[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Sat Jan 20 14:24:02 UTC 2024
The branch, master has been updated
via 201edcb5c61 winbindd: fix listing trusted domains with NT trusts
via 000bbede59e selftest: test listing trusted domains that includes an NT4 domain
via 53ca19851db s4/rpc_server: return NULL dns_name for NT4 trusts
via 3a95e135472 selftest: add a test for NT4 trusts
via 645a725603c selftest: create trust between fl2008r2dc and nt4_dc
via 9725aa932e2 selftest: rename a variable in setup_fl2008r2dc()
via 5420af69423 selftest: do early exit in setup_fl2008r2dc() if provision_fl2008r2dc() fails
via d0cdc81aa99 selftest: fix domain name of nt4_dc_smb1 environment
via 9d933abd9e5 winbindd: call add_trusted_domains_dc() in smbcontrol reload-config handler
via 60ac5b03ef1 winbindd: make add_trusted_domains_dc() public
via 95bb2acbf06 winbindd: also apply schannel logic as an NT4 DC
via 9b2920fd367 net: create creds for other domain
via 449a968d3d1 net: support NT4 trusts in "net rpc trust create"
via 15c07723765 net: fix credentials in trustdom establish
via 340753a2554 net: remove a newline
from c82a267b2a1 s3:passdb: smbpasswd reset permissions only if not 0600
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 201edcb5c6138488959e54e7df88007d010f1cfb
Author: Ralph Boehme <slow at samba.org>
Date: Sat Jan 13 11:40:55 2024 +0100
winbindd: fix listing trusted domains with NT trusts
Commit e07f8901ec95aab8c36965000de185d99e642644 broke handling of NT4 domains
which lack a DNS domain name. As the dns_name is NULL, talloc_steal(dns_name)
returns NULL, which causes _wbint_ListTrustedDomains to return
NT_STATUS_NO_MEMORY.
To make things worse, at that point the new struct netr_DomainTrust is not yet
initialized correctly and the "out->count = n + 1" already increased the array
counter at the start of the loop without initializing it.
Later when NDR-pushing the result in dcesrv_call_dispatch_local(), the ndr_push() can
crash when accessing the uninitialized values:
2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD)
2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames:
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #11 bin/shared/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x49b) [0x7f1397be6219]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #12 winbindd: domain child [ADDOMAIN](winbindd_dual_ndrcmd+0x375) [0x55741e67a204]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #13 winbindd: domain child [ADDOMAIN](+0x9cf0d) [0x55741e674f0d]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #14 winbindd: domain child [ADDOMAIN](+0x9f792) [0x55741e677792]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #15 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_fd_handler+0x121) [0x7f139802f816]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #16 bin/shared/private/libtevent-samba4.so(+0x19cef) [0x7f139803bcef]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #17 bin/shared/private/libtevent-samba4.so(+0x1a3dc) [0x7f139803c3dc]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #18 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #19 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #20 winbindd: domain child [ADDOMAIN](+0xa03ca) [0x55741e6783ca]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #21 winbindd: domain child [ADDOMAIN](+0x9ba9c) [0x55741e673a9c]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #22 bin/shared/private/libtevent-samba4.so(_tevent_req_notify_callback+0xba) [0x7f139803194a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #23 bin/shared/private/libtevent-samba4.so(+0xfadb) [0x7f1398031adb]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #24 bin/shared/private/libtevent-samba4.so(_tevent_req_done+0x25) [0x7f1398031b07]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #25 bin/shared/private/libtevent-samba4.so(+0xf125) [0x7f1398031125]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #26 bin/shared/private/libtevent-samba4.so(+0xe9cf) [0x7f13980309cf]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #27 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_immediate_handler+0x207) [0x7f1398030343]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #28 bin/shared/private/libtevent-samba4.so(tevent_common_loop_immediate+0x37) [0x7f13980304b5]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #29 bin/shared/private/libtevent-samba4.so(+0x1a332) [0x7f139803c332]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #30 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #31 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #32 winbindd: domain child [ADDOMAIN](main+0x1689) [0x55741e6b210a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #33 /lib64/libc.so.6(+0x27b8a) [0x7f1396864b8a]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #34 /lib64/libc.so.6(__libc_start_main+0x8b) [0x7f1396864c4b]
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #35 winbindd: domain child [ADDOMAIN](_start+0x25) [0x55741e63a045]
2023-12-08T14:07:42.760685+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: smb_panic(): calling panic action [cd /data/git/samba/scratch3 && /data/git/samba/scratch3/selftest/gdb_backtrace 157227 ./bin/winbindd]
Deferring assignment of r->out.domains->array and r->out.domains->count to the
end of the function ensures we don't return inconsistent state in case of an
error.
Also, r->out.domains is already set by the NDR layer, no need to create and
assign a struct netr_DomainTrustList object.
Using talloc_move() ensures we don't leave dangling pointers. Better to crash
reliably on accessing NULL, than accessing some unknown memory via a wild
pointer. As talloc_move() can't fail, there's no need to check the return value.
And using a struct initializer ensures all members are properly initialized.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224
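The build-then-publish pattern the commit message above describes, as an added example in plain C that is not Samba code. Assumptions: realloc() stands in for talloc_realloc(), move_str() for talloc_move(), and struct trust, grow(), alloc_budget, run_demo() and the two SID strings are constructed for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins for netr_DomainTrust and netr_DomainTrustList. */
struct trust {
	const char *netbios_name;
	const char *dns_name; /* NULL for an NT4 (downlevel) trust */
	const char *sid;      /* NULL: entry is skipped */
};

struct trust_list {
	uint32_t count;
	struct trust *array;
};

/* Failure injection: allocations allowed before grow() fails, -1 = no limit. */
static int alloc_budget = -1;

static void *grow(void *p, size_t n)
{
	if (alloc_budget == 0) {
		return NULL;
	}
	if (alloc_budget > 0) {
		alloc_budget--;
	}
	return realloc(p, n);
}

/*
 * Plain-C analogue of talloc_move(): hand the pointer over and NULL the
 * source. Moving NULL yields NULL, which is data here, not "out of memory".
 */
static const char *move_str(const char **src)
{
	const char *p = *src;
	*src = NULL;
	return p;
}

/*
 * Copy every entry that has a SID from src to out. out is written only after
 * the whole list is built, so an error never exposes a count larger than the
 * number of initialized elements.
 */
int list_trusts(struct trust_list *src, struct trust_list *out)
{
	struct trust *array = NULL;
	uint32_t count = 0;
	uint32_t i;

	for (i = 0; i < src->count; i++) {
		struct trust *st = &src->array[i];
		struct trust *tmp = NULL;

		if (st->sid == NULL) {
			continue;
		}
		tmp = grow(array, (count + 1) * sizeof(*array));
		if (tmp == NULL) {
			free(array); /* strings are literals in this demo */
			return -1;
		}
		array = tmp;
		/* The initializer sets every member of the new element. */
		array[count] = (struct trust) {
			.netbios_name = move_str(&st->netbios_name),
			.dns_name = move_str(&st->dns_name),
			.sid = st->sid,
		};
		count++;
	}
	out->array = array;
	out->count = count;
	return 0;
}

/* Constructed input: an AD trust, an NT4 trust and an entry without a SID. */
int run_demo(int budget, struct trust_list *out)
{
	struct trust entries[3] = {
		{ "ADDOMAIN", "addom.samba.example.com", "S-1-5-21-1" },
		{ "NT4TRUST", NULL, "S-1-5-21-2" },
		{ "NOSID", NULL, NULL },
	};
	struct trust_list src = { 3, entries };
	int ret;

	alloc_budget = budget;
	ret = list_trusts(&src, out);
	alloc_budget = -1;
	return ret;
}

int main(void)
{
	struct trust_list out = { 0, NULL };
	int ret = run_demo(-1, &out);
	free(out.array);
	return ret == 0 ? 0 : 1;
}
```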
commit 000bbede59e4ca78427fa57b56fa251d4d779adb
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 17:42:33 2024 +0100
selftest: test listing trusted domains that includes an NT4 domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 53ca19851dbfc3cab7345424c029a7c90745e24a
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 19:12:34 2024 +0100
s4/rpc_server: return NULL dns_name for NT4 trusts
That's what Windows returns for an NT4 trust:
array: struct netr_DomainTrust
netbios_name : *
netbios_name : 'NT4TRUST'
dns_name : NULL
trust_flags : 0x00000020 (32)
0: NETR_TRUST_FLAG_IN_FOREST
0: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
0: NETR_TRUST_FLAG_PRIMARY
0: NETR_TRUST_FLAG_NATIVE
1: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
parent_index : 0x00000000 (0)
trust_type : LSA_TRUST_TYPE_DOWNLEVEL (1)
trust_attributes : 0x00000000 (0)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
sid : *
sid : S-1-5-21-4267984555-3675415144-1682400025
guid : 00000000-0000-0000-0000-000000000000
Even though when creating the trust the DNS name must not be NULL and the
trustPartner and name attributes are set to the flatName in the trustedDomain
object:
dn: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
objectClass: top
objectClass: leaf
objectClass: trustedDomain
cn: NT4TRUST
distinguishedName: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
instanceType: 4
whenCreated: 20240118175040.0Z
whenChanged: 20240118175040.0Z
uSNCreated: 4939915
uSNChanged: 4939916
showInAdvancedViewOnly: TRUE
name: NT4TRUST
objectGUID: c2273b74-19ff-4f5a-b528-9e5ae21960dd
securityIdentifier: S-1-5-21-4267984555-3675415144-1682400025
trustDirection: 1
trustPartner: NT4TRUST
trustPosixOffset: 0
trustType: 1
trustAttributes: 0
flatName: NT4TRUST
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=wdom2,DC=site
isCriticalSystemObject: TRUE
dSCorePropagationData: 16010101000000.0Z
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3a95e135472a495a90637e5dc0f9e3c8de052ff9
Author: Ralph Boehme <slow at samba.org>
Date: Wed Jan 10 14:50:05 2024 +0100
selftest: add a test for NT4 trusts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 645a725603ca03f27c1347b1e2ed9fea94a6319d
Author: Ralph Boehme <slow at samba.org>
Date: Sat Jan 13 08:48:54 2024 +0100
selftest: create trust between fl2008r2dc and nt4_dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9725aa932e24622566baf208586d1fe03885da9f
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 16:04:34 2024 +0100
selftest: rename a variable in setup_fl2008r2dc()
Prepares for adding another variable with a similar name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5420af6942307e045be1317edc323ee3ff9f379b
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 11 12:02:43 2024 +0100
selftest: do early exit in setup_fl2008r2dc() if provision_fl2008r2dc() fails
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d0cdc81aa99031b0c067c7f8cf2ec0dc99d57da5
Author: Ralph Boehme <slow at samba.org>
Date: Wed Jan 10 18:13:46 2024 +0100
selftest: fix domain name of nt4_dc_smb1 environment
It had the same workgroup as the nt4_dc environment:
$ grep workgroup st/nt4_dc/lib/server.conf st/nt4_dc_smb1/lib/server.conf
st/nt4_dc/lib/server.conf: workgroup = SAMBA-TEST
st/nt4_dc_smb1/lib/server.conf: workgroup = SAMBA-TEST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9d933abd9e578de74bd4c5a8bcfcf6924262a8e2
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 15:38:45 2024 +0100
winbindd: call add_trusted_domains_dc() in smbcontrol reload-config handler
This allows reloading trust info on an NT4 DC without restarting winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 60ac5b03ef15de73744e0f86507849fb4b55d96f
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 15:38:10 2024 +0100
winbindd: make add_trusted_domains_dc() public
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 95bb2acbf066049f92c16836a2cdaea3aae829cc
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jan 16 15:36:01 2024 +0100
winbindd: also apply schannel logic as an NT4 DC
This applies the same logic we already added in
06601b3a9293db35feda1b033fa864dc1a764164 for AD DCs wrt IPC authentication
when running as an NT4 DC in cm_prepare_connection(). Similarly adjust the
check in cm_connect_lsa() added in 3e17a3b7cd4083299037ba9377931bea792b2d18 and
in cm_connect_netlogon_transport() added by
532a14dc684e7a6d8c584d5671a4ebbad00aa4fc for cm_connect_netlogon_transport().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9b2920fd367d26cfbf6f6f442a5c01fae4734abd
Author: Ralph Boehme <slow at samba.org>
Date: Sun Jan 14 08:34:17 2024 +0100
net: create creds for other domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 449a968d3d18633e05db7d00ab76c7a52b04a54c
Author: Ralph Boehme <slow at samba.org>
Date: Sat Jan 13 08:51:48 2024 +0100
net: support NT4 trusts in "net rpc trust create"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 15c07723765c6863a0ada9dfbaaa204604500907
Author: Ralph Boehme <slow at samba.org>
Date: Wed Jan 10 15:06:14 2024 +0100
net: fix credentials in trustdom establish
This was broken by ea071d278a614f17b5417d3ff98e1b8d1fd8970d. I guess the whole
opt_user_specified dance should be ripped out, but that's a fix for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 340753a2554ce9a842a6c90d684fb0510def81a1
Author: Ralph Boehme <slow at samba.org>
Date: Wed Jan 10 15:03:49 2024 +0100
net: remove a newline
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/target/Samba.pm | 7 +++
selftest/target/Samba3.pm | 10 ++--
selftest/target/Samba4.pm | 75 ++++++++++++++++++++++-----
source3/script/tests/test_list_nt4_trust.sh | 25 +++++++++
source3/script/tests/test_nt4_trust.sh | 31 +++++++++++
source3/selftest/tests.py | 8 +++
source3/utils/net_rpc.c | 10 ++--
source3/utils/net_rpc_trust.c | 32 ++++++++----
source3/winbindd/winbindd_cm.c | 12 ++---
source3/winbindd/winbindd_dual.c | 6 +++
source3/winbindd/winbindd_dual_srv.c | 58 +++++++++------------
source3/winbindd/winbindd_proto.h | 1 +
source3/winbindd/winbindd_util.c | 4 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++-
14 files changed, 218 insertions(+), 73 deletions(-)
create mode 100755 source3/script/tests/test_list_nt4_trust.sh
create mode 100755 source3/script/tests/test_nt4_trust.sh
Changeset truncated at 500 lines:
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 7cf222235af..5a717f94766 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -921,6 +921,13 @@ my @exported_envvars = (
"TRUST_E_BOTH_DOMAIN",
"TRUST_E_BOTH_REALM",
+ # stuff related to a trusted NT4 domain,
+ # used for one-way trust fl2008r2dc <- nt4_dc
+ "NT4_TRUST_SERVER",
+ "NT4_TRUST_SERVER_IP",
+ "NT4_TRUST_DOMAIN",
+ "NT4_TRUST_DOMSID",
+
# domain controller stuff
"DC_SERVER",
"DC_SERVER_IP",
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 5b3d31ea535..c8489407e01 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -262,7 +262,7 @@ sub check_env($$)
sub setup_nt4_dc
{
- my ($self, $path, $more_conf, $server) = @_;
+ my ($self, $path, $more_conf, $domain, $server) = @_;
print "PROVISIONING NT4 DC...";
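Review bot: Inserting $domain before $server in setup_nt4_dc()'s positional argument list silently shifts the meaning of the fourth argument for every existing caller. Only setup_nt4_dc_smb1 is updated in this patch; please confirm no other caller passes a server name in that position, or append $domain at the end of the list so old call sites keep working.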
@@ -312,12 +312,15 @@ sub setup_nt4_dc
if (defined($more_conf)) {
$nt4_dc_options = $nt4_dc_options . $more_conf;
}
+ if (!defined($domain)) {
+ $domain = "SAMBA-TEST";
+ }
if (!defined($server)) {
$server = "LOCALNT4DC2";
}
my $vars = $self->provision(
prefix => $path,
- domain => "SAMBA-TEST",
+ domain => $domain,
server => $server,
password => "localntdc2pass",
extra_options => $nt4_dc_options);
@@ -352,7 +355,7 @@ sub setup_nt4_dc_smb1
client min protocol = CORE
server min protocol = LANMAN1
";
- return $self->setup_nt4_dc($path, $conf, "LCLNT4DC2SMB1");
+ return $self->setup_nt4_dc($path, $conf, "NT4SMB1", "LCLNT4DC2SMB1");
}
sub setup_nt4_dc_smb1_done
@@ -1415,6 +1418,7 @@ sub setup_ad_member_idmap_ad
idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
gensec_gssapi:requested_life_time = 5
+ winbind scan trusted domains = yes
";
my $ret = $self->provision(
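Review bot: The new "winbind scan trusted domains = yes" line in setup_ad_member_idmap_ad changes winbindd behaviour for every test suite that runs in this environment, not only the new list_nt4_trusts test, and it carries no comment saying why. A short comment in the config block naming the test that depends on it would help whoever later wonders whether the option can be dropped.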
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index dd1400633e8..2d449e4a652 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2376,7 +2376,7 @@ sub check_env($$)
ad_dc_no_nss => ["dns_hub"],
ad_dc_no_ntlm => ["dns_hub"],
- fl2008r2dc => ["ad_dc"],
+ fl2008r2dc => ["ad_dc", "nt4_dc"],
fl2003dc => ["ad_dc"],
fl2000dc => ["ad_dc"],
@@ -2571,25 +2571,76 @@ sub setup_fl2003dc
sub setup_fl2008r2dc
{
- my ($self, $path, $dc_vars) = @_;
+ my ($self, $path, $ad_dc_vars, $nt4_dc_vars) = @_;
my $env = $self->provision_fl2008r2dc($path);
- if (defined $env) {
- if (not defined($self->check_or_start($env, "standard"))) {
- return undef;
- }
+ if (!defined $env) {
+ return $env;
+ }
+
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
- my $upn_array = ["$env->{REALM}.upn"];
- my $spn_array = ["$env->{REALM}.spn"];
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
- if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
- return undef;
- }
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
- $env = $self->setup_trust($env, $dc_vars, "forest", "");
+ $env = $self->setup_trust($env, $ad_dc_vars, "forest", "");
+ if (!defined $env) {
+ return undef;
}
+ my $net = Samba::bindir_path($self, "net");
+ my $smbcontrol = Samba::bindir_path($self, "smbcontrol");
+
+ my $trustpw = "TrUsTpW";
+ $trustpw .= "$env->{SOCKET_WRAPPER_DEFAULT_IFACE}";
+ $trustpw .= "$nt4_dc_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}";
+
+ my $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$env->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net rpc trust create ";
+ $cmd .= "otherdomainsid=$nt4_dc_vars->{SAMSID} ";
+ $cmd .= "otherdomain=$nt4_dc_vars->{DOMAIN} ";
+ $cmd .= "other_netbios_domain=$nt4_dc_vars->{DOMAIN} ";
+ $cmd .= "trustpw=$trustpw ";
+ $cmd .= "$env->{CONFIGURATION} ";
+ $cmd .= "-U $env->{DOMAIN}/$env->{USERNAME}\%$env->{PASSWORD} ";
+
+ if (system($cmd) != 0) {
+ warn("net rpc trust create failed\n$cmd");
+ return undef;
+ }
+
+ $cmd = "";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$nt4_dc_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$nt4_dc_vars->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net rpc trustdom establish $env->{DOMAIN} -U/%$trustpw $nt4_dc_vars->{CONFIGURATION}";
+
+ if (system($cmd) != 0) {
+ warn("add failed\n$cmd");
+ return undef;
+ }
+
+ # Reload trusts
+ $cmd = "$smbcontrol winbindd reload-config $nt4_dc_vars->{CONFIGURATION}";
+
+ if (system($cmd) != 0) {
+ warn("add failed\n$cmd");
+ return undef;
+ }
+
+ $env->{NT4_TRUST_SERVER} = $nt4_dc_vars->{SERVER};
+ $env->{NT4_TRUST_SERVER_IP} = $nt4_dc_vars->{SERVER_IP};
+ $env->{NT4_TRUST_DOMAIN} = $nt4_dc_vars->{DOMAIN};
+ $env->{NT4_TRUST_DOMSID} = $nt4_dc_vars->{DOMSID};
+
return $env;
}
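Review bot: In setup_fl2008r2dc() the trust is created with otherdomainsid=$nt4_dc_vars->{SAMSID}, but the exported NT4_TRUST_DOMSID is taken from $nt4_dc_vars->{DOMSID}; if the two can differ for an NT4 DC the variable will not match the trust that was created, so use the same key in both places or comment on why they are interchangeable. Both the "trustdom establish" and the "reload-config" failure paths warn with "add failed", which makes a failing setup hard to attribute; give each its own message. The commands are also assembled by string interpolation and run through system() with $trustpw and $env->{PASSWORD} unquoted; quoting them, or using the list form of system(), avoids surprises if a value ever contains shell metacharacters.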
diff --git a/source3/script/tests/test_list_nt4_trust.sh b/source3/script/tests/test_list_nt4_trust.sh
new file mode 100755
index 00000000000..03ee7fc7063
--- /dev/null
+++ b/source3/script/tests/test_list_nt4_trust.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+incdir=$(dirname $0)/../../../testprogs/blackbox
+. $incdir/subunit.sh
+. $incdir/common_test_fns.inc
+
+failed=0
+
+wbinfo="$BINDIR/wbinfo"
+smbclient="$BINDIR/smbclient"
+
+test_trust_wbinfo_m() {
+ i=0
+ # Give the server some time to list trusted domains
+ while [ $i -lt 10 ] ; do
+ $wbinfo -m --verbose | grep "SAMBA-TEST" && return 0
+ sleep 2
+ i=$((i + 1))
+ done
+ return 1
+}
+
+testit "nt4trust_wbinfo_m" test_trust_wbinfo_m || failed=$(expr $failed + 1)
+
+testok $0 $failed
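Review bot: test_list_nt4_trust.sh defines smbclient but never uses it, and test_trust_wbinfo_m greps for the literal "SAMBA-TEST", which is an unanchored substring match tied to the default that setup_nt4_dc falls back to. Drop the unused variable and match the domain name as a whole word (or take it from a variable), so a different domain whose name merely contains "SAMBA-TEST" cannot satisfy the check. $(dirname $0) and $incdir should also be quoted.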
diff --git a/source3/script/tests/test_nt4_trust.sh b/source3/script/tests/test_nt4_trust.sh
new file mode 100755
index 00000000000..b3d6ca60dc7
--- /dev/null
+++ b/source3/script/tests/test_nt4_trust.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+incdir=$(dirname $0)/../../../testprogs/blackbox
+. $incdir/subunit.sh
+. $incdir/common_test_fns.inc
+
+failed=0
+
+wbinfo="$BINDIR/wbinfo"
+smbclient="$BINDIR/smbclient"
+
+test_trust_wbinfo_m() {
+ i=0
+ # Give the server some time to list trusted domains
+ while [ $i -lt 10 ] ; do
+ $wbinfo -m | grep SAMBA-TEST && return 0
+ sleep 2
+ i=$((i + 1))
+ done
+ return 1
+}
+
+test_trust_smbclient() {
+ $smbclient //$NT4_TRUST_SERVER_IP/tmp -U "$DOMAIN/$DOMAIN_USER%$DOMAIN_USER_PASSWORD" -c quit || return 1
+ return 0
+}
+
+testit "nt4trust_wbinfo_m" test_trust_wbinfo_m || failed=$(expr $failed + 1)
+testit "nt4trust_smbclient" test_trust_smbclient || failed=$(expr $failed + 1)
+
+testok $0 $failed
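Review bot: test_trust_wbinfo_m in test_nt4_trust.sh hardcodes "SAMBA-TEST" although this patch exports NT4_TRUST_DOMAIN for the fl2008r2dc environment; grep for "$NT4_TRUST_DOMAIN" instead. The function is also a near copy of the one in test_list_nt4_trust.sh (only --verbose differs), so it could live once in common_test_fns.inc.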
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 08518f57663..0901c2480c8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1857,6 +1857,14 @@ plansmbtorture4testsuite(
"vfs.fruit_validate_afpinfo", "fileserver",
'//$SERVER_IP/vfs_fruit_zero_fileid -U$USERNAME%$PASSWORD --option=torture:validate_afpinfo=no')
+plantestsuite("samba3.blackbox.nt4_trusts",
+ "fl2008r2dc",
+ [os.path.join(samba3srcdir, "script/tests/test_nt4_trust.sh")])
+
+plantestsuite("samba3.blackbox.list_nt4_trusts",
+ "ad_member_idmap_ad",
+ [os.path.join(samba3srcdir, "script/tests/test_list_nt4_trust.sh")])
+
def planclusteredmembertestsuite(tname, prefix):
'''Define a clustered test for the clusteredmember environment'''
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 814c34d5ffc..2a12b1a1335 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -6542,9 +6542,9 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
TALLOC_CTX *mem_ctx;
NTSTATUS nt_status, result;
struct dom_sid *domain_sid;
-
char* domain_name;
char* acct_name;
+ const char *pwd = NULL;
fstring pdc_name;
union lsa_PolicyInformation *info = NULL;
struct dcerpc_binding_handle *b;
@@ -6581,6 +6581,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
SAFE_FREE(acct_name);
return -1;
}
+ cli_credentials_set_username(c->creds, acct_name, CRED_SPECIFIED);
/*
* opt_workgroup will be used by connection functions further,
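Review bot: The return value of cli_credentials_set_username() is ignored in rpc_trustdom_establish(). If it fails, the function carries on with whatever username c->creds already held; check the result and fail the same way the preceding error path does (SAFE_FREE(acct_name); return -1;).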
@@ -6590,9 +6591,6 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
c->opt_workgroup = smb_xstrdup(domain_name);
};
- c->opt_user_name = acct_name;
- c->opt_user_specified = true;
-
/* find the domain controller */
if (!net_find_pdc(&server_ss, pdc_name, domain_name)) {
DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name));
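Review bot: With "c->opt_user_name = acct_name;" removed, acct_name is no longer handed over to the net context, so rpc_trustdom_establish() owns it for the rest of the function. The earlier error path already does SAFE_FREE(acct_name); please make sure the later exit paths, including the success path, free it as well.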
@@ -6705,7 +6703,9 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
* Store the password in secrets db
*/
- if (!pdb_set_trusteddom_pw(domain_name, c->opt_password, domain_sid)) {
+ pwd = cli_credentials_get_password(c->creds);
+
+ if (!pdb_set_trusteddom_pw(domain_name, pwd, domain_sid)) {
DEBUG(0, ("Storing password for trusted domain failed.\n"));
cli_shutdown(cli);
talloc_destroy(mem_ctx);
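Review bot: cli_credentials_get_password() can return NULL, and pwd is passed straight to pdb_set_trusteddom_pw() without a check. Add an explicit "if (pwd == NULL)" error path with its own message, so a missing password is not reported as "Storing password for trusted domain failed".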
diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
index a5e397471f0..a3354ad68d4 100644
--- a/source3/utils/net_rpc_trust.c
+++ b/source3/utils/net_rpc_trust.c
@@ -116,6 +116,18 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx,
struct lsa_CreateTrustedDomainEx2 r;
struct lsa_TrustDomainInfoInfoEx trustinfo;
struct policy_handle trustdom_handle;
+ bool is_nt4 = trust_name_dns == NULL;
+
+ if (!is_nt4) {
+ fprintf(stdout, "Creating AD trust\n");
+ trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL;
+ trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
+ } else {
+ fprintf(stdout, "Creating NT4 trust\n");
+ trustinfo.trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
+ trustinfo.trust_attributes = 0;
+ trust_name_dns = trust_name;
+ }
trustinfo.sid = domsid;
trustinfo.netbios_name.string = trust_name;
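Review bot: In the NT4 branch of create_trust(), "trust_name_dns = trust_name;" overwrites a parameter without saying why. The reason (the DNS name must not be NULL when the trust is created, so the flat name is used) is only given in the commit message of the s4/rpc_server change; a one-line comment here would keep it next to the code. The context of the following hunk shows trust_direction staying INBOUND | OUTBOUND for both kinds of trust; if that is intended for NT4 trusts, say so in the same comment.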
@@ -124,10 +136,6 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx,
trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND |
LSA_TRUST_DIRECTION_OUTBOUND;
- trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL;
-
- trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
-
r.in.policy_handle = pol_hnd;
r.in.info = &trustinfo;
r.in.auth_info_internal = authinfo;
@@ -408,7 +416,7 @@ static void print_trust_usage(void)
"\totheruser=Admin user in other domain\n"
"\totherdomainsid=SID of other domain\n"
"\tother_netbios_domain=NetBIOS/short name of other domain\n"
- "\totherdomain=Full/DNS name of other domain\n"
+ "\totherdomain=Full/DNS name of other domain (if not used, create an NT4 trust)\n"
"\ttrustpw=Trust password\n"
"\nExamples:\n"
"\tnet rpc trust create otherserver=oname otheruser=ouser -S lname -U luser\n"
@@ -480,18 +488,24 @@ static int rpc_trust_common(struct net_context *net_ctx, int argc,
}
other_net_ctx->opt_host = other_dom_data->host;
- other_net_ctx->opt_user_name = other_dom_data->user_name;
- other_net_ctx->opt_user_specified = true;
+ other_net_ctx->creds = cli_credentials_init(other_net_ctx);
+ cli_credentials_parse_string(other_net_ctx->creds,
+ other_dom_data->user_name,
+ CRED_SPECIFIED);
} else {
dom_data[1].domsid = dom_sid_parse_talloc(mem_ctx,
other_dom_data->domain_sid_str);
dom_data[1].domain_name = other_dom_data->domain_name;
dom_data[1].dns_domain_name = other_dom_data->dns_domain_name;
+ if (dom_data[1].dns_domain_name == NULL) {
+ fprintf(stdout, "No DNS domain name passed, "
+ "assuming NT4 trust!\n");
+ }
+
if (dom_data[1].domsid == NULL ||
(op == TRUST_CREATE &&
- (dom_data[1].domain_name == NULL ||
- dom_data[1].dns_domain_name == NULL))) {
+ (dom_data[1].domain_name == NULL))) {
DEBUG(0, ("Missing required argument.\n"));
usage();
goto done;
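Review bot: cli_credentials_init() can return NULL, and in rpc_trust_common() its result is passed to cli_credentials_parse_string() unchecked; add a NULL check that jumps to done. In the else branch, the "No DNS domain name passed, assuming NT4 trust!" message is printed before the op == TRUST_CREATE test, so it also appears for operations other than create; move it inside the create case.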
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index a89c0bdbca1..1685edbabaa 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -701,7 +701,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing();
- if (IS_AD_DC) {
+ if (IS_DC) {
if (domain->secure_channel_type == SEC_CHAN_NULL) {
/*
* Make sure we don't even try to
@@ -809,7 +809,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
try_ipc_auth = true;
}
- if (IS_AD_DC) {
+ if (IS_DC) {
/*
* As AD DC we only use netlogon and lsa
* using schannel over an anonymous transport
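Review bot: The conditions in winbindd_cm.c change from IS_AD_DC to IS_DC, but the comments under them still read "As AD DC we only use netlogon and lsa using schannel" here and "Make sure we only use schannel as AD DC" in the later hunks of this file. Update the comments to match the condition; a reader auditing where schannel is enforced will otherwise conclude that the NT4 DC role is not covered.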
@@ -2924,7 +2924,7 @@ retry:
TALLOC_FREE(conn->lsa_pipe);
- if (IS_AD_DC) {
+ if (IS_DC) {
/*
* Make sure we only use schannel as AD DC.
*/
@@ -3050,7 +3050,7 @@ retry:
goto done;
}
- if (IS_AD_DC) {
+ if (IS_DC) {
/*
* Make sure we only use schannel as AD DC.
*/
@@ -3064,7 +3064,7 @@ retry:
anonymous:
- if (IS_AD_DC) {
+ if (IS_DC) {
/*
* Make sure we only use schannel as AD DC.
*/
@@ -3183,7 +3183,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
*cli = NULL;
- if (IS_AD_DC) {
+ if (IS_DC) {
if (domain->secure_channel_type == SEC_CHAN_NULL) {
/*
* Make sure we don't even try to
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index ff78b844688..e63b4052fd8 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -948,6 +948,7 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg,
.msg_type = msg_type,
.data = data,
};
+ bool ok;
DBG_DEBUG("Got reload-config message\n");
@@ -963,6 +964,11 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg,
tevent_thread_call_depth_set_callback(NULL, NULL);
}
+ ok = add_trusted_domains_dc();
+ if (!ok) {
+ DBG_ERR("add_trusted_domains_dc() failed\n");
+ }
+
forall_children(winbind_msg_relay_fn, &state);
}
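Review bot: winbindd_msg_reload_services_parent() now calls add_trusted_domains_dc() on every reload-config message, with no role check at the call site and with a failure only logged. Please add a comment stating that the function does nothing on non-DC roles and that repeated calls do not add duplicate domain entries, or guard the call with IS_DC if that is not the case.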
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index f0fd18a8fa6..bbdaf6e5807 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -2055,10 +2055,11 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p,
struct wbint_ListTrustedDomains *r)
{
struct winbindd_domain *domain = wb_child_domain();
- uint32_t i, n;
+ uint32_t i;
NTSTATUS result;
struct netr_DomainTrustList trusts;
- struct netr_DomainTrustList *out = NULL;
+ uint32_t count = 0;
+ struct netr_DomainTrust *array = NULL;
pid_t client_pid;
if (domain == NULL) {
@@ -2082,53 +2083,44 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p,
return result;
}
- out = talloc_zero(p->mem_ctx, struct netr_DomainTrustList);
- if (out == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- r->out.domains = out;
-
for (i=0; i<trusts.count; i++) {
- if (trusts.array[i].sid == NULL) {
+ struct netr_DomainTrust *st = &trusts.array[i];
+ struct netr_DomainTrust *dt = NULL;
+
+ if (st->sid == NULL) {
continue;
}
- if (dom_sid_equal(trusts.array[i].sid, &global_sid_NULL)) {
+ if (dom_sid_equal(st->sid, &global_sid_NULL)) {
continue;
}
- n = out->count;
- out->array = talloc_realloc(out, out->array,
- struct netr_DomainTrust,
- n + 1);
- if (out->array == NULL) {
+ array = talloc_realloc(r->out.domains, array,
+ struct netr_DomainTrust,
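Review bot: The new talloc_realloc() uses r->out.domains as the talloc parent, which relies on the NDR layer having allocated it before _wbint_ListTrustedDomains() runs, as the commit message states. Since the talloc_zero() that used to guarantee this is removed, a short comment or an early NULL check on r->out.domains would document the assumption. The changeset is truncated at this point, so the rest of the loop and the final assignment of array and count cannot be reviewed from this mail.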
--
Samba Shared Repository