[PATCH] Can't authenticate user from child-domain of trusted forest

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Nov 28 09:16:01 UTC 2017


On Mon, Nov 27, 2017 at 10:37:28PM +0100, Ralph Böhme via samba-technical wrote:
> On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > > Attached is a fix for a regression introduced by
> > > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > > 
> > > This results in the inability of winbind to enumerate trusts of trusted forests,
> > > so we can't authenticate users from any child-domain (or additional tree-roots)
> > > of the trusted forest.
> > 
> > Can you explain to me why we need the trusted domain cache filled
> > correctly to just log in? Where in the code path does that fail?
> 
> find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
> bunch of other places that depend on the domain list as well, but with the
> attached WIP patch I could get a smbclient login working with a user from a
> trusted domain while trust enumeration in winbindd is completely disabled, so
> the domain list contains only BUILTIN, the local SAM and the primary domain:

Would the attached patch also work? No signed-off yet, because if this
works for you we need to do the same for the pac case too. I just
wanted a quick cross-check if this approach would be fine too.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 870260cce8f237c5d1e8484dc17d85bc45a5b665 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 28 Nov 2017 09:04:08 +0100
Subject: [PATCH 1/2] winbindd: Make "add_trusted_domain" public

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_proto.h | 3 +++
 source3/winbindd/winbindd_util.c  | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 83136996dd2..f16b7647a3e 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -436,6 +436,9 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 
 struct winbindd_domain *domain_list(void);
 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain);
+struct winbindd_domain *
+add_trusted_domain(const char *domain_name, const char *alt_name,
+		   const struct dom_sid *sid);
 bool domain_is_forest_root(const struct winbindd_domain *domain);
 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
 			    struct timeval now, void *private_data);
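Review bot: the exported prototype carries no comment, yet the callers added in patch 2 depend on a specific contract of add_trusted_domain() (the existing entry is returned without re-initialisation, per the comment kept in winbindd_util.c, and presumably NULL on failure). Suggest a short comment above the declaration in winbindd_proto.h stating that contract, since readers of the header will not see the one in the .c file.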
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 7b443c79fa5..745b808d728 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -122,7 +122,7 @@ static bool is_in_internal_domain(const struct dom_sid *sid)
    If the domain already exists in the list,
    return it and don't re-initialize.  */
 
-static struct winbindd_domain *
+struct winbindd_domain *
 add_trusted_domain(const char *domain_name, const char *alt_name,
 		   const struct dom_sid *sid)
 {
-- 
2.11.0


From 1040ff73612aeaa32fe2260f98e7809a5318de89 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 28 Nov 2017 10:05:58 +0100
Subject: [PATCH 2/2] winbindd: Add trusted domains after successful samlogon

---
 source3/winbindd/winbindd_pam.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c3e1e94103d..8a67d5a3f66 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1921,6 +1921,7 @@ process_result:
 			}
 		}
 
+		add_trusted_domain(name_domain, NULL, info3->base.domain_sid);
 		wcache_invalidate_samlogon(find_domain_from_name(name_domain),
 					   &user_sid);
 		netsamlogon_cache_store(name_user, info3);
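Review bot: the return value of add_trusted_domain() on the added line is discarded and the same domain is looked up again on the next line via find_domain_from_name(name_domain) for wcache_invalidate_samlogon(). Since add_trusted_domain() returns the struct winbindd_domain (existing or newly added), keep that pointer, check it for NULL, and pass it on instead of doing a second lookup, e.g. `struct winbindd_domain *d = add_trusted_domain(name_domain, NULL, info3->base.domain_sid);`. alt_name is passed as NULL without explanation; the commit message should say whether a DNS name is obtainable at this point or why it is left out.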
@@ -2088,6 +2089,8 @@ process_result:
 			}
 		}
 
+		add_trusted_domain(name_domain, NULL,
+				   (*info3)->base.domain_sid);
 		wcache_invalidate_samlogon(find_domain_from_name(name_domain),
 					   &user_sid);
 		netsamlogon_cache_store(name_user, *info3);
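Review bot: this hunk repeats the add-then-lookup sequence of the first hunk for the `*info3` path, so both call sites now carry identical code; suggest factoring add_trusted_domain(), the NULL check and the following wcache_invalidate_samlogon()/netsamlogon_cache_store() calls into one small helper, which the pac case mentioned in the cover mail could then reuse. Patch 2 also lacks a Signed-off-by line, unlike patch 1.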
-- 
2.11.0
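As an added illustration for this thread (a stand-alone model written for this review, not Samba's code), the list contract the second patch relies on: add_trusted_domain() returns the existing entry without re-initialising it, so calling it after every successful samlogon is idempotent, and a later find_domain_from_name() for a child domain of a trusted forest succeeds even though trust enumeration never put that domain into the list. All names prefixed model_ are invented here; the SIDs other than BUILTIN's S-1-5-32 are constructed placeholders.

```c
/* Stand-alone model of winbindd's trusted-domain list, written for this
 * review. It is NOT Samba's own code; the model_ names are invented and
 * the SIDs are constructed placeholders (except BUILTIN's S-1-5-32). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct model_domain {
	char name[64];               /* NetBIOS name, matched case-insensitively */
	char sid[64];                /* domain SID as text */
	int init_count;              /* how often the entry was initialised; must stay 1 */
	struct model_domain *next;
};

static struct model_domain *model_domains;   /* head of the list */

/* Counterpart of find_domain_from_name(): NULL when the domain is unknown. */
static struct model_domain *model_find_domain_from_name(const char *name)
{
	struct model_domain *d;
	for (d = model_domains; d != NULL; d = d->next) {
		if (strcasecmp(d->name, name) == 0) {
			return d;
		}
	}
	return NULL;
}

/* Counterpart of add_trusted_domain(): an entry already present (by name
 * or by SID) is returned untouched, otherwise a new one is initialised. */
static struct model_domain *model_add_trusted_domain(const char *name,
						     const char *sid)
{
	struct model_domain *d = model_find_domain_from_name(name);

	if (d != NULL) {
		return d;
	}
	for (d = model_domains; d != NULL; d = d->next) {
		if (strcmp(d->sid, sid) == 0) {
			return d;
		}
	}
	d = calloc(1, sizeof(*d));
	if (d == NULL) {
		return NULL;
	}
	snprintf(d->name, sizeof(d->name), "%s", name);
	snprintf(d->sid, sizeof(d->sid), "%s", sid);
	d->init_count = 1;
	d->next = model_domains;
	model_domains = d;
	return d;
}

static size_t model_domain_count(void)
{
	size_t n = 0;
	struct model_domain *d;
	for (d = model_domains; d != NULL; d = d->next) {
		n++;
	}
	return n;
}

static void model_reset(void)
{
	while (model_domains != NULL) {
		struct model_domain *next = model_domains->next;
		free(model_domains);
		model_domains = next;
	}
}

/* The post-samlogon step from patch 2: register the authenticating user's
 * domain, then look it up the way the PAM path does. Returns 1 when the
 * lookup yields the same entry, 0 on failure. */
static int model_process_logon(const char *name_domain, const char *domain_sid)
{
	struct model_domain *d = model_add_trusted_domain(name_domain, domain_sid);
	if (d == NULL) {
		return 0;
	}
	return model_find_domain_from_name(name_domain) == d;
}

int main(void)
{
	model_reset();
	model_add_trusted_domain("BUILTIN", "S-1-5-32");
	model_add_trusted_domain("PRIMARY", "S-1-5-21-1-1-1");   /* constructed */
	printf("before logon: CHILD %s\n",
	       model_find_domain_from_name("CHILD") ? "found" : "missing");
	model_process_logon("CHILD", "S-1-5-21-2-2-2");           /* constructed */
	model_process_logon("child", "S-1-5-21-2-2-2");           /* second logon */
	printf("after logon: CHILD %s, %zu domains, init_count=%d\n",
	       model_find_domain_from_name("CHILD") ? "found" : "missing",
	       model_domain_count(),
	       model_find_domain_from_name("CHILD")->init_count);
	model_reset();
	return 0;
}
```

The second logon from the same domain hits the name match and returns the existing entry, so the list keeps one CHILD entry with init_count 1; that is the property that makes the unconditional call after every samlogon in patch 2 safe.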


