[PATCH] Can't authenticate user from child-domain of trusted forest

Ralph Böhme slow at samba.org
Mon Nov 27 21:37:28 UTC 2017


On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > Attached is a fix for a regression introduced by
> > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > 
> > This results in the inability of winbind to enumerate trusts of trusted forests,
> > so we can't authenticate users from any child-domain (or additional tree-roots)
> > of the trusted forest.
> 
> Can you explain to me why we need the trusted domain cache filled
> correctly to just log in? Where in the code path does that fail?

find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
bunch of other places that depend on the domain list as well, but with the
attached WIP patch I could get a smbclient login working with a user from a
trusted domain while trust enumeration in winbindd is completely disabled, so
the domain list contains only BUILTIN, the local SAM and the primary domain:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain           Trust Type  Transitive  In   Out
BUILTIN                              None        Yes         Yes  Yes
TITAN                                None        Yes         Yes  Yes
SUBDOM21        SUBDOM21.WDOM2.SITE  None        Yes         Yes  Yes

With idmap_autorid basic stuff works nicely:

$ bin/smbclient -U "subdom31\administrator%Passw0rd" //localhost/share -c quit
$ bin/wbinfo -i "SUBDOM31\administrator"
SUBDOM31\administrator:*:2060500:2060513::/home/SUBDOM31/administrator:/bin/false

$ bin/smbclient -U "wdom3\administrator%Passw1rd" //localhost/share -c quit
$ bin/wbinfo -i "wdom3\administrator"
WDOM3\administrator:*:2080500:2080513::/home/WDOM3/administrator:/bin/false

Now there are a bunch of places where we rely on the domain list, but we're not
that far away from being able to disable trust enumeration for certain
setups.

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
-------------- next part --------------
From 09804c745e03001f9f26773353048602dbfc8772 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Nov 2017 12:42:44 +0100
Subject: [PATCH 1/2] WIP: normalize_name_map...

---
 source3/winbindd/wb_getpwsid.c    |  8 +-------
 source3/winbindd/winbindd_group.c | 11 +----------
 source3/winbindd/winbindd_msrpc.c |  4 ++--
 source3/winbindd/winbindd_proto.h |  2 +-
 source3/winbindd/winbindd_rpc.c   |  4 ++--
 source3/winbindd/winbindd_util.c  |  9 ++++++++-
 6 files changed, 15 insertions(+), 23 deletions(-)

diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
index dcb249287d9..01c2f9cebfb 100644
--- a/source3/winbindd/wb_getpwsid.c
+++ b/source3/winbindd/wb_getpwsid.c
@@ -69,7 +69,6 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
 		req, struct wb_getpwsid_state);
 	struct winbindd_pw *pw = state->pw;
 	struct wbint_userinfo *info;
-	struct winbindd_domain *domain = NULL;
 	fstring acct_name, output_username;
 	char *mapped_name = NULL;
 	char *tmp;
@@ -91,11 +90,6 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
 		return;
 	}
 
-	domain = find_domain_from_name_noinit(info->domain_name);
-	if (tevent_req_nomem(domain, req)) {
-		return;
-	}
-
 	/*
 	 * TODO:
 	 * This function should be called in 'idmap winbind child'. It shouldn't
@@ -103,7 +97,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
 	 * winbind.idl. This is a fix which can be backported for now.
 	 */
 	status = normalize_name_map(state,
-				    domain,
+				    info->domain_name,
 				    acct_name,
 				    &mapped_name);
 	if (NT_STATUS_IS_OK(status)) {
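Review bot: With the lookup and its `tevent_req_nomem(domain, req)` check removed in the previous hunk of this file, an unresolvable `info->domain_name` no longer fails the request here; it can only surface as a non-OK status from normalize_name_map, and the branch that handles that status begins after this hunk, so confirm it falls back to the unmapped `acct_name` rather than treating the failed lookup as an error. The old code also misreported "domain not found" as NT_STATUS_NO_MEMORY, so dropping that check is an improvement worth stating in the commit message, which currently reads only `WIP: normalize_name_map...`. A one-line comment above the call, `/* domain lookup now happens inside normalize_name_map() */`, would keep the next reader from re-adding it. wb_getpwsid_queryuser_done continues outside the hunk.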
diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c
index b5c9d3cf94e..417565ecbf0 100644
--- a/source3/winbindd/winbindd_group.c
+++ b/source3/winbindd/winbindd_group.c
@@ -36,18 +36,9 @@ bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr,
 {
 	fstring full_group_name;
 	char *mapped_name = NULL;
-	struct winbindd_domain *domain;
 	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 
-	domain = find_domain_from_name_noinit(dom_name);
-	if (domain == NULL) {
-		DEBUG(0, ("Failed to find domain '%s'. "
-			  "Check connection to trusted domains!\n",
-			  dom_name));
-		return false;
-	}
-
-	nt_status = normalize_name_map(mem_ctx, domain, gr_name,
+	nt_status = normalize_name_map(mem_ctx, dom_name, gr_name,
 				       &mapped_name);
 
 	/* Basic whitespace replacement */
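Review bot: Dropping the `find_domain_from_name_noinit()` block removes fill_grent's hard failure (`return false`) for a `dom_name` absent from the domain list; after this hunk such a lookup failure is reported only through `nt_status`, and how that status is handled is outside the hunk. If the intent is that fill_grent now succeeds for domains winbindd has not enumerated (child domains of a trusted forest, per the cover mail), the commit message should say so, since this is a behavioural change rather than a refactor. The removed DEBUG(0) text that told the admin to "Check connection to trusted domains!" is also gone; its replacement inside normalize_name_map appears to run only on the path past that function's early returns, so the diagnostic is no longer emitted when normalization is disabled. fill_grent continues outside the hunk.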
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index c56537662ba..9bf4354f4e3 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -313,7 +313,7 @@ static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
 
 	DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
 
-	name_map_status = normalize_name_map(mem_ctx, domain, *name,
+	name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
 					     &mapped_name);
 	if (NT_STATUS_IS_OK(name_map_status) ||
 	    NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
@@ -377,7 +377,7 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
 
 		if ((*types)[i] != SID_NAME_UNKNOWN) {
 			name_map_status = normalize_name_map(mem_ctx,
-							     domain,
+							     domain->name,
 							     ret_names[i],
 							     &mapped_name);
 			if (NT_STATUS_IS_OK(name_map_status) ||
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 83136996dd2..cf01337aaad 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -471,7 +471,7 @@ NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
 				  uint32_t *p_num_groups, struct dom_sid **user_sids);
 
 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
-			     struct winbindd_domain *domain,
+			     const char *domain_name,
 			     const char *name,
 			     char **normalized);
 NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 2c76e1abd6c..f50fb8fa5db 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -332,7 +332,7 @@ NTSTATUS rpc_sid_to_name(TALLOC_CTX *mem_ctx,
 	*ptype = (enum lsa_SidType) types[0];
 
 	map_status = normalize_name_map(mem_ctx,
-					domain,
+					domain->name,
 					names[0],
 					&mapped_name);
 	if (NT_STATUS_IS_OK(map_status) ||
@@ -410,7 +410,7 @@ NTSTATUS rpc_rids_to_names(TALLOC_CTX *mem_ctx,
 
 		if (types[i] != SID_NAME_UNKNOWN) {
 			map_status = normalize_name_map(mem_ctx,
-							domain,
+							domain->name,
 							names[i],
 							&mapped_name);
 			if (NT_STATUS_IS_OK(map_status) ||
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 7b443c79fa5..7d6496332ff 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1339,10 +1339,11 @@ NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
 ********************************************************************/
 
 NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
-			     struct winbindd_domain *domain,
+			     const char *domain_name,
 			     const char *name,
 			     char **normalized)
 {
+	struct winbindd_domain *domain = NULL;
 	NTSTATUS nt_status;
 
 	if (!name || !normalized) {
@@ -1353,6 +1354,12 @@ NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_PROCEDURE_NOT_FOUND;
 	}
 
+	domain = find_domain_from_name_noinit(domain_name);
+	if (domain == NULL) {
+		DBG_ERR("Failed to find domain '%s'\n",	domain_name);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	/* Alias support and whitespace replacement are mutually
 	   exclusive */
 
-- 
2.13.6


From 59d4aadeacc9ad4bc7ba571745985b8b804e8833 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Nov 2017 13:14:28 +0100
Subject: [PATCH 2/2] HACK: winbindd: disable lp_allow_trusted_domains ...

---
 source3/winbindd/winbindd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index ceb131e9b32..d189793b535 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1373,7 +1373,7 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx,
 	smb_nscd_flush_user_cache();
 	smb_nscd_flush_group_cache();
 
-	if (lp_allow_trusted_domains()) {
+	if (0) {
 		if (tevent_add_timer(server_event_context(), NULL, timeval_zero(),
 			      rescan_trusted_domains, NULL) == NULL) {
 			DEBUG(0, ("Could not trigger rescan_trusted_domains()\n"));
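Review bot: `if (0)` discards the `lp_allow_trusted_domains()` gate and leaves the timer registration as dead code, so the trusted-domain rescan can no longer be enabled from configuration at all. If the experiment is to run winbindd without trust enumeration, keep the existing setting and gate the rescan on an additional one, or at least mark the line `/* HACK: trust enumeration disabled for testing, do not merge */` so the intent survives a rebase. winbindd_register_handlers continues outside the hunk.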
-- 
2.13.6


