nsswitch: Don't enumerate all domains with wbinfo -u|-g.

By default wbinfo -u|-g should only enumerate the domain winbindd is
joined to. The command can be harmfull if you have e.g. 30 domains and
700k users. Then the parent will collect all information and the
oom-killer will kill winbind. As we still want to support it, you can
enable it the old behaviour with wbinfo --domain='*' -u. This is
a measure that sysadmins don't shoot themself.

https://bugzilla.samba.org/show_bug.cgi?id=10034

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 11:54:58 CEST 2013 on sn-devel-104

docs-xml/manpages/wbinfo.1.xml

@@ -146,8 +146,9 @@
 		<listitem><para>This parameter sets the domain on which any specified
 		operations will performed.  If special domain name '.' is used to represent
 		the current domain to which <citerefentry><refentrytitle>winbindd</refentrytitle>
-		<manvolnum>8</manvolnum></citerefentry> belongs.  Currently only the
+		<manvolnum>8</manvolnum></citerefentry> belongs. A '*' as the domain name
-		<option>-u</option>, and <option>-g</option> options honor this parameter.
+		means to enumerate over all domains (NOTE: This can take a long time and use
+		a lot of memory).
 		</para></listitem>
 		</varlistentry>
 
@@ -181,7 +182,7 @@
 		<listitem><para>This option will list all groups available
 		in the Windows NT domain for which the <citerefentry><refentrytitle>samba</refentrytitle>
 		<manvolnum>7</manvolnum></citerefentry> daemon is operating in. Groups in all trusted domains
-		will also be listed.  Note that this operation does not assign
+		can be listed with the --domain='*' option.  Note that this operation does not assign
 		group ids to any groups that have not already been
 		seen by <citerefentry><refentrytitle>winbindd</refentrytitle>
 		<manvolnum>8</manvolnum></citerefentry>. </para></listitem>
@@ -390,7 +391,7 @@
 		<listitem><para>This option will list all users available
 		in the Windows NT domain for which the <citerefentry><refentrytitle>winbindd</refentrytitle>
 		<manvolnum>8</manvolnum></citerefentry> daemon is operating in. Users in all trusted domains
-		will also be listed.  Note that this operation does not assign
+		can be listed with the --domain='*' option.  Note that this operation does not assign
 		user ids to any users that have not already been seen by <citerefentry>
 		<refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
 		.</para></listitem>

nsswitch/wbinfo.c

@@ -1926,9 +1926,16 @@ static bool print_domain_users(const char *domain)
 
 	/* Send request to winbind daemon */
 
-	/* '.' is the special sign for our own domain */
+	if (domain == NULL) {
-	if (domain && strcmp(domain, ".") == 0) {
 		domain = get_winbind_domain();
+	} else {
+		/* '.' is the special sign for our own domain */
+		if ((domain[0] == '\0') || strcmp(domain, ".") == 0) {
+			domain = get_winbind_domain();
+		/* '*' is the special sign for all domains */
+		} else if (strcmp(domain, "*") == 0) {
+			domain = NULL;
+		}
 	}
 
 	wbc_status = wbcListUsers(domain, &num_users, &users);
@@ -1956,9 +1963,16 @@ static bool print_domain_groups(const char *domain)
 
 	/* Send request to winbind daemon */
 
-	/* '.' is the special sign for our own domain */
+	if (domain == NULL) {
-	if (domain && strcmp(domain, ".") == 0) {
 		domain = get_winbind_domain();
+	} else {
+		/* '.' is the special sign for our own domain */
+		if ((domain[0] == '\0') || strcmp(domain, ".") == 0) {
+			domain = get_winbind_domain();
+		/* '*' is the special sign for all domains */
+		} else if (strcmp(domain, "*") == 0) {
+			domain = NULL;
+		}
 	}
 
 	wbc_status = wbcListGroups(domain, &num_groups, &groups);