[SCM] Samba Shared Repository - branch master updated

Karolin Seeger kseeger at samba.org
Sat Jan 13 16:13:02 UTC 2018


The branch, master has been updated
       via  4b17d36 WHATSNEW: document some more new options
       via  b4e1e30 winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
       via  9fb3637 winbindd: add more trust types to get_trust_type_string
       via  95e3307 libwbclient: add more trust types
       via  05558dd wbinfo: support for local, workstation and routed trust types
       via  ec85579 libwbclient: add trust routing and more trust-types
       via  f12a43f winbindd: fix trust_is_oubound()
       via  09021f9 winbindd: fix trust_is_inbound()
       via  a39cf19 winbindd: transitive trust logic in trust_is_transitive()
       via  939592c winbindd: use add_trusted_domain_from_auth
       via  f4d27f2 winbindd: add add_trusted_domain_from_auth
       via  b2ea360 winbindd: add set_routing_domain()
       via  2e644af winbindd: add find_default_route_domain()
       via  40c9115 winbindd: avoid automatic enumerating trusts on DCs
       via  29e6d55 winbindd: load the trusted domains on a DC already in init_domain_list()
       via  fa3b81b pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
       via  f8bcd37 pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
       via  a556437 pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain
       via  3091ea3 pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions
       via  6f9232e pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()
       via  f362387 s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
       via  8fde1c6 s3/torture/pdbtest: delete trusted domain at test end
       via  f1bd7c8 s3/torture/pdbtest: creating a trusted domain requires a valid SID
       via  4b0641b winbindd: use find_trust_from_name_noinit when we require a direct trust
       via  2385e71 winbindd: add find_trust_from_{name,sid}_noinit()
       via  b724e01 winbindd: remember the secure_channel_type in winbindd_domain
       via  5bf2979 winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
       via  8587445 winbindd: initialize some stack pointers to NULL
       via  126d6ce winbindd: rename alternative_name to dns_name
       via  5ffade7 winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()
       via  c7c06fd winbindd: enforce valid SID in add_trusted_domain_from_tdc()
      from  e43ee33 winbindd: set info6 data in append_info3_as_txt

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b17d365bc8df7860ee28b5b0e1f53a9acf2b69d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 11 12:46:24 2018 +0100

    WHATSNEW: document some more new options
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Karolin Seeger <kseeger at samba.org>
    
    Autobuild-User(master): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(master): Sat Jan 13 17:12:38 CET 2018 on sn-devel-144

commit b4e1e3019a1475cb8c1e3ab9314693d6ed130923
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 29 16:02:28 2017 +0100

    winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 9fb36370a57904770e1c9ca96279a1854481d3f3
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Dec 13 08:53:16 2017 +0100

    winbindd: add more trust types to get_trust_type_string
    
    Add support for the following trust types: "Local", "Workstation",
    "RWDC", "RODC" and "Routed (via ...)".
    
    Where we previously returned "None" this now returns "Routed (via ...)",
    otherwise (hopefully) no change in behaviour.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 95e3307917b5731ab883ee5fce530c5b559b4934
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Dec 13 16:01:50 2017 +0100

    libwbclient: add more trust types
    
    Prepare libwbclient for additional trust types and trust routing.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 05558ddd7e91643c9b8bca92271252e6f5494b69
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Dec 13 16:02:22 2017 +0100

    wbinfo: support for local, workstation and routed trust types
    
    Prepare wbinfo for additional trust types and trust routing.
    
    This also modifies the output line for a "None" trust type by skipping
    the transitivity and direction -- that just doesn't make sense without a
    trust.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit ec85579d87aafba3a78ddd326cf125909007c349
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 19 17:26:46 2017 +0100

    libwbclient: add trust routing and more trust-types
    
    This adds the struct member and the defines, the implementation comes
    later.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit f12a43f4876b4a6bf556ea760ffe8e21f2acacf8
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Nov 28 17:46:03 2017 +0100

    winbindd: fix trust_is_oubound()
    
    A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags = 0x0
    does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 09021f920faba4dc4d2b2e1c0d3d4432e1a759d5
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Nov 28 17:44:41 2017 +0100

    winbindd: fix trust_is_inbound()
    
    A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags = 0x0
    does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit a39cf19c2514d8f249951b77078683dd6a53504e
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Nov 28 17:32:59 2017 +0100

    winbindd: transitive trust logic in trust_is_transitive()
    
    trust_is_transitive() currently defaults to transitive=true, unless
    LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
    LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.
    
    This is not correct, for the trust to be transitive,
    LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
    be set.
    
    Logic taken from dsdb_trust_routing_by_name().
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
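The three commit messages above (09021f9, f12a43f and a39cf19) describe the rules winbindd now applies to decide whether a trust is inbound, outbound and transitive. The following C program is an added illustration for this page, not Samba's code: the flag values are the MS-NRPC DS_DOMAIN_* and MS-LSAD TrustAttributes bits defined locally under the Samba names so it builds without Samba headers, `struct tdo_flags`, `trust_routes_transitively()`, `count_transitive_routes()` and the sample trust entries are constructed for the example, and the transitivity rule (granted only by WITHIN_FOREST or FOREST_TRANSITIVE, then cleared by NON_TRANSITIVE, QUARANTINED_DOMAIN or TREAT_AS_EXTERNAL) is this editor's reading of the commit message, not a copy of winbindd's function.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values from MS-NRPC (DS_DOMAIN_TRUSTS Flags) and MS-LSAD (TrustAttributes),
 * defined here under the Samba names so the example compiles stand-alone. */
#define NETR_TRUST_FLAG_IN_FOREST   0x00000001
#define NETR_TRUST_FLAG_OUTBOUND    0x00000002
#define NETR_TRUST_FLAG_TREEROOT    0x00000004
#define NETR_TRUST_FLAG_PRIMARY     0x00000008
#define NETR_TRUST_FLAG_NATIVE      0x00000010
#define NETR_TRUST_FLAG_INBOUND     0x00000020

#define LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE     0x00000001
#define LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY       0x00000002
#define LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0x00000004
#define LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE  0x00000008
#define LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0x00000010
#define LSA_TRUST_ATTRIBUTE_WITHIN_FOREST      0x00000020
#define LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  0x00000040

/* Hypothetical minimal stand-in for the trust_flags/trust_attribs pair that
 * winbindd keeps per trusted domain (constructed for this example). */
struct tdo_flags {
	const char *name;       /* constructed sample name */
	uint32_t trust_flags;   /* NETR_TRUST_FLAG_* */
	uint32_t trust_attribs; /* LSA_TRUST_ATTRIBUTE_* */
};

/* Inbound only when the flag says so: flags == 0 or IN_FOREST alone do not imply it. */
bool trust_is_inbound(uint32_t trust_flags)
{
	return (trust_flags & NETR_TRUST_FLAG_INBOUND) != 0;
}

/* Outbound only when NETR_TRUST_FLAG_OUTBOUND is set, by the same reasoning. */
bool trust_is_outbound(uint32_t trust_flags)
{
	return (trust_flags & NETR_TRUST_FLAG_OUTBOUND) != 0;
}

/* Transitive only when WITHIN_FOREST or FOREST_TRANSITIVE grants it and none
 * of the restricting attributes takes it away again. Order matters. */
bool trust_is_transitive(uint32_t trust_attribs)
{
	bool transitive = false;

	if (trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)     transitive = true;
	if (trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) transitive = true;

	if (trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE)     transitive = false;
	if (trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) transitive = false;
	if (trust_attribs & LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)  transitive = false;

	return transitive;
}

/* A trust through which further domains could be reached: it must be a direct
 * outbound trust that is itself transitive. (Helper constructed for the example.) */
bool trust_routes_transitively(const struct tdo_flags *t)
{
	return trust_is_outbound(t->trust_flags) &&
	       trust_is_transitive(t->trust_attribs);
}

/* Constructed sample entries covering the cases the commit messages mention. */
static const struct tdo_flags sample_trusts[] = {
	{ "IN-FOREST-CHILD",
	  NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_OUTBOUND | NETR_TRUST_FLAG_INBOUND,
	  LSA_TRUST_ATTRIBUTE_WITHIN_FOREST },
	{ "FOREST-PARTNER",
	  NETR_TRUST_FLAG_OUTBOUND | NETR_TRUST_FLAG_INBOUND,
	  LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE },
	{ "EXTERNAL-ONLY-OUT", NETR_TRUST_FLAG_OUTBOUND, 0 },
	{ "QUARANTINED",
	  NETR_TRUST_FLAG_OUTBOUND | NETR_TRUST_FLAG_INBOUND,
	  LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE | LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN },
	{ "UNKNOWN-FLAGS", 0, 0 },
};

/* How many of the sample trusts would be treated as transitive outbound routes. */
int count_transitive_routes(void)
{
	int n = 0;
	size_t i;

	for (i = 0; i < sizeof(sample_trusts) / sizeof(sample_trusts[0]); i++) {
		if (trust_routes_transitively(&sample_trusts[i])) {
			n++;
		}
	}
	return n;
}

int main(void)
{
	size_t i;

	printf("%-18s %-7s %-8s %-10s\n", "domain", "inbound", "outbound", "transitive");
	for (i = 0; i < sizeof(sample_trusts) / sizeof(sample_trusts[0]); i++) {
		const struct tdo_flags *t = &sample_trusts[i];
		printf("%-18s %-7s %-8s %-10s\n", t->name,
		       trust_is_inbound(t->trust_flags) ? "yes" : "no",
		       trust_is_outbound(t->trust_flags) ? "yes" : "no",
		       trust_is_transitive(t->trust_attribs) ? "yes" : "no");
	}
	printf("transitive outbound routes: %d\n", count_transitive_routes());
	return 0;
}
```

The "UNKNOWN-FLAGS" entry is the case both fix commits are about: with trust_flags = 0 nothing is inbound or outbound, and with trust_attribs = 0 nothing is transitive, so an entry whose flags were never filled in cannot be mistaken for a usable trust.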

commit 939592c660263b6f9969c30e4c6a1903fcc75831
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Nov 29 10:55:25 2017 +0100

    winbindd: use add_trusted_domain_from_auth
    
    After a successful authentication, ensure we have the user's domain in our
    domain list and the TDC.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit f4d27f2bf9a32fec02da01351fa5af3867f4b1f7
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Nov 29 10:10:38 2017 +0100

    winbindd: add add_trusted_domain_from_auth
    
    Function to add a new trusted domain to the domain list and TDC after a
    successful authentication. On member servers only, not on DCs though.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit b2ea3606a7f7325b0e2f5fae46346f8fbf489177
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Dec 13 17:11:25 2017 +0100

    winbindd: add set_routing_domain()

commit 2e644af16428ff6421459020a54cf20c296bc4df
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Dec 13 17:08:10 2017 +0100

    winbindd: add find_default_route_domain()
    
    On a member server this is just our primary domain. The logic for DCs is
    not yet implemented, on a DC of a child domain in a forest this would
    be the parent domain.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 40c91150e36e5818d4a4f25429ed600762cfd49b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 29 16:02:28 2017 +0100

    winbindd: avoid automatic enumerating trusts on DCs
    
    We have a static list of trusts based on our configuration.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 29e6d55909be1f17ffc140481a90000c1475e92e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 29 15:55:12 2017 +0100

    winbindd: load the trusted domains on a DC already in init_domain_list()
    
    We should do that in the parent as early as possible.
    Similar to our primary domain, which is also a direct trust.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit fa3b81b21c99093c531181acaac375b99c0816c6
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 19 23:44:00 2017 +0100

    pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit f8bcd37058579ed435daebefd47efe374e9084d2
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Dec 11 07:57:27 2017 +0100

    pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit a55643701b7d1c8c51ef15484af9bf8bebce065d
Author: Ralph Boehme <slow at samba.org>
Date:   Sun Dec 10 20:03:37 2017 +0100

    pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 3091ea3b7a4f19f81b9a545ccc64f80e382e04ef
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 1 08:41:29 2017 +0100

    pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 6f9232e26c8b4d4595c339d95977c9b1ca94a601
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 1 07:59:59 2017 +0100

    pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit f362387352645c2252bd2412b0a25f7b085c8bc7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 1 08:33:51 2017 +0100

    s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 8fde1c641da4ba23342bf36226ab9291a79acbad
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Dec 11 07:56:40 2017 +0100

    s3/torture/pdbtest: delete trusted domain at test end
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit f1bd7c8bb48abc8fabb8374f549b888fbdd3036c
Author: Ralph Boehme <slow at samba.org>
Date:   Mon Dec 11 07:56:02 2017 +0100

    s3/torture/pdbtest: creating a trusted domain requires a valid SID
    
    Signed-off-by: Ralph Boehme <slow at samba.org>

commit 4b0641bf10f7561771cee2581e1d7fc4e183c826
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 30 13:04:56 2017 +0100

    winbindd: use find_trust_from_name_noinit when we require a direct trust
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2385e719ba4835ca254eedbdfeffdd875912ec27
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 29 15:23:36 2017 +0100

    winbindd: add find_trust_from_{name,sid}_noinit()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit b724e01ec767caebbfa3723d8346d640a511ded1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 29 15:10:38 2017 +0100

    winbindd: remember the secure_channel_type in winbindd_domain
    
    This way we have an indication of non direct trusts with
    SEC_CHAN_NULL.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 5bf2979bb6e22c6d3f7565c13329aa60fdce4e0f
Author: Ralph Boehme <slow at samba.org>
Date:   Sat Dec 16 11:34:23 2017 +0100

    winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
    
    This extends add_trusted_domain() to be the one true one-stop function
    to add a winbindd domain.
    
    add_trusted_domain_from_tdc() used a struct winbindd_tdc_domain to fill
    in the winbindd domain which made it hard to track which attributes
    would be required and which are optional.
    
    Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 85874458852697df8f7c45fb9e7f848367d07a07
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 10 12:14:57 2018 +0100

    winbindd: initialize some stack pointers to NULL
    
    This reduces the diff in the following commit.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 126d6ceecfc4371187eec3497a5bae09ec0d159a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 10 12:14:57 2018 +0100

    winbindd: rename alternative_name to dns_name
    
    This reduces the diff in the following commit.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 5ffade7b29292c671aca51bd82e25de8723d6852
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Dec 15 21:13:52 2017 +0100

    winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()
    
    Unique key for domains is the NetBIOS name, period. If the caller
    passes a domain name that matches a different domain's DNS name or vice
    versa, that is an error. The same applies to SIDs.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c7c06fd23813a61fdb10745e3ee2838206319bdd
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Dec 15 21:09:15 2017 +0100

    winbindd: enforce valid SID in add_trusted_domain_from_tdc()
    
    It's the caller's responsibility to ensure we get a valid SID. Adding
    half-baked domains with only partially valid data is a recipe for
    disaster.
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  21 +-
 .../winbind/winbindscantrusteddomains.xml          |  29 +
 lib/param/loadparm.c                               |   1 +
 nsswitch/libwbclient/wbc_util.c                    |  16 +-
 nsswitch/libwbclient/wbclient.h                    |   7 +
 nsswitch/wbinfo.c                                  |  21 +-
 source3/param/loadparm.c                           |   1 +
 source3/passdb/pdb_samba_dsdb.c                    | 877 ++++++++++++++++++++-
 source3/torture/pdbtest.c                          |  13 +
 source3/winbindd/winbindd.c                        |  15 +-
 source3/winbindd/winbindd.h                        |   2 +
 source3/winbindd/winbindd_irpc.c                   |   2 +-
 source3/winbindd/winbindd_misc.c                   | 211 ++++-
 source3/winbindd/winbindd_pam_auth.c               |  15 +
 source3/winbindd/winbindd_pam_auth_crap.c          |  24 +-
 source3/winbindd/winbindd_ping_dc.c                |   2 +-
 source3/winbindd/winbindd_proto.h                  |   8 +
 source3/winbindd/winbindd_util.c                   | 711 +++++++++++++----
 source4/dsdb/common/util_trusts.c                  |  65 ++
 19 files changed, 1853 insertions(+), 188 deletions(-)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 94278b3..f1e43f4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -95,15 +95,18 @@ smb.conf changes
   client schannel                    Default changed/        yes
                                      Deprecated
   gpo update command                 New
+  ldap ssl ads                       Deprecated
   map untrusted to domain            Removed
   oplock contention limit            Removed
-  prefork children		     New		     1
+  prefork children                   New                     1
   mdns name                          Added                   netbios
   fruit:time machine                 Added                   false
   profile acls                       Removed
   use spnego                         Removed
   server schannel                    Default changed/        yes
                                      Deprecated
+  unicode                            Deprecated
+  winbind scan trusted domains       New                     yes
   winbind trusted domains only       Removed
 
 
@@ -150,6 +153,22 @@ reversed to match the parameter ordering of the UNIX extensions
 'symlink' command. The usage message for this command has also
 been improved to remove confusion.
 
+Winbind changes
+---------------
+
+The dependency to global list of trusted domains within
+the winbindd processes has been reduced a lot.
+
+The construction of that global list is not reliable and often
+incomplete in complex trust setups. In most situations the list is not needed
+any more for winbindd to operate correctly. E.g. for plain file serving via SMB
+using a simple idmap setup with autorid, tdb or ad. However some more complex
+setups require the list, e.g. if you specify idmap backends for specific
+domains. Some pam_winbind setups may also require the global list.
+
+If you have a setup that doesn't require the global list, you should set
+"winbind scan trusted domains = no".
+
 REMOVED FEATURES
 ================
 
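Review bot: Grammar in the new "Winbind changes" section: "The dependency to global list of trusted domains" should read "The dependency on the global list of trusted domains", and "E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad." is a fragment that belongs to the preceding sentence ("... to operate correctly, e.g. for plain file serving ..."). It would also help to say here that the default stays "yes" (as the smb.conf table above records), so readers know that behaviour only changes for administrators who opt in with "winbind scan trusted domains = no".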
diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 0000000..31afdc9
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This option only takes effect when the <smbconfoption name="security"/> option is set to
+    <constant>domain</constant> or <constant>ads</constant>.
+    If it is set to yes (the default), winbindd periodically tries to scan for new
+    trusted domains and adds them to a global list inside of winbindd.
+    The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+    This matches the behaviour of Samba 4.7 and older.</para>
+
+    <para>The construction of that global list is not reliable and often
+    incomplete in complex trust setups. In most situations the list is
+    not needed any more for winbindd to operate correctly.
+    E.g. for plain file serving via SMB using a simple idmap setup
+    with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+    However some more complex setups require the list, e.g.
+    if you specify idmap backends for specific domains.
+    Some pam_winbind setups may also require the global list.</para>
+
+    <para>If you have a setup that doesn't require the global list, you should set
+    <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+    </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
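Review bot: The same fragment as in WHATSNEW.txt appears here: "E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad." should be joined to the previous sentence. Since the first paragraph already points at `wbinfo --trusted-domains --verbose` as the way to see the global list, consider recommending that administrators compare that output before and after setting the option to no on a test member server, so they can tell whether their idmap or pam_winbind setup still depends on the list before rolling the change out.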
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a18407d..f265459 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
 	lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+	lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
 	lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
 	lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
 	lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
diff --git a/nsswitch/libwbclient/wbc_util.c b/nsswitch/libwbclient/wbc_util.c
index 3dab0a2..ecfcaa0 100644
--- a/nsswitch/libwbclient/wbc_util.c
+++ b/nsswitch/libwbclient/wbc_util.c
@@ -455,8 +455,22 @@ static wbcErr process_domain_info_string(struct wbcDomainInfo *info,
 	*s = '\0';
 	s++;
 
-	if (strcmp(r, "None") == 0) {
+	if (strcmp(r, "Local") == 0) {
 		info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE;
+	} else if (strncmp(r, "Routed", strlen("Routed")) == 0) {
+		info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE;
+		info->trust_routing = strdup(r);
+		BAIL_ON_PTR_ERROR(info->trust_routing, wbc_status);
+	} else if (strcmp(r, "Local") == 0) {
+		info->trust_type = WBC_DOMINFO_TRUSTTYPE_LOCAL;
+	} else if (strcmp(r, "Workstation") == 0) {
+		info->trust_type = WBC_DOMINFO_TRUSTTYPE_WKSTA;
+	} else if (strcmp(r, "RWDC") == 0) {
+		info->trust_type = WBC_DOMINFO_TRUSTTYPE_RWDC;
+	} else if (strcmp(r, "RODC") == 0) {
+		info->trust_type = WBC_DOMINFO_TRUSTTYPE_RODC;
+	} else if (strcmp(r, "PDC") == 0) {
+		info->trust_type = WBC_DOMINFO_TRUSTTYPE_PDC;
 	} else if (strcmp(r, "External") == 0) {
 		info->trust_type = WBC_DOMINFO_TRUSTTYPE_EXTERNAL;
 	} else if (strcmp(r, "Forest") == 0) {
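Review bot: The first branch of the new chain is wrong: the `-` line compared against "None" but the replacement `if (strcmp(r, "Local") == 0) {` maps the "Local" string to WBC_DOMINFO_TRUSTTYPE_NONE, which makes the later `} else if (strcmp(r, "Local") == 0) {` branch (WBC_DOMINFO_TRUSTTYPE_LOCAL) unreachable, and it drops parsing of the "None" string that an older winbindd still sends. The first comparison should stay `strcmp(r, "None") == 0`. Also, `info->trust_routing = strdup(r);` introduces a heap allocation in a caller-visible struct, so the wbcDomainInfo destructor has to free it, and the `strncmp(r, "Routed", strlen("Routed"))` prefix match accepts anything starting with "Routed"; matching the full "Routed (via " prefix would be tighter.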
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index ed97a67..81a6a6a 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -187,6 +187,7 @@ struct wbcDomainInfo {
 	uint32_t domain_flags;
 	uint32_t trust_flags;
 	uint32_t trust_type;
+	char *trust_routing;
 };
 
 /* wbcDomainInfo->domain_flags */
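Review bot: Adding `char *trust_routing;` to `struct wbcDomainInfo` grows a public struct that callers allocate and index as arrays, so this is an ABI change for libwbclient and needs the library version/ABI file updated in the same series. The field is filled with strdup() in wbc_util.c, so the destructor for wbcDomainInfo must free it, otherwise every wbcListTrusts() call leaks one string per routed domain.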
@@ -209,6 +210,12 @@ struct wbcDomainInfo {
 #define WBC_DOMINFO_TRUSTTYPE_FOREST     0x00000001
 #define WBC_DOMINFO_TRUSTTYPE_IN_FOREST  0x00000002
 #define WBC_DOMINFO_TRUSTTYPE_EXTERNAL   0x00000003
+#define WBC_DOMINFO_TRUSTTYPE_LOCAL      0x00000004
+#define WBC_DOMINFO_TRUSTTYPE_WKSTA      0x00000005
+#define WBC_DOMINFO_TRUSTTYPE_RWDC       0x00000006
+#define WBC_DOMINFO_TRUSTTYPE_RODC       0x00000007
+#define WBC_DOMINFO_TRUSTTYPE_PDC        0x00000008
+
 
 /**
  * @brief Generic Blob
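Review bot: Style: the added blank `+` line after `WBC_DOMINFO_TRUSTTYPE_PDC`, together with the existing blank context line, leaves two consecutive empty lines before the `@brief Generic Blob` comment; drop one. The new values 0x4..0x8 continue the existing sequence consistently, but LOCAL, WKSTA, RWDC, RODC and PDC describe what the entry itself is rather than a trust relationship; a one-line comment saying so would stop callers from treating them like FOREST/EXTERNAL.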
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 9cd299a..54d5758 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -536,7 +536,26 @@ static bool wbinfo_list_domains(bool list_all_domains, bool verbose)
 
 		switch(domain_list[i].trust_type) {
 		case WBC_DOMINFO_TRUSTTYPE_NONE:
-			d_printf("None        ");
+			if (domain_list[i].trust_routing != NULL) {
+				d_printf("%s\n", domain_list[i].trust_routing);
+			} else {
+				d_printf("None\n");
+			}
+			continue;
+		case WBC_DOMINFO_TRUSTTYPE_LOCAL:
+			d_printf("Local\n");
+			continue;
+		case WBC_DOMINFO_TRUSTTYPE_RWDC:
+			d_printf("RWDC\n");
+			continue;
+		case WBC_DOMINFO_TRUSTTYPE_RODC:
+			d_printf("RODC\n");
+			continue;
+		case WBC_DOMINFO_TRUSTTYPE_PDC:
+			d_printf("PDC\n");
+			continue;
+		case WBC_DOMINFO_TRUSTTYPE_WKSTA:
+			d_printf("Workstation ");
 			break;
 		case WBC_DOMINFO_TRUSTTYPE_FOREST:
 			d_printf("Forest      ");
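Review bot: The new `continue` statements inside the `switch` skip the remainder of the loop body for the NONE/routed, LOCAL, RWDC, RODC and PDC cases (the transitivity and direction columns, as the commit message says). That is only safe if the enclosing loop is a `for` whose `i++` sits in the header; if it is a `while` loop that increments `i` in the body these `continue`s would never advance. Not visible in this hunk, please confirm. The `"Workstation "` literal is 12 characters like `"None        "`, so the column layout still lines up for that case.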
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 582c875..f1f453e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -822,6 +822,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
 	Globals.winbind_refresh_tickets = false;
 	Globals.winbind_offline_logon = false;
+	Globals.winbind_scan_trusted_domains = true;
 
 	Globals.idmap_cache_time = 86400 * 7; /* a week by default */
 	Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 58168d8..16a7a85 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -40,6 +40,8 @@
 #include "source4/auth/auth_sam.h"
 #include "auth/credentials/credentials.h"
 #include "lib/util/base64.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "lib/util/util_ldb.h"
 
 struct pdb_samba_dsdb_state {
 	struct tevent_context *ev;
@@ -2132,7 +2134,7 @@ static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid
 
 static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods *m)
 {
-	return PDB_CAP_STORE_RIDS | PDB_CAP_ADS;
+	return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX;
 }
 
 static bool pdb_samba_dsdb_new_rid(struct pdb_methods *m, uint32_t *rid)
@@ -2878,11 +2880,871 @@ static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods *m,
 
 static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m,
 					 TALLOC_CTX *mem_ctx,
-					 uint32_t *num_domains,
-					 struct trustdom_info ***domains)
+					 uint32_t *_num_domains,
+					 struct trustdom_info ***_domains)
 {
-	*num_domains = 0;
-	*domains = NULL;
+	struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+		m->private_data, struct pdb_samba_dsdb_state);
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+	const char * const attrs[] = {
+		"securityIdentifier",
+		"flatName",
+		"trustDirection",
+		NULL
+	};
+	struct ldb_result *res = NULL;
+	unsigned int i;
+	struct trustdom_info **domains = NULL;
+	NTSTATUS status;
+	uint32_t di = 0;
+
+	*_num_domains = 0;
+	*_domains = NULL;
+
+	status = dsdb_trust_search_tdos(state->ldb, NULL,
+					attrs, tmp_ctx, &res);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status));
+		TALLOC_FREE(tmp_ctx);
+		return status;
+	}
+
+	if (res->count == 0) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_OK;
+	}
+
+	domains = talloc_zero_array(tmp_ctx, struct trustdom_info *,
+				    res->count);
+	if (domains == NULL) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	for (i = 0; i < res->count; i++) {
+		struct ldb_message *msg = res->msgs[i];
+		struct trustdom_info *d = NULL;
+		const char *name = NULL;
+		struct dom_sid *sid = NULL;
+		uint32_t direction;
+
+		d = talloc_zero(domains, struct trustdom_info);
+		if (d == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		name = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+		if (name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		sid = samdb_result_dom_sid(msg, msg, "securityIdentifier");
+		if (sid == NULL) {
+			continue;
+		}
+
+		direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
+		if (!(direction & LSA_TRUST_DIRECTION_OUTBOUND)) {
+			continue;
+		}
+
+		d->name = talloc_strdup(d, name);
+		if (d->name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		d->sid = *sid;
+
+		domains[di++] = d;
+	}
+
+	talloc_realloc(domains, domains, struct trustdom_info *, di);
+	*_domains = talloc_move(mem_ctx, &domains);
+	*_num_domains = di;
+	TALLOC_FREE(tmp_ctx);
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_msg_to_trusted_domain(const struct ldb_message *msg,
+						TALLOC_CTX *mem_ctx,
+						struct pdb_trusted_domain **_d)
+{
+	struct pdb_trusted_domain *d = NULL;
+	const char *str = NULL;
+	struct dom_sid *sid = NULL;
+	const struct ldb_val *val = NULL;
+	uint64_t val64;
+
+	*_d = NULL;
+
+	d = talloc_zero(mem_ctx, struct pdb_trusted_domain);
+	if (d == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	str = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+	if (str == NULL) {
+		TALLOC_FREE(d);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	d->netbios_name = talloc_strdup(d, str);
+	if (d->netbios_name == NULL) {
+		TALLOC_FREE(d);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	str = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+	if (str != NULL) {
+		d->domain_name = talloc_strdup(d, str);
+		if (d->domain_name == NULL) {
+			TALLOC_FREE(d);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	sid = samdb_result_dom_sid(d, msg, "securityIdentifier");
+	if (sid != NULL) {
+		d->security_identifier = *sid;
+		TALLOC_FREE(sid);
+	}
+
+	val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+	if (val != NULL) {
+		d->trust_auth_outgoing = data_blob_dup_talloc(d, *val);
+		if (d->trust_auth_outgoing.data == NULL) {
+			TALLOC_FREE(d);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
+	if (val != NULL) {
+		d->trust_auth_incoming = data_blob_dup_talloc(d, *val);
+		if (d->trust_auth_incoming.data == NULL) {
+			TALLOC_FREE(d);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	d->trust_direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0);
+	d->trust_type = ldb_msg_find_attr_as_uint(msg, "trustType", 0);
+	d->trust_attributes = ldb_msg_find_attr_as_uint(msg, "trustAttributes", 0);
+
+	val64 = ldb_msg_find_attr_as_uint64(msg, "trustPosixOffset", UINT64_MAX);
+	if (val64 != UINT64_MAX) {
+		d->trust_posix_offset = talloc(d, uint32_t);
+		if (d->trust_posix_offset == NULL) {
+			TALLOC_FREE(d);
+			return NT_STATUS_NO_MEMORY;
+		}
+		*d->trust_posix_offset = (uint32_t)val64;
+	}
+
+	val64 = ldb_msg_find_attr_as_uint64(msg, "msDS-SupportedEncryptionTypes", UINT64_MAX);
+	if (val64 != UINT64_MAX) {
+		d->supported_enc_type = talloc(d, uint32_t);
+		if (d->supported_enc_type == NULL) {
+			TALLOC_FREE(d);
+			return NT_STATUS_NO_MEMORY;
+		}
+		*d->supported_enc_type = (uint32_t)val64;
+	}
+
+	val = ldb_msg_find_ldb_val(msg, "msDS-TrustForestTrustInfo");
+	if (val != NULL) {
+		d->trust_forest_trust_info = data_blob_dup_talloc(d, *val);
+		if (d->trust_forest_trust_info.data == NULL) {
+			TALLOC_FREE(d);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	*_d = d;
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_get_trusted_domain(struct pdb_methods *m,
+						  TALLOC_CTX *mem_ctx,
+						  const char *domain,
+						  struct pdb_trusted_domain **td)
+{
+	struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+		m->private_data, struct pdb_samba_dsdb_state);
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+	const char * const attrs[] = {
+		"securityIdentifier",
+		"flatName",
+		"trustPartner",
+		"trustAuthOutgoing",
+		"trustAuthIncoming",
+		"trustAttributes",
+		"trustDirection",
+		"trustType",
+		"trustPosixOffset",
+		"msDS-SupportedEncryptionTypes",
+		"msDS-TrustForestTrustInfo",
+		NULL
+	};
+	struct ldb_message *msg = NULL;
+	struct pdb_trusted_domain *d = NULL;
+	NTSTATUS status;
+
+	status = dsdb_trust_search_tdo(state->ldb, domain, NULL,
+				       attrs, tmp_ctx, &msg);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("dsdb_trust_search_tdo(%s) - %s ",
+			domain, nt_errstr(status));
+		TALLOC_FREE(tmp_ctx);
+		return status;
+	}
+
+	status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
+			domain, nt_errstr(status));
+		TALLOC_FREE(tmp_ctx);
+		return status;
+	}
+
+	*td = d;
+	TALLOC_FREE(tmp_ctx);
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid(struct pdb_methods *m,
+							 TALLOC_CTX *mem_ctx,
+							 struct dom_sid *sid,
+							 struct pdb_trusted_domain **td)
+{
+	struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+		m->private_data, struct pdb_samba_dsdb_state);
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+	const char * const attrs[] = {
+		"securityIdentifier",
+		"flatName",
+		"trustPartner",
+		"trustAuthOutgoing",
+		"trustAuthIncoming",
+		"trustAttributes",
+		"trustDirection",
+		"trustType",
+		"trustPosixOffset",
+		"msDS-SupportedEncryptionTypes",
+		"msDS-TrustForestTrustInfo",
+		NULL
+	};
+	struct ldb_message *msg = NULL;
+	struct pdb_trusted_domain *d = NULL;
+	NTSTATUS status;
+
+	status = dsdb_trust_search_tdo_by_sid(state->ldb, sid,
+					      attrs, tmp_ctx, &msg);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("dsdb_trust_search_tdo_by_sid(%s) - %s ",
+			dom_sid_string(tmp_ctx, sid), nt_errstr(status));
+		TALLOC_FREE(tmp_ctx);
+		return status;
+	}
+
+	status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ",
+			dom_sid_string(tmp_ctx, sid), nt_errstr(status));
+		TALLOC_FREE(tmp_ctx);
+		return status;
+	}
+
+	*td = d;
+	TALLOC_FREE(tmp_ctx);
+	return NT_STATUS_OK;
+}
+
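Review bot: In pdb_samba_dsdb_enum_trusteddoms() the result of `talloc_realloc(domains, domains, struct trustdom_info *, di);` is discarded, and `di` can be 0 when every TDO is skipped by the `sid == NULL` or `!(direction & LSA_TRUST_DIRECTION_OUTBOUND)` `continue`s. talloc_realloc() to a zero size frees the pointer and returns NULL, so the following `*_domains = talloc_move(mem_ctx, &domains);` then operates on freed memory. Assign the return value (`domains = talloc_realloc(...)`) and return NT_STATUS_OK with an empty list when `di == 0`, as is already done for `res->count == 0`. Minor: `d = talloc_zero(domains, ...)` happens before the skip checks, so each skipped entry leaves an unused allocation hanging off `domains`; allocating after the checks avoids that, and a DBG_DEBUG() on the `sid == NULL` skip would make a TDO without securityIdentifier diagnosable. The DBG_ERR() format strings end in "- %s " with a trailing space and no newline.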


-- 
Samba Shared Repository
