[SCM] Samba Shared Repository - branch master updated
Alexander Bokovoy
ab at samba.org
Wed Nov 11 11:00:03 UTC 2020
The branch, master has been updated
via 31c703766fd lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
from f214a3ba5a3 selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 31c703766fd2b89737826fb7e9a707f0622bb8cd
Author: Alexander Bokovoy <ab at samba.org>
Date: Tue Nov 10 17:35:24 2020 +0200
lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
-----------------------------------------------------------------------
Summary of changes:
source3/passdb/lookup_sid.c | 37 ++++++++++++++++++++++++++++---------
1 file changed, 28 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index ff8a16619a8..cf80a300189 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -113,17 +113,36 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
- if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
- strequal(domain, get_global_sam_name()))
- {
+ if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
+ bool check_global_sam = false;
+
+ check_global_sam = strequal(domain, get_global_sam_name());
+
+ /* If we are running on a DC that has PASSDB module with domain
+ * information, check if DNS forest name is matching the domain
+ * name. This is the case of FreeIPA domain controller when
+ * trusted AD DC looks up users found in a Global Catalog of
+ * the forest root domain. */
+ if (!check_global_sam && (IS_DC)) {
+ struct pdb_domain_info *dom_info = NULL;
+ dom_info = pdb_get_domain_info(tmp_ctx);
+
+ if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
+ check_global_sam = strequal(domain, dom_info->dns_forest);
+ }
- /* It's our own domain, lookup the name in passdb */
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
- sid_compose(&sid, get_global_sam_sid(), rid);
- goto ok;
+ TALLOC_FREE(dom_info);
+ }
+
+ if (check_global_sam) {
+ /* It's our own domain, lookup the name in passdb */
+ if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ sid_compose(&sid, get_global_sam_sid(), rid);
+ goto ok;
+ }
+ TALLOC_FREE(tmp_ctx);
+ return false;
}
- TALLOC_FREE(tmp_ctx);
- return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
--
Samba Shared Repository
More information about the samba-cvs
mailing list