Regression triggered by the bug #11830 fixes (4.4.10, 4.6.0rc4 and v4-5-test)

Stefan Metzmacher metze at samba.org
Thu Mar 2 11:20:04 UTC 2017


Hi,

the problem is that we blindly take the trust_flags, trust_attribs...
from the enumeration of trusts of other forests.

As a result we have NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST
on domains which are not within our forest.

Please review and push :-)

Thanks!
metze

On 01.03.2017 at 18:30, Stefan Metzmacher wrote:
> Hi,
> 
> if someone wants a debugging challenge please have a look at
> the logfiles in https://bugzilla.samba.org/show_bug.cgi?id=12605.
> 
> It seems to start with the following in log.winbindd:
> 
> [2017/03/01 17:30:49.851743, 10, pid=6517, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_util.c:369(trustdom_list_done)
>   trustdom_list_done: parsing response line
> 'BLA\bla.base\S-1-5-21-4053568372-2049667917-3384589010\34\2\8
>   W2012R2-L6\w2012r2-l6.base\S-1-5-21-2072033271-969857664-807811056\34\2\4
>   W4EDOM-L4\w4edom-l4.base\S-1-5-21-278041429-3399921908-1452754838\29\2\0'
> 
> I'll have a look at it again tomorrow...
> 
> Thanks!
> metze
> 
-------------- next part --------------
From 2c956efc8077c549d3653d9ba99e2833d074ff28 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 2 Mar 2017 08:13:57 +0100
Subject: [PATCH] s3:winbindd: fix endless forest trust scan

Commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b effectively
disabled the enumeration of trusts in other forests.

The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
changed the way we fill domain->domain_flags for domains
in other forests.

Commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6 readded the
ability to enumerate trusts of other forests again, in order to
fix https://bugzilla.samba.org/show_bug.cgi?id=11830

Now we have the problem that multiple domains
(even outside of our forest) are considered to be
our forest root, as they have the following flags:
NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12605

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_ads.c  |  8 ++++++++
 source3/winbindd/winbindd_util.c | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 05ef2ec..cde9099 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1133,6 +1133,14 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 			}
 			TALLOC_FREE(parent);
 
+			/*
+			 * We need to pass the modified properties
+			 * to the caller.
+			 */
+			trust->trust_flags = d.domain_flags;
+			trust->trust_type = d.domain_type;
+			trust->trust_attributes = d.domain_trust_attribs;
+
 			wcache_tdc_add_domain( &d );
 			ret_count++;
 		}
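Review bot: the comment above the three new assignments says the properties were "modified" but not by what; pointing at the block that ends with TALLOC_FREE(parent) just above, where d.domain_flags, d.domain_type and d.domain_trust_attribs were computed, would make the copy-back into trust->trust_flags, trust->trust_type and trust->trust_attributes self-explanatory, and it is worth confirming that nothing after this point still expects the original values the caller passed in for this trust.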
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index ffcb09d..ab6862d 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -342,6 +342,20 @@ static void trustdom_list_done(struct tevent_req *req)
 	char *p;
 	struct winbindd_tdc_domain trust_params = {0};
 	ptrdiff_t extra_len;
+	bool within_forest = false;
+
+	/*
+	 * Only when we enumerate our primary domain
+	 * or our forest root domain, we should keep
+	 * the NETR_TRUST_FLAG_IN_FOREST flag, in
+	 * all other cases we need to clear it as the domain
+	 * is not part of our forest.
+	 */
+	if (state->domain->primary) {
+		within_forest = true;
+	} else if (domain_is_forest_root(state->domain)) {
+		within_forest = true;
+	}
 
 	res = wb_domain_request_recv(req, state, &response, &err);
 	if ((res == -1) || (response->result != WINBINDD_OK)) {
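Review bot: the if/else-if chain at the end of the hunk collapses to a single initialiser, `bool within_forest = state->domain->primary || domain_is_forest_root(state->domain);`, which keeps the explanatory comment next to the declaration; the comment should also mention NETR_TRUST_FLAG_PRIMARY, since the second hunk in this file clears that flag under the same state->domain->primary condition, so a reader of this comment alone would think only IN_FOREST is affected.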
@@ -427,6 +441,14 @@ static void trustdom_list_done(struct tevent_req *req)
 
 		trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
 
+		if (!within_forest) {
+			trust_params.trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST;
+		}
+
+		if (!state->domain->primary) {
+			trust_params.trust_flags &= ~NETR_TRUST_FLAG_PRIMARY;
+		}
+
 		/*
 		 * We always call add_trusted_domain() cause on an existing
 		 * domain structure, it will update the SID if necessary.
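Review bot: only NETR_TRUST_FLAG_IN_FOREST and NETR_TRUST_FLAG_PRIMARY are masked here, while the commit message names NETR_TRUST_FLAG_TREEROOT as the other flag that makes a domain outside our forest look like our forest root; either clear NETR_TRUST_FLAG_TREEROOT in the `if (!within_forest)` branch as well, or add a comment stating why leaving it set on a foreign domain is harmless (for example if the forest-root lookup also requires IN_FOREST), so the next reader does not have to rediscover that reasoning.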
-- 
1.9.1

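Added example, not code from the patch or from Samba: a small C program that parses the `NAME\dns\SID\flags\type\attribs` records quoted from log.winbindd above and applies the flag masking the patch introduces in trustdom_list_done(). The NETR_TRUST_FLAG_* values are assumed from MS-NRPC's DS_DOMAIN_* bits (not taken from this page); the sample record is copied from the quoted log line.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits as defined in MS-NRPC (DS_DOMAIN_*); assumed here, not from the page. */
#define NETR_TRUST_FLAG_IN_FOREST 0x00000001
#define NETR_TRUST_FLAG_PRIMARY   0x00000008

struct trust_entry {
	char name[64], dns[128], sid[96];
	uint32_t flags, type, attribs;
};

/* Parse one "NAME\dns\SID\flags\type\attribs" record as logged by
 * trustdom_list_done(); returns true only for a complete record. */
static bool parse_trust_record(const char *rec, struct trust_entry *t)
{
	char buf[512], *f[6];
	int n = 0;

	snprintf(buf, sizeof(buf), "%s", rec);
	for (char *p = strtok(buf, "\\"); p != NULL && n < 6; p = strtok(NULL, "\\")) {
		f[n++] = p;
	}
	if (n != 6) {
		return false;
	}
	snprintf(t->name, sizeof(t->name), "%s", f[0]);
	snprintf(t->dns, sizeof(t->dns), "%s", f[1]);
	snprintf(t->sid, sizeof(t->sid), "%s", f[2]);
	t->flags = (uint32_t)strtoul(f[3], NULL, 10);
	t->type = (uint32_t)strtoul(f[4], NULL, 10);
	t->attribs = (uint32_t)strtoul(f[5], NULL, 10);
	return true;
}

/* The patch's rule: keep IN_FOREST only when the domain being enumerated is our
 * primary or forest-root domain, and PRIMARY only when it is our primary domain.
 * TREEROOT is deliberately left untouched, exactly as the patch does. */
static uint32_t sanitize_trust_flags(uint32_t flags, bool enum_primary, bool enum_forest_root)
{
	if (!(enum_primary || enum_forest_root)) {
		flags &= ~NETR_TRUST_FLAG_IN_FOREST;
	}
	if (!enum_primary) {
		flags &= ~NETR_TRUST_FLAG_PRIMARY;
	}
	return flags;
}
```

For the third quoted record (flags 29, i.e. IN_FOREST|TREEROOT|PRIMARY|NATIVE) received while enumerating a foreign forest, sanitize_trust_flags() yields 20, so the domain no longer carries IN_FOREST or PRIMARY.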