winbindd/idmap.c | 21 ++++++++++++---
source3/winbindd/winbindd.c | 4 ++-
source3/winbindd/winbindd_cred_cache.c | 30 +++++++++++++++++++++-
source3/winbindd/winbindd_pam.c | 11 +++++++-
source3/winbindd/winbindd_proto.h | 1 +
source3/winbindd/winbindd_util.c | 12 ++++++--
source4/lib/ldb/common/ldb_parse.c | 11 ++++++-
18 files changed, 184 insertions(+), 50 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index da49f98..37bbe4b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,18 +1,58 @@
==============================
Release Notes for Samba 3.5.18
- , 2012
+ September 24, 2012
==============================
This is the latest stable release of Samba 3.5.
-Major enhancements in Samba 3.5.16 include:
+Major enhancements in Samba 3.5.18 include:
+
+o Fix a smbd crash in reply_lockingX_error (bug #9084).
+o Fix Winbind crashes caused by mis-identified idle clients (bug #9104).
+o Desktop Managers (xdm, gdm, lightdm...) crash with SIGSEGV in
+ _pam_winbind_change_pwd() when password is expiring (bug #9013).
Changes since 3.5.17:
---------------------
+o Michael Adam <ob...@samba.org>
+ * BUG 7788: Clarify the idmap_rid manpage.
+
+
o Jeremy Allison <j...@samba.org>
+ * BUG 9098: Winbind does not refresh Kerberos tickets.
+ * BUG 9147: Winbind can't fetch user or group info from AD via LDAP.
+ * BUG 9150: Valid open requests can cause smbd assert due to incorrect
+ oplock handling on delete requests.
+
+
+o Neil R. Goldberg <ngold...@mitre.org>
+ * BUG 9100: Winbind doesn't return "Domain Local" groups from own domain.
+
+
+o Hargagan <sharga...@novell.com>
+ * BUG 9085: NMB registration for a duplicate workstation fails with
+ registration refuse.
+
+
+o Björn Jacke <b...@sernet.de>
+ * BUG 7814: Fix build of sysquote_xfs.
+ * BUG 8402: Winbind log spammed with idmap messages.
+
+
+o Volker Lendecke <v...@samba.org>
+ * BUG 9084: Fix a smbd crash in reply_lockingX_error.
+
+
+o Herb Lewis <hle...@panasas.com>
+ * BUG 9104: Fix Winbind crashes caused by mis-identified idle clients.
+
+
+o Luca Lorenzetto <lorenzetto-l...@ubuntu-it.org>
+ * BUG 9013: Desktop Managers (xdm, gdm, lightdm...) crash with SIGSEGV in
+ _pam_winbind_change_pwd() when password is expiring.
######################################################################
diff --git a/docs-xml/manpages-3/idmap_rid.8.xml
b/docs-xml/manpages-3/idmap_rid.8.xml
index 55aed62..a453e91 100644
--- a/docs-xml/manpages-3/idmap_rid.8.xml
+++ b/docs-xml/manpages-3/idmap_rid.8.xml
@@ -21,6 +21,24 @@
<para>The idmap_rid backend provides a way to use an algorithmic
mapping scheme to map UIDs/GIDs and SIDs. No database is required
in this case as the mapping is deterministic.</para>
+
+ <para>
+ Note that the idmap_rid module has changed considerably since Samba
+ versions 3.0. and 3.2.
+ Currently, there should to be an explicit idmap configuration for each
+ domain that should use the idmap_rid backend, using disjoint ranges.
+ One usually needs to define a writeable default idmap range, using
+ a backent like <parameter>tdb</parameter> or <parameter>ldap</parameter>
+ that can create unix ids, in order to be able to map the BUILTIN sids
+ and other domains, and also in order to be able to create group
mappings.
+ See the example below.
+ </para>
+
+ <para>
+ Note that the old syntax
+ <parameter>idmap backend = rid:"DOM1=range DOM2=range2 ..."</parameter>
+ is not supported any more since Samba version 3.0.25.
