The branch, master has been updated
       via  63dc60767eb s3:auth_winbind: ignore a missing winbindd as NT4 
PDC/BDC without trusts
       via  ec3adc1e5b3 s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if 
winbindd is not available
       via  f3bac8c9112 s3:auth_winbind: remove fallback to optional backend
       via  865538fabae s3:auth: ignore create_builtin_guests() failing without 
a valid idmap configuration
      from  1b263ed631c s3-vfs-streams_xattr: add close call

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 63dc60767eb13d8fc09ed4bc44faa538581b18f1
Author: Stefan Metzmacher <[email protected]>
Date:   Sat Dec 8 23:25:40 2018 +0100

    s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>
    
    Autobuild-User(master): Alexander Bokovoy <[email protected]>
    Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144

commit ec3adc1e5b3cc953576efa795dfb25af08a8ab79
Author: Stefan Metzmacher <[email protected]>
Date:   Sat Dec 8 22:53:21 2018 +0100

    s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not 
available
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit f3bac8c91121871bf8ce852bc3e3ea2e834d3f27
Author: Stefan Metzmacher <[email protected]>
Date:   Sat Dec 8 22:48:33 2018 +0100

    s3:auth_winbind: remove fallback to optional backend
    
    This is not possible anymore, as the trustdomain backend
    was removed in commit 75c152c0d764165a4a9dd0a85390af063dd0192a.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

commit 865538fabaea33741f5fa542dbc3f2e08308c2c1
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Dec 19 09:38:33 2018 +0100

    s3:auth: ignore create_builtin_guests() failing without a valid idmap 
configuration
    
    This happens on standalone servers, where winbindd is started
    automatically by init scripts if it is installed, but is not really
    used and may have no valid idmap configuration
    ("idmap config * : range" has no default).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth.c         |  2 +-
 source3/auth/auth_winbind.c | 47 ++++++++++++++++++++++++++++++---------------
 source3/auth/token_util.c   | 18 ++++++++++++++++-
 3 files changed, 49 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index d13d0fe471c..0a96d591808 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -557,7 +557,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX 
*mem_ctx,
        switch (lp_server_role()) {
        case ROLE_DOMAIN_BDC:
        case ROLE_DOMAIN_PDC:
-               methods = "sam_netlogon3 winbind:trustdomain";
+               methods = "sam_netlogon3 winbind";
                break;
 
        default:
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 6bf2118037d..93b832265cf 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "auth.h"
+#include "passdb.h"
 #include "nsswitch/libwbclient/wbclient.h"
 
 #undef DBGC_CLASS
@@ -110,13 +111,37 @@ static NTSTATUS check_winbind_security(const struct 
auth_context *auth_context,
        }
 
        if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
-               struct auth_methods *auth_method =
-                       (struct auth_methods *)my_private_data;
+               struct pdb_trusted_domain **domains = NULL;
+               uint32_t num_domains = 0;
+               NTSTATUS status;
+
+               if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+                       status = NT_STATUS_NO_LOGON_SERVERS;
+                       DBG_ERR("winbindd not running - "
+                               "but required as domain member: %s\n",
+                               nt_errstr(status));
+                       return status;
+               }
 
-               if ( auth_method )
-                       return auth_method->auth(auth_context, 
auth_method->private_data, 
-                               mem_ctx, user_info, server_info);
-               return NT_STATUS_LOGON_FAILURE;
+               status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, 
&domains);
+               if (!NT_STATUS_IS_OK(status)) {
+                       DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+                               nt_errstr(status));
+                       return status;
+               }
+               TALLOC_FREE(domains);
+
+               if (num_domains == 0) {
+                       DBG_DEBUG("winbindd not running - ignoring without "
+                                 "trusted domains\n");
+                       return NT_STATUS_NOT_IMPLEMENTED;
+               }
+
+               status = NT_STATUS_NO_LOGON_SERVERS;
+               DBG_ERR("winbindd not running - "
+                       "but required as DC with trusts: %s\n",
+                       nt_errstr(status));
+               return status;
        }
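Review bot: The role test at the top of the new WBC_ERR_WINBIND_NOT_AVAILABLE branch only fails closed for ROLE_DOMAIN_MEMBER; every other role (standalone, PDC/BDC, and presumably any role added later) falls through to the passdb trust enumeration and, with zero trusts, to NT_STATUS_NOT_IMPLEMENTED, which lets the auth chain continue to the next method without winbindd. That is wider than the commit title's "NT4 PDC/BDC without trusts", so a comment above the `lp_server_role()` test would keep the next reader from tightening or loosening it by accident, e.g. `/* Only domain members hard-require winbindd; any other role may authenticate without it as long as passdb holds no trusted domains. */`. If some role must never authenticate without winbindd, an explicit allow-list of the roles that may skip it would be safer than the single deny. check_winbind_security begins and ends outside this hunk.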
 
        if (wbc_status == WBC_ERR_AUTH_ERROR) {
@@ -164,16 +189,6 @@ static NTSTATUS auth_init_winbind(struct auth_context 
*auth_context, const char
        result->name = "winbind";
        result->auth = check_winbind_security;
 
-       if (param && *param) {
-               /* we load the 'fallback' module - if winbind isn't here, call 
this
-                  module */
-               auth_methods *priv;
-               if (!load_auth_module(auth_context, param, &priv)) {
-                       return NT_STATUS_UNSUCCESSFUL;
-               }
-               result->private_data = (void *)priv;
-       }
-
        *auth_method = result;
        return NT_STATUS_OK;
 }
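Review bot: With the fallback-module loading removed, the `param` argument of auth_init_winbind is no longer read, so an `auth methods = ... winbind:trustdomain` entry left over in smb.conf is now accepted silently instead of failing in load_auth_module as before. Logging it makes the behaviour change visible to administrators: `if (param && *param) { DBG_WARNING("auth module 'winbind' ignores parameter '%s'\n", param); }` in place of the removed block. The signature is truncated in the hunk header and the function starts outside the hunk, so the parameter name is taken from that header.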
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index c95d54db671..21ccb0d1fe7 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -743,7 +743,23 @@ NTSTATUS finalize_local_nt_token(struct security_token 
*result,
                status = create_builtin_guests(domain_sid);
                unbecome_root();
 
-               if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+               /*
+                * NT_STATUS_PROTOCOL_UNREACHABLE:
+                * => winbindd is not running.
+                *
+                * NT_STATUS_ACCESS_DENIED:
+                * => no idmap config at all
+                * and wbint_AllocateGid()/winbind_allocate_gid()
+                * failed.
+                *
+                * NT_STATUS_NO_SUCH_GROUP:
+                * => no idmap config at all and
+                * "tdbsam:map builtin = no" means
+                * wbint_Sids2UnixIDs() fails.
+                */
+               if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
+                   NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+                   NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
                        /*
                         * Add BUILTIN\Guests directly to token.
                         * But only if the token already indicates

