[PATCH] Can't authenticate user from child-domain of trusted forest

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Nov 28 13:29:30 UTC 2017


On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> auth still fails because add_trusted_domain() will only be called in the domain
> child, but not in the parent where we call find_domain_from_name_noinit().

What about that one?

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From cd87d200fd6d0f3262bbda7397dccaf3d1e4d059 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 28 Nov 2017 14:28:35 +0100
Subject: [PATCH] next try

---
 source3/winbindd/winbindd_pam_auth.c      | 14 ++++++++++++++
 source3/winbindd/winbindd_pam_auth_crap.c | 19 +++++++++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index 7ff44888975..0f6b8fe62dd 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "winbindd.h"
+#include "libcli/security/dom_sid.h"
 
 struct winbindd_pam_auth_state {
 	struct winbindd_request *request;
@@ -127,6 +128,19 @@ NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
 		return status;
 	}
 
+	if (state->request->flags & WBFLAG_PAM_INFO3_TEXT) {
+		struct dom_sid domain_sid;
+		bool ok;
+
+		ok = dom_sid_parse(state->response->data.auth.info3.dom_sid,
+				   &domain_sid);
+		if (ok) {
+			add_trusted_domain(
+				state->response->data.auth.info3.logon_dom,
+				NULL, &domain_sid);
+		}
+	}
+
 	if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
 
 		/* Store in-memory creds for single-signon using ntlm_auth. */
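Review bot: The new block in winbindd_pam_auth_recv drops a dom_sid_parse() failure silently and discards whatever add_trusted_domain() returns, so a domain that could not be registered leaves no trace in the logs while the caller still gets the successful status. An `else` branch with `DBG_DEBUG("dom_sid_parse(%s) failed\n", state->response->data.auth.info3.dom_sid);` would at least make the failure visible. Gating the registration on WBFLAG_PAM_INFO3_TEXT also means the trusted-domain entry is only created for clients that asked for the textual info3; if the binary info3 is reachable from state, taking the domain SID from there would avoid both the round-trip through the text form winbindd itself produced and the dependency on a client-chosen flag — worth confirming against the state struct. The same twelve lines are repeated in the second hunk of winbindd_pam_auth_crap.c (winbindd_pam_auth_crap_recv), so a small shared helper taking the logon_dom and dom_sid strings would keep the two copies in step. winbindd_pam_auth_recv continues outside the hunk.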
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
index cfeafbcfda8..8aae8f9bf45 100644
--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "winbindd.h"
+#include "libcli/security/dom_sid.h"
 
 struct winbindd_pam_auth_crap_state {
 	struct winbindd_response *response;
@@ -45,10 +46,11 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 		return NULL;
 	}
 
-	if (request->flags & WBFLAG_PAM_AUTH_PAC) {
+	state->flags = request->flags;
+
+	if (state->flags & WBFLAG_PAM_AUTH_PAC) {
 		NTSTATUS status;
 
-		state->flags = request->flags;
 		status = winbindd_pam_auth_pac_send(cli, &state->info3);
 		if (NT_STATUS_IS_OK(status)) {
 			/* Defer filling out response to recv */
@@ -131,6 +133,19 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
 		return status;
 	}
 
+	if (state->flags & WBFLAG_PAM_INFO3_TEXT) {
+		struct dom_sid domain_sid;
+		bool ok;
+
+		ok = dom_sid_parse(state->response->data.auth.info3.dom_sid,
+				   &domain_sid);
+		if (ok) {
+			add_trusted_domain(
+				state->response->data.auth.info3.logon_dom,
+				NULL, &domain_sid);
+		}
+	}
+
 	if (state->flags & WBFLAG_PAM_AUTH_PAC) {
 		return append_auth_data(response, response, state->flags,
 					state->info3, NULL, NULL);
-- 
2.11.0


