s4:server: avoid calling into nss_winbind from within 'samba'
authorStefan Metzmacher <metze@samba.org>
Wed, 10 Jul 2013 12:48:18 +0000 (14:48 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 10 Jul 2013 21:18:06 +0000 (23:18 +0200)
The most important part is that the 'winbind_server' doesn't
recurse into itself. This could happen if the krb5 libraries
call getlogin().

As we may run in single process mode, we need to set
_NO_WINBINDD=1 everywhere, the only exception is the forked
'smbd'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 10 23:18:06 CEST 2013 on sn-devel-104

file_server/file_server.c
source4/smbd/server.c

index 5d44d5a85cabf455a33e4da2f2f32beee4cdd8b8..aab5f39ac76cf2a5c2919f671e6c1ecfb83df200 100644 (file)
@@ -28,6 +28,7 @@
 #include "source4/smbd/process_model.h"
 #include "file_server/file_server.h"
 #include "dynconfig.h"
+#include "nsswitch/winbind_client.h"
 
 /*
   called if smbd exits
@@ -64,6 +65,8 @@ static void s3fs_task_init(struct task_server *task)
        smbd_path = talloc_asprintf(task, "%s/smbd", dyn_SBINDIR);
        smbd_cmd[0] = smbd_path;
 
+       /* the child should be able to call through nss_winbind */
+       (void)winbind_on();
        /* start it as a child process */
        subreq = samba_runcmd_send(task, task->event_ctx, timeval_zero(), 1, 0,
                                smbd_cmd,
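Review bot: The result of `winbind_on()` is discarded by the `(void)` cast just before `samba_runcmd_send()`, so if re-enabling fails, the forked smbd would presumably inherit `_NO_WINBINDD=1` and silently lose nss_winbind lookups. The parent-side `winbind_off()` failure later in this function is treated as fatal, and the child side deserves comparable handling: `if (!winbind_on()) {` followed by a DEBUG(0) message and `task_server_terminate()`, or at minimum a logged warning. s3fs_task_init starts and ends outside this hunk.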
@@ -72,6 +75,12 @@ static void s3fs_task_init(struct task_server *task)
                                "--foreground",
                                debug_get_output_is_stdout()?"--log-stdout":NULL,
                                NULL);
+       /* the parent should not be able to call through nss_winbind */
+       if (!winbind_off()) {
+               DEBUG(0,("Failed to re-disable recursive winbindd calls after forking smbd\n"));
+               task_server_terminate(task, "Failed to re-disable recursive winbindd calls", true);
+               return;
+       }
        if (subreq == NULL) {
                DEBUG(0, ("Failed to start smbd as child daemon\n"));
                task_server_terminate(task, "Failed to startup s3fs smb task", true);
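Review bot: The early `return` on `winbind_off()` failure runs before the `subreq == NULL` check, at a point where `samba_runcmd_send()` may already have started smbd. On that path the request never gets a callback and the child is not explicitly stopped; whether terminating the task reaps it cannot be seen from this hunk. Consider `TALLOC_FREE(subreq);` before `task_server_terminate()` in that branch, or a comment stating that task termination tears the child down. The function body continues outside the hunk.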
index 0ad3e6ba4157a649f679ce8a2f27eaecb520380b..37aac625b6c8cdfd6500163507c8b7411107541d 100644 (file)
@@ -43,6 +43,7 @@
 #include "cluster/cluster.h"
 #include "dynconfig/dynconfig.h"
 #include "lib/util/samba_modules.h"
+#include "nsswitch/winbind_client.h"
 
 /*
   recursively delete a directory tree
@@ -402,6 +403,12 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
                }
        }
 
+       /* make sure we won't go through nss_winbind */
+       if (!winbind_off()) {
+               DEBUG(0,("Failed to disable recusive winbindd calls.  Exiting.\n"));
+               exit(1);
+       }
+
        gensec_init(); /* FIXME: */
 
        ntptr_init();   /* FIXME: maybe run this in the initialization function
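Review bot: The DEBUG text in the new `winbind_off()` check misspells "recursive" as "recusive", so a log search using the wording from file_server.c will miss this startup failure; it should read `DEBUG(0,("Failed to disable recursive winbindd calls.  Exiting.\n"));`. The comment above the check could also state the reason given in the commit message, for example `/* set _NO_WINBINDD=1 so library calls such as getlogin() cannot recurse into our own winbind_server */`. binary_smbd_main starts and ends outside this hunk.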