This changes the winbind protcol a bit:
authorAndrew Bartlett <abartlet@samba.org>
Thu, 10 Jan 2002 10:23:54 +0000 (10:23 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 10 Jan 2002 10:23:54 +0000 (10:23 +0000)
It adds a 'ping' request, just to check winbind is in fact alive

It also changes winbindd_pam_auth_crap to take usernames and domain separately.

(backward incompatible change, needs merge to 2.2, but this is not yet released
code, so no workarounds)

Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do
it).

Andrew Bartlett

source/nsswitch/wbinfo.c
source/nsswitch/winbindd.c
source/nsswitch/winbindd_misc.c
source/nsswitch/winbindd_nss.h
source/nsswitch/winbindd_pam.c
source/nsswitch/winbindd_proto.h

index 9c012eb85da84e0d7eb90c46fffb818a4ed5a4c2..56cccee3b8e90deb29123882b49e2cb2fadbd9be 100644 (file)
@@ -31,6 +31,23 @@ NSS_STATUS winbindd_request(int req_type,
                            struct winbindd_request *request,
                            struct winbindd_response *response);
 
+/* Copy of parse_domain_user from winbindd_util.c.  Parse a string of the
+   form DOMAIN/user into a domain and a user */
+
+static BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
+{
+       char *p = strchr(domuser,*lp_winbind_separator());
+
+       if (!p)
+               return False;
+        
+       fstrcpy(user, p+1);
+       fstrcpy(domain, domuser);
+       domain[PTR_DIFF(p, domuser)] = 0;
+       strupper(domain);
+       return True;
+}
+
 /* List groups a user is a member of */
 
 static BOOL wbinfo_get_usergroups(char *user)
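Review bot: The write `domain[PTR_DIFF(p, domuser)] = 0;` in parse_domain_user indexes by the separator's offset in the caller's string, not by a position known to lie inside the copied buffer. fstrcpy appears to bound the copy to the size of an fstring, so when the separator sits beyond that size the terminator is written outside `domain`. Since domuser in wbinfo is a command-line argument of arbitrary length, I would reject that case up front: `if (!p || PTR_DIFF(p, domuser) >= sizeof(fstring)) return False;`. The comment says this is a copy of the routine in winbindd_util.c, which this page does not show; if it is written the same way it needs the same guard.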
@@ -282,8 +299,10 @@ static BOOL wbinfo_auth(char *username)
         * Don't do the lookup if the name has no separator.
         */
  
-       if (!strchr(username, *lp_winbind_separator()))
+       if (!strchr(username, *lp_winbind_separator())) {
+               printf("no domain seperator (%s) in username - failing\n", lp_winbind_separator());
                return False;
+       }
 
        /* Send off request */
 
@@ -317,6 +336,8 @@ static BOOL wbinfo_auth_crap(char *username)
        struct winbindd_request request;
        struct winbindd_response response;
         NSS_STATUS result;
+        fstring name_user;
+        fstring name_domain;
         fstring pass;
         char *p;
 
@@ -324,8 +345,10 @@ static BOOL wbinfo_auth_crap(char *username)
         * Don't do the lookup if the name has no separator.
         */
  
-       if (!strchr(username, *lp_winbind_separator()))
+       if (!strchr(username, *lp_winbind_separator())) {
+               printf("no domain seperator (%s) in username - failing\n", lp_winbind_separator());
                return False;
+       }
 
        /* Send off request */
 
@@ -336,11 +359,14 @@ static BOOL wbinfo_auth_crap(char *username)
 
         if (p) {
                 *p = 0;
-                fstrcpy(request.data.auth_crap.user, username);
                 fstrcpy(pass, p + 1);
-                *p = '%';
-        } else
-                fstrcpy(request.data.auth_crap.user, username);
+       }
+               
+       parse_domain_user(username, name_domain, name_user);
+
+       fstrcpy(request.data.auth_crap.user, name_user);
+
+       fstrcpy(request.data.auth_crap.domain, name_domain);
 
        generate_random_buffer(request.data.auth_crap.chal, 8, False);
         
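Review bot: The result of `parse_domain_user(username, name_domain, name_user)` is ignored, so when it fails name_user and name_domain are copied into the request uninitialised. The earlier separator check runs on the full argument, while this call runs after `*p = 0` has cut the string (apparently at the `%` that starts the password; p is assigned outside the hunk). A separator that occurs only in the password part would therefore pass the first check and fail here. Suggest `if (!parse_domain_user(username, name_domain, name_user)) return False;`. wbinfo_auth_crap starts and ends outside this hunk.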
@@ -447,6 +473,20 @@ static BOOL wbinfo_set_auth_user(char *username)
        return True;
 }
 
+static BOOL wbinfo_ping(void)
+{
+        NSS_STATUS result;
+       
+       result = winbindd_request(WINBINDD_PING, NULL, NULL);
+
+       /* Display response */
+
+        printf("'ping' to winbindd %s\n", 
+               (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
+
+        return result == NSS_STATUS_SUCCESS;
+}
+
 /* Print program usage */
 
 static void usage(void)
@@ -465,6 +505,7 @@ static void usage(void)
        printf("\t-m\t\t\tlist trusted domains\n");
        printf("\t-r user\t\t\tget user groups\n");
        printf("\t-a user%%password\tauthenticate user\n");
+       printf("\t-p 'ping' winbindd to see if it is alive\n");
 }
 
 /* Main program */
@@ -500,6 +541,7 @@ int main(int argc, char **argv)
                { "user-groups", 'r', POPT_ARG_STRING, &string_arg, 'r' },
                { "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a' },
                { "set-auth-user", 0, POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER },
+               { "ping", 'p', POPT_ARG_NONE, 0, 'p' },
                { 0, 0, 0, 0 }
        };
 
@@ -640,6 +682,14 @@ int main(int argc, char **argv)
                                 return 1;
                         break;
                }
+                case 'p': {
+
+                        if (!wbinfo_ping()) {
+                                printf("could not ping winbindd!\n");
+                                return 1;
+                       }
+                        break;
+               }
                case OPT_SET_AUTH_USER:
                        if (!(wbinfo_set_auth_user(string_arg))) {
                                return 1;
index 7da20d8b01af4dfd004aa481af4e2a6735a43fae..631b71961d922d6639c0045efa062f2960dabcd8 100644 (file)
@@ -329,6 +329,7 @@ static struct dispatch_table dispatch_table[] = {
        /* Miscellaneous */
 
        { WINBINDD_CHECK_MACHACC, winbindd_check_machine_acct, "CHECK_MACHACC" },
+       { WINBINDD_PING, winbindd_ping, "PING" },
 
        /* End of list */
 
index 2718a753856a2864ea4e2019c340ae3e8eecf1f0..2cfea9bbb681f65b33c2d98563f5dfeedf010e84 100644 (file)
@@ -31,18 +31,9 @@ extern pstring global_myname;
 static BOOL _get_trust_account_password(char *domain, unsigned char *ret_pwd, 
                                        time_t *pass_last_set_time)
 {
-       struct machine_acct_pass *pass;
-       size_t size;
-
-       if (!(pass = secrets_fetch(trust_keystr(domain), &size)) ||
-           size != sizeof(*pass)) 
+       if (!secrets_fetch_trust_account_password(domain, ret_pwd, pass_last_set_time)) {
                 return False;
-        
-       if (pass_last_set_time) 
-                *pass_last_set_time = pass->mod_time;
-
-       memcpy(ret_pwd, pass->hash, 16);
-       SAFE_FREE(pass);
+       }
 
        return True;
 }
@@ -150,3 +141,11 @@ enum winbindd_result winbindd_list_trusted_domains(struct winbindd_cli_state
 
        return WINBINDD_OK;
 }
+
+enum winbindd_result winbindd_ping(struct winbindd_cli_state
+                                                  *state)
+{
+       DEBUG(3, ("[%5d]: ping\n", state->pid));
+
+       return WINBINDD_OK;
+}
index 07c67dd5581bf5fec387f8625130d96943ef1fb6..4d836a21cfcd2dc42d372a6b8fd9cd8fafd88246 100644 (file)
@@ -83,6 +83,7 @@ enum winbindd_cmd {
        /* Miscellaneous other stuff */
 
        WINBINDD_CHECK_MACHACC,     /* Check machine account pw works */
+       WINBINDD_PING,              /* Just tell me winbind is running */
 
        /* Placeholder for end of cmd list */
 
@@ -107,6 +108,7 @@ struct winbindd_request {
                 struct {
                         unsigned char chal[8];
                         fstring user;
+                        fstring domain;
                         fstring lm_resp;
                         uint16 lm_resp_len;
                         fstring nt_resp;
index f168ce9e35025bbfa624c374d614a892dd1c8a38..87086586ec79a10bd5dfd3c30faadeca4d31d8b4 100644 (file)
@@ -53,10 +53,12 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
        }
 
        /* Parse domain and username */
-
+       
        if (!parse_domain_user(state->request.data.auth.user, name_domain, 
-                          name_user))
+                              name_user)) {
+               DEBUG(5,("no domain seperator (%s) in username (%s) - failing fauth\n", lp_winbind_separator(), state->request.data.auth.user));
                return WINBINDD_ERROR;
+       }
 
        passlen = strlen(state->request.data.auth.pass);
                
@@ -71,8 +73,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
                
                SMBNTencrypt((const uchar *)state->request.data.auth.pass, chal, local_nt_response);
 
-               lm_resp = data_blob(local_lm_response, sizeof(local_lm_response));
-               nt_resp = data_blob(local_nt_response, sizeof(local_nt_response));
+               lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
+               nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
        }
        
        /*
@@ -106,8 +108,6 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
                                                &info3);
         
 done:
-       data_blob_free(&lm_resp);
-       data_blob_free(&nt_resp);
 
        cli_shutdown(cli);
 
@@ -115,13 +115,12 @@ done:
        
        return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
-
+       
 /* Challenge Response Authentication Protocol */
 
 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
 {
        NTSTATUS result;
-       fstring name_domain, name_user;
        unsigned char trust_passwd[16];
        time_t last_change_time;
         NET_USER_INFO_3 info3;
@@ -132,23 +131,16 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
        extern pstring global_myname;
 
-       DEBUG(3, ("[%5d]: pam auth crap %s\n", state->pid,
-                 state->request.data.auth_crap.user));
+       DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
+                 state->request.data.auth_crap.user, state->request.data.auth_crap.user));
 
-       if (!(mem_ctx = talloc_init_named("winbind pam auth for %s", state->request.data.auth.user))) {
+       if (!(mem_ctx = talloc_init_named("winbind pam auth crap for %s", state->request.data.auth.user))) {
                DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
                return WINBINDD_ERROR;
        }
 
-       /* Parse domain and username */
-       if (!parse_domain_user(state->request.data.auth_crap.user, name_domain, 
-                              name_user))
-               return WINBINDD_ERROR;
-       
-       
-       
-       lm_resp = data_blob(state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
-       nt_resp = data_blob(state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
+       lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
+       nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
        
        /*
         * Get the machine account password for our primary domain
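Review bot: `lm_resp_len` and `nt_resp_len` come from the client's request and go straight into data_blob_talloc() as copy lengths. They are uint16 fields while the buffers are fstrings, so an oversized length would copy memory beyond the field into the blob handed to the netlogon call. With parse_domain_user removed from this function, `auth_crap.user` and `auth_crap.domain` reach DEBUG and, in the later hunk, cli_netlogon_sam_network_logon without any bounded copy, so they should be force-terminated first. The DEBUG line also passes `auth_crap.user` for both `%s`; the first argument should be `auth_crap.domain`. The talloc context name still reads `data.auth.user` rather than `data.auth_crap.user`, and the function continues outside the hunk.

```c
	/* Strings and lengths below are supplied by the client: bound them before use */
	state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user) - 1] = '\0';
	state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain) - 1] = '\0';

	DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
		  state->request.data.auth_crap.domain, state->request.data.auth_crap.user));

	if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
	    || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
		DEBUG(0, ("winbindd_pam_auth_crap: invalid response length %d/%d\n",
			  state->request.data.auth_crap.lm_resp_len,
			  state->request.data.auth_crap.nt_resp_len));
		return WINBINDD_ERROR;
	}

	/* … unchanged: talloc_init_named() and the data_blob_talloc() calls … */
```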
@@ -171,7 +163,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
         }
 
        result = cli_netlogon_sam_network_logon(cli, mem_ctx,
-                                               name_user, name_domain, 
+                                               state->request.data.auth_crap.user, state->request.data.auth_crap.domain, 
                                                global_myname, state->request.data.auth_crap.chal, 
                                                lm_resp, nt_resp, 
                                                &info3);
index ac72768ea43cb7d9562a2b7ce32cf603a2d1781c..bedd5a03525405a0c0cc8547811c2df822e8e5b5 100644 (file)
@@ -68,6 +68,8 @@ void winbindd_idmap_status(void);
 enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *state);
 enum winbindd_result winbindd_list_trusted_domains(struct winbindd_cli_state
                                                   *state);
+enum winbindd_result winbindd_ping(struct winbindd_cli_state
+                                                  *state);
 
 /* The following definitions come from nsswitch/winbindd_pam.c  */