[Patches] Bug 11830 - Domain member cannot resolve trusted domains' users

Stefan Metzmacher metze at samba.org
Fri Feb 24 14:03:36 UTC 2017


Here with an improved commit message...

Am 24.02.2017 um 14:03 schrieb Stefan Metzmacher:
> Hi,
> 
> here're some patches which make it possible to authenticate
> users from domains behind transitive trusts again for SMB access.
> 
> This is just a fix to avoid the problem in the current branches,
> more cleanup and a real fix also for
> https://bugzilla.samba.org/show_bug.cgi?id=8630
> is planned for master in the next weeks.
> 
> Please review and push:-)
> 
> Thanks!
> metze
> 
-------------- next part --------------
From 109cf702e5f2522961d3107200228b0e33b1f52e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 24 Feb 2017 13:19:59 +0100
Subject: [PATCH 1/2] Revert "s3-winbind: Fix schannel connections against
 trusted domain DCs"

This reverts commit d2379caa77fe02264323d69fee1bcad33f1bfeee.

This change doesn't solve the real problem, it just
causes useless network traffic and the following error:

rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT

While the old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without
network traffic) instead of the NT_STATUS_NO_TRUST_SAM_ACCOUNT.

A better fix will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 41a0076..fc403e2 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,7 +903,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 	struct cli_credentials *creds;
 	NTSTATUS status;
 	bool force_machine_account = false;
-	bool ok;
 
 	/* If we are a DC and this is not our own domain */
 
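Review bot: Dropping `bool ok;` here is only safe because its single use (`ok = winbindd_can_contact_domain(domain);`) goes away in the next hunk of this revert; worth confirming no other reference to `ok` remains in get_trust_credentials() so the build does not trip on an undeclared identifier with -Werror.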
@@ -948,13 +947,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 						   CRED_DONT_USE_KERBEROS);
 	}
 
-	/*
-	 * When we contact our own domain and get a list of the trusted domain
-	 * we have the information if we are able to contact the DC with
-	 * with our machine account password.
-	 */
-	ok = winbindd_can_contact_domain(domain);
-	if (!ok) {
+	if (creds_domain != domain) {
 		/*
 		 * We can only use schannel against a direct trust
 		 */
@@ -3246,8 +3239,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
-			    domain->name);
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
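Review bot: Removing the `DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL ...")` leaves `return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;` with no log line at all, so an administrator debugging a failed trust lookup gets no hint why the NETLOGON connection was refused; since a warning-level message was present before, consider keeping it (or a DBG_NOTICE) in this patch rather than relying on a follow-up patch to reintroduce it.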
@@ -3287,11 +3278,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	conn->netlogon_flags = netlogon_creds->negotiate_flags;
 	TALLOC_FREE(netlogon_creds);
 
-	/*
-	 * FIXME: Document in which case we are not able to contact
-	 * a DC without schannel. Which information do we try to get
-	 * from this DC?
-	 */
 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
 		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 			result = NT_STATUS_DOWNGRADE_DETECTED;
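Review bot: The removed FIXME comment asked an open question ("in which case we are not able to contact a DC without schannel") that the surrounding code still does not answer, and the commit message itself says "A better fix will follow"; deleting the comment drops the reminder without resolving it. Either keep the FIXME or replace it with a one-line pointer to bug 11830 so the remaining `NETLOGON_NEG_AUTHENTICATED_RPC` / `NT_STATUS_DOWNGRADE_DETECTED` check stays documented.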
-- 
1.9.1


From 8078d0c0a527bddc7d1625bd3d9dc41980b5865b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 24 Feb 2017 10:37:32 +0000
Subject: [PATCH 2/2] s3:winbindd: try a NETLOGON connection with noauth over
 NCACN_NP against trusted domains.

We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().

This should fix SMB authentication with a user of a domain
behind a transitive trust.

With this change winbindd is able to call
dcerpc_netr_DsrEnumerateDomainTrusts against the
dc of a trusted domain again. This only works
for two-way trusts.

The main problem is the usage of is_trusted_domain()
which doesn't know about the domain, if winbindd can't
enumerate the domains in the other forest.

is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().

That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.

A much better fix, which removes the usage of is_trusted_domain()
is planned for master, but this should do the job for current releases.

We should avoid talking to DCs of other domains and always
go via our primary domain. As we should code with one-way trusts
also, we need to avoid relying on a complete list of
domains in future.

For now "wbinfo -m" lists domains behind a two-way transitive
trust again, but that is likely to change in future again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index fc403e2..7516419 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3239,7 +3239,28 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		if (transport == NCACN_IP_TCP) {
+			DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+				   " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n",
+				   domain->name);
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
+		DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+			   "fallback to noauth on NCACN_NP.\n",
+			   domain->name);
+
+		result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+							    transport,
+							    &ndr_table_netlogon,
+							    &conn->netlogon_pipe);
+		if (!NT_STATUS_IS_OK(result)) {
+			invalidate_cm_connection(domain);
+			return result;
+		}
+
+		*cli = conn->netlogon_pipe;
+		return NT_STATUS_OK;
 	}
 
 	result = rpccli_create_netlogon_creds_with_creds(creds,
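Review bot: The noauth branch returns `NT_STATUS_OK` right after `*cli = conn->netlogon_pipe;`, so it never reaches the later `conn->netlogon_flags = netlogon_creds->negotiate_flags;` assignment nor the `NETLOGON_NEG_AUTHENTICATED_RPC` check that returns `NT_STATUS_DOWNGRADE_DETECTED` when `lp_winbind_sealed_pipes()` or `lp_require_strong_key()` is set; an unauthenticated NETLOGON pipe therefore bypasses the downgrade protection that the rest of cm_connect_netlogon_transport() enforces, and `conn->netlogon_flags` keeps whatever value it had before. Please either apply the same `lp_winbind_sealed_pipes()` / `lp_require_strong_key()` policy in the fallback (or explicitly set `conn->netlogon_flags = 0;` and state in a code comment that the SMB signing requirements of cm_prepare_connection() are the only protection here, as the commit message says), so a reader of this function can see the trade-off. Minor: the second string literal `" deny NCACN_IP_TCP ..."` starts with a space after the `", "` of the first, which produces a double space in the log line.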
-- 
1.9.1
