[PATCH] winbind: Fall back to msrpc for trusted_domains call

Christof Schmitt cs at samba.org
Mon Oct 10 22:00:41 UTC 2016 

On Mon, Oct 10, 2016 at 02:12:23PM -0700, Jeremy Allison wrote:
> On Fri, Oct 07, 2016 at 04:02:12PM -0700, Christof Schmitt wrote:
> > From 7326d74677fde1903d5de489eeed3ecd1254daca Mon Sep 17 00:00:00 2001
> > From: Christof Schmitt <cs at samba.org>
> > Date: Fri, 7 Oct 2016 15:39:00 -0700
> > Subject: [PATCH] winbind: Fall back to msrpc for trusted_domains call
> > 
> > The netlogon authentication requires a trust account that is not
> > available for domain members in another domain. Use the msrpc method
> > instead in this case.
> > 
> > Signed-off-by: Christof Schmitt <cs at samba.org>
> 
> Christof,
> 
> I'm trying to figure out under what circumstances
> we'd call this for our non-primary domain ?
> 
> The only way I can see this is from
> 
> rescan_forest_root_trusts() ->
> 	add_trusted_domains() ->
> 		wb_domain_request_send(WINBINDD_LIST_TRUSTDOM)
> 
> which causes the child to ask for a trusted domain
> list.
> 
> Here be dragons, so I'm trying to understand why
> we'd be doing this.. :-).

Correct. I have a test setup with a child and parent domain where this can be
easily recreated. log.winbindd shows that this goes through
rescan_forest_root_trusts:

[2016/10/10 14:51:56.893252, 10, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:370(trustdom_list_done)
  trustdom_list_done: parsing response line 'EXAMPLE\example.com\S-1-5-21-2745666129-1984454212-2075974874\39\2\32
  SUBDOM\subdom.example.com\S-1-5-21-3412315737-4225092418-116001797\25\2\0'
[2016/10/10 14:51:56.893313, 10, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4730(wcache_tdc_add_domain)
  wcache_tdc_add_domain: Adding domain EXAMPLE (example.com), SID S-1-5-21-2745666129-1984454212-2075974874, flags = 0x27, attributes = 0x20, type = 0x2
[2016/10/10 14:51:56.893350, 10, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4440(add_wbdomain_to_tdc_array)
  add_wbdomain_to_tdc_array: Found existing record for EXAMPLE

... pack_tdb_domains ...

[2016/10/10 14:51:56.893513,  2, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:288(add_trusted_domain_from_tdc)
  Added domain EXAMPLE example.com S-1-5-21-2745666129-1984454212-2075974874
[2016/10/10 14:51:56.893536, 10, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:370(trustdom_list_done)
  trustdom_list_done: parsing response line 'SUBDOM\subdom.example.com\S-1-5-21-3412315737-4225092418-116001797\25\2\0'
[2016/10/10 14:51:56.893565, 10, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:519(rescan_forest_root_trusts)
  rescan_forest_root_trusts: Following trust path for domain tree root EXAMPLE (example.com)
[2016/10/10 14:51:56.893596, 10, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1419(fork_domain_child)
  fork_domain_child called for domain 'EXAMPLE'
  
... (messaging) ...

[2016/10/10 14:51:56.971924, 10, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:385(winbind_msg_domain_online)
  Domain EXAMPLE is marked as online now.
[2016/10/10 14:51:57.011420,  1, pid=23191, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain EXAMPLE


I think the intent here is to create a list of all domains in an arbitrarily
complex forest environment. The error indicates that a normal domain member
does not have the necessary trust permissions to do this, so i am wondering if
this is intended for DCs.

I also recall from past discussions with Volker and Metze that winbindd should
not rely on this information and always communicate with the DCs in the primary
domain. That would be larger change. Here i am trying to find a way to avoid
the warnings in the winbindd log and the error events in the DC. Maybe Volker
or metze might want to weigh in what is the best approach. Instead of falling
back to the RPC methods, we could also just return without doing anything in
this case, since we know that the authentication call won't succeed.

Christof

> 
> Cheers,
> 
> 	Jeremy.
> 
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12368
> > ---
> >  source3/winbindd/winbindd_ads.c | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
> > index dc92a4a..0ad4056 100644
> > --- a/source3/winbindd/winbindd_ads.c
> > +++ b/source3/winbindd/winbindd_ads.c
> > @@ -1556,6 +1556,16 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
> >  
> >  	DEBUG(3,("ads: trusted_domains\n"));
> >  
> > +	if (!IS_DC && !domain->primary) {
> > +		/*
> > +		 * The netlogon authentication below requires a trust
> > +		 * account that is not available to domain members,
> > +		 * fall back to the RPC methods call.
> > +		 */
> > +		return msrpc_methods.trusted_domains(domain, mem_ctx, trusts);
> > +	}
> > +
> > +
> >  	ZERO_STRUCTP(trusts);
> >  
> >  	/* If this is our primary domain or a root in our forest,
> > -- 
> > 1.8.3.1
> >

More information about the samba-technical mailing list