[PATCH] Can't authenticate user from child-domain of trusted forest
Ralph Böhme
slow at samba.org
Wed Nov 29 11:28:47 UTC 2017
On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> Hi!
>
> Attached is a fix for a regression introduced by
> d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
>
> This results in the inability of winbind to enumerate trusts of trusted forests,
> so we can't authenticate users from any child-domain (or additional tree-roots)
> of the trusted forest.
>
> I had filed a bug report although the regression is only in master so we won't
> need backports. I'm not sure about having the bug URLs in the commit messages in
> this case.
>
> Please review&push if ok. As usual, the funky stuff doesn't have tests. :)
Slightly modified version attached that keeps the SEC_CHAN_NULL check in
rpccli_connect_netlogon(), triggering direct failure.
Reviewed by metze, will push later on.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
-------------- next part --------------
From 8c3ea92776009d63d820994e530d273e927f356f Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Nov 2017 15:28:38 +0100
Subject: [PATCH 1/2] winbindd: restore SEC_CHAN_NULL fallback in
cm_connect_netlogon_transport
This partially reverts commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20
"winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL.
Without this we fail to enumerate domains in trusted forests so users
from any child-domain (or tree-root) in the trusted forest can't log in
via e.g. SMB.
This is a temporary hack that will go away once we get rid of the trusted domain
list.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/winbindd/winbindd_cm.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index f88c704c014..16836bd05b5 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3214,6 +3214,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
struct messaging_context *msg_ctx = server_messaging_context();
struct winbindd_cm_conn *conn;
NTSTATUS result;
+ enum netr_SchannelType sec_chan_type;
struct cli_credentials *creds = NULL;
*cli = NULL;
@@ -3241,6 +3242,41 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
+ if (cli_credentials_is_anonymous(creds)) {
+ DBG_WARNING("get_trust_credential only gave anonymous for %s, "
+ "unable to make get NETLOGON credentials\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
+ if (transport == NCACN_IP_TCP) {
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
+ "for %s, deny NCACN_IP_TCP and let the "
+ "caller fallback to NCACN_NP.\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+ "fallback to noauth on NCACN_NP.\n",
+ domain->name);
+
+ result = cli_rpc_pipe_open_noauth_transport(
+ conn->cli,
+ transport,
+ &ndr_table_netlogon,
+ &conn->netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ invalidate_cm_connection(domain);
+ return result;
+ }
+
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+
result = rpccli_create_netlogon_creds_ctx(creds,
domain->dcname,
msg_ctx,
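Review bot: the warning text at the top of this hunk reads "unable to make get NETLOGON credentials"; drop "make" so it reads "unable to get NETLOGON credentials". More substantively, the SEC_CHAN_NULL branch hands back a pipe opened with cli_rpc_pipe_open_noauth_transport() and returns before rpccli_create_netlogon_creds_ctx() runs, so the caller receives a netlogon pipe with no schannel credentials behind it. Since the commit message calls this a temporary hack pending removal of the trusted domain list, put a code comment on the branch that names the bug (https://bugzilla.samba.org/show_bug.cgi?id=13167) and states that anything using this pipe must treat it as unauthenticated, so the fallback stays easy to find and remove later.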
--
2.13.6
From b1facdab329d16ab03ec9077f2e1a3bf0e4c7ceb Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 26 Nov 2017 19:04:19 +0100
Subject: [PATCH 2/2] s3/cli_netlogon: remove SEC_CHAN_NULL fallback from
rpccli_connect_netlogon()
The caller should handle secure-channel-type SEC_CHAN_NULL. The previous
commit already added handling of SEC_CHAN_NULL to
cm_connect_netlogon_transport.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/rpc_client/cli_netlogon.c | 38 ++++++++------------------------------
1 file changed, 8 insertions(+), 30 deletions(-)
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a7676efb055..a67b6928ebf 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -285,7 +285,7 @@ NTSTATUS rpccli_connect_netlogon(
struct netlogon_creds_CredentialState *creds = NULL;
enum netlogon_creds_cli_lck_type lck_type;
enum netr_SchannelType sec_chan_type;
- struct netlogon_creds_cli_lck *lck;
+ struct netlogon_creds_cli_lck *lck = NULL;
uint32_t negotiate_flags;
uint8_t found_session_key[16] = {0};
bool found_existing_creds = false;
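Review bot: the `= NULL` initializer on `lck` is load-bearing rather than cosmetic. The SEC_CHAN_NULL check added in the next hunk does `goto fail` before `again:`, i.e. before `lck` has been assigned, so if the `fail:` cleanup releases `lck` (the removed `TALLOC_FREE(lck)` in the last hunk suggests it is talloc-managed) it would otherwise operate on an indeterminate pointer. A one-line comment such as `/* may be released on the early fail path */` would stop a later cleanup from dropping the initializer.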
@@ -294,6 +294,13 @@ NTSTATUS rpccli_connect_netlogon(
NTSTATUS status;
bool retry = false;
+ sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
+ DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n");
+ status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ goto fail;
+ }
+
again:
/*
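Review bot: placing the check before `again:` is right, since it then runs once rather than on every retry, but the new DBG_ERR drops the context the removed DBG_NOTICE messages carried (they printed netlogon_creds_cli_debug_string(creds_ctx, frame)). After patch 1, reaching this path means a caller failed to handle SEC_CHAN_NULL itself, so the log line should say which trust credentials were passed in order to identify the offending caller; if creds_ctx and frame are not usable this early in the function, log the domain the credentials belong to instead.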
@@ -378,35 +385,6 @@ again:
goto fail;
}
- sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
- if (sec_chan_type == SEC_CHAN_NULL) {
- if (transport == NCACN_IP_TCP) {
- DBG_NOTICE("secure_channel_type gave SEC_CHAN_NULL "
- "for %s, deny NCACN_IP_TCP and let the "
- "caller fallback to NCACN_NP.\n",
- netlogon_creds_cli_debug_string(
- creds_ctx, frame));
- status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- goto fail;
- }
-
- DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
- "for %s, fallback to noauth on NCACN_NP.\n",
- netlogon_creds_cli_debug_string(
- creds_ctx, frame));
-
- TALLOC_FREE(lck);
-
- status = cli_rpc_pipe_open_noauth_transport(
- cli, transport, &ndr_table_netlogon, &rpccli);
- if (!NT_STATUS_IS_OK(status)) {
- DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
- "failed: %s\n", nt_errstr(status));
- goto fail;
- }
- goto done;
- }
-
status = rpccli_setup_netlogon_creds_locked(
cli, transport, creds_ctx, true, trust_creds,
&negotiate_flags);
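Review bot: removing the noauth fallback here changes behaviour for every caller of rpccli_connect_netlogon(), but the commit message only states that cm_connect_netlogon_transport() (patch 1) now handles SEC_CHAN_NULL; please confirm in the commit message that no other caller relied on the unauthenticated NCACN_NP fallback, or note that any such caller will now fail with NT_STATUS_CANT_ACCESS_DOMAIN_INFO from the early check. From a hardening standpoint the removal is the right direction: a NETLOGON pipe opened via cli_rpc_pipe_open_noauth_transport() carries no schannel protection, and moving that decision to the single winbindd caller that still needs it narrows where unauthenticated NETLOGON traffic can originate.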
--
2.13.6