1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

776 Commits

Author SHA1 Message Date
Joseph Sutton
716c3a2536 nsswitch: Fix script usage
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Stefan Metzmacher
4af3faace4 nsswitch/wb_common.c: fix socket fd and memory leaks of global state
When we are called in wb_atfork_child() or winbind_destructor(),
wb_thread_ctx_destructor() is not called for the global state
of the current nor any other thread, which means we would
leak the related memory and socket fds.

Now we maintain a global list protected by a global mutex.
We traverse the list and close all socket fds, which are no
longer used (winbind_destructor) or no longer valid in the
current process (wb_atfork_child), in addition we 'autofree'
the ones, which are only visible internally as global (per thread)
context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224
2023-09-14 18:53:07 +00:00
Stefan Metzmacher
91b30a7261 nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key
If nss_winbind is loaded into a process that uses fork multiple times
without any further calls into nss_winbind, wb_atfork_child handler
was using a wb_global_ctx.key that was no longer registered in the
pthread library, so we operated on a slot that was potentially
reused by other libraries or the main application. Which is likely
to cause memory corruption.

So we better don't call pthread_key_delete() in wb_atfork_child().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Reported-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-14 17:56:30 +00:00
Stefan Metzmacher
836823e504 nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx()
The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
required magic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-14 17:56:30 +00:00
Stefan Metzmacher
4faf806412 nsswitch/wb_common.c: fix build without HAVE_PTHREAD
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-14 17:56:30 +00:00
Stefan Metzmacher
62af25d44e nsswitch: add test for pthread_key_delete missuse (bug 15464)
This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
written by Krzysztof Piotr Oledzki <ole@ans.pl>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-14 17:56:30 +00:00
Joseph Sutton
f6babaa9b6 nsswitch:libwbclient: Fix memory leak
Found by Balazs Scheidler <bazsi@balabit.hu>.

Reported by Ferenc Wágner <wferi@niif.hu> at
https://lists.samba.org/archive/samba-technical/2023-June/138271.html

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Andreas Schneider
51bec2206e nsswitch: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-23 13:44:31 +00:00
Pavel Filipenský
611444a22c tests: Fix idmap.rid.getgrnam for ad_member_idmap_rid with 'winbind expand groups = 10'
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Joseph Sutton
ae5fafa902 testprogs: Have testfail() return 0 on success
This is more consistent with the other testing functions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Joseph Sutton
60c501b387 nsswitch:tests: Remove unused functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Joseph Sutton
833cefe8ee testprogs: Make testit_expect_failure() return 0 on success
This is the behaviour that most existing callers expect, but the
function actually returns a non-zero status code in that case.

Adjust all callers expecting the opposite behaviour to match.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Andreas Schneider
b6cf609e9f nsswitch:tests: Use configuration variable passed to test_rfc2307_mapping.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Volker Lendecke
b755b81d66 test: Add a test for "deny ous"
Not a comprehensive test for all possible combinations, but it shows
the basic functionality, and it found a bug in the initial
implementation :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:51 +00:00
Volker Lendecke
f9849dbf4f tests: Slightly simplify test_idmap_ad.sh
ldbmodify can change multiple objects in one run

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:51 +00:00
Joseph Sutton
a34e245bb2 nsswitch: Fix CID 1518966 Resource leaks (RESOURCE_LEAK)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-03 01:07:36 +00:00
Andreas Schneider
981dcccfd9 nsswitch: Fix getting data out of pam_get_data()
nsswitch/pam_winbind.c:3360:24: error: cast from 'time_t **' (aka 'long **') to
    'const void **' must have all intermediate pointers const qualified to be safe
    [-Werror,-Wcast-qual]
                             (const void **)&pwdlastset_update);
                                            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Michael Tokarev
96154a26fe spelling fixes for 4.18 (errror implemenation proces Controler)
One of changes is somewhat interesting, it is "tfork waiter proces"
process title in tfork.c. I wonder why no one noticed this before.
There's another similar process title in there, "tfork waiter process(%d)".
Hopefully no one does grep for "proces$" (and there's no reason to).

