r19255: Add blacklist of accounts when NSS initgroups calls are coming in and
authorGünther Deschner <gd@samba.org>
Thu, 12 Oct 2006 13:29:01 +0000 (13:29 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:15:26 +0000 (12:15 -0500)
"winbind use default domain" is set. Defaults to "root, nobody, lp"
currently.

Guenther
(This used to be commit b5b42196a6f2869deefc700dc98060f5ab832e40)

source3/nsswitch/winbindd_group.c
source3/param/loadparm.c

index de19ee02b5061b95ffb787ed49993bab84149282..676bf918b4b631c5dcf7350c36aafc0e31d329ea 100644 (file)
@@ -1018,6 +1018,30 @@ void winbindd_getgroups(struct winbindd_cli_state *state)
        DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid,
                  state->request.data.username));
 
+       /* when using "winbind use default domain" we need to avoid that
+        * initgroups() requests from NSS hit our DC too badly for accounts
+        * that will never be on the remote DC */
+
+       if (lp_winbind_use_default_domain()) {
+               
+               const char **list = lp_winbind_initgroups_blacklist();
+               int i;
+
+               if (!list || !list[0]) {
+                       goto parse;
+               }
+
+               for (i=0; list[i] != NULL; i++) {
+       
+                       if (strequal(state->request.data.username, list[i])) {
+                               DEBUG(3,("ignoring blacklisted user [%s] for getgroups\n", 
+                                       state->request.data.username));
+                               request_ok(state);
+                               return;
+                       }
+               }
+       }
+ parse:
        /* Parse domain and username */
 
        s = TALLOC_P(state->mem_ctx, struct getgroups_state);
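Review bot: The `goto parse` guard and the `parse:` label are unnecessary, because the loop condition `list[i] != NULL` already ends the loop at once for an empty list; only a NULL list needs guarding, and `for (i = 0; list && list[i] != NULL; i++)` expresses that without a forward jump into the parsing code. The comparison is made against the raw `state->request.data.username` before the domain/username split that follows, so a blacklisted name carrying a domain separator would presumably still be forwarded to the DC; that is plausible for the default-domain case this targets, but deserves a comment such as `/* matched against the unparsed request name; names with a domain separator are not blacklisted */`. A blacklisted account is answered with `request_ok(state)` and no group data, which the NSS side presumably reads as an empty supplementary group list; a one-line comment saying this is intended, rather than "user not found", would help the next reader. Lines 25, 34 and 36 carry trailing whitespace. winbindd_getgroups continues outside the hunk.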
index 8f2258bb72fa12fb017a2f6fbaeca0515b535ce3..0dff2e36c7cdb31f8468317e0554712a6c7fc4ab 100644 (file)
@@ -181,6 +181,7 @@ typedef struct {
        BOOL bWinbindRefreshTickets;
        BOOL bWinbindOfflineLogon;
        char **szIdmapBackend;
+       char **szWinbindInitgroupsBlacklist;
        char *szAddShareCommand;
        char *szChangeShareCommand;
        char *szDeleteShareCommand;
@@ -1278,6 +1279,7 @@ static struct parm_struct parm_table[] = {
        {"winbind nss info", P_LIST, P_GLOBAL, &Globals.szWinbindNssInfo, NULL, NULL, FLAG_ADVANCED}, 
        {"winbind refresh tickets", P_BOOL, P_GLOBAL, &Globals.bWinbindRefreshTickets, NULL, NULL, FLAG_ADVANCED}, 
        {"winbind offline logon", P_BOOL, P_GLOBAL, &Globals.bWinbindOfflineLogon, NULL, NULL, FLAG_ADVANCED},
+       {"winbind initgroups blacklist", P_LIST, P_GLOBAL, &Globals.szWinbindInitgroupsBlacklist, NULL, NULL, FLAG_ADVANCED},
 
        {NULL,  P_BOOL,  P_NONE,  NULL,  NULL,  NULL,  0}
 };
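Review bot: The new `winbind initgroups blacklist` parameter is added to parm_table without any accompanying smb.conf documentation; the commit touches only the two source files listed, so the option, its default of `root nobody lp` set in init_globals (the hunk at lines 64-71), and the fact that it is only consulted when `winbind use default domain` is enabled are invisible to administrators. A short documentation entry stating those points, and that entries are compared with strequal() against the requested account name in winbindd_getgroups, would close that gap. The parm_table definition itself begins outside the hunk.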
@@ -1624,6 +1626,7 @@ static void init_globals(BOOL first_time_only)
        Globals.szWinbindNssInfo = str_list_make("template", NULL);
        Globals.bWinbindRefreshTickets = False;
        Globals.bWinbindOfflineLogon = False;
+       Globals.szWinbindInitgroupsBlacklist = str_list_make("root nobody lp", NULL);
 
        Globals.bPassdbExpandExplicit = False;
 
@@ -1839,6 +1842,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 
 FN_GLOBAL_LIST(lp_idmap_backend, &Globals.szIdmapBackend)
+FN_GLOBAL_LIST(lp_winbind_initgroups_blacklist, &Globals.szWinbindInitgroupsBlacklist)
 FN_GLOBAL_BOOL(lp_passdb_expand_explicit, &Globals.bPassdbExpandExplicit)
 
 FN_GLOBAL_STRING(lp_ldap_suffix, &Globals.szLdapSuffix)