One way trusts...

Stefan (metze) Metzmacher metze at samba.org
Wed Dec 17 18:25:03 MST 2014


Hi Andrew,

here are possible fixes.

Please review and push.

Thanks!
metze

>>> I'm currently testing our winbindd code (in v4-2-test/master)
>>> with one way trusts. From our point the trust is outgoing only.
>>> So we have a trust account S4xDOM$ in domain W2012R2-L4.BASE in the
>>> other domain.
>>>
>>> The Samba DC is called ub1204-161 (we also have ub1204-160).
>>> The Windows DC is called w2012r2-183.
>>>
>>> The current behavior is that we just fail to get the cross-realm
>>> TGT, see s4xdom-161-v4-2-w2012r2-l4-one-way-krb5-machine-fail-01.pcap.gz
>>> frames 68/69.
>>>
>>> With the following hack:
>>>
>>> --- a/source3/winbindd/winbindd_cm.c
>>> +++ b/source3/winbindd/winbindd_cm.c
>>> @@ -905,6 +905,10 @@ static NTSTATUS get_trust_credentials(struct
>>> winbindd_domain *domain,
>>>
>>>         /* If we are a DC and this is not our own domain */
>>>
>>> +       if (domain->active_directory) {
>>> +       netlogon = true;
>>> +       }
>>> +
>>>         if (IS_DC && netlogon) {
>>>                 creds_domain = domain;
>>>         } else {
>>>
>>> we get a TGT as S4xDOM$@W2012R2-L4.BASE and everything works fine,
>>> see s4xdom-161-v4-2-w2012r2-l4-one-way-krb5-trust-ok-01.pcap.gz
>>> frames 42/43 and 57/58 followed by a SMB2 session setup in 64/66.
>>>
>>> With the following additional hack to force ntlmssp:
>>>
>>> @@ -934,6 +938,8 @@ static NTSTATUS get_trust_credentials(struct
>>> winbindd_domain *domain,
>>>                 cli_credentials_set_kerberos_state(creds,
>>>                                                    CRED_DONT_USE_KERBEROS);
>>>         }
>>> +             cli_credentials_set_kerberos_state(creds,
>>> +                                                CRED_DONT_USE_KERBEROS);
>>>
>>>         if (creds_domain != domain) {
>>>                 /*
>>>
>>> we fail in the session setup, which is the case you want to avoid by using
>>> the machine account instead of the trust account.
>>> See s4xdom-161-v4-2-w2012r2-l4-one-way-ntlmssp-trust-fail-01.pcap.gz in
>>> frame 24.
>>>
>>> I think for active directory domains we should always use krb5 with the
>>> trust account, and for non-AD domains we should use the machine account if
>>> the trust is also incoming, otherwise fall back to anonymous.
>>
>> Is this also related to https://bugzilla.samba.org/show_bug.cgi?id=8630
> 
> Not completely, that is about one-way trusts while we're a domain member.
> The above comments are for the case where we're a DC ourself.
> 
> metze
> 
-------------- next part --------------
From 4115d2b245f381c4dfc5820fc6f334fe7afaefdb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 09:45:15 +0000
Subject: [PATCH 1/4] s3:libsmb: let cli_session_setup_kerberos_recv() return a
 useful error code

Forcing NT_STATUS_UNSUCCESSFUL is not a good idea, we should return
NT_STATUS_LOGON_FAILURE instead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libsmb/cliconnect.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 2b1e2ec..7a9e648 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1302,11 +1302,18 @@ static struct tevent_req *cli_session_setup_kerberos_send(
 	rc = spnego_gen_krb5_negTokenInit(state, principal, 0, &state->negTokenTarg,
 				     &state->session_key_krb5, 0, NULL, NULL);
 	if (rc) {
-		DEBUG(1, ("cli_session_setup_kerberos: "
-			  "spnego_gen_krb5_negTokenInit failed: %s\n",
-			  error_message(rc)));
+		NTSTATUS status;
+
 		state->ads_status = ADS_ERROR_KRB5(rc);
-		tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+		status = ads_ntstatus(state->ads_status);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
+			status = NT_STATUS_LOGON_FAILURE;
+			state->ads_status = ADS_ERROR_NT(status);
+		}
+		DEBUG(1, ("cli_session_setup_kerberos: "
+			  "spnego_gen_krb5_negTokenInit failed: %s - %s\n",
+			  error_message(rc), nt_errstr(status)));
+		tevent_req_nterror(req, status);
 		return tevent_req_post(req, ev);
 	}
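Review bot: The remap at `if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL))` carries no comment saying why NT_STATUS_UNSUCCESSFUL is replaced, and by also overwriting state->ads_status it discards the krb5 code that ADS_ERROR_KRB5(rc) had stored, so callers of cli_session_setup_kerberos_recv() no longer see the krb5 error and the DEBUG line becomes the only place the original error_message(rc) survives. If that loss is intended, say so next to the remap: `/* ads_ntstatus() presumably has no specific mapping for this krb5 code; report a logon failure so callers can fall back rather than stop on NT_STATUS_UNSUCCESSFUL */`. cli_session_setup_kerberos_send() starts and ends outside the hunk.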
 
@@ -1384,9 +1391,18 @@ static ADS_STATUS cli_session_setup_kerberos_recv(struct tevent_req *req)
 	NTSTATUS status;
 
 	if (tevent_req_is_nterror(req, &status)) {
-		return ADS_ERROR_NT(status);
+		ADS_STATUS ads = state->ads_status;
+
+		if (!ADS_ERR_OK(state->ads_status)) {
+			ads = state->ads_status;
+		} else {
+			ads = ADS_ERROR_NT(status);
+		}
+		tevent_req_received(req);
+		return ads;
 	}
-	return state->ads_status;
+	tevent_req_received(req);
+	return ADS_SUCCESS;
 }
 
 #endif	/* HAVE_KRB5 */
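Review bot: The initializer on `ADS_STATUS ads = state->ads_status;` is dead, since both arms of the if/else that follows assign ads; `ADS_STATUS ads;` is enough and does not suggest a third path. The success path now returns ADS_SUCCESS instead of state->ads_status, which is only equivalent if every place in _send that stores a non-OK ads_status also calls tevent_req_nterror(); that holds for the rc path in the first hunk but cannot be confirmed for the rest of _send from here. cli_session_setup_kerberos_recv() starts outside the hunk.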
-- 
1.9.1


From 6ec9216f9d2c81aa169d4b39eef2c185c074dcce Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 18 Dec 2014 01:20:29 +0000
Subject: [PATCH 2/4] s3:winbindd: also try to fallback to anonymous if we get
 NT_STATUS_INVALID_ACCOUNT_NAME

Kerberos authentication may return NT_STATUS_INVALID_ACCOUNT_NAME (PRINCIPAL_UNKNOWN)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 52e3fa1..94fdfdf 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1149,6 +1149,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	 */
 	if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
 	    || NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
+	    || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
 	    || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
 	{
 		if (cli_credentials_is_anonymous(creds)) {
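Review bot: The comment block whose closing `*/` opens this hunk presumably explains which statuses trigger the anonymous fallback, but the new `NT_STATUS_INVALID_ACCOUNT_NAME` line is added without extending it, so a later reader will not know it stands for the Kerberos PRINCIPAL_UNKNOWN case named in the commit message. Add a line to that comment, e.g. `* NT_STATUS_INVALID_ACCOUNT_NAME: kerberos reports an unknown principal (PRINCIPAL_UNKNOWN) this way`. Since this widens the set of errors that degrade to an anonymous connection, the existing "falling back to anonymous" DEBUG(10) later in cm_prepare_connection() would be more useful with `nt_errstr(result)` in it, so a missing or misnamed trust account is distinguishable from a deliberate anonymous session in the logs. The comment and the function start outside the hunk.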
-- 
1.9.1


From 93283de3d81c61c82fceac7a383bc27decfe61ed Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 11:28:41 +0000
Subject: [PATCH 3/4] s3:winbindd: fix anon fallback in cm_prepare_connection()

We should not crash with machine_password==NULL.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 94fdfdf..8ce286f 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1229,16 +1229,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto done;
 	}
 
-	creds = cli_credentials_init_anon(talloc_tos());
-	if (creds == NULL) {
-		result = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-
-	machine_account = cli_credentials_get_username(creds);
-	machine_password = cli_credentials_get_password(creds);
-	machine_domain = cli_credentials_get_domain(creds);
-
 	/* Fall back to anonymous connection, this might fail later */
 	DEBUG(10,("cm_prepare_connection: falling back to anonymous "
 		"connection for DC %s\n",
@@ -1246,14 +1236,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 
 	(*cli)->use_kerberos = False;
 
-	result = cli_session_setup(*cli,
-				   machine_account,
-				   machine_password,
-				   strlen(machine_password)+1,
-				   machine_password,
-				   strlen(machine_password)+1,
-				   machine_domain);
-
+	result = cli_session_setup(*cli, "", "", 0, "", 0, "");
 	if (NT_STATUS_IS_OK(result)) {
 		DEBUG(5, ("Connected anonymously\n"));
 		goto session_setup_done;
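Review bot: `result = cli_session_setup(*cli, "", "", 0, "", 0, "");` replaces the computed arguments with seven unexplained literals; a comment such as `/* anonymous session: empty user, zero-length password, empty domain */` keeps the intent readable, and the zero lengths are what makes this safe against the NULL machine_password the commit message mentions. With the cli_credentials_init_anon() block removed in the previous hunk, machine_account, machine_password and machine_domain are no longer assigned on this path; whether their declarations are still referenced elsewhere in cm_prepare_connection() cannot be seen from here. The function continues outside the hunk.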
-- 
1.9.1


From 5e220d459d0b6dbcd0795bdf086e47cca4122e0a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 09:05:39 +0000
Subject: [PATCH 4/4] s3:winbindd: try to use the trust account with kerberos
 if possible

This trust account is usable for SMB authentication via kerberos,
so we should try that if we think the domain is active directory.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 8ce286f..4b01348 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -902,10 +902,24 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 	const struct winbindd_domain *creds_domain = NULL;
 	struct cli_credentials *creds;
 	NTSTATUS status;
+	bool force_machine_account = false;
 
 	/* If we are a DC and this is not our own domain */
 
-	if (IS_DC && netlogon) {
+	if (!domain->active_directory) {
+		if (!netlogon) {
+			/*
+			 * For non active directory domains
+			 * we can only use NTLMSSP for SMB.
+			 *
+			 * But the trust account is not allowed
+			 * to use SMB with NTLMSSP.
+			 */
+			force_machine_account = true;
+		}
+	}
+
+	if (IS_DC && !force_machine_account) {
 		creds_domain = domain;
 	} else {
 		creds_domain = find_our_domain();
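Review bot: The nested `if (!domain->active_directory) { if (!netlogon) {` can be a single condition, `if (!domain->active_directory && !netlogon) { force_machine_account = true; }`, with the explanatory comment kept above it. The pre-existing comment `/* If we are a DC and this is not our own domain */` now sits above the force_machine_account block rather than the `if (IS_DC && !force_machine_account)` test it describes; moving it down to that line keeps it next to the decision it explains. get_trust_credentials() continues outside the hunk.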
@@ -922,15 +936,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 		goto ipc_fallback;
 	}
 
-	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_MUST_USE_KERBEROS);
-	}
-
 	if (domain->primary && lp_security() == SEC_ADS) {
 		cli_credentials_set_kerberos_state(creds,
 						   CRED_AUTO_USE_KERBEROS);
-	} else if (!domain->active_directory) {
+	} else if (domain->active_directory) {
+		cli_credentials_set_kerberos_state(creds,
+						   CRED_MUST_USE_KERBEROS);
+	} else {
 		cli_credentials_set_kerberos_state(creds,
 						   CRED_DONT_USE_KERBEROS);
 	}
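Review bot: The new `} else if (domain->active_directory) {` branch sets CRED_MUST_USE_KERBEROS for every AD domain, whereas the removed check limited that to lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC; on a member server, where the first hunk takes creds from find_our_domain(), the machine credentials now refuse NTLMSSP against an AD trusted domain regardless of lp_security(), and a Kerberos failure there has no fallback short of the anonymous path. If the stricter setting is meant for the trust account only, as the commit message suggests, gate it on the credential source, e.g. `} else if (domain->active_directory && creds_domain == domain) {`, and leave the remaining cases on CRED_AUTO_USE_KERBEROS; creds_domain is declared at function scope in the first hunk, so it is in scope here. Whether an intermediate branch between the two hunks already handles the member case cannot be seen from here; get_trust_credentials() continues outside the hunk.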
-- 
1.9.1

-------------- next part --------------

