[PATCH] Can't authenticate user from child-domain of trusted forest

Ralph Böhme slow at samba.org
Tue Nov 28 11:58:22 UTC 2017


On Tue, Nov 28, 2017 at 10:30:24AM +0100, Ralph Böhme wrote:
> On Tue, Nov 28, 2017 at 10:16:01AM +0100, Volker Lendecke wrote:
> > On Mon, Nov 27, 2017 at 10:37:28PM +0100, Ralph Böhme via samba-technical wrote:
> > > On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> > > > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > > > > Attached is a fix for a regression introduced by
> > > > > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > > > > 
> > > > > This results in the inability of winbind to enumerate trusts of trusted forests,
> > > > > so we can't authenticate users from any child-domain (or additional tree-roots)
> > > > > of the trusted forest.
> > > > 
> > > > Can you explain to me why we need the trusted domain cache filled
> > > > correctly to just log in? Where in the code path does that fail?
> > > 
> > > find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
> > > bunch of other places that depend on the domain list as well, but with the
> > > attached WIP patch I could get a smbclient login working with a user from a
> > > trusted domain while trust enumeration in winbindd is completely disabled, so
> > > the domain list contains only BUILTIN, the local SAM and the primary domain:
> > 
> > Would the attached patch also work? No signed-off yet, because if this
> > works for you we need to do the same for the pac case too. I just
> > wanted a quick cross-check if this approach would be fine too.
> 
> At first glance this looks like a brilliant idea. I'll give it a whirl...

auth still fails because add_trusted_domain() will only be called in the domain
child, but not in the parent where we call find_domain_from_name_noinit().

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/