+ </para>
</refsynopsisdiv>
<refsect1>
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 81055c9..fdaf807 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -831,7 +831,7 @@ static bool _pam_winbind_change_pwd(struct pwb_context *ctx)
}
_pam_log(ctx, LOG_CRIT, "Received [%s] reply from application.\n",
resp->resp);
- if (strcasecmp(resp->resp, "yes") == 0) {
+ if ((resp->resp != NULL) && (strcasecmp(resp->resp, "yes") == 0)) {
retval = true;
}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 69d5c65..42e2747 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
nt_status = sid_array_from_info3(result, info3,
&result->sids,
&result->num_sids,
- false, false);
+ false);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(result);
return nt_status;
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 559a34e..785cc30 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
const struct netr_SamInfo3 *info3,
DOM_SID **user_sids,
size_t *num_user_sids,
- bool include_user_group_rid,
- bool skip_ressource_groups);
+ bool include_user_group_rid);
/* The following definitions come from lib/util_sock.c */
diff --git a/source3/lib/ldb/common/ldb_parse.c
b/source3/lib/ldb/common/ldb_parse.c
index bcc92c5..1412d57 100644
--- a/source3/lib/ldb/common/ldb_parse.c
+++ b/source3/lib/ldb/common/ldb_parse.c
@@ -92,6 +92,13 @@ struct ldb_val ldb_binary_decode(void *mem_ctx, const char
*str)
return ret;
}
+static bool need_encode(unsigned char cval)
+{
+ if (cval < 0x20 || cval > 0x7E || strchr(" *()\\&|!\"", cval)) {
+ return true;
+ }
+ return false;
+}
/*
encode a blob as a RFC2254 binary string, escaping any
@@ -105,7 +112,7 @@ char *ldb_binary_encode(void *mem_ctx, struct ldb_val val)
unsigned char *buf = val.data;
for (i=0;i<val.length;i++) {
- if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) {
+ if (need_encode(buf[i])) {
len += 2;
}
}
@@ -114,7 +121,7 @@ char *ldb_binary_encode(void *mem_ctx, struct ldb_val val)
len = 0;
for (i=0;i<val.length;i++) {
- if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) {
+ if (need_encode(buf[i])) {
snprintf(ret+len, 4, "\\%02X", buf[i]);
len += 3;
} else {
diff --git a/source3/lib/sysquotas_xfs.c b/source3/lib/sysquotas_xfs.c
index 1e438e9..1e3d952 100644
--- a/source3/lib/sysquotas_xfs.c
+++ b/source3/lib/sysquotas_xfs.c
@@ -35,6 +35,18 @@
#include "samba_linux_quota.h"
#ifdef HAVE_LINUX_DQBLK_XFS_H
#include <linux/dqblk_xfs.h>
+#ifndef XFS_QUOTA_UDQ_ACCT
+#define XFS_QUOTA_UDQ_ACCT FS_QUOTA_UDQ_ACCT
+#endif
+#ifndef XFS_QUOTA_UDQ_ENFD
+#define XFS_QUOTA_UDQ_ENFD FS_QUOTA_UDQ_ENFD
+#endif
+#ifndef XFS_QUOTA_GDQ_ACCT
+#define XFS_QUOTA_GDQ_ACCT FS_QUOTA_GDQ_ACCT
+#endif
+#ifndef XFS_QUOTA_GDQ_ENFD
+#define XFS_QUOTA_GDQ_ENFD FS_QUOTA_GDQ_ENFD
+#endif
#endif
#define HAVE_GROUP_QUOTA
#else /* IRIX */
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index bea04d8..f918eba 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
const struct netr_SamInfo3 *info3,
DOM_SID **user_sids,
size_t *num_user_sids,
- bool include_user_group_rid,
- bool skip_ressource_groups)
+ bool include_user_group_rid)
{
NTSTATUS status;
DOM_SID sid;
@@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
}
}
- /* Copy 'other' sids. We need to do sid filtering here to
- prevent possible elevation of privileges. See:
-
-
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
- */
+ /* SID filtering should only be handled by the domain controller on a
+ trust by trust basis, and is counter-indicated for forests. Since
+ native AD return all Domain Local groups as other SIDs, then this
+ must not filter them when parsing INFO3 responses such that the
+ list is identical to the tokenGroups LDAP query.
