The branch, master has been updated via 1f9501c winbind: Fix passing idmap failure from wb_sids2xids back to callers via 7a3b780 idmap_ad: Fix retrieving credentials from clustered secrets.tdb via 1017b22 s3: winbind: Trust name2sid mappings from the PAC. from f85b233a s4-kdc: Fix Coverity ID #1373385 (OVERRUN)
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 1f9501cad63717d6e4ea01974f853b199f359b40 Author: Christof Schmitt <c...@samba.org> Date: Mon Sep 26 14:27:28 2016 -0700 winbind: Fix passing idmap failure from wb_sids2xids back to callers If the idmap call in wb_sids2xids fails, the callers expect xid.type to be set to ID_TYPE_NOT_SPECIFIED, not the internal type field that is initialized from the lookupsids call. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12295 Signed-off-by: Christof Schmitt <c...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Fri Sep 30 02:10:29 CEST 2016 on sn-devel-144 commit 7a3b7804cba53a21739e8912b005ab498e921eb7 Author: Christof Schmitt <c...@samba.org> Date: Mon Sep 26 14:40:28 2016 -0700 idmap_ad: Fix retrieving credentials from clustered secrets.tdb cli_credentials_set_machine_account only reads from a local tdb. Change that call to cli_credentials_set_machine_account_db_ctx to fix this for clustered Samba. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12295 Signed-off-by: Christof Schmitt <c...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> commit 1017b22f68e798a080e0738d3beecf008b2284ef Author: Jeremy Allison <j...@samba.org> Date: Wed Sep 28 11:26:04 2016 -0700 s3: winbind: Trust name2sid mappings from the PAC. Don't refresh sequence number in parent as the mapping comes from a trusted DC. 
Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/winbindd/idmap_ad.c | 11 ++++++++++- source3/winbindd/wb_sids2xids.c | 2 +- source3/winbindd/winbindd_cache.c | 19 +++++++++++++++++++ source3/winbindd/winbindd_pam.c | 2 +- source3/winbindd/winbindd_proto.h | 5 +++++ 5 files changed, 36 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c index 242b788..c385cf0 100644 --- a/source3/winbindd/idmap_ad.c +++ b/source3/winbindd/idmap_ad.c @@ -22,6 +22,7 @@ #include "idmap.h" #include "tldap_gensec_bind.h" #include "tldap_util.h" +#include "secrets.h" #include "lib/param/param.h" #include "utils/net.h" #include "auth/gensec/gensec.h" @@ -242,6 +243,7 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, const char *domname, struct tldap_context **pld) { + struct db_context *db_ctx; struct netr_DsRGetDCNameInfo *dcinfo; struct sockaddr_storage dcaddr; struct cli_credentials *creds; @@ -308,7 +310,14 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, cli_credentials_set_conf(creds, lp_ctx); - status = cli_credentials_set_machine_account(creds, lp_ctx); + db_ctx = secrets_db_ctx(); + if (db_ctx == NULL) { + DBG_DEBUG("Failed to open secrets.tdb.\n"); + return NT_STATUS_INTERNAL_ERROR; + } + + status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx, + db_ctx); if (!NT_STATUS_IS_OK(status)) { DBG_DEBUG("cli_credentials_set_machine_account " "failed: %s\n", nt_errstr(status)); diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c index e16917f..25260be 100644 --- a/source3/winbindd/wb_sids2xids.c +++ b/source3/winbindd/wb_sids2xids.c 
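Review bot: The unchanged debug message after the new call in idmap_ad_get_tldap_ctx still names `cli_credentials_set_machine_account`, so a failure of the clustered lookup is logged under the wrong function; it should read `"cli_credentials_set_machine_account_db_ctx "`. The new `db_ctx == NULL` branch returns directly, and the function's other error paths are outside this hunk, so confirm that none of them release locals such as `dcinfo` or `creds` that this return would skip. Failing to open secrets.tdb means the machine account credentials are unavailable, which probably deserves more than debug level, for example `DBG_ERR("Failed to open secrets.tdb.\n");`.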
@@ -305,7 +305,7 @@ static void wb_sids2xids_done(struct tevent_req *subreq) * All we can do here is to report "not mapped" */ for (i=0; i<src->num_ids; i++) { - src->ids[i].type = ID_TYPE_NOT_SPECIFIED; + src->ids[i].xid.type = ID_TYPE_NOT_SPECIFIED; } } diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 2bce12d..3e01ff0 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -3339,6 +3339,25 @@ bool lookup_cached_name(const char *domain_name, return NT_STATUS_IS_OK(status); } +/* + * Cache a name to sid without checking the sequence number. + * Used when caching from a trusted PAC. + */ + +void cache_name2sid_trusted(struct winbindd_domain *domain, + const char *domain_name, + const char *name, + enum lsa_SidType type, + const struct dom_sid *sid) +{ + wcache_save_name_to_sid(domain, + NT_STATUS_OK, + domain_name, + name, + sid, + type); +} + void cache_name2sid(struct winbindd_domain *domain, const char *domain_name, const char *name, enum lsa_SidType type, const struct dom_sid *sid) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index da874c7..8456876 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2598,7 +2598,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, info3_copy->base.domain_sid, info3_copy->base.rid); - cache_name2sid(domain, + cache_name2sid_trusted(domain, info3_copy->base.logon_domain.string, info3_copy->base.account_name.string, SID_NAME_USER, diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 4d99927..5e3d9fb 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h 
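Review bot: The comment above the loop in wb_sids2xids_done still only says "report not mapped", so nothing records why `xid.type` is the field to set rather than the sibling `type`. A short comment such as `/* callers read xid.type; ids[i].type is internal state from lookupsids */` would keep the two fields from being confused again. `xid.id` is left untouched on this failure path. Whether every caller ignores it once the type is ID_TYPE_NOT_SPECIFIED is not visible here and is worth confirming, since the value feeds uid/gid decisions. The function body starts and ends outside the hunk.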
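Review bot: The comment on cache_name2sid_trusted says when it is used but not what the caller must guarantee. The entry is stored with NT_STATUS_OK and no sequence-number check, so a mapping from a PAC whose signatures had not been verified would be cached as authoritative. I would state the precondition in the comment, for example `* The caller must have verified the PAC signatures before calling this.` How long such an entry stays valid without the sequence refresh is not visible in this hunk; if it depends on the previously cached sequence number, the comment should say so.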
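Review bot: In winbindd_pam_auth_pac_send, `info3_copy->base.logon_domain.string` and `info3_copy->base.account_name.string` come from the PAC and reach cache_name2sid_trusted with no visible check that they are non-NULL and non-empty. The same arguments were passed to cache_name2sid before, but now that the entry is written without the sequence-number refresh it is worth guarding the call, for example `if (info3_copy->base.account_name.string != NULL && info3_copy->base.logon_domain.string != NULL)`. Whether wcache_save_name_to_sid already tolerates NULL names cannot be told from this hunk. The function continues outside the hunk, so confirm this call is only reached after PAC verification has succeeded.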
@@ -86,6 +86,11 @@ bool lookup_cached_name(const char *domain_name, const char *name, struct dom_sid *sid, enum lsa_SidType *type); +void cache_name2sid_trusted(struct winbindd_domain *domain, + const char *domain_name, + const char *name, + enum lsa_SidType type, + const struct dom_sid *sid); void cache_name2sid(struct winbindd_domain *domain, const char *domain_name, const char *name, enum lsa_SidType type, const struct dom_sid *sid); -- Samba Shared Repository