need to re-evaluate enumerating users

Gerald (Jerry) Carter jerry at samba.org
Thu Nov 10 19:14:01 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeremy Allison wrote:
| On Thu, Nov 10, 2005 at 09:56:08AM -0600, Gerald (Jerry) Carter wrote:
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> Jeremy & Volker,
|>
|> Yeah. So Volker's right.  There is really no way to enumerate
|> users in a trusted AD domain without kerberos.
|
| From what Volker told me there is no way to do this even
| with kerberos also (unless you're connecting as domain
| admin). The ACLs on the memberOf attribute only allow
| owner and admin read access. Nothing else. That was
| my understanding from our conversation.

Here's my working patch....And comments from the patch itself:

- -----comments-------------
OK.  listen up because I'm only going to say this once.
We have the following scenarios to consider
(a) trusted AD domains on a Samba DC,
(b) trusted AD domains and we are joined to a non-kerberos domain
(c) trusted AD domains and we are joined to a kerberos (AD) domain

For (a) we can always contact the trusted domain using krb5
since we have the domain trust account password

For (b) we can only use RPC since we have no way of
getting a krb5 ticket in our own domain

For (c) we can always use krb5 since we have a kerberos trust
- -----comments-------------

For the principal names:

Scenario (a) uses OURDOMAIN@TRUSTED.REALM

Scenario (b) always uses RPC

Scenario (c) uses the sAMAccountName@OUR.REALM for
security = domain (the account created when we join the domain
has no SPN).  Otherwise we use the host/global_myname()@OUR.REALM
SPN.

The end result is that it doesn't matter if you
use domain or ads for the security value.  Things just work.

Comments welcome.



cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."               --anonymous
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDc5v4IR7qMdg1EfYRAn8iAJ9OtFoWpd/Xbz7HCxgEE0UVk5SgAwCgncGg
YdGGvTxmSP0ntKtKQi9HnI4=
=TFjT
-----END PGP SIGNATURE-----
Index: libads/kerberos.c
===================================================================
--- libads/kerberos.c	(revision 11650)
+++ libads/kerberos.c	(working copy)
@@ -130,8 +130,25 @@
 {
 	char *s;
 	int ret;
+	const char *account_name;
+	fstring acct_name;
 
-	if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
+	if ( IS_DC ) {
+		/* this will end up getting a ticket for DOMAIN at RUSTED.REA.LM */
+		account_name = lp_workgroup();
+	} else {
+		/* always use the sAMAccountName for security = domain */
+		/* global_myname()$@REA.LM */
+		if ( lp_security() == SEC_DOMAIN ) {
+			fstr_sprintf( acct_name, "%s$", global_myname() );
+			account_name = acct_name;
+		}
+		else 
+			/* This looks like host/global_myname()@REA.LM */
+			account_name = ads->auth.user_name;
+	}
+
+	if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
 		return KRB5_CC_NOMEM;
 	}
 
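Review bot: The `else` on L98 covers a comment plus a single statement without braces, which is the shape that invites a later stray-statement bug; brace it: `} else {` / `/* This looks like host/global_myname()@REA.LM */` / `account_name = ads->auth.user_name;` / `}`. The comment on the IS_DC branch reads `DOMAIN at RUSTED.REA.LM`, which looks like an address-mangled `DOMAIN@TRUSTED.REA.LM`; correct it so the intended principal form is clear to the next reader. `acct_name` is a fixed-size `fstring`, so `fstr_sprintf` truncates silently should `global_myname()` ever exceed it — unlikely for a NetBIOS name, but a one-line comment stating that assumption would help. The enclosing function starts before this hunk and continues after it.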
Index: nsswitch/winbindd_ads.c
===================================================================
--- nsswitch/winbindd_ads.c	(revision 11650)
+++ nsswitch/winbindd_ads.c	(working copy)
@@ -68,12 +68,40 @@
 	}
 
 	/* the machine acct password might have change - fetch it every time */
+
 	SAFE_FREE(ads->auth.password);
-	ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
 	SAFE_FREE(ads->auth.realm);
-	ads->auth.realm = SMB_STRDUP(lp_realm());
 
+	if ( IS_DC ) {
+		DOM_SID sid;
+		time_t last_set_time;
+
+		if ( !secrets_fetch_trusted_domain_password( domain->name, &ads->auth.password, &sid, &last_set_time ) ) {
+			ads_destroy( &ads );
+			return NULL;
+		}
+		ads->auth.realm = SMB_STRDUP( ads->server.realm );
+		strupper_m( ads->auth.realm );
+	}
+	else {
+		struct winbindd_domain *our_domain = domain;
+
+		ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+
+		/* always give preference to the alt_name in our 
+		   primary domain if possible */
+
+		if ( !domain->primary )
+			our_domain = find_our_domain();
+
+		if ( our_domain->alt_name[0] != '\0' ) {
+			ads->auth.realm = SMB_STRDUP( our_domain->alt_name );
+			strupper_m( ads->auth.realm );
+		}
+		else
+			ads->auth.realm = SMB_STRDUP( lp_realm() );
+	}
+
 	status = ads_connect(ads);
 	if (!ADS_ERR_OK(status) || !ads->config.realm) {
 		extern struct winbindd_methods msrpc_methods, cache_methods;
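Review bot: The result of `find_our_domain()` is dereferenced on the next line (`our_domain->alt_name[0]`) without a NULL check; unless it is guaranteed non-NULL (not visible here), guard it: `if (!domain->primary && !(our_domain = find_our_domain())) { ads_destroy(&ads); return NULL; }`. The same unchecked dereference appears in the get_cache hunk of nsswitch/winbindd_cache.c. In the IS_DC branch `ads->server.realm` is duplicated and upper-cased without checking it is set; if it can be NULL at this point, `SMB_STRDUP` yields NULL and `strupper_m` dereferences it. `sid` and `last_set_time` are fetched and then discarded, so a short comment such as `/* sid and last_set_time are required by the API but unused here */` would save a reader hunting for their use. The enclosing function begins before this hunk and continues past it.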
Index: nsswitch/winbindd_cache.c
===================================================================
--- nsswitch/winbindd_cache.c	(revision 11650)
+++ nsswitch/winbindd_cache.c	(working copy)
@@ -100,43 +100,52 @@
 static struct winbind_cache *get_cache(struct winbindd_domain *domain)
 {
 	struct winbind_cache *ret = wcache;
+	struct winbindd_domain *our_domain = domain;
 
 	/* we have to know what type of domain we are dealing with first */
 
 	if ( !domain->initialized )
 		set_dc_type_and_flags( domain );
 
+	/* 
+	   OK.  listen up becasue I'm only going to say this once.
+	   We have the following scenarios to consider
+	   (a) trusted AD domains on a Samba DC,
+	   (b) trusted AD domains and we are joined to a non-kerberos domain
+	   (c) trusted AD domains and we are joined to a kerberos (AD) domain
+
+	   For (a) we can always contact the trusted domain using krb5 
+	   since we have the domain trust account password
+
+	   For (b) we can only use RPC since we have no way of 
+	   getting a krb5 ticket in our own domain
+
+	   For (c) we can always use krb5 since we have a kerberos trust
+
+	   --jerry
+	 */
+
 	if (!domain->backend) {
 		extern struct winbindd_methods reconnect_methods;
-		switch (lp_security()) {
 #ifdef HAVE_ADS
-		case SEC_ADS: {
-			extern struct winbindd_methods ads_methods;
-			/* always obey the lp_security parameter for our domain */
-			if (domain->primary) {
-				domain->backend = &ads_methods;
-				break;
-			}
+		extern struct winbindd_methods ads_methods;
 
-			/* only use ADS for native modes at the momment.
-			   The problem is the correct detection of mixed 
-			   mode domains from NT4 BDC's    --jerry */
-			
-			if ( domain->native_mode ) {
-				DEBUG(5,("get_cache: Setting ADS methods for domain %s\n",
-					domain->name));
-				domain->backend = &ads_methods;
-				break;
-			}
+		/* find our domain first so we can figure out if we 
+		   are joined to a kerberized domain */
 
-			/* fall through */
-		}	
-#endif
-		default:
-			DEBUG(5,("get_cache: Setting MS-RPC methods for domain %s\n",
-				domain->name));
+		if ( !domain->primary )
+			our_domain = find_our_domain();
+
+		if ( (our_domain->active_directory || IS_DC) && domain->active_directory ) {
+			DEBUG(5,("get_cache: Setting ADS methods for domain %s\n", domain->name));
+			domain->backend = &ads_methods;
+		} else {
+#endif	/* HAVE_ADS */
+			DEBUG(5,("get_cache: Setting MS-RPC methods for domain %s\n", domain->name));
 			domain->backend = &reconnect_methods;
+#ifdef HAVE_ADS
 		}
+#endif	/* HAVE_ADS */
 	}
 
 	if (ret)
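Review bot: The `if`/`else` braces are split across two separate `#ifdef HAVE_ADS` regions (L226-L232), so the `}` closing the `else` exists only when HAVE_ADS is defined and an edit to either region can silently unbalance the other build; keeping the ADS selection wholly inside one `#ifdef` and making the RPC fallback a plain `if (!domain->backend)` reads the same in both configurations. `domain->backend` is NULL on entry to this block (the enclosing `if (!domain->backend)`), so the fallback test is exact. The comment on L171 has `becasue` for `because`. get_cache continues past the end of this hunk.
```c
	if (!domain->backend) {
		extern struct winbindd_methods reconnect_methods;
#ifdef HAVE_ADS
		extern struct winbindd_methods ads_methods;
		/* … unchanged: our_domain lookup via find_our_domain() … */
		if ( (our_domain->active_directory || IS_DC) && domain->active_directory ) {
			DEBUG(5,("get_cache: Setting ADS methods for domain %s\n", domain->name));
			domain->backend = &ads_methods;
		}
#endif	/* HAVE_ADS */
		if (!domain->backend) {
			DEBUG(5,("get_cache: Setting MS-RPC methods for domain %s\n", domain->name));
			domain->backend = &reconnect_methods;
		}
	}
```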

