[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Feb 28 18:46:02 UTC 2018


The branch, master has been updated
       via  31b5328 s4:kdc: disable support for CROSS_ORGANIZATION domains
       via  d0a813a s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
       via  274209f s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
       via  afd97e7 winbindd: disable support for CROSS_ORGANIZATION domains
      from  cb58e18 ldb: version 1.3.2

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 31b5328c46c5f510ba234f75688886987276ee9e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 1 11:06:10 2018 +0100

    s4:kdc: disable support for CROSS_ORGANIZATION domains
    
    We don't support selective authentication yet,
    so we shouldn't silently allow domain wide authentication
    for such a trust.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144

commit d0a813a173be630c2def93cc55e4514204d265a2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 1 11:10:14 2018 +0100

    s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 1 11:10:14 2018 +0100

    s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit afd97e72090aaf31b084646b5fcecaeb8cde653d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 1 11:06:10 2018 +0100

    winbindd: disable support for CROSS_ORGANIZATION domains
    
    We don't support selective authentication yet,
    so we shouldn't silently allow domain wide authentication
    for such a trust.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_util.c | 11 +++++++++
 source4/kdc/db-glue.c            | 48 +++++++++++++++++++++++++++++++---------
 2 files changed, 49 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 73e6b76..b19c42f 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -961,6 +961,17 @@ static bool add_trusted_domains_dc(void)
 			trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
 		}
 
+		if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+			/*
+			 * We don't support selective authentication yet.
+			 */
+			DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+				    "domain[%s/%s]\n",
+				    domains[i]->netbios_name,
+				    domains[i]->domain_name);
+			continue;
+		}
+
 		status = add_trusted_domain(domains[i]->netbios_name,
 					    domains[i]->domain_name,
 					    &domains[i]->security_identifier,
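Review bot: The comment on the new skip, `/* We don't support selective authentication yet. */`, states the limitation but not why dropping the trust is the safe choice, which is the security-relevant part of this change and currently lives only in the commit message. I would extend it to `/* We don't support selective authentication yet, so rather than silently granting domain-wide authentication over this trust we leave the domain out entirely (fail closed, see bug 13299). */`. Because the `continue` drops the domain before `add_trusted_domain()` is ever called, it presumably also disappears from name/SID resolution for that domain; that side effect is worth confirming and noting, but `add_trusted_domains_dc()` starts outside the hunk so I cannot verify it here.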
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 69c54b0..8ccc34c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -57,14 +57,17 @@ enum trust_direction {
 };
 
 static const char *trust_attrs[] = {
+	"securityIdentifier",
+	"flatName",
 	"trustPartner",
+	"trustAttributes",
+	"trustDirection",
+	"trustType",
+	"msDS-TrustForestTrustInfo",
 	"trustAuthIncoming",
 	"trustAuthOutgoing",
 	"whenCreated",
 	"msDS-SupportedEncryptionTypes",
-	"trustAttributes",
-	"trustDirection",
-	"trustType",
 	NULL
 };
 
@@ -1167,7 +1170,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 {
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	const char *our_realm = lpcfg_realm(lp_ctx);
-	const char *dnsdomain = NULL;
 	char *partner_realm = NULL;
 	const char *realm = NULL;
 	const char *krbtgt_realm = NULL;
@@ -1183,7 +1185,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	uint32_t previous_kvno;
 	uint32_t num_keys = 0;
 	enum ndr_err_code ndr_err;
-	int ret, trust_direction_flags;
+	int ret;
 	unsigned int i;
 	struct AuthenticationInformationArray *auth_array;
 	struct timeval tv;
@@ -1191,6 +1193,8 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	uint32_t *auth_kvno;
 	bool preferr_current = false;
 	uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
+	struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+	NTSTATUS status;
 
 	if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
 		supported_enctypes = ldb_msg_find_attr_as_uint(msg,
@@ -1198,20 +1202,44 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 					supported_enctypes);
 	}
 
-	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
-	if (!(trust_direction_flags & direction)) {
+	status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
+	if (!NT_STATUS_IS_OK(status)) {
+		krb5_clear_error_message(context);
+		ret = ENOMEM;
+		goto out;
+	}
+
+	if (!(tdo->trust_direction & direction)) {
+		krb5_clear_error_message(context);
+		ret = SDB_ERR_NOENTRY;
+		goto out;
+	}
+
+	if (tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+		/*
+		 * Only UPLEVEL domains support kerberos here,
+		 * as we don't support LSA_TRUST_TYPE_MIT.
+		 */
+		krb5_clear_error_message(context);
+		ret = SDB_ERR_NOENTRY;
+		goto out;
+	}
+
+	if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+		/*
+		 * We don't support selective authentication yet.
+		 */
 		krb5_clear_error_message(context);
 		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
 
-	dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
-	if (dnsdomain == NULL) {
+	if (tdo->domain_name.string == NULL) {
 		krb5_clear_error_message(context);
 		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
-	partner_realm = strupper_talloc(mem_ctx, dnsdomain);
+	partner_realm = strupper_talloc(mem_ctx, tdo->domain_name.string);
 	if (partner_realm == NULL) {
 		krb5_clear_error_message(context);
 		ret = ENOMEM;
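Review bot: Every failure of `dsdb_trust_parse_tdo_info()` is reported as `ENOMEM` in the new block after the supported-enctypes lookup, so a malformed or incomplete trusted-domain object (a missing attribute, a bad `msDS-TrustForestTrustInfo` blob) surfaces to the caller and the logs as an out-of-memory condition rather than as a broken trust. I would reserve `ENOMEM` for `NT_STATUS_NO_MEMORY` and treat any other status as "this trust is unusable" with a logged reason, as sketched below; which error code the KDC callers expect for that case should be checked against `samba_kdc_fetch_krbtgt()`, which is outside the hunk. Related, the three new rejection branches (direction, non-UPLEVEL type, CROSS_ORGANIZATION) return `SDB_ERR_NOENTRY` silently, while the winbindd counterpart logs a warning; a `DBG_INFO`/`DBG_NOTICE` naming the trust and the reason would make a refused cross-realm authentication diagnosable rather than looking like a missing principal. Whether `DBG_WARNING` and `nt_errstr()` are already in scope in db-glue.c is not visible in the hunk.
```c
	status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
	if (!NT_STATUS_IS_OK(status)) {
		krb5_clear_error_message(context);
		if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
			ret = ENOMEM;
			goto out;
		}
		/* Malformed trusted-domain object: refuse to use this trust. */
		DBG_WARNING("dsdb_trust_parse_tdo_info() failed: %s\n",
			    nt_errstr(status));
		ret = SDB_ERR_NOENTRY;
		goto out;
	}
	/* … unchanged: trust_direction / trust_type / CROSS_ORGANIZATION checks … */
```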


-- 
Samba Shared Repository


