[PATCH] Can't authenticate user from child-domain of trusted forest
Volker Lendecke
Volker.Lendecke at SerNet.DE
Tue Nov 28 13:29:30 UTC 2017
On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> auth still fails because add_trusted_domain() will only be called in the domain
> child, but not in the parent where we call find_domain_from_name_noinit().
What about that one?
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From cd87d200fd6d0f3262bbda7397dccaf3d1e4d059 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 28 Nov 2017 14:28:35 +0100
Subject: [PATCH] next try
---
source3/winbindd/winbindd_pam_auth.c | 14 ++++++++++++++
source3/winbindd/winbindd_pam_auth_crap.c | 19 +++++++++++++++++--
2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index 7ff44888975..0f6b8fe62dd 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -19,6 +19,7 @@
#include "includes.h"
#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
struct winbindd_pam_auth_state {
struct winbindd_request *request;
@@ -127,6 +128,19 @@ NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
return status;
}
+ if (state->request->flags & WBFLAG_PAM_INFO3_TEXT) {
+ struct dom_sid domain_sid;
+ bool ok;
+
+ ok = dom_sid_parse(state->response->data.auth.info3.dom_sid,
+ &domain_sid);
+ if (ok) {
+ add_trusted_domain(
+ state->response->data.auth.info3.logon_dom,
+ NULL, &domain_sid);
+ }
+ }
+
if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
/* Store in-memory creds for single-signon using ntlm_auth. */
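Review bot: The new block in winbindd_pam_auth_recv registers the domain only when the client itself set WBFLAG_PAM_INFO3_TEXT, so a caller that does not request the textual info3 leaves the parent's domain list unchanged and would presumably still hit the lookup failure described in the thread. Both failure paths are also silent: a dom_sid_parse() failure is skipped without a message, and any result of add_trusted_domain() is discarded. An else branch with a line such as `DBG_WARNING("could not parse domain SID from info3\n");` would make this diagnosable. The identical block is added to winbindd_pam_auth_crap_recv in the second file, and a small shared helper taking the response would keep the two copies from drifting. The enclosing function starts and ends outside the hunk.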
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
index cfeafbcfda8..8aae8f9bf45 100644
--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -19,6 +19,7 @@
#include "includes.h"
#include "winbindd.h"
+#include "libcli/security/dom_sid.h"
struct winbindd_pam_auth_crap_state {
struct winbindd_response *response;
@@ -45,10 +46,11 @@ struct tevent_req *winbindd_pam_auth_crap_send(
return NULL;
}
- if (request->flags & WBFLAG_PAM_AUTH_PAC) {
+ state->flags = request->flags;
+
+ if (state->flags & WBFLAG_PAM_AUTH_PAC) {
NTSTATUS status;
- state->flags = request->flags;
status = winbindd_pam_auth_pac_send(cli, &state->info3);
if (NT_STATUS_IS_OK(status)) {
/* Defer filling out response to recv */
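Review bot: The now-unconditional `state->flags = request->flags;` deserves a short comment, since nothing in this hunk says why it moved out of the PAC branch. The recv side of this patch tests `state->flags & WBFLAG_PAM_INFO3_TEXT` on the non-PAC path, so a comment such as `/* recv needs the request flags on the non-PAC path too */` above the assignment would keep a later cleanup from moving it back. The body of winbindd_pam_auth_crap_send continues outside the hunk.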
@@ -131,6 +133,19 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
return status;
}
+ if (state->flags & WBFLAG_PAM_INFO3_TEXT) {
+ struct dom_sid domain_sid;
+ bool ok;
+
+ ok = dom_sid_parse(state->response->data.auth.info3.dom_sid,
+ &domain_sid);
+ if (ok) {
+ add_trusted_domain(
+ state->response->data.auth.info3.logon_dom,
+ NULL, &domain_sid);
+ }
+ }
+
if (state->flags & WBFLAG_PAM_AUTH_PAC) {
return append_auth_data(response, response, state->flags,
state->info3, NULL, NULL);
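Review bot: In winbindd_pam_auth_crap_recv the added block dereferences `state->response` before the WBFLAG_PAM_AUTH_PAC branch, yet `state->response` looks unset on the PAC path. The send function's PAC path defers filling the response to recv, and the PAC branch below reads only `response` and `state->info3`. Because the flags are copied from the client request, a request carrying both WBFLAG_PAM_AUTH_PAC and WBFLAG_PAM_INFO3_TEXT would appear to reach a NULL dereference in the winbindd parent. Narrowing the condition to `if (!(state->flags & WBFLAG_PAM_AUTH_PAC) && (state->flags & WBFLAG_PAM_INFO3_TEXT)) {`, or moving the block below the PAC return, avoids that. This should be confirmed against the part of the function outside the hunk.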
--
2.11.0