[SCM] Samba Shared Repository - branch master updated
Michael Adam
obnox at samba.org
Mon Oct 6 09:22:02 MDT 2014
The branch, master has been updated
via 92ca4f5 winbindd: Do not overwrite domain list with conflicting info from a trusted domain
via 7b4f266 torture: Reorder torture_winbind_struct_domain_info tests
from 88b2485 ctdb-build: Fix handling of public headers
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 92ca4f52ae093e14d39b8853a34ffa8be6a3d492
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Oct 5 18:32:09 2014 +1300
winbindd: Do not overwrite domain list with conflicting info from a trusted domain
This places less trust in our primary DC or a trusted domain's DC and refuses to update the domain list with conflicting info.
This does not currently reject the connection to the DC; it only ensures that the DC can fill in missing information or correct the case of the domain name.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Michael Adam <obnox at samba.org>
Autobuild-Date(master): Mon Oct 6 17:21:03 CEST 2014 on sn-devel-104
commit 7b4f266ef059fbab5ed1cf50ca347fb9985f02dc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Oct 5 16:00:47 2014 +1300
torture: Reorder torture_winbind_struct_domain_info tests
This tries to ensure we get enough information to debug this
intermittent failure.
I think this may be a real failure, but it is hard to tell without more info.
This patch prints out the full details of what the domain returned before
doing the assertions.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_cm.c | 75 ++++++++++++++++++++++++++++++++
source4/torture/winbind/struct_based.c | 37 ++++++++--------
2 files changed, 94 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 43147cb..fd414b8 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2276,6 +2276,18 @@ no_dssetup:
domain->active_directory = True;
if (lsa_info->dns.name.string) {
+ if (!strequal(domain->name, lsa_info->dns.name.string))
+ {
+ DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+ "for domain %s claimed it was a DC "
+ "for domain %s, refusing to "
+ "initialize\n",
+ domain->name,
+ lsa_info->dns.name.string));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
talloc_free(domain->name);
domain->name = talloc_strdup(domain,
lsa_info->dns.name.string);
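Review bot: The refusal path `TALLOC_FREE(cli); TALLOC_FREE(mem_ctx); return;` is written out here and repeated in the four other added checks (the alt_name hunk, both SID hunks and the account_domain name hunk). Any resource later acquired in this function would then have five exits to keep in sync. The hunk header shows the function already uses labels (`no_dssetup:`), so one shared exit would keep the cleanup in one place: `goto refuse;` at each check, with the two frees and the `return` under a single `refuse:` label. The function starts and ends outside this hunk, so whether an existing label already performs this cleanup cannot be seen from here.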
@@ -2285,6 +2297,20 @@ no_dssetup:
}
if (lsa_info->dns.dns_domain.string) {
+ if (domain->alt_name != NULL &&
+ !strequal(domain->alt_name,
+ lsa_info->dns.dns_domain.string))
+ {
+ DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+ "for domain %s (%s) claimed it was "
+ "a DC for domain %s, refusing to "
+ "initialize\n",
+ domain->alt_name, domain->name,
+ lsa_info->dns.dns_domain.string));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
talloc_free(domain->alt_name);
domain->alt_name =
talloc_strdup(domain,
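Review bot: The comparison in the added `if` is skipped whenever `domain->alt_name` is NULL, so the first DNS domain name a DC reports is adopted unchecked and only later answers are held to it. The two SID hunks behave the same way through `is_null_sid(&domain->sid)`. That matches the commit message's "update missing information", but it is a trust decision worth stating in the code, for example `/* alt_name not known yet: accept the DC's value; once set, a differing claim is refused */` above the condition. The enclosing block continues past the end of this hunk.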
@@ -2312,6 +2338,23 @@ no_dssetup:
}
if (lsa_info->dns.sid) {
+ if (!is_null_sid(&domain->sid) &&
+ !dom_sid_equal(&domain->sid,
+ lsa_info->dns.sid))
+ {
+ DEBUG(1, ("set_dc_type_and_flags_connect: DC "
+ "for domain %s (%s) claimed it was "
+ "a DC for domain %s, refusing to "
+ "initialize\n",
+ dom_sid_string(talloc_tos(),
+ &domain->sid),
+ domain->name,
+ dom_sid_string(talloc_tos(),
+ lsa_info->dns.sid)));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
sid_copy(&domain->sid, lsa_info->dns.sid);
}
} else {
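Review bot: Both `dom_sid_string(talloc_tos(), ...)` calls in the DEBUG arguments can return NULL if the allocation fails, and the result is passed straight to `%s`. The account_domain SID hunk further down has the same pattern. source3 code normally formats SIDs for debug output with `sid_string_dbg()` (worth confirming it is usable in this file), which would give `sid_string_dbg(&domain->sid), domain->name, sid_string_dbg(lsa_info->dns.sid)`. The message also prints a SID where the other hunks print a domain name, so wording such as "claimed domain SID %s" would make the log line easier to read when triaging.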
@@ -2333,6 +2376,20 @@ no_dssetup:
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
if (lsa_info->account_domain.name.string) {
+ if (!strequal(domain->name,
+ lsa_info->account_domain.name.string))
+ {
+ DEBUG(1,
+ ("set_dc_type_and_flags_connect: "
+ "DC for domain %s claimed it was"
+ " a DC for domain %s, refusing "
+ "to initialize\n", domain->name,
+ lsa_info->
+ account_domain.name.string));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
talloc_free(domain->name);
domain->name =
talloc_strdup(domain,
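Review bot: The mismatch is reported only through `DEBUG(1, ...)` followed by a bare `return`. With the log level at 0 nothing records that a DC claimed to serve a different domain, and the caller gets no status to distinguish a refusal from a completed probe. A DC answering for the wrong domain is an event an operator would want to see and alert on, so consider `DEBUG(0, (...))` for this message and the four matching ones in the other hunks. The function starts and ends outside the hunk, so how callers react to the early return is not visible here.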
@@ -2340,6 +2397,24 @@ no_dssetup:
}
if (lsa_info->account_domain.sid) {
+ if (!is_null_sid(&domain->sid) &&
+ !dom_sid_equal(&domain->sid,
+ lsa_info->account_domain.sid))
+ {
+ DEBUG(1,
+ ("set_dc_type_and_flags_connect: "
+ "DC for domain %s (%s) claimed "
+ "it was a DC for domain %s, "
+ "refusing to initialize\n",
+ dom_sid_string(talloc_tos(),
+ &domain->sid),
+ domain->name,
+ dom_sid_string(talloc_tos(),
+ lsa_info->account_domain.sid)));
+ TALLOC_FREE(cli);
+ TALLOC_FREE(mem_ctx);
+ return;
+ }
sid_copy(&domain->sid, lsa_info->account_domain.sid);
}
}
diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c
index d47d068..ef27b05 100644
--- a/source4/torture/winbind/struct_based.c
+++ b/source4/torture/winbind/struct_based.c
@@ -428,22 +428,6 @@ static bool torture_winbind_struct_domain_info(struct torture_context *torture)
DO_STRUCT_REQ_REP(WINBINDD_DOMAIN_INFO, &req, &rep);
- torture_assert_str_equal(torture,
- rep.data.domain_info.name,
- listd[i].netbios_name,
- "Netbios domain name doesn't match");
-
- torture_assert_str_equal(torture,
- rep.data.domain_info.alt_name,
- listd[i].dns_name,
- "DNS domain name doesn't match");
-
- sid = dom_sid_parse_talloc(torture, rep.data.domain_info.sid);
- torture_assert(torture, sid, "Failed to parse SID");
-
- ok = dom_sid_equal(listd[i].sid, sid);
- torture_assert(torture, ok, "SID's doesn't match");
-
if (rep.data.domain_info.primary) {
flagstr = talloc_strdup_append(flagstr, "PR ");
}
@@ -462,10 +446,27 @@ static bool torture_winbind_struct_domain_info(struct torture_context *torture)
flagstr = talloc_strdup_append(flagstr, "NA ");
}
- torture_comment(torture, "DOMAIN '%s' => '%s' [%s]\n",
+ torture_comment(torture, "DOMAIN '%s' => '%s' [%s] [%s]\n",
rep.data.domain_info.name,
rep.data.domain_info.alt_name,
- flagstr);
+ flagstr,
+ rep.data.domain_info.sid);
+
+ sid = dom_sid_parse_talloc(torture, rep.data.domain_info.sid);
+ torture_assert(torture, sid, "Failed to parse SID");
+
+ ok = dom_sid_equal(listd[i].sid, sid);
+ torture_assert(torture, ok, "SID's doesn't match");
+
+ torture_assert_str_equal(torture,
+ rep.data.domain_info.name,
+ listd[i].netbios_name,
+ "Netbios domain name doesn't match");
+
+ torture_assert_str_equal(torture,
+ rep.data.domain_info.alt_name,
+ listd[i].dns_name,
+ "DNS domain name doesn't match");
}
return true;
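Review bot: The SID assertion now runs first, but on failure it still reports only `"SID's doesn't match"` without the expected `listd[i].sid`. The new `torture_comment` prints only what the domain returned. Since the commit aims to collect enough detail to debug an intermittent failure, the expected values belong in the comment line as well, e.g. `dom_sid_string(torture, listd[i].sid)` alongside `listd[i].netbios_name` and `listd[i].dns_name`. The message text could also be corrected to `"SIDs don't match"`. The loop and the function begin outside this hunk.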
--
Samba Shared Repository