[SCM] Samba Shared Repository - branch master updated

Michael Adam obnox at samba.org
Mon Oct 6 09:22:02 MDT 2014


The branch, master has been updated
       via  92ca4f5 winbindd: Do not overwrite domain list with conflicting info from a trusted domain
       via  7b4f266 torture: Reorder torture_winbind_struct_domain_info tests
      from  88b2485 ctdb-build: Fix handling of public headers

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 92ca4f52ae093e14d39b8853a34ffa8be6a3d492
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Oct 5 18:32:09 2014 +1300

    winbindd: Do not overwrite domain list with conflicting info from a trusted domain
    
    This places less trust in our primary DC or trusted domain DC and refuses to update info that is conflicting.
    
    This does not currently reject the connection to the DC; it only ensures that the DC can do no more than fill in missing information or correct the case of the domain.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User(master): Michael Adam <obnox at samba.org>
    Autobuild-Date(master): Mon Oct  6 17:21:03 CEST 2014 on sn-devel-104

commit 7b4f266ef059fbab5ed1cf50ca347fb9985f02dc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Oct 5 16:00:47 2014 +1300

    torture: Reorder torture_winbind_struct_domain_info tests
    
    This tries to ensure we get enough information to debug this
    intermittent failure.
    
    I think this may be a real failure, but it is hard to tell without more info.
    
    This patch prints out the full details of what the domain returned before
    doing the assertions.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_cm.c         |   75 ++++++++++++++++++++++++++++++++
 source4/torture/winbind/struct_based.c |   37 ++++++++--------
 2 files changed, 94 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 43147cb..fd414b8 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2276,6 +2276,18 @@ no_dssetup:
 		domain->active_directory = True;
 
 		if (lsa_info->dns.name.string) {
+			if (!strequal(domain->name, lsa_info->dns.name.string))
+			{
+				DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+					  "for domain %s claimed it was a DC "
+					  "for domain %s, refusing to "
+					  "initialize\n",
+					  domain->name,
+					  lsa_info->dns.name.string));
+				TALLOC_FREE(cli);
+				TALLOC_FREE(mem_ctx);
+				return;
+			}
 			talloc_free(domain->name);
 			domain->name = talloc_strdup(domain,
 						     lsa_info->dns.name.string);
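Review bot: The refusal path added here returns after `domain->active_directory = True;` has already been written, so a DC whose name conflicts still leaves part of its answer in the domain entry. The same ordering carries through the later hunks: by the time the `dns_domain` and `dns.sid` checks can fail, `domain->name` and then `domain->alt_name` have already been replaced with the DC's strings, and the `account_domain` hunks at -2333 and -2340 repeat the pattern. Running every comparison for a branch before the first assignment would make the refusal all-or-nothing. The enclosing function (presumably set_dc_type_and_flags_connect, going by the log text) starts and ends outside this hunk, so anything assigned before `no_dssetup:` or between the hunks is not visible here and would need the same look.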
@@ -2285,6 +2297,20 @@ no_dssetup:
 		}
 
 		if (lsa_info->dns.dns_domain.string) {
+			if (domain->alt_name != NULL &&
+			    !strequal(domain->alt_name,
+				      lsa_info->dns.dns_domain.string))
+			{
+				DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+					  "for domain %s (%s) claimed it was "
+					  "a DC for domain %s, refusing to "
+					  "initialize\n",
+					  domain->alt_name, domain->name,
+					  lsa_info->dns.dns_domain.string));
+				TALLOC_FREE(cli);
+				TALLOC_FREE(mem_ctx);
+				return;
+			}
 			talloc_free(domain->alt_name);
 			domain->alt_name =
 				talloc_strdup(domain,
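Review bot: The message added in this hunk prints three domain strings without saying which is which: `domain->alt_name` fills the first `%s`, `domain->name` the one in parentheses and the DC's `dns_domain` the last, while the SID hunks reuse the same wording with a SID string in the first slot. Someone reading a level 1 log line cannot tell whether the NetBIOS name, the DNS name or the SID was the field that conflicted. Naming the field would fix that, for example `"DC for domain %s (DNS name %s) reported DNS domain %s, refusing to initialize\n"` with `domain->name, domain->alt_name` as the first two arguments. The other four messages could be labelled the same way.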
@@ -2312,6 +2338,23 @@ no_dssetup:
 		}
 
 		if (lsa_info->dns.sid) {
+			if (!is_null_sid(&domain->sid) &&
+			    !dom_sid_equal(&domain->sid,
+					   lsa_info->dns.sid))
+			{
+				DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+					  "for domain %s (%s) claimed it was "
+					  "a DC for domain %s, refusing to "
+					  "initialize\n",
+					  dom_sid_string(talloc_tos(),
+							 &domain->sid),
+					  domain->name,
+					  dom_sid_string(talloc_tos(),
+							 lsa_info->dns.sid)));
+				TALLOC_FREE(cli);
+				TALLOC_FREE(mem_ctx);
+				return;
+			}
 			sid_copy(&domain->sid, lsa_info->dns.sid);
 		}
 	} else {
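Review bot: The `!is_null_sid(&domain->sid)` guard means the comparison only runs when a SID is already recorded; with a null SID the `sid_copy()` below takes whatever the DC returned. The `domain->alt_name != NULL` guard in the previous hunk and the SID guard in the `account_domain` hunk behave the same way. That matches the commit message ("update missing information"), but it is not stated in the code, and it is the one place where the DC's answer is still accepted unchecked. I would add a comment above the check such as `/* No SID recorded yet: accept the DC's value. Only a SID that conflicts with one we already hold is refused. */`.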
@@ -2333,6 +2376,20 @@ no_dssetup:
 		if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
 
 			if (lsa_info->account_domain.name.string) {
+				if (!strequal(domain->name,
+					lsa_info->account_domain.name.string))
+				{
+					DEBUG(1,
+					      ("set_dc_type_and_flags_connect: "
+					       "DC for domain %s claimed it was"
+					       " a DC for domain %s, refusing "
+					       "to initialize\n", domain->name,
+					       lsa_info->
+						account_domain.name.string));
+					TALLOC_FREE(cli);
+					TALLOC_FREE(mem_ctx);
+					return;
+				}
 				talloc_free(domain->name);
 				domain->name =
 					talloc_strdup(domain,
@@ -2340,6 +2397,24 @@ no_dssetup:
 			}
 
 			if (lsa_info->account_domain.sid) {
+				if (!is_null_sid(&domain->sid) &&
+				    !dom_sid_equal(&domain->sid,
+						lsa_info->account_domain.sid))
+				{
+					DEBUG(1,
+					      ("set_dc_type_and_flags_connect: "
+					       "DC for domain %s (%s) claimed "
+					       "it was a DC for domain %s, "
+					       "refusing to initialize\n",
+					       dom_sid_string(talloc_tos(),
+							      &domain->sid),
+					       domain->name,
+					       dom_sid_string(talloc_tos(),
+						lsa_info->account_domain.sid)));
+					TALLOC_FREE(cli);
+					TALLOC_FREE(mem_ctx);
+					return;
+				}
 				sid_copy(&domain->sid, lsa_info->account_domain.sid);
 			}
 		}
diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
index d47d068..ef27b05 100644
--- a/source4/torture/winbind/struct_based.c
+++ b/source4/torture/winbind/struct_based.c
@@ -428,22 +428,6 @@ static bool torture_winbind_struct_domain_info(struct torture_context *torture)
 
 		DO_STRUCT_REQ_REP(WINBINDD_DOMAIN_INFO, &req, &rep);
 
-		torture_assert_str_equal(torture,
-					 rep.data.domain_info.name,
-					 listd[i].netbios_name,
-					 "Netbios domain name doesn't match");
-
-		torture_assert_str_equal(torture,
-					 rep.data.domain_info.alt_name,
-					 listd[i].dns_name,
-					 "DNS domain name doesn't match");
-
-		sid = dom_sid_parse_talloc(torture, rep.data.domain_info.sid);
-		torture_assert(torture, sid, "Failed to parse SID");
-
-		ok = dom_sid_equal(listd[i].sid, sid);
-		torture_assert(torture, ok, "SID's doesn't match");
-
 		if (rep.data.domain_info.primary) {
 			flagstr = talloc_strdup_append(flagstr, "PR ");
 		}
@@ -462,10 +446,27 @@ static bool torture_winbind_struct_domain_info(struct torture_context *torture)
 			flagstr = talloc_strdup_append(flagstr, "NA ");
 		}
 
-		torture_comment(torture, "DOMAIN '%s' => '%s' [%s]\n",
+		torture_comment(torture, "DOMAIN '%s' => '%s' [%s] [%s]\n",
 				rep.data.domain_info.name,
 				rep.data.domain_info.alt_name,
-				flagstr);
+				flagstr,
+				rep.data.domain_info.sid);
+
+		sid = dom_sid_parse_talloc(torture, rep.data.domain_info.sid);
+		torture_assert(torture, sid, "Failed to parse SID");
+
+		ok = dom_sid_equal(listd[i].sid, sid);
+		torture_assert(torture, ok, "SID's doesn't match");
+
+		torture_assert_str_equal(torture,
+					 rep.data.domain_info.name,
+					 listd[i].netbios_name,
+					 "Netbios domain name doesn't match");
+
+		torture_assert_str_equal(torture,
+					 rep.data.domain_info.alt_name,
+					 listd[i].dns_name,
+					 "DNS domain name doesn't match");
 	}
 
 	return true;
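Review bot: The reordered block prints the SID that winbind returned but still not the SID the test expected, so a failing `torture_assert(torture, ok, "SID's doesn't match")` leaves half of the comparison out of the log. Adding the expected value to the comment, for instance a further `[%s]` fed by `dom_sid_string(torture, listd[i].sid)`, would give the intermittent failure the full picture. The two `torture_assert_str_equal` calls presumably already report both sides. The function starts above this hunk and its closing brace is below it.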


-- 
Samba Shared Repository

