r13244: Allow control of the location of the Samba3-compatible winbindd pipe
authorAndrew Bartlett <abartlet@samba.org>
Tue, 31 Jan 2006 00:48:57 +0000 (00:48 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:51:37 +0000 (13:51 -0500)
in Samba4.  This allows us to start winbindd by default, including in
'make test'.

This is via a new 'winbindd socket directory' parameter for utilities
linked against loadparm, as well as a --with-winbindd-socket-dir
option to configure (setting the default and the value for simple
clients).

I hope to add basic winbindd tests, to ensure continued correct
operation, but at least now I don't have to manually change my 'server
services' line.

The other problem with the hard-coded /tmp/.winbind is that RedHat has
moved this in Fedora (to /var/run I think).  For this reason, this
functionality should probably be ported to Samba3 as well.

The default for Samba4 is PREFIX/var/run/winbind_pipe.

I have also re-added the paranoia checks from Samba3 for correct
permissions on the socket directory.

Andrew Bartlett

source/build/m4/check_path.m4
source/build/smb_build/makefile.pm
source/dynconfig.c
source/include/dynconfig.h
source/lib/util.c
source/main.mk
source/nsswitch/winbindd_nss.h
source/param/loadparm.c
source/script/tests/selftest.sh
source/winbind/wb_server.c
source/winbind/wb_server.h

index 293aac2427fb73e88b7c127b09b40e3dfab6f0f5..2f5f793a1da2c487e94b749b6a1a89e468b87f8e 100644 (file)
@@ -16,6 +16,7 @@ logfilebase="${localstatedir}"
 lockdir="${localstatedir}/locks"
 piddir="${localstatedir}/run"
 privatedir="${prefix}/private"
+winbindd_socket_dir="${localstatedir}/run/winbind_pipe"
 
 AC_ARG_WITH(fhs, 
 [  --with-fhs              Use FHS-compliant paths (default=no)],
@@ -27,6 +28,7 @@ AC_ARG_WITH(fhs,
     libdir="${libdir}/samba"
     datadir="${datadir}/samba"
     includedir="${includedir}/samba-4.0"
+    winbindd_socket_dir="${localstatedir}/run/samba/winbind_pipe"
 )
 
 #################################################
@@ -45,6 +47,22 @@ AC_ARG_WITH(privatedir,
     ;;
   esac])
 
+#################################################
+# set where the winbindd socket should be put
+AC_ARG_WITH(winbindd-socket-dir,
+[  --with-winbindd-socket-dir=DIR   Where to put the winbindd socket ($ac_default_prefix/run/winbind_pipe)],
+[ case "$withval" in
+  yes|no)
+  #
+  # Just in case anybody calls it without argument
+  #
+    AC_MSG_WARN([--with-winbind-socketdir called without argument - will use default])
+  ;;
+  * )
+    winbindd_socket_dir="$withval"
+    ;;
+  esac])
+
 #################################################
 # set lock directory location
 AC_ARG_WITH(lockdir,
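Review bot: The warning in the `yes|no)` branch names `--with-winbind-socketdir`, but the option declared by this `AC_ARG_WITH` is `--with-winbindd-socket-dir`, so anyone who sees the warning is pointed at a flag that does not exist. The help string also advertises `$ac_default_prefix/run/winbind_pipe` as the default, while the earlier hunks set `${localstatedir}/run/winbind_pipe` (and `${localstatedir}/run/samba/winbind_pipe` under `--with-fhs`). Suggested wording: `AC_MSG_WARN([--with-winbindd-socket-dir called without argument - will use default])`, with the help text quoting the `${localstatedir}`-based default. Because the value becomes the directory that clients trust for the winbindd socket, the help text should describe the real location.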
@@ -100,6 +118,7 @@ AC_SUBST(logfilebase)
 AC_SUBST(privatedir)
 AC_SUBST(bindir)
 AC_SUBST(sbindir)
+AC_SUBST(winbindd_socket_dir)
 
 #################################################
 # set prefix for 'make test'
index a7540bc9f9abc36554d4c398c36f49f8b18adff3..4280efa9495760fa3a348608ef4ca64d7bfa9296 100644 (file)
@@ -84,6 +84,7 @@ LOCKDIR = $self->{config}->{lockdir}
 PIDDIR = $self->{config}->{piddir}
 MANDIR = $self->{config}->{mandir}
 PRIVATEDIR = $self->{config}->{privatedir}
+WINBINDD_SOCKET_DIR = $self->{config}->{winbindd_socket_dir}
 
 __EOD__
 );
index 70f17d0b4834735cff2d2d42bb8911c43a544844..742c96df2a2221fdf9ba67e89652479f449cb875 100644 (file)
@@ -80,6 +80,13 @@ const char *dyn_PRIVATE_DIR = PRIVATE_DIR;
 /** SWAT data file (images, etc) directory */
 const char *dyn_SWATDIR = SWATDIR;
 
+/** SETUP files (source files used by the provision) */
 const char *dyn_SETUPDIR = SETUPDIR;
 
+/** EJS Javascript library includes */
 const char *dyn_JSDIR = JSDIR;
+
+/** Where to find the winbindd socket */
+
+const char *dyn_WINBINDD_SOCKET_DIR = WINBINDD_SOCKET_DIR;
+
index 32f5a24f8053ebe4b3c09b24da78d07d73f74e2c..5acf5b7338a4083d29a33383bf9391a601f18bb5 100644 (file)
@@ -40,3 +40,4 @@ extern const char *dyn_PRIVATE_DIR;
 extern const char *dyn_SWATDIR;
 extern const char *dyn_JSDIR;
 extern const char *dyn_SETUPDIR;
+extern const char *dyn_WINBINDD_SOCKET_DIR;
index ed384572fe684936d2b0f59281d11b3b8c0e1a2f..7d3f21c1e8bdbe373d021fe9e127ea8b251f3a4e 100644 (file)
@@ -88,6 +88,49 @@ BOOL directory_exist(const char *dname)
        return ret;
 }
 
+BOOL directory_create_or_exist(const char *dname, uid_t uid, 
+                              mode_t dir_perms)
+{
+       mode_t old_umask;
+       struct stat st;
+      
+       old_umask = umask(0);
+       if (lstat(dname, &st) == -1) {
+               if (errno == ENOENT) {
+                       /* Create directory */
+                       if (mkdir(dname, dir_perms) == -1) {
+                               DEBUG(0, ("error creating directory "
+                                         "%s: %s\n", dname, 
+                                         strerror(errno)));
+                               umask(old_umask);
+                               return False;
+                       }
+               } else {
+                       DEBUG(0, ("lstat failed on directory %s: %s\n",
+                                 dname, strerror(errno)));
+                       umask(old_umask);
+                       return False;
+               }
+       } else {
+               /* Check ownership and permission on existing directory */
+               if (!S_ISDIR(st.st_mode)) {
+                       DEBUG(0, ("directory %s isn't a directory\n",
+                               dname));
+                       umask(old_umask);
+                       return False;
+               }
+               if ((st.st_uid != uid) || 
+                   ((st.st_mode & 0777) != dir_perms)) {
+                       DEBUG(0, ("invalid permissions on directory "
+                                 "%s\n", dname));
+                       umask(old_umask);
+                       return False;
+               }
+       }
+       return True;
+}       
+
+
 /*******************************************************************
  Returns the size in bytes of the named file.
 ********************************************************************/
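Review bot: The success path of `directory_create_or_exist()` returns without restoring the umask: every failure branch calls `umask(old_umask)`, but the final `return True;` does not, so after a successful call the process is left with `umask(0)`. The caller added in source/winbind/wb_server.c runs this during task start-up, so anything the process creates afterwards would get exactly the mode the creating call requests, with nothing masked off. Add `umask(old_umask);` immediately before `return True;`, or send every exit through one cleanup label that restores it. The function also lacks the banner comment its neighbours have; a short one should state that a missing directory is created with `dir_perms`, and that an existing path must be a real directory (checked with `lstat`, so a symlink is rejected) owned by `uid` with exactly `dir_perms`.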
index 59dffb4841fdb3ebefa4d8c7621e44021db690ab..d1a1c3ab2e9fce13f38069f9e1470659efe99948 100644 (file)
@@ -43,21 +43,22 @@ everything: all
 
 showlayout: 
        @echo 'Samba will be installed into:'
-       @echo '  basedir: $(BASEDIR)'
-       @echo '  bindir:  $(BINDIR)'
-       @echo '  sbindir: $(SBINDIR)'
-       @echo '  libdir:  $(LIBDIR)'
+       @echo '  basedir:     $(BASEDIR)'
+       @echo '  bindir:      $(BINDIR)'
+       @echo '  sbindir:     $(SBINDIR)'
+       @echo '  libdir:      $(LIBDIR)'
        @echo '  modulesdir:  $(MODULESDIR)'
        @echo '  includedir:  $(INCLUDEDIR)'
-       @echo '  vardir:  $(VARDIR)'
+       @echo '  vardir:      $(VARDIR)'
        @echo '  privatedir:  $(PRIVATEDIR)'
-       @echo '  piddir:   $(PIDDIR)'
-       @echo '  lockdir:  $(LOCKDIR)'
-       @echo '  logfilebase:  $(LOGFILEBASE)'
-       @echo '  setupdir: $(SETUPDIR)'
-       @echo '  jsdir:    $(JSDIR)'
-       @echo '  swatdir:  $(SWATDIR)'
-       @echo '  mandir:   $(MANDIR)'
+       @echo '  piddir:      $(PIDDIR)'
+       @echo '  lockdir:     $(LOCKDIR)'
+       @echo '  logfilebase: $(LOGFILEBASE)'
+       @echo '  setupdir:    $(SETUPDIR)'
+       @echo '  jsdir:       $(JSDIR)'
+       @echo '  swatdir:     $(SWATDIR)'
+       @echo '  mandir:      $(MANDIR)'
+       @echo '  winbinddir:  $(WINBINDDIR)'
 
 showflags:
        @echo 'Samba will be compiled with flags:'
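Review bot: The new `winbinddir` line in `showlayout` expands `$(WINBINDDIR)`, but the variable this commit emits from makefile.pm and uses in `PATH_FLAGS` is `WINBINDD_SOCKET_DIR`. No `WINBINDDIR` is defined in the visible changes, so `make showlayout` would most likely print an empty value for the socket directory. Suggested line: `@echo '  winbindd_socket_dir: $(WINBINDD_SOCKET_DIR)'`. Showing the real value matters here because the layout output is where an installer would check that the socket directory sits in a suitably protected location.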
@@ -84,7 +85,7 @@ PATH_FLAGS = -DCONFIGFILE=\"$(CONFIGFILE)\"  -DSBINDIR=\"$(SBINDIR)\" \
         -DCONFIGDIR=\"$(CONFIGDIR)\" -DNCALRPCDIR=\"$(NCALRPCDIR)\" \
         -DSWATDIR=\"$(SWATDIR)\" -DPRIVATE_DIR=\"$(PRIVATEDIR)\" \
         -DMODULESDIR=\"$(MODULESDIR)\" -DJSDIR=\"$(JSDIR)\" \
-        -DSETUPDIR=\"$(SETUPDIR)\"
+        -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(WINBINDD_SOCKET_DIR)\"
 
 install: showlayout installbin installdat installswat installmisc installlib \
        installheader installpc
index 5b96dad15f48af1c5c0e1135e2c9bc586f685bd5..37695c6aa6bdb153cd3f14b41207a6fe4beaebaa 100644 (file)
@@ -27,7 +27,9 @@
 #define _WINBINDD_NTDOM_H
 
 #define WINBINDD_SOCKET_NAME "pipe"            /* Name of PF_UNIX socket */
+#ifndef WINBINDD_SOCKET_DIR
 #define WINBINDD_SOCKET_DIR  "/tmp/.winbindd"  /* Name of PF_UNIX dir */
+#endif
 #define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
 #define WINBINDD_DOMAIN_ENV  "WINBINDD_DOMAIN" /* Environment variables */
 #define WINBINDD_DONT_ENV    "_NO_WINBINDD"
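Review bot: The `#ifndef` fallback keeps `/tmp/.winbindd`, a path under a world-writable directory, for any client built without `-DWINBINDD_SOCKET_DIR`, and nothing at the definition says so. Going by the commit description, clients not linked against loadparm take this directory at compile time, whereas the server now reads 'winbindd socket directory' from configuration. Changing only the smb.conf value would therefore leave those clients connecting to the old location. A comment on the fallback would make the coupling explicit, for example `/* Fallback only: the build normally passes -DWINBINDD_SOCKET_DIR; must match the server's 'winbindd socket directory' */`.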
index bd01581eae2f2e24b498e3714d4c4ed1efcf0c99..96ba2bbc736795b7dfa1dcbe26cbb328d82835ea 100644 (file)
@@ -127,6 +127,7 @@ typedef struct
        char **server_services;
        char *ntptr_providor;
        char *szWinbindSeparator;
+       char *szWinbinddSocketDirectory;
        BOOL bWinbindSealedPipes;
        char *swat_directory;
        BOOL tls_enabled;
@@ -545,6 +546,7 @@ static struct parm_struct parm_table[] = {
        {"msdfs root", P_BOOL, P_LOCAL, &sDefault.bMSDfsRoot, NULL, NULL, FLAG_SHARE},
        {"host msdfs", P_BOOL, P_GLOBAL, &Globals.bHostMSDfs, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
        {"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER },
+       {"winbindd socket directory", P_STRING, P_GLOBAL, &Globals.szWinbinddSocketDirectory, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER },
        {"winbind sealed pipes", P_BOOL, P_GLOBAL, &Globals.bWinbindSealedPipes, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER },
 
        {NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
@@ -599,7 +601,7 @@ static void init_globals(void)
        do_parameter("max connections", "-1", NULL);
 
        do_parameter("dcerpc endpoint servers", "epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup", NULL);
-       do_parameter("server services", "smb rpc nbt wrepl ldap cldap web kdc", NULL);
+       do_parameter("server services", "smb rpc nbt wrepl ldap cldap web kdc winbind", NULL);
        do_parameter("ntptr providor", "simple_ldb", NULL);
        do_parameter("auth methods", "anonymous sam_ignoredomain", NULL);
        do_parameter("private dir", dyn_PRIVATE_DIR, NULL);
@@ -670,6 +672,7 @@ static void init_globals(void)
 
        do_parameter("winbind separator", "\\", NULL);
        do_parameter("winbind sealed pipes", "True", NULL);
+       do_parameter("winbindd socket directory", dyn_WINBINDD_SOCKET_DIR, NULL);
 
        do_parameter("client signing", "Yes", NULL);
        do_parameter("server signing", "auto", NULL);
@@ -820,6 +823,7 @@ FN_GLOBAL_STRING(lp_spoolss_url, &Globals.szSPOOLSS_URL)
 FN_GLOBAL_STRING(lp_wins_config_url, &Globals.szWINS_CONFIG_URL)
 FN_GLOBAL_STRING(lp_wins_url, &Globals.szWINS_URL)
 FN_GLOBAL_CONST_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
+FN_GLOBAL_CONST_STRING(lp_winbindd_socket_directory, &Globals.szWinbinddSocketDirectory)
 FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
 FN_GLOBAL_STRING(lp_private_dir, &Globals.szPrivateDir)
 FN_GLOBAL_STRING(lp_serverstring, &Globals.szServerString)
index 67797b17f42f13d75a8057d11f4c6ae61989dee7..dc5da9b61f5e360e5cce8138af71526cdb4338ac 100755 (executable)
@@ -59,6 +59,7 @@ PRIVATEDIR=$PREFIX_ABS/private
 NCALRPCDIR=$PREFIX_ABS/ncalrpc
 LOCKDIR=$PREFIX_ABS/lockdir
 TLSDIR=$PRIVATEDIR/tls
+WINBINDD_SOCKET_DIR=$PREFIX_ABS/winbind_socket
 CONFIGURATION="--configfile=$CONFFILE"
 export CONFIGURATION
 export CONFFILE
@@ -109,6 +110,7 @@ cat >$CONFFILE<<EOF
        lock dir = $LOCKDIR
        setup directory = $SRCDIR/setup
        js include = $SRCDIR/scripting/libjs
+        winbindd socket directory = $WINBINDD_SOCKET_DIR
        name resolve order = bcast
        interfaces = 127.0.0.1/8
        tls enabled = $TLS_ENABLED
index a08b0803342ff94079d7a7a178f71bdd3a7c33e9..9c045585832fd1764f3a0c33f127a6fb2fd87e9f 100644 (file)
@@ -123,9 +123,11 @@ static void winbind_task_init(struct task_server *task)
                return;
        }
 
-       /* Make sure the directory for NCALRPC exists */
-       if (!directory_exist(WINBINDD_DIR)) {
-               mkdir(WINBINDD_DIR, 0755);
+       /* Make sure the directory for the Samba3 socket exists, and is of the correct permissions */
+       if (!directory_create_or_exist(lp_winbindd_socket_directory(), geteuid(), 0755)) {
+               task_server_terminate(task,
+                                     "Cannot create winbindd pipe directory");
+               return;
        }
 
        service = talloc_zero(task, struct wbsrv_service);
@@ -143,7 +145,9 @@ static void winbind_task_init(struct task_server *task)
        /* setup the unprivileged samba3 socket */
        listen_socket = talloc(service, struct wbsrv_listen_socket);
        if (!listen_socket) goto nomem;
-       listen_socket->socket_path      = WINBINDD_SAMBA3_SOCKET;
+       listen_socket->socket_path      = talloc_asprintf(listen_socket, "%s/%s", 
+                                                         lp_winbindd_socket_directory(), 
+                                                         WINBINDD_SAMBA3_SOCKET);
        if (!listen_socket->socket_path) goto nomem;
        listen_socket->service          = service;
        listen_socket->privileged       = False;
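Review bot: The path built by the new `talloc_asprintf` call has an administrator-controlled length, and nothing in this hunk checks it against the size of `sun_path` in `struct sockaddr_un`. Whether the socket layer rejects or truncates an over-long path is not visible here, so an explicit length check before listening would make that failure unambiguous. The directory is also fetched by a second `lp_winbindd_socket_directory()` call instead of reusing the value that was passed to `directory_create_or_exist()`; holding it in one local guarantees that the checked directory and the bound path are the same. Finally, `WINBINDD_SAMBA3_SOCKET` is now a separate `"pipe"` literal although nsswitch/winbindd_nss.h already defines `WINBINDD_SOCKET_NAME "pipe"` for clients, so using that macro would stop the two names drifting apart. `winbind_task_init` continues outside the hunk.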
index 15fee0853ca80997a5ceca296537679dad3ae478..7906e52de694620a3e108fefeb6991513dcb054d 100644 (file)
 
 #include "nsswitch/winbindd_nss.h"
 
-#define WINBINDD_DIR "/tmp/.winbindd/"
-#define WINBINDD_SOCKET WINBINDD_DIR"socket"
-/* the privileged socket is in smbd_tmp_dir() */
-#define WINBINDD_PRIVILEGED_SOCKET "winbind_socket"
 
-#define WINBINDD_SAMBA3_SOCKET WINBINDD_DIR"pipe"
+
+#define WINBINDD_SAMBA3_SOCKET "pipe"
 /* the privileged socket is in smbd_tmp_dir() */
 #define WINBINDD_SAMBA3_PRIVILEGED_SOCKET "winbind_pipe"