The branch, master has been updated
       via  f371032 s4-winbind: Use winbindd in the AD DC by default
       via  af7f887 winbindd: Use a remote RPC server when we are an RODC when needed
       via  da3a798 selftest: Use s4 RPC servers in the s4member environment
       via  0b77cd9 s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
       via  5d069a0 selftest: Make the wbinfo userinfo tests work properly with the qualified name
       via  95a55df winbindd: Allow the AD-DC to call getdcname
       via  a0105b8 secrets: Ensure we store the secureChannelType when written to secrets.ldb
      from  0c97b7e torture4: Make raw.lock.multilock fail after 20 seconds

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f3710320cef475ebac561882c8fdaf8e51c8b7c3
Author: Andrew Bartlett <[email protected]>
Date:   Tue May 20 10:15:31 2014 +1200

    s4-winbind: Use winbindd in the AD DC by default
    
    (Including changes to knownfail to match the new winbindd in use in each environment)
    
    Change-Id: I9e08086eba98e95e05a99afef28315e2857aae56
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Kamen Mazdrashki <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Fri Jul  4 05:19:54 CEST 2014 on sn-devel-104

commit af7f88721a21fbe33cec2bc277f65a736f6cb9cc
Author: Andrew Bartlett <[email protected]>
Date:   Mon May 26 11:58:38 2014 +1200

    winbindd: Use a remote RPC server when we are an RODC when needed
    
    This allows us to operate against the local cache where possible, but
    to forward some operations to the read-write DC.
    
    Andrew Bartlett
    
    Change-Id: Idc78ae379a402969381758919fcede17568f094e
    Pair-programmed-with: Garming Sam <[email protected]>
    Signed-off-by: Andrew Bartlett <[email protected]>
    Signed-off-by: Garming Sam <[email protected]>
    Reviewed-by: Nadezhda Ivanova <[email protected]>

commit da3a79831afbd1b85592be36eb47de375e575643
Author: Andrew Bartlett <[email protected]>
Date:   Tue May 20 11:10:22 2014 +1200

    selftest: Use s4 RPC servers in the s4member environment
    
    Change-Id: I645669d551d7bb988c69da7b3805e3056ab1e8c8
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Nadezhda Ivanova <[email protected]>

commit 0b77cd969c54e4efa6faff507834c183958ec23c
Author: Andrew Bartlett <[email protected]>
Date:   Mon Jun 30 12:04:03 2014 +1200

    s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
    
    This changes the auth code in winbindd to use this as a flag, and to
    therefore contact the RW DC.
    
    Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Nadezhda Ivanova <[email protected]>

commit 5d069a04fc843512b6a703691d81c4c1d28ef744
Author: Garming Sam <[email protected]>
Date:   Mon Jun 30 14:58:21 2014 +1200

    selftest: Make the wbinfo userinfo tests work properly with the qualified name
    
    This eliminates a knownfail.
    
    Change-Id: I7331a4e62ef8c1f2a9999a78865023ae19beeaca
    Signed-off-by: Garming Sam <[email protected]>
    Reviewed-by: Nadezhda Ivanova <[email protected]>

commit 95a55df021b3f112a18c64a5f5897182ae8b7df8
Author: Garming Sam <[email protected]>
Date:   Mon Jun 30 14:23:58 2014 +1200

    winbindd: Allow the AD-DC to call getdcname
    
    This is particularly useful for RODC and eliminates a knownfail.
    
    Change-Id: Ia5089761dcabb1620eadd530dbc9b05580cddd1f
    Signed-off-by: Garming Sam <[email protected]>
    Reviewed-by: Nadezhda Ivanova <[email protected]>

commit a0105b84b85094375ab92c9e6ca4c9e0a2a531f5
Author: Andrew Bartlett <[email protected]>
Date:   Mon May 26 11:58:38 2014 +1200

    secrets: Ensure we store the secureChannelType when written to secrets.ldb
    
    This will allow winbindd to know when we are an RODC
    without needing to dig into sam.ldb.
    
    Change-Id: Ibdfa37fe6269305ccc5db42479f4a8db5eea53f3
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Nadezhda Ivanova <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 auth/common_auth.h                                |    2 +-
 docs-xml/smbdotconf/base/serverservices.xml       |    2 +-
 lib/param/loadparm.c                              |    2 +-
 selftest/knownfail                                |   46 +++++----------------
 selftest/target/Samba4.pm                         |   34 +++++++++++-----
 source3/auth/auth.c                               |    7 +++
 source3/include/secrets.h                         |    1 +
 source3/param/loadparm.c                          |    2 +-
 source3/passdb/machine_account_secrets.c          |   26 +++++++++---
 source3/winbindd/wb_dsgetdcname.c                 |   22 +++++++---
 source3/winbindd/winbindd.h                       |    1 +
 source3/winbindd/winbindd_cache.c                 |    3 +-
 source3/winbindd/winbindd_cm.c                    |   33 +++++++++------
 source3/winbindd/winbindd_msrpc.c                 |   20 +++++-----
 source3/winbindd/winbindd_pam.c                   |   26 +++++++++---
 source3/winbindd/winbindd_proto.h                 |    3 +-
 source3/winbindd/winbindd_util.c                  |   37 ++++++++++++++--
 source4/auth/ntlm/auth.c                          |   10 +++-
 source4/dsdb/samdb/ldb_modules/secrets_tdb_sync.c |    1 +
 source4/selftest/tests.py                         |    2 +-
 20 files changed, 176 insertions(+), 104 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index d9bde01..d1a775d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -26,7 +26,7 @@
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any 
case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account 
status */
 #define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against 
the local SAM */
+#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against 
the local SAM, do not map missing passwords to NO_SUCH_USER */
 #define USER_INFO_INFO3_AND_NO_AUTHZ        0x20 /* Only fill in 
server_info->info3 and do not do any authorization steps */
 
 enum auth_password_state {
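Review bot: the new comment on USER_INFO_LOCAL_SAM_ONLY gives the flag a second meaning (pass NT_STATUS_NOT_IMPLEMENTED through instead of mapping it to NO_SUCH_USER), so every existing caller that sets the flag for the original local-SAM-only reason now also gets the new error behaviour. Please list the callers that were audited in the commit message, and spell the status out in full in the comment (NT_STATUS_NOT_IMPLEMENTED / NT_STATUS_NO_SUCH_USER) so the two halves of this contract can be found with one grep.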
diff --git a/docs-xml/smbdotconf/base/serverservices.xml 
b/docs-xml/smbdotconf/base/serverservices.xml
index 677ae6a..e02e29d 100644
--- a/docs-xml/smbdotconf/base/serverservices.xml
+++ b/docs-xml/smbdotconf/base/serverservices.xml
@@ -13,6 +13,6 @@
                <constant>-</constant>.  </para>
 </description>
 
-<value type="default">s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, 
ntp_signd, kcc, dnsupdate, dns</value>
+<value type="default">s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate, dns</value>
 <value type="example">-s3fs, +smb</value>
 </samba:parameter>
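Review bot: the default list changes from winbind to winbindd, but the hunk adds no description text telling administrators that the old s4 winbind remains selectable under the service name 'winbind'. The selftest changes in this same patch rely on exactly that ('server services = +winbind -winbindd'), so a sentence in the <description> naming both service names and what differs between them would save readers from guessing which daemon they are getting.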
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 5a0ef88..c8f34e7 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2214,7 +2214,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
 
        lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper 
wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser 
eventlog6 backupkey dnsserver");
-       lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt 
wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns");
+       lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt 
wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
        lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
        /* the winbind method for domain controllers is for both RODC
           auth forwarding and for trusted domains */
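Review bot: this default string is now maintained by hand in three places (here, source3/param/loadparm.c and docs-xml/smbdotconf/base/serverservices.xml), and this patch had to touch all three for a one-word change; consider a single shared definition of the default service list so the copies cannot drift apart again.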
diff --git a/selftest/knownfail b/selftest/knownfail
index deeb8fa..624a5ae 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -247,18 +247,6 @@
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo  --trusted-domains against dc
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -N against s4member
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -I against s4member
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo  --trusted-domains against 
s4member
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo --all-domains against s4member
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -N against rodc
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -I against rodc
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo  --trusted-domains against rodc
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo --all-domains against rodc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -N against promoted_dc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -I against promoted_dc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo  --trusted-domains against 
promoted_dc
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo --all-domains against 
promoted_dc
 #
 # This makes less sense when not running against an AD DC
 #
@@ -273,18 +261,20 @@
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-uid
 ^samba.wbinfo_simple.\(plugin_s4_dc:local\).--allocate-gid
-^samba.blackbox.wbinfo\(plugin_s4_dc:local\).wbinfo --getdcname against 
plugin_s4_dc\(plugin_s4_dc:local\)
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
-^samba.wbinfo_simple.\(member:local\).--user-info
-^samba.wbinfo_simple.\(s3member:local\).--user-info
+^samba4.winbind.struct.domain_info\(s4member:local\)
+^samba4.winbind.struct.getdcname\(s4member:local\)
+^samba4.winbind.struct.lookup_name_sid\(s4member:local\)
+^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against 
s4member\(s4member:local\)
+^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against 
s4member\(s4member:local\)
 ^samba4.winbind.struct.getpwent\(plugin_s4_dc:local\)
+^samba.wbinfo_simple.\(s4member:local\).--user-groups
+^samba.nss.test using winbind\(s4member\)
 #
 # These just happen to fail for some reason (probably because they run against 
the s4 winbind)
 #
-^samba4.winbind.pac.pac\(s4member:local\)
-^samba4.winbind.struct.show_sequence\(s4member:local\)
 ^samba4.winbind.struct.getdcname\(s3member:local\)
 ^samba4.winbind.struct.lookup_name_sid\(s3member:local\)
 ^samba.wbinfo_simple.\(dc:local\).--all-domains.wbinfo\(dc:local\)
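Review bot: the five new s4member entries are filed under 'do not work against winbindd in member mode for unknown reasons', which turns a tracked failure into a silent expectation; each should carry a bug number, or at least the observed error, before the entry ages. 'samba.nss.test using winbind\(s4member\)' in particular covers the NSS lookup path that members depend on, so a reason for that one is worth recording now.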
@@ -294,28 +284,12 @@
 ^samba.wbinfo_simple.\(dc:local\).--online-status 
--domain=SAMBADOMAIN.wbinfo\(dc:local\)
 ^samba.wbinfo_simple.\(dc:local\).--change-secret 
--domain=SAMBADOMAIN.wbinfo\(dc:local\)
 ^samba.wbinfo_simple.\(dc:local\).--online-status 
--domain=SAMBADOMAIN.wbinfo\(dc:local\)
-^samba.wbinfo_simple.\(s4member:local\).--all-domains.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--trusted-domains.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--online-status.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--online-status 
--domain=BUILTIN.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--online-status 
--domain=SAMBADOMAIN.wbinfo\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--change-secret 
--domain=SAMBADOMAIN.wbinfo\(s4member:local\)
-^samba.blackbox.wbinfo\(dc:local\).wbinfo -N against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo -I against dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo  --trusted-domains against 
dc\(dc:local\)
 ^samba.blackbox.wbinfo\(dc:local\).wbinfo --all-domains against dc\(dc:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -N against 
s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -I against 
s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo  --trusted-domains against 
s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo --all-domains against 
s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -N against rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo -I against rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo  --trusted-domains against 
rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(rodc:local\).wbinfo --all-domains against 
rodc\(rodc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -N against 
promoted_dc\(promoted_dc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo -I against 
promoted_dc\(promoted_dc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo  --trusted-domains against 
promoted_dc\(promoted_dc:local\)
-^samba.blackbox.wbinfo\(promoted_dc:local\).wbinfo --all-domains against 
promoted_dc\(promoted_dc:local\)
+#
+# These do not work against winbindd in member mode for unknown reasons
+#
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -U against 
s3member\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -U check for sane 
mapping\(s3member:local\)
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G against 
s3member\(s3member:local\)
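Review bot: the added header '# These do not work against winbindd in member mode for unknown reasons' duplicates the identical header in the previous hunk, so the file now has two blocks with the same explanation separated by the dc:local entries; either move the s3member -U/-G entries up into the earlier block or give this block a heading that says what is specific to s3member.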
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c6e6ef9..412fbff 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -922,7 +922,20 @@ sub provision_s4member($$$)
 {
        my ($self, $prefix, $dcvars) = @_;
        print "PROVISIONING MEMBER...";
-
+       my $extra_smb_conf = "
+        passdb backend = samba_dsdb
+winbindd:use external pipes = true
+
+rpc_server:default = external
+rpc_server:svcctl = embedded
+rpc_server:srvsvc = embedded
+rpc_server:eventlog = embedded
+rpc_server:ntsvcs = embedded
+rpc_server:winreg = embedded
+rpc_server:spoolss = embedded
+rpc_daemon:spoolssd = embedded
+rpc_server:tcpip = no
+";
        my $ret = $self->provision($prefix,
                                   "member server",
                                   "s4member",
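Review bot: the indentation inside $extra_smb_conf is inconsistent ('passdb backend' is indented eight spaces, the remaining lines not at all), which the parser tolerates but which makes the block look like two separate pieces; align them. The block also hard-codes which RPC servers are embedded versus external for the member without saying why; a one-line comment explaining why the member needs 'winbindd:use external pipes = true' and 'rpc_server:tcpip = no' would help whoever next has to debug this environment.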
@@ -931,7 +944,7 @@ sub provision_s4member($$$)
                                   "2008",
                                   "locMEMpass3",
                                   $dcvars->{SERVER_IP},
-                                  "passdb backend = samba_dsdb", "", undef);
+                                  $extra_smb_conf, "", undef);
        unless ($ret) {
                return undef;
        }
@@ -1263,7 +1276,8 @@ sub provision_dc($$)
        my ($self, $prefix) = @_;
 
        print "PROVISIONING DC...";
-        my $extra_conf_options = "netbios aliases = localDC1-a";
+        my $extra_conf_options = "netbios aliases = localDC1-a
+        server services = +winbind -winbindd";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "localdc",
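Review bot: the dc environment is pinned to the old s4 winbind ('server services = +winbind -winbindd') with no comment, while the title commit makes winbindd the default. The chgdcpass hunk later in this patch explains its own override (secrets.tdb is deleted there), so this one needs a comment of the same kind, and the commit message should state that the primary dc environment therefore does not exercise the new default.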
@@ -1315,8 +1329,7 @@ sub provision_fl2003dc($$)
        my ($self, $prefix) = @_;
 
        print "PROVISIONING DC...";
-        my $extra_conf_options = "allow dns updates = nonsecure and secure
-                                  server services = +winbindd -winbind";
+        my $extra_conf_options = "allow dns updates = nonsecure and secure";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "dc6",
@@ -1514,8 +1527,6 @@ sub provision_plugin_s4_dc($$)
        queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb 
queueresume %p
        lpq cache time = 0
        print notify backchannel = yes
-
-        server services = +winbindd -winbind
 ";
 
        my $extra_smbconf_shares = "
@@ -1590,6 +1601,7 @@ sub provision_chgdcpass($$)
        print "PROVISIONING CHGDCPASS...";
        my $extra_provision_options = undef;
        push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
+       my $extra_conf_options = "server services = +winbind -winbindd";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "chgdcpass",
@@ -1597,7 +1609,7 @@ sub provision_chgdcpass($$)
                                   "chgdcpassword.samba.example.com",
                                   "2008",
                                   "chgDCpass1",
-                                  undef, "", "",
+                                  undef, $extra_conf_options, "",
                                   $extra_provision_options);
 
        return undef unless(defined $ret);
@@ -1606,8 +1618,10 @@ sub provision_chgdcpass($$)
                return undef;
        }
        
-       # Remove secrets.tdb from this environment to test that we still start 
up
-       # on systems without the new matching secrets.tdb records
+       # Remove secrets.tdb from this environment to test that we
+       # still start up on systems without the new matching
+       # secrets.tdb records.  For this reason we don't run winbindd
+       # in this environment
        unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || 
unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
                warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added 
during provision");
                return undef;
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 6d1192e..00261f7 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -232,6 +232,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
                if ( NT_STATUS_V(result) == 
NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
                        DEBUG(10,("check_ntlm_password: %s had nothing to 
say\n", auth_method->name));
                        TALLOC_FREE(tmp_ctx);
+                       if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
+                               /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
+                                * internals, except when the caller is only 
probing
+                                * one method, as they may do the fallback 
+                                */
+                               nt_status = result;
+                       }
                        continue;
                }
 
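Review bot: the new assignment 'nt_status = result;' runs before 'continue', so unless the loop breaks on every definitive result, whatever an earlier module left in nt_status is overwritten with NT_STATUS_NOT_IMPLEMENTED whenever a later module has nothing to say; if the intent is that the caller probes a single method (as the comment says), breaking out of the loop would state that directly, and if not, the assignment should only happen when nt_status has not already been set. Since this status now reaches callers of auth_check_ntlm_password, the commit message should say that callers must treat it strictly as 'not authenticated here' and never as success. The comment block should also be rewrapped to the usual 80 columns.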
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 1eeb24c..16162e1 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -130,6 +130,7 @@ bool secrets_store_machine_pw_sync(const char *pass, const 
char *oldpass, const
                                   const char *realm,
                                   const char *salting_principal, uint32_t 
supported_enc_types,
                                   const struct dom_sid *domain_sid, uint32_t 
last_change_time,
+                                  uint32_t secure_channel,
                                   bool delete_join);
 
 /* The following definitions come from passdb/secrets_lsa.c  */
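Review bot: the new parameter is named 'secure_channel' in this prototype but 'secure_channel_type' in the definition in source3/passdb/machine_account_secrets.c later in this patch; use one name (secure_channel_type matches the value it carries) so the header documents what callers actually pass.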
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 4814d25..6e64482 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -969,7 +969,7 @@ static void init_globals(bool reinit_globals)
 
        string_set(Globals.ctx, &Globals.ncalrpc_dir, get_dyn_NCALRPCDIR());
 
-       Globals.server_services = (const char **)str_list_make_v3(NULL, "s3fs 
rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns", NULL);
+       Globals.server_services = (const char **)str_list_make_v3(NULL, "s3fs 
rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
 
        Globals.dcerpc_endpoint_servers = (const char **)str_list_make_v3(NULL, 
"epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo 
browser eventlog6 backupkey dnsserver", NULL);
 
diff --git a/source3/passdb/machine_account_secrets.c 
b/source3/passdb/machine_account_secrets.c
index 4e35a72..37ee9bc 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -482,11 +482,13 @@ bool secrets_store_machine_pw_sync(const char *pass, 
const char *oldpass, const
                                   const char *realm,
                                   const char *salting_principal, uint32_t 
supported_enc_types,
                                   const struct dom_sid *domain_sid, uint32_t 
last_change_time,
+                                  uint32_t secure_channel_type,
                                   bool delete_join)
 {
        bool ret;
        uint8_t last_change_time_store[4];
        TALLOC_CTX *frame = talloc_stackframe();
+       uint8_t sec_channel_bytes[4];
        void *value;
 
        if (delete_join) {
@@ -516,13 +518,23 @@ bool secrets_store_machine_pw_sync(const char *pass, 
const char *oldpass, const
                return ret;
        }
 
-       /* We delete this and instead have the read code fall back to
-        * a default based on server role, as our caller can't specify
-        * this with any more certainty */
-       value = secrets_fetch(machine_sec_channel_type_keystr(domain), NULL);
-       if (value) {
-               SAFE_FREE(value);
-               ret = secrets_delete(machine_sec_channel_type_keystr(domain));
+       if (secure_channel_type == 0) {
+               /* We delete this and instead have the read code fall back to
+                * a default based on server role, as our caller can't specify
+                * this with any more certainty */
+               value = secrets_fetch(machine_sec_channel_type_keystr(domain), 
NULL);
+               if (value) {
+                       SAFE_FREE(value);
+                       ret = 
secrets_delete(machine_sec_channel_type_keystr(domain));
+                       if (!ret) {
+                               TALLOC_FREE(frame);
+                               return ret;
+                       }
+               }
+       } else {
+               SIVAL(&sec_channel_bytes, 0, secure_channel_type);
+               ret = secrets_store(machine_sec_channel_type_keystr(domain), 
+                                   &sec_channel_bytes, 
sizeof(sec_channel_bytes));
                if (!ret) {
                        TALLOC_FREE(frame);
                        return ret;
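Review bot: 'secure_channel_type == 0' is used as the 'unspecified, delete the key' sentinel with a bare literal; name it (a comment at the top of the function or a constant) so the meaning of passing 0 is visible at the call sites. No range check is done on the value stored either, so a caller passing an unexpected value persists it into secrets.tdb for winbindd to read back as its role. Style: '&sec_channel_bytes' is a pointer to the whole array; the plain array name 'sec_channel_bytes' is what SIVAL and secrets_store expect and reads more cleanly.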
diff --git a/source3/winbindd/wb_dsgetdcname.c 
b/source3/winbindd/wb_dsgetdcname.c
index bc952cd..db6cde9 100644
--- a/source3/winbindd/wb_dsgetdcname.c
+++ b/source3/winbindd/wb_dsgetdcname.c
@@ -45,18 +45,28 @@ struct tevent_req *wb_dsgetdcname_send(TALLOC_CTX *mem_ctx,
                return NULL;
        }
 
-       if (strequal(domain_name, "BUILTIN")
-           || strequal(domain_name, get_global_sam_name())) {
+       if (strequal(domain_name, "BUILTIN")) {
                /*
-                * Two options here: Give back our own address, or say there's
-                * nobody around. Right now opting for the latter, one measure
-                * to prevent the loopback connects. This might change if
-                * needed.
+                * This makes no sense
                 */
                tevent_req_nterror(req, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
                return tevent_req_post(req, ev);
        }
 
+       if (strequal(domain_name, get_global_sam_name())) {
+               int role = lp_server_role();
+               if ( role != ROLE_ACTIVE_DIRECTORY_DC ) {
+                       /*
+                        * Two options here: Give back our own address, or say 
there's
+                        * nobody around. Right now opting for the latter, one 
measure
+                        * to prevent the loopback connects. This might change 
if
+                        * needed.
+                        */
+                       tevent_req_nterror(req, 
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND);
+                       return tevent_req_post(req, ev);
+               }
+       }
+
        if (IS_DC) {
                /*
                 * We have to figure out the DC ourselves
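Review bot: the BUILTIN branch comment was reduced to 'This makes no sense', which loses the original explanation; keep a line saying that BUILTIN has no domain controller. For our own domain on an AD DC the request now falls through to the generic lookup below, and since commit af7f887 in this series relies on this path to reach the read-write DC from an RODC, the hunk should make sure the lookup asks for a writable DC rather than accepting the RODC's own address back (the loopback connect is exactly what the removed comment was avoiding). Minor style: 'if ( role != ROLE_ACTIVE_DIRECTORY_DC )' has extra spaces inside the parentheses.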
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 07c87db..5b98928 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -164,6 +164,7 @@ struct winbindd_domain {
        bool active_directory;                 /* is this a win2k active 
directory ? */
        bool primary;                          /* is this our primary domain ? 
*/
        bool internal;                         /* BUILTIN and member SAM */
+       bool rodc;                             /* Are we an RODC for this AD 
domain? (do some operations locally) */
        bool online;                           /* is this domain available ? */
        time_t startup_time;                   /* When we set "startup" true. 
monotonic clock */
        bool startup;                          /* are we in the first 30 
seconds after startup_time ? */
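Review bot: the new 'rodc' field decides whether a domain's operations may be answered locally or must be forwarded, but nothing in the visible part of this changeset shows where it is initialised (winbindd_util.c is in the summary but beyond the truncation); the comment should state its default and the one place it is set, since a wrong false here makes an RODC answer from a replica that does not hold the secret, and a wrong true sends every request over the network.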
diff --git a/source3/winbindd/winbindd_cache.c 
b/source3/winbindd/winbindd_cache.c
index dfad8f5..bfd78da 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -132,7 +132,8 @@ static struct winbind_cache *get_cache(struct 
winbindd_domain *domain)
        }
 
        if ( !domain->initialized ) {
-               init_dc_connection( domain );
+               /* We do not need a connection to an RW DC for cache operation 
*/
+               init_dc_connection(domain, false);
        }
 
        /* 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index a8ace52..05205a7 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -94,7 +94,7 @@ struct dc_name_ip {
 extern struct winbindd_methods reconnect_methods;
 extern bool override_logfile;
 
-static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain);
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, 
bool need_rw_dc);
 static void set_dc_type_and_flags( struct winbindd_domain *domain );
 static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
                    struct dc_name_ip **dcs, int *num_dcs);
@@ -176,7 +176,7 @@ static void msg_try_to_go_online(struct messaging_context 
*msg,
                           the offline handler if false. Bypasses online
                           check so always does network calls. */
 
-                       init_dc_connection_network(domain);
+                       init_dc_connection_network(domain, true);
                        break;
                }
        }
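Review bot: msg_try_to_go_online now always passes need_rw_dc=true, so on an RODC a 'go online' message for our own domain forces a network connection to the read-write DC even though the cache and LSA callers elsewhere in this patch pass false; if that is deliberate (we only count as online once the RW DC is reachable), say so in the comment above, because the asymmetry is easy to misread.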
@@ -1931,9 +1931,13 @@ static bool connection_ok(struct winbindd_domain *domain)
 /* Initialize a new connection up to the RPC BIND.
    Bypass online status check so always does network calls. */
 
-static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain)
+static NTSTATUS init_dc_connection_network(struct winbindd_domain *domain, 
bool need_rw_dc)
 {
        NTSTATUS result;
+       bool skip_connection = domain->internal;
+       if (need_rw_dc && domain->rodc) {
+               skip_connection = false;
+       }
 
        /* Internal connections never use the network. */
        if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
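Review bot: the two-step 'skip_connection = domain->internal; if (need_rw_dc && domain->rodc) skip_connection = false;' is equivalent to 'skip_connection = domain->internal && !(need_rw_dc && domain->rodc);', and the single expression states the rule (an internal domain is served locally unless an RODC needs a writable DC) in one place. Also add a blank line after the declarations per the surrounding style, and update the function's header comment, which still only says it bypasses the online check and not that it may now skip the internal short-cut.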
@@ -1941,7 +1945,7 @@ static NTSTATUS init_dc_connection_network(struct 
winbindd_domain *domain)
        }
 
        /* Still ask the internal LSA and SAMR server about the local domain */
-       if (domain->internal || connection_ok(domain)) {
+       if (skip_connection || connection_ok(domain)) {
                if (!domain->initialized) {
                        set_dc_type_and_flags(domain);
                }
@@ -1959,7 +1963,7 @@ static NTSTATUS init_dc_connection_network(struct 
winbindd_domain *domain)
        return result;
 }
 
-NTSTATUS init_dc_connection(struct winbindd_domain *domain)
+NTSTATUS init_dc_connection(struct winbindd_domain *domain, bool need_rw_dc)
 {
        if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
                return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
@@ -1970,14 +1974,14 @@ NTSTATUS init_dc_connection(struct winbindd_domain 
*domain)
                return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
        }
 
-       return init_dc_connection_network(domain);
+       return init_dc_connection_network(domain, need_rw_dc);
 }
 
-static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain)
+static NTSTATUS init_dc_connection_rpc(struct winbindd_domain *domain, bool 
need_rw_dc)
 {
        NTSTATUS status;
 
-       status = init_dc_connection(domain);
+       status = init_dc_connection(domain, need_rw_dc);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -2382,6 +2386,7 @@ static NTSTATUS cm_get_schannel_creds(struct 
winbindd_domain *domain,
 }
 
 NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+                       bool need_rw_dc,
                        struct rpc_pipe_client **cli, struct policy_handle 
*sam_handle)
 {
        struct winbindd_cm_conn *conn;
@@ -2392,10 +2397,12 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, 
TALLOC_CTX *mem_ctx,
        const char *domain_name = NULL;
 
        if (sid_check_is_our_sam(&domain->sid)) {
-               return open_internal_samr_conn(mem_ctx, domain, cli, 
sam_handle);
+               if (domain->rodc == false || need_rw_dc == false) {
+                       return open_internal_samr_conn(mem_ctx, domain, cli, 
sam_handle);
+               }
        }
 
-       status = init_dc_connection_rpc(domain);
+       status = init_dc_connection_rpc(domain, need_rw_dc);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
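Review bot: the condition 'domain->rodc == false || need_rw_dc == false' reads better as '!domain->rodc || !need_rw_dc'. More importantly, the new fall-through (our own SAM on an RODC with need_rw_dc set) continues into init_dc_connection_rpc and the rest of cm_connect_sam, which previously never ran for our own domain; a comment at the fall-through and a test in the rodc environment (the knownfail hunks remove the rodc wbinfo entries, so those tests now run) should confirm it reaches the read-write DC's SAMR rather than the local one.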
@@ -2605,7 +2612,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain 
*domain,
 
        DEBUG(10,("cm_connect_lsa_tcp\n"));
 
-       status = init_dc_connection_rpc(domain);
+       status = init_dc_connection_rpc(domain, false);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -2656,7 +2663,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, 
TALLOC_CTX *mem_ctx,
        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
        struct netlogon_creds_cli_context *p_creds;
 
-       result = init_dc_connection_rpc(domain);
+       result = init_dc_connection_rpc(domain, false);
        if (!NT_STATUS_IS_OK(result))
                return result;
 
@@ -2829,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain 
*domain,
 
        *cli = NULL;
 
-       result = init_dc_connection_rpc(domain);
+       result = init_dc_connection_rpc(domain, true);
        if (!NT_STATUS_IS_OK(result)) {
                return result;
        }
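Review bot: the choice of true here versus false in cm_connect_lsa and cm_connect_lsa_tcp is the security-relevant decision in this change (what an RODC may answer from its local replica and what must go to the read-write DC); record the rule in a comment at each call site, for instance that netlogon (credential validation, machine account password) always needs the RW DC while LSA name lookups can be served locally, so the next caller of init_dc_connection_rpc knows which value to pass and why.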
diff --git a/source3/winbindd/winbindd_msrpc.c 
b/source3/winbindd/winbindd_msrpc.c
index 426d64c..9aef7cc 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -76,7 +76,7 @@ static NTSTATUS msrpc_query_user_list(struct winbindd_domain 
*domain,
                goto done;
        }


-- 
Samba Shared Repository
