-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Attached are patches for wbcLogoffUser() & wbcLookupDomainController()
again v3-3-test. This incorporates the comments from previous
discussions.
One comment, I left the ticket cache path in wbcLogoffUser()
in order to prevent having to link krb5 client libs in
libwbclient.so just to resolve the krb5_ccname and also to
allow nmore flexibility for root user to be able to logoff
a user and remove the user's ccache. The alternative is to
set a flag and just have winbindd do this internally and
not allow an arbitrary ccname passed across in the call.
I'll lookat the wbcLogonUser() next. but that is really just
wbcAuthenticateUser() and passing back a blob. Also need to
review passing back the krb5 ccache path name in
wbcAuthenticateUser() so this might just be a generic extension
to that call.
The wbcChangePassword() should be easy following that.
So that should finish up everything we've discussed so far.
Note: the patches are against v3-3-test but based on the
discussion people seemed to prefer to get this into v3-2-test
if the work was completed before the rc1 release on the 23rd.
Correct?
cheers, jerry
- --
=====================================================================
Samba -------
http://www.samba.orgLikewise Software ---------
http://www.likewisesoftware.com"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.orgiD8DBQFIKNC2IR7qMdg1EfYRAqSHAKC0T29gW2MEmR/V07yo3E86kb0qrACgklL7
vh+MeS+SIPMbgPsjXSjOJ+g=
=XGqD
-----END PGP SIGNATURE-----
>From 0ee3a5fa3664d0a3db15a32c5856816e6e16f50c Mon Sep 17 00:00:00 2001
From: coffeedude <
coffeedude@...>
Date: Mon, 12 May 2008 17:57:04 -0500
Subject: [PATCH] libwbclient: Add wbcLogoffUser() and wbcLookupDomainController().
Add new APIs calls for WINBINDD_PAM_LOGOFF and WINBINDD_DSGETDCNAME
ops.
---
source/nsswitch/libwbclient/wbc_pam.c | 55 ++++++++++++++++++++++++++++++
source/nsswitch/libwbclient/wbc_util.c | 58 ++++++++++++++++++++++++++++++++
source/nsswitch/libwbclient/wbclient.c | 4 ++
source/nsswitch/libwbclient/wbclient.h | 43 +++++++++++++++++++++++-
4 files changed, 159 insertions(+), 1 deletions(-)
diff --git a/source/nsswitch/libwbclient/wbc_pam.c b/source/nsswitch/libwbclient/wbc_pam.c
index a0e91fa..0c5d896 100644
--- a/source/nsswitch/libwbclient/wbc_pam.c
+++ b/source/nsswitch/libwbclient/wbc_pam.c
@@ -470,3 +470,58 @@ wbcErr wbcCheckTrustCredentials(const char *domain,
done:
return wbc_status;
}
+
+/** @brief Trigger a logoff notification to Winbind for a specific user
+ *
+ * @param username Name of user to remove from Winbind's list of
+ * logged on users.