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 26 20:46:11 UTC 2023 on atb-devel-224
2023-01-26 20:46:11 +00:00
Ralph Boehme
7545e2c77b nsswitch: avoid calling pthread_getspecific() on an uninitialized key
Found by ASAN:

$ bin/stress-nss-libwbclient
...
==1639426==ERROR: AddressSanitizer: unknown-crash on address 0x7f3907d85000 at pc 0x7f3907d649fb bp 0x7ffc6545f5b0 sp 0x7ffc6545f5a8
READ of size 4 at 0x7f3907d85000 thread T0
    #0 0x7f3907d649fa in winbind_close_sock ../../nsswitch/wb_common.c:220
    #1 0x7f3907d65866 in winbind_destructor ../../nsswitch/wb_common.c:246
    #2 0x7f3907da5d3d in _dl_fini /usr/src/debug/glibc-2.35-20.fc36.x86_64/elf/dl-fini.c:142
    #3 0x7f3907241044 in __run_exit_handlers (/lib64/libc.so.6+0x41044)
    #4 0x7f39072411bf in exit (/lib64/libc.so.6+0x411bf)
    #5 0x7f3907229516 in __libc_start_call_main (/lib64/libc.so.6+0x29516)
    #6 0x7f39072295c8 in __libc_start_main_impl (/lib64/libc.so.6+0x295c8)
    #7 0x56236a2042b4 in _start (/data/git/samba/scratch3/bin/default/nsswitch/stress-nss-libwbclient+0x22b4)

Address 0x7f3907d85000 is a wild pointer inside of access range of size 0x000000000004.
SUMMARY: AddressSanitizer: unknown-crash ../../nsswitch/wb_common.c:220 in winbind_close_sock

The pthread key in wb_global_ctx.key is only initialized if
wb_thread_ctx_initialize() is called via get_wb_global_ctx() -> get_wb_thread_ctx().

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan  6 15:04:46 UTC 2023 on sn-devel-184
2023-01-06 15:04:46 +00:00
Ralph Boehme
316b8fa4a8 nsswitch: remove winbind_nss_mutex
We're now thread-safe by using TLS, so the global lock isn't needed anymore.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Jan  5 12:34:35 UTC 2023 on sn-devel-184
2023-01-05 12:34:35 +00:00
Ralph Boehme
642a4452ce nsswitch: leverage TLS if available in favour over global locking
The global locking can lead to deadlocks when using nscd: when processing the
first request in winbind, when we know we call into code that will recurse into
winbind we call winbind_off() which sets an environment variable which is later
checked here in the nsswitch module.

But with nscd in the stack, we don't see the env variable in nsswitch, so when
we try to acquire the global lock again, it is already locked and we deadlock.

By using a thread specific winbindd_context, plus a few other thread local global
variables, we don't need a global lock anymore.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-01-05 11:33:37 +00:00
Ralph Boehme
ae4a06f4b0 nsswitch: prepare for removing global locking by using TLS
Switch to using TLS for all global variables. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-01-05 11:33:37 +00:00
Ralph Boehme
347f75499e nsswitch/stress-nss-libwbclient: also test after fork
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-01-05 11:33:37 +00:00
Andreas Schneider
5bed51fc6f nsswitch:tests: Use system_or_builddir_binary() for test_rfc2307_mapping
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-12-23 14:35:31 +00:00
Ralph Boehme
52cdf1d93a wbinfo: Add --change-secret-at=dcname
Add WHATSNEW.txt entry and update wbinfo man page.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Ralph Boehme
682216aa29 libwbclient: add wbc[Ctx]ChangeTrustCredentialsAt()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Volker Lendecke
6d36577715 nsswitch: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-12 21:16:33 +00:00
Sushmita Bhattacharya
67042d95bb Fix memleak in _nss_winbind_initgroups_dyn
Free the response at the end of _nss_winbind_initgroups_dyn

