samba4.winbind.struct flapping test uncovers a real issue

Andrew Bartlett abartlet at samba.org
Mon Oct 6 00:28:13 MDT 2014


Many of you would have been frustrated by failures like this one:

[1433/1686 in 1h24m54s] samba4.winbind.struct(s3member:local)
Running WINBINDD_DOMAIN_INFO (struct based)
DOMAIN 'BUILTIN' => '' [ ]
DOMAIN 'LOCALADMEMBER' => '' [ ]
DOMAIN 'SAMBADOMAIN' => 'samba.example.com' [ PR AD NA ]
UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
REASON: _StringException: _StringException: ../source4/torture/winbind/struct_based.c:434: rep.data.domain_info.name was SAMBADOMAIN, expected torturedom00: Netbios domain name doesn't match

I think I have finally found out why this happens.  In our AD DC, our
NETLOGON DsRGetDCNameEx2 implementation is frankly, fantasy.  It returns
its own IP or 127.0.0.1 for essentially any input.  So, we then contact our primary
domain or localhost, thinking it is the trust, and then overwrite details of the
trust.  This could happen in the real-world if IPs were switched, or by
a malicious actor intercepting traffic.  (Hence my desire to enforce SMB
signing).

With the attached patches, I think I've addressed the flapping test, and if not, I've at least improved the error messages so we can diagnose it better.

See for example this from an earlier run, showing how we now give enough information to understand the real failure.

[1432/1686 in 1h27m47s] samba4.winbind.pac(s4member:local)
[1433/1686 in 1h27m47s] samba4.winbind.struct(s3member:local)
Running WINBINDD_DOMAIN_INFO (struct based)
DOMAIN 'BUILTIN' => '' [ ] [S-1-5-32]
DOMAIN 'LOCALADMEMBER' => '' [ ] [S-1-5-21-1134438427-3415451756-3748806739]
DOMAIN 'SAMBADOMAIN' => 'samba.example.com' [ PR AD NA ] [S-1-5-21-2713267906-3234219033-185379325]
DOMAIN 'torturedom00' => 'torturedom00.samba.example.com' [ AD NA ] [S-1-5-21-97398-379795-10000]
DOMAIN 'torturedom01' => 'torturedom01.samba.example.com' [ AD NA ] [S-1-5-21-97398-379795-10001]
DOMAIN 'torturedom02' => 'torturedom02.samba.example.com' [ AD NA ] [S-1-5-21-97398-379795-10002]
DOMAIN 'torturedom03' => 'torturedom03.samba.example.com' [ AD NA ] [S-0-0]
UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
REASON: _StringException: _StringException: ../source4/torture/winbind/struct_based.c:459: Expression `ok' failed: SID's doesn't match

I still don't have a full explanation, but clearly not trusting the DC
to assert its own names is a good start.  We should reject such
connections, and try again with another DC, but we don't do that currently.

Any thoughts?  Should we review/push this much?

This is part of my subdomain-wip4 branch that I'm still trying to sort
out.  I'm still chasing down the wbinfo -t issue there.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
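The "do not overwrite the domain list with conflicting information" idea from the post, modelled as a small self-contained check (added example, not Samba's winbindd code; the struct, enum and function names are hypothetical, while the domain names and SIDs are the ones from the test output above):

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, minimal stand-in for a winbindd trusted-domain list entry;
 * sid is the string SID and stays empty until first learned from a DC. */
struct trust_entry { char netbios_name[16]; char dns_name[256]; char sid[64]; };
enum dc_identity { DC_IDENTITY_OK, DC_NAME_MISMATCH, DC_SID_MISMATCH };

/* Compare what the contacted DC asserts about itself with what we expected
 * for this trust.  An empty expected SID means "not learned yet". */
static enum dc_identity check_dc_identity(const char *expected_name, const char *expected_sid,
					  const char *asserted_name, const char *asserted_sid)
{
	if (strcasecmp(expected_name, asserted_name) != 0) {
		return DC_NAME_MISMATCH;
	}
	if (expected_sid[0] != '\0' && strcmp(expected_sid, asserted_sid) != 0) {
		return DC_SID_MISMATCH;
	}
	return DC_IDENTITY_OK;
}

/* Apply the DC's answer only when its identity matches what we asked for;
 * otherwise log both sides and leave the entry untouched. */
static bool update_trust_entry(struct trust_entry *e, const char *asserted_name,
			       const char *asserted_dns, const char *asserted_sid)
{
	enum dc_identity rc = check_dc_identity(e->netbios_name, e->sid, asserted_name, asserted_sid);
	if (rc != DC_IDENTITY_OK) {
		fprintf(stderr, "DC for '%s' asserted name '%s' sid %s, expected sid '%s': %s, not overwriting\n",
			e->netbios_name, asserted_name, asserted_sid, e->sid,
			rc == DC_NAME_MISMATCH ? "name mismatch" : "SID mismatch");
		return false;
	}
	snprintf(e->dns_name, sizeof(e->dns_name), "%s", asserted_dns);
	snprintf(e->sid, sizeof(e->sid), "%s", asserted_sid);
	return true;
}

/* Replays the flapping case: the DC reached for 'torturedom00' is really
 * SAMBADOMAIN (values from the test output above).  True if the entry survives. */
static bool replay_flapping_case(void)
{
	struct trust_entry e = { "torturedom00", "", "" };
	bool wrong = update_trust_entry(&e, "SAMBADOMAIN", "samba.example.com",
					"S-1-5-21-2713267906-3234219033-185379325");
	bool right = update_trust_entry(&e, "torturedom00", "torturedom00.samba.example.com",
					"S-1-5-21-97398-379795-10000");
	return !wrong && right && strcmp(e.sid, "S-1-5-21-97398-379795-10000") == 0;
}
```

The rejected update logs both the asserted and the expected identity, which is the kind of message needed to tell a mis-routed DC lookup from a genuine trust failure.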



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-torture-Reorder-torture_winbind_struct_domain_info-t.patch
Type: text/x-patch
Size: 2640 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20141006/ee343c0d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-winbindd-Do-not-overwrite-domain-list-with-conflicti.patch
Type: text/x-patch
Size: 3758 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20141006/ee343c0d/attachment-0001.bin>