+ * @param ccfilename Absolute path to the Krb5 credentials cache to
+ * be removed
+ *
+ * @return #wbcErr
+ *
+ **/
+
+wbcErr wbcLogoffUser(const char *username, const char *ccfilename)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+ struct passwd *pw = NULL;
+
+ /* validate input */
+
+ if (!username) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+
+ if ((pw = getpwnam(username)) == NULL) {
+ wbc_status = WBC_ERR_UNKNOWN_USER;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
+ strncpy(request.data.logoff.user, username,
+ sizeof(request.data.logoff.user)-1);
+ request.data.logoff.uid = pw->pw_uid;
+
+ if (ccfilename) {
+ strncpy(request.data.logoff.krb5ccname, ccfilename,
+ sizeof(request.data.logoff.krb5ccname)-1);
+ }
+
+ /* Send request */
+
+ wbc_status = wbcRequestResponse(WINBINDD_PAM_LOGOFF,
+ &request,
+ &response);
+
+ /* Take the response above and return it to the caller */
+
+ done:
+ return wbc_status;
+}
diff --git a/source/nsswitch/libwbclient/wbc_util.c b/source/nsswitch/libwbclient/wbc_util.c
index 3afd8a2..1fef660 100644
--- a/source/nsswitch/libwbclient/wbc_util.c
+++ b/source/nsswitch/libwbclient/wbc_util.c
@@ -492,3 +492,61 @@ wbcErr wbcListTrusts(struct wbcDomainInfo **domains, size_t *num_domains)
return wbc_status;
}
+
+/** @brief Enumerate the domain trusts known by Winbind
+ *
+ * @param domain Name of the domain to query for a DC
+ * @flags Bit flags used to control the domain location query
+ * @param *dc_info Pointer to the returned domain controller information
+ *
+ * @return #wbcErr
+ *
+ **/
+
+
+
+wbcErr wbcLookupDomainController(const char *domain,
+ uint32_t flags,
+ struct wbcDomainControllerInfo **dc_info)
+{
+ wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+ struct winbindd_request request;
+ struct winbindd_response response;
+ struct wbcDomainControllerInfo *dc = NULL;
+
+ /* validate input params */
+
+ if (!domain || !dc_info) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ strncpy(request.domain_name, domain, sizeof(request.domain_name)-1);
+
+ request.flags = flags;
+
+ dc = talloc(NULL, struct wbcDomainControllerInfo);
+ BAIL_ON_PTR_ERROR(dc, wbc_status);
+
+ /* Send request */
+
+ wbc_status = wbcRequestResponse(WINBINDD_DSGETDCNAME,
+ &request,
+ &response);
+ BAIL_ON_WBC_ERROR(wbc_status);
+
+ dc->dc_name = talloc_strdup(dc, response.data.dc_name);
+ BAIL_ON_PTR_ERROR(dc->dc_name, wbc_status);
+
+ *dc_info = dc;
+
+done:
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ talloc_free(dc);
+ }
+
+ return wbc_status;
+}
diff --git a/source/nsswitch/libwbclient/wbclient.c b/source/nsswitch/libwbclient/wbclient.c
index 9383fd5..6403c15 100644
--- a/source/nsswitch/libwbclient/wbclient.c
+++ b/source/nsswitch/libwbclient/wbclient.c
@@ -110,6 +110,10 @@ const char *wbcErrorString(wbcErr error)
return "WBC_ERR_INVALID_RESPONSE";
case WBC_ERR_NSS_ERROR:
return "WBC_ERR_NSS_ERROR";
+ case WBC_ERR_UNKNOWN_USER:
+ return "WBC_ERR_UNKNOWN_USER";
+ case WBC_ERR_UNKNOWN_GROUP:
+ return "WBC_ERR_UNKNOWN_GROUP";
case WBC_ERR_AUTH_ERROR:
