The branch, master has been updated
via 91910fe s3:winbind: fail ads_cached_connection_connect() if realm
== NULL
via 9d08ac4 s3-winbindd: remove unneded include of secrets.h from
idmap_ad.c
via 77d7e2a s3-winbindd: use get_trust_pw_clear() wrapper for AD
connection code.
via b66ce75 s3-winbindd: make sure also the idmap code can deal with
trusted domains.
via 576c597 s3-winbindd: use find_domain_from_name() instead of
find_domain_from_name_no_init().
via 26ab219 s3-winbindd: Fix winbind on DC crash with trusted AD
domains.
via 57d5336 s3-winbindd: Fix memory leak in ads_cached_connection().
via edca1f9 s3-winbindd: remove pointless variable assigment, see the
strdup below.
from 0ca9c74 provision: Rewrite named.txt to be more useful
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 91910fe898e2f8ad405c5790aa1a20e82a9f8aac
Author: Michael Adam <[email protected]>
Date: Thu Aug 29 16:38:08 2013 +0200
s3:winbind: fail ads_cached_connection_connect() if realm == NULL
This prevents segfaults when e.g. a previous SMB_STRDUP failed..
Signed-off-by: Michael Adam <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
Autobuild-User(master): Günther Deschner <[email protected]>
Autobuild-Date(master): Thu Aug 29 18:54:28 CEST 2013 on sn-devel-104
commit 9d08ac424cdf3166110370e94799693bdbb201af
Author: Günther Deschner <[email protected]>
Date: Wed Aug 28 14:53:08 2013 +0200
s3-winbindd: remove unneded include of secrets.h from idmap_ad.c
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
commit 77d7e2ad5a88dbe4c16e8b829d5bd0a2a5aea9bc
Author: Günther Deschner <[email protected]>
Date: Wed Aug 28 14:53:08 2013 +0200
s3-winbindd: use get_trust_pw_clear() wrapper for AD connection code.
This avoids calling secrets functions directly.
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
commit b66ce754a327a5bdb7600fb67ffb7aaac03cb7db
Author: Günther Deschner <[email protected]>
Date: Fri Aug 23 14:56:17 2013 +0200
s3-winbindd: make sure also the idmap code can deal with trusted domains.
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
commit 576c597ae38e788bc3c16efc5417e7481c673add
Author: Günther Deschner <[email protected]>
Date: Wed Aug 28 15:00:06 2013 +0200
s3-winbindd: use find_domain_from_name() instead of
find_domain_from_name_no_init().
Otherwise there is a good chance the domain has not been connected and we
don't
know the realm name yet.
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
commit 26ab2194f96cee80438c7917bc7de3bb7d48aa64
Author: Günther Deschner <[email protected]>
Date: Thu Aug 22 16:36:27 2013 +0200
s3-winbindd: Fix winbind on DC crash with trusted AD domains.
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
commit 57d5336969d089d063abce8db2fe090e7a363bc9
Author: Günther Deschner <[email protected]>
Date: Fri Aug 23 12:33:53 2013 +0200
s3-winbindd: Fix memory leak in ads_cached_connection().
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
commit edca1f9d4828281eb69b606dafd92f75f66fc984
Author: Günther Deschner <[email protected]>
Date: Thu Aug 22 15:39:08 2013 +0200
s3-winbindd: remove pointless variable assigment, see the strdup below.
Guenther
Signed-off-by: Günther Deschner <[email protected]>
Reviewed-by: Michael Adam <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/idmap_ad.c | 1 -
source3/winbindd/winbindd_ads.c | 62 ++++++++++++++++++++++++++------------
2 files changed, 42 insertions(+), 21 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 1ed6570..8b63801 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -31,7 +31,6 @@
#include "ads.h"
#include "libads/ldap_schema.h"
#include "nss_info.h"
-#include "secrets.h"
#include "idmap.h"
#include "../libcli/ldap/ldap_ndr.h"
#include "../libcli/security/security.h"
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 1e45ad9..4c26389 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -27,7 +27,6 @@
#include "../librpc/gen_ndr/ndr_netlogon_c.h"
#include "../libds/common/flags.h"
#include "ads.h"
-#include "secrets.h"
#include "../libcli/ldap/ldap_ndr.h"
#include "../libcli/security/security.h"
#include "../libds/common/flag_mapping.h"
@@ -87,6 +86,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT
**adsp,
struct sockaddr_storage dc_ss;
fstring dc_name;
+ if (realm == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
+
/* we don't want this to affect the users ccache */
setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
@@ -101,7 +104,6 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT
**adsp,
ads->auth.renewable = renewable;
ads->auth.password = password;
- ads->auth.realm = realm;
ads->auth.realm = SMB_STRDUP(realm);
if (!strupper_m(ads->auth.realm)) {
@@ -137,6 +139,7 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp,
const char *dom_name)
{
char *ldap_server, *realm, *password;
struct winbindd_domain *wb_dom;
+ ADS_STATUS status;
ads_cached_connection_reuse(adsp);
if (*adsp != NULL) {
@@ -152,22 +155,43 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp,
const char *dom_name)
DEBUG(10, ("ldap_server from saf cache: '%s'\n",
ldap_server ? ldap_server : ""));
- wb_dom = find_domain_from_name_noinit(dom_name);
+ wb_dom = find_domain_from_name(dom_name);
if (wb_dom == NULL) {
DEBUG(10, ("could not find domain '%s'\n", dom_name));
- realm = NULL;
- } else {
- DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for "
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
+
+ DEBUG(10, ("find_domain_from_name found realm '%s' for "
" domain '%s'\n", wb_dom->alt_name, dom_name));
- realm = wb_dom->alt_name;
+
+ if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
+ return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
}
- /* the machine acct password might have change - fetch it every time */
- password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- realm = SMB_STRDUP(lp_realm());
+ if (IS_DC) {
+ realm = SMB_STRDUP(wb_dom->alt_name);
+ } else {
+ struct winbindd_domain *our_domain = wb_dom;
- return ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
- password, realm, 0);
+ /* always give preference to the alt_name in our
+ primary domain if possible */
+
+ if (!wb_dom->primary) {
+ our_domain = find_our_domain();
+ }
+
+ if (our_domain->alt_name != NULL) {
+ realm = SMB_STRDUP(our_domain->alt_name);
+ } else {
+ realm = SMB_STRDUP(lp_realm());
+ }
+ }
+
+ status = ads_cached_connection_connect(adsp, realm, dom_name,
ldap_server,
+ password, realm, 0);
+ SAFE_FREE(realm);
+
+ return status;
}
/*
@@ -188,20 +212,18 @@ static ADS_STRUCT *ads_cached_connection(struct
winbindd_domain *domain)
/* the machine acct password might have change - fetch it every time */
+ if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
+ return NULL;
+ }
+
if ( IS_DC ) {
- if ( !pdb_get_trusteddom_pw( domain->name, &password, NULL,
- NULL ) ) {
- return NULL;
- }
- realm = NULL;
+ realm = SMB_STRDUP(domain->alt_name);
}
else {
struct winbindd_domain *our_domain = domain;
- password = secrets_fetch_machine_password(lp_workgroup(), NULL,
- NULL);
/* always give preference to the alt_name in our
primary domain if possible */
@@ -221,7 +243,7 @@ static ADS_STRUCT *ads_cached_connection(struct
winbindd_domain *domain)
domain->name, NULL,
password, realm,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
-
+ SAFE_FREE(realm);
if (!ADS_ERR_OK(status)) {
/* if we get ECONNREFUSED then it might be a NT4
--
Samba Shared Repository
