[PATCH] Can't authenticate user from child-domain of trusted forest

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Nov 28 15:05:37 UTC 2017


On Tue, Nov 28, 2017 at 01:10:12PM +0100, Ralph Böhme via samba-technical wrote:
> On Tue, Nov 28, 2017 at 01:02:13PM +0100, Volker Lendecke wrote:
> > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > auth still fails because add_trusted_domain() will only be called in the domain
> > > child, but not in the parent where we call find_domain_from_name_noinit().
> > 
> > Hmm. Ok. Right. We could do either of two things: Always request info3
> > from the child and pull the information in the parent before sending
> > it out, and secondly make it a message. Probably the first way is
> > cleaner, it creates less hidden, secret protocol elements.
> 
> I'm not sure the resulting struct winbind_domain is sufficiently initialized as
> it lacks the DNS name and trust flags. I.e. after an attempt to auth a user from
> previously unseen trusted domains wbinfo -m looks like this:

It's impossible for me to follow all code paths. But -- there is the
"initialized" flag in the domain struct. And whenever we actually want
to use a domain struct and it's not initialized, winbind should go and
try the initialization before it makes any decisions about flags. One
caller that does not do that is winbindd_can_contact_domain(). If that
defaults to "false" because the domain is not correctly initialized, I
am not too worried. The callers of winbindd_can_contact_domain are the
domain-enumerating ones, which are only semi-supportable anyway.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