return "WBC_ERR_AUTH_ERROR";
}
diff --git a/source/nsswitch/libwbclient/wbclient.h b/source/nsswitch/libwbclient/wbclient.h
index f236c43..469cb02 100644
--- a/source/nsswitch/libwbclient/wbclient.h
+++ b/source/nsswitch/libwbclient/wbclient.h
@@ -42,7 +42,9 @@ enum _wbcErrType {
WBC_ERR_DOMAIN_NOT_FOUND, /**< Domain is not trusted or cannot be found **/
WBC_ERR_INVALID_RESPONSE, /**< Winbind returned an invalid response **/
WBC_ERR_NSS_ERROR, /**< NSS_STATUS error **/
- WBC_ERR_AUTH_ERROR /**< Authentication failed **/
+ WBC_ERR_AUTH_ERROR, /**< Authentication failed **/
+ WBC_ERR_UNKNOWN_USER, /**< User account cannot be found */
+ WBC_ERR_UNKNOWN_GROUP /**< Group account cannot be found */
};
typedef enum _wbcErrType wbcErr;
@@ -290,6 +292,15 @@ struct wbcAuthErrorInfo {
};
/*
+ * DomainControllerInfo struct
+ */
+struct wbcDomainControllerInfo {
+ char *dc_name;
+};
+
+
+
+/*
* Memory Management
*/
@@ -411,6 +422,31 @@ wbcErr wbcDomainInfo(const char *domain,
wbcErr wbcListTrusts(struct wbcDomainInfo **domains,
size_t *num_domains);
+/* Flags for wbcLookupDomainController */
+
+#define WBC_LOOKUP_DC_FORCE_REDISCOVERY 0x00000001
+#define WBC_LOOKUP_DC_DS_REQUIRED 0x00000010
+#define WBC_LOOKUP_DC_DS_PREFERRED 0x00000020
+#define WBC_LOOKUP_DC_GC_SERVER_REQUIRED 0x00000040
+#define WBC_LOOKUP_DC_PDC_REQUIRED 0x00000080
+#define WBC_LOOKUP_DC_BACKGROUND_ONLY 0x00000100
+#define WBC_LOOKUP_DC_IP_REQUIRED 0x00000200
+#define WBC_LOOKUP_DC_KDC_REQUIRED 0x00000400
+#define WBC_LOOKUP_DC_TIMESERV_REQUIRED 0x00000800
+#define WBC_LOOKUP_DC_WRITABLE_REQUIRED 0x00001000
+#define WBC_LOOKUP_DC_GOOD_TIMESERV_PREFERRED 0x00002000
+#define WBC_LOOKUP_DC_AVOID_SELF 0x00004000
+#define WBC_LOOKUP_DC_ONLY_LDAP_NEEDED 0x00008000
+#define WBC_LOOKUP_DC_IS_FLAT_NAME 0x00010000
+#define WBC_LOOKUP_DC_IS_DNS_NAME 0x00020000
+#define WBC_LOOKUP_DC_TRY_NEXTCLOSEST_SITE 0x00040000
+#define WBC_LOOKUP_DC_DS_6_REQUIRED 0x00080000
+#define WBC_LOOKUP_DC_RETURN_DNS_NAME 0x40000000
+#define WBC_LOOKUP_DC_RETURN_FLAT_NAME 0x80000000
+
+wbcErr wbcLookupDomainController(const char *domain,
+ uint32_t flags,
+ struct wbcDomainControllerInfo **dc_info);
/*
* Athenticate functions
@@ -423,6 +459,10 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
struct wbcAuthUserInfo **info,
struct wbcAuthErrorInfo **error);
+wbcErr wbcLogoffUser(const char *username,
+ const char *ccfilename);
+
+
/*
* Resolve functions
*/
@@ -435,4 +475,5 @@ wbcErr wbcResolveWinsByIP(const char *ip, char **name);
wbcErr wbcCheckTrustCredentials(const char *domain,
struct wbcAuthErrorInfo **error);
+
#endif /* _WBCLIENT_H */
--
1.5.4.3
>From ae42921e1637025d31fd173fe3c7e8e9dffa4d26 Mon Sep 17 00:00:00 2001
From: coffeedude <
coffeedude@...>
Date: Mon, 12 May 2008 17:58:35 -0500
Subject: [PATCH] libwbclient: Abstract the DS_XXX flags for DsGetDcName().
The wbcLookupDomainController() call supports a set of flags
defined in wbclient.h. Add a mapping function between these
flags and the original DS_XXX flags in order to prevent having
to include the generated RPC headers in wbclient.h.
