winbindd crash

Stefan Metzmacher metze at samba.org
Thu Oct 22 11:03:45 UTC 2015 

Hi Noel,

> winbindd will crash in at least 4.1.x & 4.2.x when attempting to
> authenticate a trusted non 'own' domain user with samlogon (e.g. if we
> fallback from Kerberos), I attach a proposed fix for this here for
> discussion (haven't opened a bug yet but I will). Note: the core does
> not happen in 4.3 or master as cm_connect_netlogon seems to have changed
> quite a bit in these versions and this scenario is avoided.
> 
> But why the core dump happens just raised more questions for me, it
> seems we disallow the schannel netlogon connection from a domain child
> winbindd to the domain controller when that domain is not 'our' domain
> and thus the credentials are not available, ok that sounds reasonable
> but afaics it means that the fallback to samlogon for trusted domain
> users just can't succeed ever, is that really what we want? It should be
> noted that at least some older (3.x) versions did allow this so in some
> sense this appears to be a regression. The commit that brought in the
> change in behaviour is
> https://git.samba.org/?p=samba.git;a=commit;h=f73e480e1917712bfb6c9641f9a49c454a1e4a5f
> So, I wonder is this really what we want ? similar domain selection
> logic is still used for example in winbindd_dual_pam_auth_kerberos.
> Should we put that logic (or a variant of it) back? I'll happily propose
> a patch for that if it is appropriate

I think what we really need is a way to return to the parent and have
the fallback logic there,
the parent should then re-route to the correct domain child by clearing
WBFLAG_PAM_CONTACT_TRUSTDOM
before calling find_auth_domain().

Regarding the crash prevention I think we should do that in caller.
rpccli_netlogon_network_logon/rpccli_netlogon_password_logon or even
their callers
should check. They should never pass creds=NULL.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151022/f93549c7/signature.sig>

More information about the samba-technical mailing list