Signed-off-by: Sushmita Bhattacharya <sushmita.bhattacharya@oracle.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-09 23:11:37 +00:00
Andreas Schneider
b97d31abb4 nsswitch:tests: Use ldb(modify|search) from the system
If Samba is built against the system libldb, use the system tools.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec  5 09:36:40 UTC 2022 on sn-devel-184
2022-12-05 09:36:40 +00:00
Volker Lendecke
9735498f60 pam_winbind: Fix a memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-11-22 18:27:33 +00:00
Noel Power
f6284877ce nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 16 19:29:21 UTC 2022 on sn-devel-184
2022-11-16 19:29:21 +00:00
Jeremy Allison
7cb5040551 nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embedd it directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15224

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Nov 16 15:09:45 UTC 2022 on sn-devel-184
2022-11-16 15:09:45 +00:00
Andrew Walker
aa9f3a2da9 nsswitch:libwbclient - fix leak in wbcCtxPingDc2
Memory allocated for response is never freed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15164

Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep  6 20:10:17 UTC 2022 on sn-devel-184
2022-09-06 20:10:17 +00:00
Andreas Schneider
72f16b6354 nsswitch: Fix shellcheck errors in test_rfc2307_mapping.sh
nsswitch/tests/test_rfc2307_mapping.sh:65:139: error: Double quote array
expansions to avoid re-splitting elements. [SC2068]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-08-17 10:08:35 +00:00
listout
e13875601f nsswitch/wins: Define NETDB_* for other libc's
Define NETDB_SUCCESS and NETDB_INTERNAL if they are not defined. On
libc's such as musl NETDB_INTERNAL and NETDB_SUCCESS are not defined.

Signed-off-by: listout <brahmajit.xyz@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-08-08 06:33:38 +00:00
Samuel Cabrero
e9286b06cf s3:winbind: Convert InitConnection from struct based to NDR based
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-05-19 17:51:33 +00:00
Pavel Filipenský
4580fd1046 winbind: send "debug traceid" from winbindd parent to child
Bumping WINBIND_INTERFACE_VERSION to 32

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 10 18:25:01 UTC 2022 on sn-devel-184
2022-05-10 18:25:01 +00:00
Samuel Cabrero
3944b586d5 selftest: Extend test_wbc_logon_user to test WBFLAG_PAM_UNIX_NAME flag
Use the same function append_unix_username() uses to build the expected
value as it depends on the server role. This requires linking
winbindd-lib.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-04-08 20:13:37 +00:00
Stefan Metzmacher
e1d2c59d36 nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN
When winbindd forwards wbinfo -a via netrLogonSamLogon* to a remote
DC work fine for upn names, e.g. administrator@DOMAIN.

But it currently fails locally on a DC against the local sam.

For the RODC only work because it forwards the request to
an RWDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Andreas Schneider
d42f08d16b nsswitch: Reformat shell scripts
shfmt -f nsswitch/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-02-24 09:15:34 +00:00
Günther Deschner
20c85cc1da pam_winbind: add new pwd_change_prompt option (defaults to off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184
2021-12-16 03:05:30 +00:00
Stefan Metzmacher
66e90b7391 nsswitch: reduce dependecies to private libraries and link static/builtin if possible
Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in the that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
62d05a8108 nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_
Some private functions from wbclient_internal.h already
leaked into the ABI. With hide_symbols=True we make sure
this doesn't happen again.

Having wbcRequestResponse[Priv]() as part of the ABI helps us
in order to hide winbindd_[priv_]request_response() soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
fa98a44cb4 nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD
This is the only symbol which is used via dlopen()/dlsym() and
needs to be exported, in future we'll do hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
419ca68de0 nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.

On other platforms, which are implemented as wrappers above the
Linux implementation, we mark the symbols as _PRIVATE_

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
3f9948bd6d nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
a663c9648f nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
9615395b1f nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()
We should try to route everything through libwbclient.so, because we'll
soon don't have a single library providing winbindd_request_response().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
41108b9ed9 nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h
nsswitch/wb_common.c will be made completely internal soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
600ebefa5a libwbclient: fix strict-overflow warning in wbcSidToString()
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
  if (len+1 > sizeof(buf)) {
     ^

Even this would fail:
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
  if (len >= sizeof(buf)) {
     ^

Note that this only seems to happen with gcc 7 and when -O3 and
-fvisibility=hidden are used together. E.g. in the opensuse151-samba-o3
builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00