The branch, master has been updated
via 1f9501c winbind: Fix passing idmap failure from wb_sids2xids back
to callers
via 7a3b780 idmap_ad: Fix retrieving credentials from clustered
secrets.tdb
via 1017b22 s3: winbind: Trust name2sid mappings from the PAC.
from f85b233a s4-kdc: Fix Coverity ID #1373385 (OVERRUN)
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1f9501cad63717d6e4ea01974f853b199f359b40
Author: Christof Schmitt <c...@samba.org>
Date: Mon Sep 26 14:27:28 2016 -0700
winbind: Fix passing idmap failure from wb_sids2xids back to callers
If the idmap call in wb_sids2xids fails, the callers expect xid.type to
be set to ID_TYPE_NOT_SPECIFIED, not the internal type field that is
initialized from the lookupsids call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12295
Signed-off-by: Christof Schmitt <c...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Fri Sep 30 02:10:29 CEST 2016 on sn-devel-144
commit 7a3b7804cba53a21739e8912b005ab498e921eb7
Author: Christof Schmitt <c...@samba.org>
Date: Mon Sep 26 14:40:28 2016 -0700
idmap_ad: Fix retrieving credentials from clustered secrets.tdb
cli_credentials_set_machine_account only reads from a local tdb. Change
that call to cli_credentials_set_machine_account_db_ctx to fix this for
clustered Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12295
Signed-off-by: Christof Schmitt <c...@samba.org>
Reviewed-by: Volker Lendecke <v...@samba.org>
commit 1017b22f68e798a080e0738d3beecf008b2284ef
Author: Jeremy Allison <j...@samba.org>
Date: Wed Sep 28 11:26:04 2016 -0700
s3: winbind: Trust name2sid mappings from the PAC.
Don't refresh sequence number in parent as the
mapping comes from a trusted DC.
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Günther Deschner <g...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/idmap_ad.c | 11 ++++++++++-
source3/winbindd/wb_sids2xids.c | 2 +-
source3/winbindd/winbindd_cache.c | 19 +++++++++++++++++++
source3/winbindd/winbindd_pam.c | 2 +-
source3/winbindd/winbindd_proto.h | 5 +++++
5 files changed, 36 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 242b788..c385cf0 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -22,6 +22,7 @@
#include "idmap.h"
#include "tldap_gensec_bind.h"
#include "tldap_util.h"
+#include "secrets.h"
#include "lib/param/param.h"
#include "utils/net.h"
#include "auth/gensec/gensec.h"
@@ -242,6 +243,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
const char *domname,
struct tldap_context **pld)
{
+ struct db_context *db_ctx;
struct netr_DsRGetDCNameInfo *dcinfo;
struct sockaddr_storage dcaddr;
struct cli_credentials *creds;
@@ -308,7 +310,14 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
cli_credentials_set_conf(creds, lp_ctx);
- status = cli_credentials_set_machine_account(creds, lp_ctx);
+ db_ctx = secrets_db_ctx();
+ if (db_ctx == NULL) {
+ DBG_DEBUG("Failed to open secrets.tdb.\n");
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx,
+ db_ctx);
if (!NT_STATUS_IS_OK(status)) {
DBG_DEBUG("cli_credentials_set_machine_account "
"failed: %s\n", nt_errstr(status));
diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
index e16917f..25260be 100644
--- a/source3/winbindd/wb_sids2xids.c
+++ b/source3/winbindd/wb_sids2xids.c
@@ -305,7 +305,7 @@ static void wb_sids2xids_done(struct tevent_req *subreq)
* All we can do here is to report "not mapped"
*/
for (i=0; i<src->num_ids; i++) {
- src->ids[i].type = ID_TYPE_NOT_SPECIFIED;
+ src->ids[i].xid.type = ID_TYPE_NOT_SPECIFIED;
}
}
diff --git a/source3/winbindd/winbindd_cache.c
b/source3/winbindd/winbindd_cache.c
index 2bce12d..3e01ff0 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -3339,6 +3339,25 @@ bool lookup_cached_name(const char *domain_name,
return NT_STATUS_IS_OK(status);
}
+/*
+ * Cache a name to sid without checking the sequence number.
+ * Used when caching from a trusted PAC.
+ */
+
+void cache_name2sid_trusted(struct winbindd_domain *domain,
+ const char *domain_name,
+ const char *name,
+ enum lsa_SidType type,
+ const struct dom_sid *sid)
+{
+ wcache_save_name_to_sid(domain,
+ NT_STATUS_OK,
+ domain_name,
+ name,
+ sid,
+ type);
+}
+
void cache_name2sid(struct winbindd_domain *domain,
const char *domain_name, const char *name,
enum lsa_SidType type, const struct dom_sid *sid)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index da874c7..8456876 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2598,7 +2598,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct
winbindd_cli_state *state,
info3_copy->base.domain_sid,
info3_copy->base.rid);
- cache_name2sid(domain,
+ cache_name2sid_trusted(domain,
info3_copy->base.logon_domain.string,
info3_copy->base.account_name.string,
SID_NAME_USER,
diff --git a/source3/winbindd/winbindd_proto.h
b/source3/winbindd/winbindd_proto.h
index 4d99927..5e3d9fb 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -86,6 +86,11 @@ bool lookup_cached_name(const char *domain_name,
const char *name,
struct dom_sid *sid,
enum lsa_SidType *type);
+void cache_name2sid_trusted(struct winbindd_domain *domain,
+ const char *domain_name,
+ const char *name,
+ enum lsa_SidType type,
+ const struct dom_sid *sid);
void cache_name2sid(struct winbindd_domain *domain,
const char *domain_name, const char *name,
enum lsa_SidType type, const struct dom_sid *sid);
--
Samba Shared Repository