+ */
for (i = 0; i < info3->sidcount; i++) {
-
- if (skip_ressource_groups &&
- (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
- continue;
- }
-
status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
&sid_array, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/nmbd/nmbd_winsserver.c b/source3/nmbd/nmbd_winsserver.c
index 0a5b1c8..20436c5 100644
--- a/source3/nmbd/nmbd_winsserver.c
+++ b/source3/nmbd/nmbd_winsserver.c
@@ -1014,7 +1014,7 @@ static void wins_register_query_success(struct
subnet_record *subrec,
DEBUG(3,("wins_register_query_success: Original client at IP %s still
wants the \
name %s. Rejecting registration request.\n", inet_ntoa(ip),
nmb_namestr(question_name) ));
- send_wins_name_registration_response(RFS_ERR, 0, orig_reg_packet);
+ send_wins_name_registration_response(ACT_ERR, 0, orig_reg_packet);
orig_reg_packet->locked = False;
free_packet(orig_reg_packet);
diff --git a/source3/smbd/blocking.c b/source3/smbd/blocking.c
index 3f49421..08af28a 100644
--- a/source3/smbd/blocking.c
+++ b/source3/smbd/blocking.c
@@ -299,7 +299,7 @@ static void generic_blocking_lock_error(struct
blocking_lock_record *blr, NTSTAT
obtained first.
*****************************************************************************/
-static void reply_lockingX_error(struct blocking_lock_record *blr, NTSTATUS
status)
+static void undo_locks_obtained(struct blocking_lock_record *blr)
{
files_struct *fsp = blr->fsp;
uint16 num_ulocks = SVAL(blr->req->vwv+6, 0);
@@ -343,8 +343,6 @@ static void reply_lockingX_error(struct
blocking_lock_record *blr, NTSTATUS stat
offset,
WINDOWS_LOCK);
}
-
- generic_blocking_lock_error(blr, status);
}
/****************************************************************************
@@ -357,8 +355,17 @@ static void blocking_lock_reply_error(struct
blocking_lock_record *blr, NTSTATUS
switch(blr->req->cmd) {
case SMBlockingX:
- reply_lockingX_error(blr, status);
- break;
+ /*
+ * This code can be called during the rundown of a
+ * file after it was already closed. In that case,
+ * blr->fsp==NULL and we do not need to undo any
+ * locks, they are already gone.
+ */
+ if (blr->fsp != NULL) {
+ undo_locks_obtained(blr);
+ }
+ generic_blocking_lock_error(blr, status);
+ break;
case SMBtrans2:
case SMBtranss2:
reply_nterror(blr->req, status);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index dfa45ef..843bb2b 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -894,11 +894,6 @@ static NTSTATUS open_mode_check(connection_struct *conn,
return NT_STATUS_OK;
}
-static bool is_delete_request(files_struct *fsp) {
- return ((fsp->access_mask == DELETE_ACCESS) &&
- (fsp->oplock_type == NO_OPLOCK));
-}
-
/*
* Send a break message to the oplock holder and delay the open for
* our client.
@@ -1002,13 +997,9 @@ static bool delay_for_oplocks(struct share_mode_lock *lck,
}
if (exclusive != NULL) { /* Found an exclusive oplock */
- bool delay_it = is_delete_request(fsp) ?
- BATCH_OPLOCK_TYPE(exclusive->op_type) : true;
SMB_ASSERT(!have_level2);
- if (delay_it) {
- send_break_message(fsp, exclusive, mid, oplock_request);
- return true;
- }
+ send_break_message(fsp, exclusive, mid, oplock_request);
+ return true;
}
/*
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 7aa2853..2414dab 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -28,6 +28,21 @@
static_decl_idmap;
+static void idmap_init(void)
+{
+ static bool initialized;
+
+ if (initialized) {
+ return;
+ }
+
+ DEBUG(10, ("idmap_init(): calling static_init_idmap\n"));
+
+ static_init_idmap;
+
+ initialized = true;
+}
+
/**
* Pointer to the backend methods. Modules register themselves here via
* smb_register_idmap.