---
source/winbindd/winbindd.h | 1 +
source/winbindd/winbindd_locator.c | 46 +++++++++++++++++++++++++++++++++++-
2 files changed, 46 insertions(+), 1 deletions(-)
diff --git a/source/winbindd/winbindd.h b/source/winbindd/winbindd.h
index 0840e58..301d877 100644
--- a/source/winbindd/winbindd.h
+++ b/source/winbindd/winbindd.h
@@ -24,6 +24,7 @@
#define _WINBINDD_H
#include "nsswitch/winbind_struct_protocol.h"
+#include "nsswitch/libwbclient/wbclient.h"
#ifdef HAVE_LIBNSCD
#include <libnscd.h>
diff --git a/source/winbindd/winbindd_locator.c b/source/winbindd/winbindd_locator.c
index 709fbcc..72d3a4d 100644
--- a/source/winbindd/winbindd_locator.c
+++ b/source/winbindd/winbindd_locator.c
@@ -54,12 +54,54 @@ void winbindd_dsgetdcname(struct winbindd_cli_state *state)
sendto_child(state, locator_child());
}
+struct wbc_flag_map {
+ uint32_t wbc_dc_flag;
+ uint32_t ds_dc_flags;
+};
+
+static uint32_t get_dsgetdc_flags(uint32_t wbc_flags)
+{
+ struct wbc_flag_map lookup_dc_flags[] = {
+ { WBC_LOOKUP_DC_FORCE_REDISCOVERY, DS_FORCE_REDISCOVERY },
+ { WBC_LOOKUP_DC_DS_REQUIRED, DS_DIRECTORY_SERVICE_REQUIRED },
+ { WBC_LOOKUP_DC_DS_PREFERRED, DS_DIRECTORY_SERVICE_PREFERRED},
+ { WBC_LOOKUP_DC_GC_SERVER_REQUIRED, DS_GC_SERVER_REQUIRED },
+ { WBC_LOOKUP_DC_PDC_REQUIRED, DS_PDC_REQUIRED},
+ { WBC_LOOKUP_DC_BACKGROUND_ONLY, DS_BACKGROUND_ONLY },
+ { WBC_LOOKUP_DC_IP_REQUIRED, DS_IP_REQUIRED },
+ { WBC_LOOKUP_DC_KDC_REQUIRED, DS_KDC_REQUIRED },
+ { WBC_LOOKUP_DC_TIMESERV_REQUIRED, DS_TIMESERV_REQUIRED },
+ { WBC_LOOKUP_DC_WRITABLE_REQUIRED, DS_WRITABLE_REQUIRED },
+ { WBC_LOOKUP_DC_GOOD_TIMESERV_PREFERRED, DS_GOOD_TIMESERV_PREFERRED },
+ { WBC_LOOKUP_DC_AVOID_SELF, DS_AVOID_SELF },
+ { WBC_LOOKUP_DC_ONLY_LDAP_NEEDED, DS_ONLY_LDAP_NEEDED },
+ { WBC_LOOKUP_DC_IS_FLAT_NAME, DS_IS_FLAT_NAME },
+ { WBC_LOOKUP_DC_IS_DNS_NAME, DS_IS_DNS_NAME },
+ { WBC_LOOKUP_DC_TRY_NEXTCLOSEST_SITE, DS_TRY_NEXTCLOSEST_SITE },
+ { WBC_LOOKUP_DC_DS_6_REQUIRED, DS_DIRECTORY_SERVICE_6_REQUIRED },
+ { WBC_LOOKUP_DC_RETURN_DNS_NAME, DS_RETURN_DNS_NAME },
+ { WBC_LOOKUP_DC_RETURN_FLAT_NAME, DS_RETURN_FLAT_NAME }
+ };
+ uint32_t ds_flags = 0;
+ int i = 0 ;
+ int num_entries = sizeof(lookup_dc_flags) / sizeof(struct wbc_flag_map);
+
+ for (i=0; i<num_entries; i++) {
+ if (wbc_flags & lookup_dc_flags[i].wbc_dc_flag)
+ ds_flags |= lookup_dc_flags[i].ds_dc_flags;
+ }
+
+ return ds_flags;
+}
+
+
static enum winbindd_result dual_dsgetdcname(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
NTSTATUS result;
struct netr_DsRGetDCNameInfo *info = NULL;
const char *dc = NULL;
+ uint32_t ds_flags = 0;
state->request.domain_name
[sizeof(state->request.domain_name)-1] = '\0';
@@ -67,9 +109,11 @@ static enum winbindd_result dual_dsgetdcname(struct winbindd_domain *domain,
DEBUG(3, ("[%5lu]: dsgetdcname for %s\n", (unsigned long)state->pid,
state->request.domain_name));
+ ds_flags = get_dsgetdc_flags(state->request.flags);
+
result = dsgetdcname(state->mem_ctx, winbind_messaging_context(),
state->request.domain_name,
- NULL, NULL, state->request.flags, &info);
+ NULL, NULL, ds_flags, &info);
if (!NT_STATUS_IS_OK(result)) {
return WINBINDD_ERROR;
--
1.5.4.3
signature.asc (257 bytes) 