Fix for bug #5551, smbd recursing back into winbindd from a winbindd call.
[samba.git] / source / auth / auth_util.c
index 7013285809c1e4d32f379c10747f1c74c405328b..115a6e9ad205bf4370dcdd66bcfe7cae80a6bd45 100644 (file)
@@ -485,27 +485,51 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
        return result;
 }
 
+/***************************************************************************
+ Is the incoming username our own machine account ?
+ If so, the connection is almost certainly from winbindd.
+***************************************************************************/
+
+static bool is_our_machine_account(const char *username)
+{
+       bool ret;
+       char *truncname = NULL;
+       size_t ulen = strlen(username);
+
+       if (ulen == 0 || username[ulen-1] != '$') {
+               return false;
+       }
+       truncname = SMB_STRDUP(username);
+       if (!truncname) {
+               return false;
+       }
+       truncname[ulen-1] = '\0';
+       ret = strequal(truncname, global_myname());
+       SAFE_FREE(truncname);
+       return ret;
+}
+
 /***************************************************************************
  Make (and fill) a user_info struct from a struct samu
 ***************************************************************************/
 
-NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, 
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
                              struct samu *sampass)
 {
-       NTSTATUS status;
        struct passwd *pwd;
        gid_t *gids;
        auth_serversupplied_info *result;
        int i;
        size_t num_gids;
        DOM_SID unix_group_sid;
-       
+       const char *username = pdb_get_username(sampass);
+       NTSTATUS status;
 
        if ( !(result = make_server_info(NULL)) ) {
                return NT_STATUS_NO_MEMORY;
        }
 
-       if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
+       if ( !(pwd = getpwnam_alloc(result, username)) ) {
                DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
                          pdb_get_username(sampass)));
                TALLOC_FREE(result);
@@ -520,21 +544,50 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
        talloc_steal(result, pwd->pw_name);
        result->gid = pwd->pw_gid;
        result->uid = pwd->pw_uid;
-       
+
        TALLOC_FREE(pwd);
 
-       status = pdb_enum_group_memberships(result, sampass,
+       if (IS_DC && is_our_machine_account(username)) {
+               /*
+                * Ensure for a connection from our own
+                * machine account (from winbindd on a DC)
+                * there are no supplementary groups.
+                * Prevents loops in calling gid_to_sid().
+                */
+               result->sids = NULL;
+               gids = NULL;
+               result->num_sids = 0;
+
+               /*
+                * This is a hack of monstrous proportions.
+                * If we know it's winbindd talking to us,
+                * we know we must never recurse into it,
+                * so turn off contacting winbindd for this
+                * entire process. This will get fixed when
+                * winbindd doesn't need to talk to smbd on
+                * a PDC. JRA.
+                */
+
+               winbind_off();
+
+               DEBUG(10, ("make_server_info_sam: our machine account %s "
+                       "setting supplementary group list empty and "
+                       "turning off winbindd requests.\n",
+                       username));
+       } else {
+               status = pdb_enum_group_memberships(result, sampass,
                                            &result->sids, &gids,
                                            &result->num_sids);
 
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
-                          nt_errstr(status)));
-               result->sam_account = NULL; /* Don't free on error exit. */
-               TALLOC_FREE(result);
-               return status;
+               if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
+                                  nt_errstr(status)));
+                       result->sam_account = NULL; /* Don't free on error exit. */
+                       TALLOC_FREE(result);
+                       return status;
+               }
        }
-       
+
        /* Add the "Unix Group" SID for each gid to catch mapped groups
           and their Unix equivalent.  This is to solve the backwards 
           compatibility problem of 'valid users = +ntadmin' where