winbindd crash
Noel Power
nopower at suse.com
Thu Oct 22 09:44:21 UTC 2015
Hi,
winbindd will crash in at least 4.1.x & 4.2.x when attempting to
authenticate a trusted non 'own' domain user with samlogon (e.g. if we
fallback from Kerberos), I attach a proposed fix for this here for
discussion (haven't opened a bug yet but I will). Note: the core does
not happen in 4.3 or master as cm_connect_netlogon seems to have changed
quite a bit in these versions and this scenario is avoided.
But why the core dump happens just raised more questions for me, it
seems we disallow the schannel netlogon connection from a domain child
winbindd to the domain controller when that domain is not 'our' domain
and thus the credentials are not available, ok that sounds reasonable
but afaics it means that the fallback to samlogon for trusted domain
users just can't succeed ever, is that really what we want? It should be
noted that at least some older (3.x) versions did allow this so in some
sense this appears to be a regression. The commit that brought in the
change in behaviour is
https://git.samba.org/?p=samba.git;a=commit;h=f73e480e1917712bfb6c9641f9a49c454a1e4a5f
So, I wonder is this really what we want ? similar domain selection
logic is still used for example in winbindd_dual_pam_auth_kerberos.
Should we put that logic (or a variant of it) back? I'll happily propose
a patch for that if it is appropriate
thanks,
Noel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-prevent-null-ptr-access-by-returning-error-if-no-cre.patch
Type: text/x-patch
Size: 1196 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151022/5fee8d67/0001-prevent-null-ptr-access-by-returning-error-if-no-cre.bin>
More information about the samba-technical
mailing list