[PATCH] Can't authenticate user from child-domain of trusted forest
Ralph Böhme
slow at samba.org
Mon Nov 27 19:50:15 UTC 2017
Hi!
Attached is a fix for a regression introduced by
d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
This results in the inability of winbind to enumerate trusts of trusted forests,
so we can't authenticate users from any child-domain (or additional tree-roots)
of the trusted forest.
I had filed a bug report although the regression is only in master so we won't
need backports. I'm not sure about having the bug URLs in the commit messages in
this case.
Please review & push if ok. As usual, the funky stuff doesn't have tests. :)
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
From b6071186b4e395ef97e398f79191f3c3360ab98f Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Nov 2017 15:28:38 +0100
Subject: [PATCH 1/2] winbindd: restore SEC_CHAN_NULL fallback in
cm_connect_netlogon_transport
This partially reverts commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20
"winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL.
Without this we fail to enumerate domains in trusted forests so users
from any child-domain (or tree-root) in the trusted forest can't log in
via e.g. SMB.
This is a temporary hack that will go away once we get rid of the trusted domain
list.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source3/winbindd/winbindd_cm.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index f88c704c014..16836bd05b5 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3214,6 +3214,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
struct messaging_context *msg_ctx = server_messaging_context();
struct winbindd_cm_conn *conn;
NTSTATUS result;
+ enum netr_SchannelType sec_chan_type;
struct cli_credentials *creds = NULL;
*cli = NULL;
@@ -3241,6 +3242,41 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
+ if (cli_credentials_is_anonymous(creds)) {
+ DBG_WARNING("get_trust_credential only gave anonymous for %s, "
+ "unable to make get NETLOGON credentials\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
+ if (transport == NCACN_IP_TCP) {
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
+ "for %s, deny NCACN_IP_TCP and let the "
+ "caller fallback to NCACN_NP.\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+ "fallback to noauth on NCACN_NP.\n",
+ domain->name);
+
+ result = cli_rpc_pipe_open_noauth_transport(
+ conn->cli,
+ transport,
+ &ndr_table_netlogon,
+ &conn->netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ invalidate_cm_connection(domain);
+ return result;
+ }
+
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+
result = rpccli_create_netlogon_creds_ctx(creds,
domain->dcname,
msg_ctx,
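Review bot: the SEC_CHAN_NULL branch returns NT_STATUS_OK with `*cli = conn->netlogon_pipe` pointing at a pipe opened by cli_rpc_pipe_open_noauth_transport(), before rpccli_create_netlogon_creds_ctx() is ever reached, so a caller cannot tell from the return value whether it received a schannel-protected NETLOGON pipe or an unauthenticated one; given the commit message calls this a temporary hack, a comment at the `return NT_STATUS_OK;` stating that the pipe is unauthenticated and which operations the caller may run over it would prevent misuse. Minor: the DBG_WARNING text "unable to make get NETLOGON credentials" has a stray word, "unable to get NETLOGON credentials" reads correctly. Also, the NCACN_IP_TCP deny path returns without invalidate_cm_connection() while the noauth failure path calls it; if keeping the connection valid on the TCP path is deliberate so the caller can retry over NCACN_NP, a short comment there would make that intent explicit.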
--
2.13.6
From 568f8d51dd5ab5cb50c3c40562a0ab91b2100030 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 26 Nov 2017 19:04:19 +0100
Subject: [PATCH 2/2] s3/cli_netlogon: remove SEC_CHAN_NULL fallback from
rpccli_connect_netlogon()
The caller should handle secure-channel-type SEC_CHAN_NULL. The previous
commit already added handling of SEC_CHAN_NULL to
cm_connect_netlogon_transport.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source3/rpc_client/cli_netlogon.c | 30 ------------------------------
1 file changed, 30 deletions(-)
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a7676efb055..3973da635ef 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -284,7 +284,6 @@ NTSTATUS rpccli_connect_netlogon(
TALLOC_CTX *frame = talloc_stackframe();
struct netlogon_creds_CredentialState *creds = NULL;
enum netlogon_creds_cli_lck_type lck_type;
- enum netr_SchannelType sec_chan_type;
struct netlogon_creds_cli_lck *lck;
uint32_t negotiate_flags;
uint8_t found_session_key[16] = {0};
@@ -378,35 +377,6 @@ again:
goto fail;
}
- sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
- if (sec_chan_type == SEC_CHAN_NULL) {
- if (transport == NCACN_IP_TCP) {
- DBG_NOTICE("secure_channel_type gave SEC_CHAN_NULL "
- "for %s, deny NCACN_IP_TCP and let the "
- "caller fallback to NCACN_NP.\n",
- netlogon_creds_cli_debug_string(
- creds_ctx, frame));
- status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- goto fail;
- }
-
- DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
- "for %s, fallback to noauth on NCACN_NP.\n",
- netlogon_creds_cli_debug_string(
- creds_ctx, frame));
-
- TALLOC_FREE(lck);
-
- status = cli_rpc_pipe_open_noauth_transport(
- cli, transport, &ndr_table_netlogon, &rpccli);
- if (!NT_STATUS_IS_OK(status)) {
- DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
- "failed: %s\n", nt_errstr(status));
- goto fail;
- }
- goto done;
- }
-
status = rpccli_setup_netlogon_creds_locked(
cli, transport, creds_ctx, true, trust_creds,
&negotiate_flags);
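Review bot: with this block gone, trust_creds whose secure channel type is SEC_CHAN_NULL now fall straight through to rpccli_setup_netlogon_creds_locked() instead of being denied on NCACN_IP_TCP or downgraded to a noauth pipe; the commit message says the caller is expected to handle SEC_CHAN_NULL, but only cm_connect_netlogon_transport() is named, so please confirm every remaining caller of rpccli_connect_netlogon() checks cli_credentials_get_secure_channel_type() first, and record the new precondition in the function's header comment. The removed path also did `TALLOC_FREE(lck)` before opening the noauth pipe; nothing else in this hunk references lck, so the removal is clean on that point.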
--
2.13.6