[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Wed Feb 28 18:46:02 UTC 2018
The branch, master has been updated
via 31b5328 s4:kdc: disable support for CROSS_ORGANIZATION domains
via d0a813a s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
via 274209f s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
via afd97e7 winbindd: disable support for CROSS_ORGANIZATION domains
from cb58e18 ldb: version 1.3.2
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 31b5328c46c5f510ba234f75688886987276ee9e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 11:06:10 2018 +0100
s4:kdc: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144
commit d0a813a173be630c2def93cc55e4514204d265a2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 11:10:14 2018 +0100
s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 11:10:14 2018 +0100
s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit afd97e72090aaf31b084646b5fcecaeb8cde653d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 1 11:06:10 2018 +0100
winbindd: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_util.c | 11 +++++++++
source4/kdc/db-glue.c | 48 +++++++++++++++++++++++++++++++---------
2 files changed, 49 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 73e6b76..b19c42f 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -961,6 +961,17 @@ static bool add_trusted_domains_dc(void)
trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
}
+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+ /*
+ * We don't support selective authentication yet.
+ */
+ DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+ "domain[%s/%s]\n",
+ domains[i]->netbios_name,
+ domains[i]->domain_name);
+ continue;
+ }
+
status = add_trusted_domain(domains[i]->netbios_name,
domains[i]->domain_name,
&domains[i]->security_identifier,
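Review bot: The new guard drops the trust from winbindd's domain list but the comment only says selective authentication is unsupported; it should state the security reason so nobody later "fixes" it by adding the domain anyway, e.g. `/* Without selective authentication we cannot honour the Allowed-To-Authenticate check, so treating this trust as domain-wide would grant access the admin never configured; skip it entirely. */`. The same policy is enforced in the KDC in source4/kdc/db-glue.c, so a cross-reference in the comment helps keep the two decisions in step. The warning is emitted on every run of add_trusted_domains_dc(), so expect one repeated log line per CROSS_ORGANIZATION trust; DBG_NOTICE may be the better level if that proves noisy. add_trusted_domains_dc() starts before the hunk.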
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 69c54b0..8ccc34c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -57,14 +57,17 @@ enum trust_direction {
};
static const char *trust_attrs[] = {
+ "securityIdentifier",
+ "flatName",
"trustPartner",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ "msDS-TrustForestTrustInfo",
"trustAuthIncoming",
"trustAuthOutgoing",
"whenCreated",
"msDS-SupportedEncryptionTypes",
- "trustAttributes",
- "trustDirection",
- "trustType",
NULL
};
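Review bot: trust_attrs now has to list every attribute dsdb_trust_parse_tdo_info() reads, but nothing at the array says so, and a missing attribute would make the parse fail for every trust. A one-line comment above the array, `/* must cover every attribute dsdb_trust_parse_tdo_info() reads */`, makes the coupling explicit for the next person who prunes the list.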
@@ -1167,7 +1170,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
const char *our_realm = lpcfg_realm(lp_ctx);
- const char *dnsdomain = NULL;
char *partner_realm = NULL;
const char *realm = NULL;
const char *krbtgt_realm = NULL;
@@ -1183,7 +1185,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
uint32_t previous_kvno;
uint32_t num_keys = 0;
enum ndr_err_code ndr_err;
- int ret, trust_direction_flags;
+ int ret;
unsigned int i;
struct AuthenticationInformationArray *auth_array;
struct timeval tv;
@@ -1191,6 +1193,8 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
uint32_t *auth_kvno;
bool preferr_current = false;
uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
+ struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+ NTSTATUS status;
if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
supported_enctypes = ldb_msg_find_attr_as_uint(msg,
@@ -1198,20 +1202,44 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
supported_enctypes);
}
- trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
- if (!(trust_direction_flags & direction)) {
+ status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
+ if (!NT_STATUS_IS_OK(status)) {
+ krb5_clear_error_message(context);
+ ret = ENOMEM;
+ goto out;
+ }
+
+ if (!(tdo->trust_direction & direction)) {
+ krb5_clear_error_message(context);
+ ret = SDB_ERR_NOENTRY;
+ goto out;
+ }
+
+ if (tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+ /*
+ * Only UPLEVEL domains support kerberos here,
+ * as we don't support LSA_TRUST_TYPE_MIT.
+ */
+ krb5_clear_error_message(context);
+ ret = SDB_ERR_NOENTRY;
+ goto out;
+ }
+
+ if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+ /*
+ * We don't support selective authentication yet.
+ */
krb5_clear_error_message(context);
ret = SDB_ERR_NOENTRY;
goto out;
}
- dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
- if (dnsdomain == NULL) {
+ if (tdo->domain_name.string == NULL) {
krb5_clear_error_message(context);
ret = SDB_ERR_NOENTRY;
goto out;
}
- partner_realm = strupper_talloc(mem_ctx, dnsdomain);
+ partner_realm = strupper_talloc(mem_ctx, tdo->domain_name.string);
if (partner_realm == NULL) {
krb5_clear_error_message(context);
ret = ENOMEM;
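Review bot: A failing dsdb_trust_parse_tdo_info() at the top of the new code is reported as ENOMEM whatever the NT status, so a malformed trustedDomain object (bad securityIdentifier, unparsable msDS-TrustForestTrustInfo) is indistinguishable from memory exhaustion and nothing is logged. I would log before bailing, `DBG_WARNING("dsdb_trust_parse_tdo_info(%s) failed: %s\n", ldb_dn_get_linearized(msg->dn), nt_errstr(status));`, and consider mapping anything other than NT_STATUS_NO_MEMORY to SDB_ERR_NOENTRY so one broken TDO reads as "no such principal" rather than a KDC-internal error. The trust_type and CROSS_ORGANIZATION rejections that follow are also silent, unlike the winbindd side which logs a warning; a `DBG_NOTICE` in the CROSS_ORGANIZATION branch naming tdo->domain_name.string would tell the operator why the cross-realm krbtgt is reported as not found. Failing closed is the right default here, so these are observability points, not a bypass. samba_kdc_trust_message2entry() starts before and continues after the hunk.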
--