[PATCH] Can't authenticate user from child-domain of trusted forest
slow at samba.org
Tue Nov 28 09:30:24 UTC 2017
On Tue, Nov 28, 2017 at 10:16:01AM +0100, Volker Lendecke wrote:
> On Mon, Nov 27, 2017 at 10:37:28PM +0100, Ralph Böhme via samba-technical wrote:
> > On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> > > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > > > Attached is a fix for a regression introduced by
> > > > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > > >
> > > > This results in the inability of winbind to enumerate trusts of trusted forests,
> > > > so we can't authenticate users from any child-domain (or additional tree-roots)
> > > > of the trusted forest.
> > >
> > > Can you explain to me why we need the trusted domain cache filled
> > > correctly to just log in? Where in the code path does that fail?
> > find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
> > bunch of other places that depend on the domain list as well, but with the
> > attached WIP patch I could get a smbclient login working with a user from a
> > trusted domain while trust enumeration in winbindd is completely disabled, so
> > the domain list contains only BUILTIN, the local SAM and the primary domain:
> Would the attached patch also work? No signed-off yet, because if this
> works for you we need to do the same for the pac case too. I just
> wanted a quick cross-check if this approach would be fine too.
at first glance this looks like a brilliant idea. I'll give it a whirl...
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/