RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Fri Oct 30 10:29:51 UTC 2015


Hi,

Revisiting the issue that turned up in the previous 'winbindd crash' thread:

On 22/10/15 12:03, Stefan Metzmacher wrote:

> Hi Noel,
>
[...]

> I think what we really need is a way to return to the parent and have
> the fallback logic there,
> the parent should then re-route to the correct domain child by clearing
> WBFLAG_PAM_CONTACT_TRUSTDOM
> before calling find_auth_domain().

Something like the patch attached? Is this the correct direction/approach?


Noel

-------------- next part --------------
From 56a6cf51f6bd4f0e7a4d0db61467444e4b10eed5 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power at suse.com>
Date: Thu, 22 Oct 2015 16:48:21 +0100
Subject: [PATCH] If samlogon for trusted child domain user fails attempt to
 reroute request

schannel netlogon connections from a domain child winbindd to the
domain controller when that domain is not 'our' domain are disallowed
and thus the credentials are not available. The samlogon request when this
happens cannot be serviced. This patch attempts to detect this scenario
(pam_auth returns a status of NT_STATUS_CANT_ACCESS_DOMAIN_INFO) and
retries the authentication by choosing and sending the request to a domain
child that should be able to service it.

Signed-off-by: Noel Power <noel.power at suse.com>
---
 source3/winbindd/winbindd_pam_auth.c | 44 ++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index 4f963a3..d498f70 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -23,6 +23,7 @@
 struct winbindd_pam_auth_state {
 	struct winbindd_request *request;
 	struct winbindd_response *response;
+	bool inhibit_retry;
 };
 
 static void winbindd_pam_auth_done(struct tevent_req *subreq);
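Review bot: the new `inhibit_retry` field is undocumented; a one-line comment stating that it is set once the single reroute attempt has been issued, so a second NT_STATUS_CANT_ACCESS_DOMAIN_INFO from the rerouted child cannot loop, would make the intent clear. Its initial value of false relies on the state being zero-initialised at creation, which tevent_req_create() guarantees, so no explicit initialisation is needed.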
@@ -104,6 +105,49 @@ static void winbindd_pam_auth_done(struct tevent_req *subreq)
 		tevent_req_nterror(req, map_nt_error_from_unix(err));
 		return;
 	}
+	if (state->response->data.auth.nt_status && !state->inhibit_retry) {
+		NTSTATUS status =
+			NT_STATUS(state->response->data.auth.nt_status);
+
+		/*
+		 * status NT_STATUS_CANT_ACCESS_DOMAIN_INFO can indicate
+		 * a trust domain child couldn't access the NETLOGON pipe.
+		 * Try and reroute request to correct domain child.
+		 */
+		if (NT_STATUS_EQUAL(status,
+				    NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+			struct winbindd_domain *domain = NULL;
+			struct winbindd_request *request = state->request;
+			fstring name_domain, name_user;
+			uint32_t flags = request->flags;
+
+			if (!parse_domain_user(request->data.auth.user,
+					       name_domain, name_user)) {
+				tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+				tevent_req_post(req, winbind_event_context());
+				return;
+			}
+
+			flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
+			domain = find_auth_domain(flags, name_domain);
+
+			if (domain) {
+				state->inhibit_retry = true;
+				subreq = wb_domain_request_send(state,
+							winbind_event_context(),
+							domain,
+							state->request);
+				if (!subreq) {
+					tevent_req_nterror(req,
+							   NT_STATUS_NO_MEMORY);
+					return;
+				}
+				tevent_req_set_callback(subreq,
+						winbindd_pam_auth_done, req);
+				return;
+			}
+		}
+	}
 	tevent_req_done(req);
 }
 
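Review bot: the `tevent_req_post(req, winbind_event_context());` following `tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);` in the parse_domain_user() failure branch does not belong in a completion callback: tevent_req_post() exists for _send() functions that must defer the caller's callback, and here tevent_req_nterror() already fires it, so the post would schedule req's callback a second time. Drop the post and return the way the existing error path above it does (`tevent_req_nterror(req, map_nt_error_from_unix(err)); return;`). Separately, WBFLAG_PAM_CONTACT_TRUSTDOM is cleared only in the local `flags` used to pick the domain via find_auth_domain(); the `state->request` handed to wb_domain_request_send() still carries the original `request->flags`, so the child it is rerouted to sees the flag set. If that is intended, say so in the comment block; otherwise clear the flag in `request->flags` before forwarding.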
-- 
1.8.5.6
