[PATCH] Can't authenticate user from child-domain of trusted forest

Ralph Böhme slow at samba.org
Mon Nov 27 19:50:15 UTC 2017


Hi!

Attached is a fix for a regression introduced by
d7e31d9f4d9ce7395e458ac341dd83ac06255a20.

This results in the inability of winbind to enumerate trusts of trusted forests,
so we can't authenticate users from any child-domain (or additional tree-roots)
of the trusted forest.

I had filed a bug report although the regression is only in master so we won't
need backports. I'm not sure about having the bug URLs in the commit messages in
this case.

Please review&push if ok. As usual, the funky stuff doesn't have tests. :)

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
-------------- next part --------------
From b6071186b4e395ef97e398f79191f3c3360ab98f Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Nov 2017 15:28:38 +0100
Subject: [PATCH 1/2] winbindd: restore SEC_CHAN_NULL fallback in
 cm_connect_netlogon_transport

This partially reverts commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20
"winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL.

Without this we fail to enumerate domains in trusted forests so users
from any child-domain (or tree-root) in the trusted forest can't log in
via e.g. SMB.

This is a temporary hack that will go away once we get rid of the trusted domain
list.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/winbindd/winbindd_cm.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index f88c704c014..16836bd05b5 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3214,6 +3214,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	struct messaging_context *msg_ctx = server_messaging_context();
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result;
+	enum netr_SchannelType sec_chan_type;
 	struct cli_credentials *creds = NULL;
 
 	*cli = NULL;
@@ -3241,6 +3242,41 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
+	if (cli_credentials_is_anonymous(creds)) {
+		DBG_WARNING("get_trust_credential only gave anonymous for %s, "
+			    "unable to make get NETLOGON credentials\n",
+			    domain->name);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+	if (sec_chan_type == SEC_CHAN_NULL) {
+		if (transport == NCACN_IP_TCP) {
+			DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
+				   "for %s, deny NCACN_IP_TCP and let the "
+				   "caller fallback to NCACN_NP.\n",
+				   domain->name);
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
+		DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+			   "fallback to noauth on NCACN_NP.\n",
+			   domain->name);
+
+		result = cli_rpc_pipe_open_noauth_transport(
+			conn->cli,
+			transport,
+			&ndr_table_netlogon,
+			&conn->netlogon_pipe);
+		if (!NT_STATUS_IS_OK(result)) {
+			invalidate_cm_connection(domain);
+			return result;
+		}
+
+		*cli = conn->netlogon_pipe;
+		return NT_STATUS_OK;
+	}
+
 	result = rpccli_create_netlogon_creds_ctx(creds,
 						  domain->dcname,
 						  msg_ctx,
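Review bot: the SEC_CHAN_NULL branch hands back a noauth NETLOGON pipe in `*cli` and returns before the `rpccli_create_netlogon_creds_ctx()` call below, so a connection made this way has no schannel credentials context; since the commit message says this path is only needed to enumerate domains of the trusted forest and is a temporary hack, put that in a comment at the top of the branch (with the bug URL), so that anyone calling cm_connect_netlogon() for something that must be schannel-protected can see the pipe may be unauthenticated. Two smaller points in the same hunk: the DBG_WARNING text reads "unable to make get NETLOGON credentials" (drop "make" or "get"), and the NCACN_IP_TCP deny path returns NT_STATUS_CANT_ACCESS_DOMAIN_INFO without `invalidate_cm_connection(domain)` while the failed noauth open does invalidate; if that asymmetry is intentional (the caller retries with NCACN_NP on the same connection) a one-line comment would save the next reader the question.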
-- 
2.13.6


From 568f8d51dd5ab5cb50c3c40562a0ab91b2100030 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 26 Nov 2017 19:04:19 +0100
Subject: [PATCH 2/2] s3/cli_netlogon: remove SEC_CHAN_NULL fallback from
 rpccli_connect_netlogon()

The caller should handle secure-channel-type SEC_CHAN_NULL. The previous
commit already added handling of SEC_CHAN_NULL to
cm_connect_netlogon_transport.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/rpc_client/cli_netlogon.c | 30 ------------------------------
 1 file changed, 30 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a7676efb055..3973da635ef 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -284,7 +284,6 @@ NTSTATUS rpccli_connect_netlogon(
 	TALLOC_CTX *frame = talloc_stackframe();
 	struct netlogon_creds_CredentialState *creds = NULL;
 	enum netlogon_creds_cli_lck_type lck_type;
-	enum netr_SchannelType sec_chan_type;
 	struct netlogon_creds_cli_lck *lck;
 	uint32_t negotiate_flags;
 	uint8_t found_session_key[16] = {0};
@@ -378,35 +377,6 @@ again:
 		goto fail;
 	}
 
-	sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
-	if (sec_chan_type == SEC_CHAN_NULL) {
-		if (transport == NCACN_IP_TCP) {
-			DBG_NOTICE("secure_channel_type gave SEC_CHAN_NULL "
-				   "for %s, deny NCACN_IP_TCP and let the "
-				   "caller fallback to NCACN_NP.\n",
-				   netlogon_creds_cli_debug_string(
-					   creds_ctx, frame));
-			status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-			goto fail;
-		}
-
-		DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
-			   "for %s, fallback to noauth on NCACN_NP.\n",
-			   netlogon_creds_cli_debug_string(
-				   creds_ctx, frame));
-
-		TALLOC_FREE(lck);
-
-		status = cli_rpc_pipe_open_noauth_transport(
-			cli, transport, &ndr_table_netlogon, &rpccli);
-		if (!NT_STATUS_IS_OK(status)) {
-			DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
-				  "failed: %s\n", nt_errstr(status));
-			goto fail;
-		}
-		goto done;
-	}
-
 	status = rpccli_setup_netlogon_creds_locked(
 		cli, transport, creds_ctx, true, trust_creds,
 		&negotiate_flags);
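Review bot: with this block gone, any caller of rpccli_connect_netlogon() whose `trust_creds` carry SEC_CHAN_NULL now falls straight into `rpccli_setup_netlogon_creds_locked()` instead of getting the noauth pipe, and the commit message only says "the caller should handle" it; state explicitly that cm_connect_netlogon_transport() is the sole caller that can pass SEC_CHAN_NULL (or name the others and how they cope), and if the function has a header comment, note there that SEC_CHAN_NULL is no longer handled here. Removal of the `TALLOC_FREE(lck)` and the `goto done` looks consistent with the remaining lock handling in the visible context.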
-- 
2.13.6