[Patches] Bug 11830 - Domain member cannot resolve trusted domains' users

Stefan Metzmacher metze at samba.org
Fri Feb 24 13:03:32 UTC 2017


Hi,

here're some patches which make it possible to authenticate
users from domains behind transitive trusts again for SMB access.

This is just a fix to avoid the problem in the current branches,
more cleanup and a real fix also for
https://bugzilla.samba.org/show_bug.cgi?id=8630
is planned for master in the next weeks.

Please review and push:-)

Thanks!
metze
-------------- next part --------------
From 109cf702e5f2522961d3107200228b0e33b1f52e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 24 Feb 2017 13:19:59 +0100
Subject: [PATCH 1/2] Revert "s3-winbind: Fix schannel connections against
 trusted domain DCs"

This reverts commit d2379caa77fe02264323d69fee1bcad33f1bfeee.

This change doesn't solve the real problem; it just
causes useless network traffic and the following error:

rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT

By contrast, the old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without
network traffic) instead of NT_STATUS_NO_TRUST_SAM_ACCOUNT.

A better fix will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 41a0076..fc403e2 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,7 +903,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 	struct cli_credentials *creds;
 	NTSTATUS status;
 	bool force_machine_account = false;
-	bool ok;
 
 	/* If we are a DC and this is not our own domain */
 
@@ -948,13 +947,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 						   CRED_DONT_USE_KERBEROS);
 	}
 
-	/*
-	 * When we contact our own domain and get a list of the trusted domain
-	 * we have the information if we are able to contact the DC with
-	 * with our machine account password.
-	 */
-	ok = winbindd_can_contact_domain(domain);
-	if (!ok) {
+	if (creds_domain != domain) {
 		/*
 		 * We can only use schannel against a direct trust
 		 */
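Review bot: the restored condition `if (creds_domain != domain)` compares two struct winbindd_domain pointers, but the comment under it ("We can only use schannel against a direct trust") never says what creds_domain refers to, so a reader cannot see why pointer inequality means "not a direct trust". Suggest extending that comment to state which domain's credentials creds_domain stands for and that a mismatch means the target DC is only reachable through another trust; it is also worth saying there that the resulting NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without network traffic, per the commit message) is the behaviour this revert intentionally brings back.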
@@ -3246,8 +3239,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
-			    domain->name);
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
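Review bot: dropping the DBG_WARNING leaves the SEC_CHAN_NULL case returning NT_STATUS_CANT_ACCESS_DOMAIN_INFO with no log line at all, which makes exactly the failure this bug is about harder to diagnose from log.winbindd; PATCH 2/2 then re-adds a DBG_NOTICE at the same spot, so this is churn between two patches of one series. Suggest leaving a message here (at NOTICE level, as the second patch does) even though the commit is otherwise a revert, or squashing the logging change into PATCH 2/2.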
@@ -3287,11 +3278,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	conn->netlogon_flags = netlogon_creds->negotiate_flags;
 	TALLOC_FREE(netlogon_creds);
 
-	/*
-	 * FIXME: Document in which case we are not able to contact
-	 * a DC without schannel. Which information do we try to get
-	 * from this DC?
-	 */
 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
 		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 			result = NT_STATUS_DOWNGRADE_DETECTED;
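Review bot: the FIXME is removed without the documentation it asked for. The check right after it (returning NT_STATUS_DOWNGRADE_DETECTED when NETLOGON_NEG_AUTHENTICATED_RPC was not negotiated and `winbind sealed pipes` or `require strong key` is set, via lp_winbind_sealed_pipes() / lp_require_strong_key()) is where winbindd refuses a NETLOGON connection without schannel, so the question of which DCs may be contacted without schannel, and for which calls, is still open after the revert and becomes more pressing once PATCH 2/2 adds an unauthenticated NCACN_NP path. Suggest keeping the FIXME, or replacing it with a comment that states the answer.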
-- 
1.9.1


From 5f02da409c66a6199ae3f3418d0130408a9ff680 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 24 Feb 2017 10:37:32 +0000
Subject: [PATCH 2/2] s3:winbindd: try a NETLOGON connection with noauth over
 NCACN_NP against trusted domains.

We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().

This should fix SMB authentication with a user of a domain
behind a transitive trust.

The main problem is the usage of is_trusted_domain(),
which doesn't know about the domain if winbindd can't
enumerate the domains in the other forest.

is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().

That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.

A much better fix, which removes the usage of is_trusted_domain(),
is planned for master, but this should do the job for current releases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
---
 source3/winbindd/winbindd_cm.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index fc403e2..7516419 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3239,7 +3239,28 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		if (transport == NCACN_IP_TCP) {
+			DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+				   " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n",
+				   domain->name);
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
+		DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+			   "fallback to noauth on NCACN_NP.\n",
+			   domain->name);
+
+		result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+							    transport,
+							    &ndr_table_netlogon,
+							    &conn->netlogon_pipe);
+		if (!NT_STATUS_IS_OK(result)) {
+			invalidate_cm_connection(domain);
+			return result;
+		}
+
+		*cli = conn->netlogon_pipe;
+		return NT_STATUS_OK;
 	}
 
 	result = rpccli_create_netlogon_creds_with_creds(creds,
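Review bot: the new noauth fallback returns NT_STATUS_OK before conn->netlogon_flags is assigned and before the NETLOGON_NEG_AUTHENTICATED_RPC check that returns NT_STATUS_DOWNGRADE_DETECTED under `winbind sealed pipes` / `require strong key` (see the last hunk of PATCH 1/2), so those two settings no longer gate this connection and conn->netlogon_flags keeps whatever value it had. The commit message says the protection here is the SMB signing requirement enforced by cm_prepare_connection(); put that reasoning in a comment next to the fallback, set `conn->netlogon_flags = 0;` explicitly before returning, and state which NETLOGON calls callers may issue on a pipe that has no netlogon_creds, since anything needing an authenticator will fail on it. Minor: the first DBG_NOTICE concatenates `"... for %s, "` with `" deny NCACN_IP_TCP ..."`, giving a double space in the message; drop the leading space of the second literal. Also, unlike PATCH 1/2, this patch carries no Signed-off-by line.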
-- 
1.9.1