@@ -346,9 +361,7 @@ static struct idmap_domain
*idmap_init_default_domain(TALLOC_CTX *mem_ctx)
char *modulename;
char *params;
- DEBUG(10, ("idmap_init_default_domain: calling static_init_idmap\n"));
-
- static_init_idmap;
+ idmap_init();
if (!parse_idmap_module(talloc_tos(), lp_idmap_backend(), &modulename,
¶ms)) {
@@ -546,7 +559,7 @@ static NTSTATUS idmap_alloc_init(struct idmap_alloc_context
**ctx)
char *modulename, *params;
NTSTATUS ret = NT_STATUS_NO_MEMORY;;
- static_init_idmap;
+ idmap_init();
if (idmap_alloc_ctx != NULL) {
*ctx = idmap_alloc_ctx;
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index ca5a53b..4442c73 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -566,6 +566,7 @@ static void process_request(struct winbindd_cli_state
*state)
state->cmd_name = "unknown request";
state->recv_fn = NULL;
+ state->last_access = time(NULL);
/* Process command */
@@ -871,7 +872,8 @@ static bool remove_idle_client(void)
int nidle = 0;
for (state = winbindd_client_list(); state; state = state->next) {
- if (state->response == NULL &&
+ if (state->request == NULL &&
+ state->response == NULL &&
!state->pwent_state && !state->grent_state) {
nidle++;
if (!last_access || state->last_access < last_access) {
diff --git a/source3/winbindd/winbindd_cred_cache.c
b/source3/winbindd/winbindd_cred_cache.c
index e63e732..ba4a7b2 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -484,6 +484,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
const char *service,
const char *username,
+ const char *pass,
const char *realm,
uid_t uid,
time_t create_time,
@@ -586,7 +587,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
DEBUG(10,("add_ccache_to_list: added krb5_ticket
handler\n"));
}
-
+
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function (or increase the reference count
+ * if we're logging in more than once). Fix inspired
+ * by patch from Ian Gordon <ian.gor...@strath.ac.uk>
+ * for bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+
return NT_STATUS_OK;
}
@@ -669,6 +683,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
"added ccache [%s] for user [%s] to the list\n",
ccname, username));
+ if (entry->event) {
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function. Fix inspired by patch from
+ * Ian Gordon <ian.gor...@strath.ac.uk> for
+ * bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+ }
+
return NT_STATUS_OK;
no_mem:
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c8910d6..59a95b0 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
status = sid_array_from_info3(talloc_tos(), info3,
&token->user_sids,
&token->num_sids,
- true, false);
+ true);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(frame);
return status;
@@ -656,6 +656,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct
winbindd_domain *domain,
cc,
service,
state->request->data.auth.user,
+ state->request->data.auth.pass,
realm,
uid,
time(NULL),
@@ -1034,6 +1035,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct
winbindd_domain *domain,
cc,
service,
state->request->data.auth.user,
+
state->request->data.auth.pass,
domain->alt_name,
uid,
time(NULL),
@@ -2456,6 +2458,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct
winbindd_domain *domain,
goto process_result;
}
+ /*
+ * Remove any mlock'ed memory creds in the child
+ * we might be using for krb5 ticket renewal.
+ */
+
+ winbindd_delete_memory_creds(state->request->data.logoff.user);
+
#else
result = NT_STATUS_NOT_SUPPORTED;
#endif
diff --git a/source3/winbindd/winbindd_proto.h
b/source3/winbindd/winbindd_proto.h
index 62fbc8e..b7b64de 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -216,6 +216,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
const char *service,
const char *username,
+ const char *password,
const char *realm,
uid_t uid,
time_t create_time,
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 15a3575..f4e2f56 100644
--
Samba Shared Repository
