[PATCH] Can't authenticate user from child-domain of trusted forest

Stefan Metzmacher metze at samba.org
Wed Nov 29 12:16:04 UTC 2017


On 29.11.2017 at 12:28, Ralph Böhme wrote:
> On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
>> Hi!
>>
>> Attached is a fix for a regression introduced by
>> d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
>>
>> This results in the inability of winbind to enumerate trusts of trusted forests,
>> so we can't authenticate users from any child-domain (or additional tree-roots)
>> of the trusted forest.
>>
>> I had filed a bug report although the regression is only in master so we won't
>> need backports. I'm not sure about having the bug URLs in the commit messages in
>> this case.
>>
>> Please review&push if ok. As usual, the funky stuff doesn't have tests. :)
> 
> slightly modified version attached that keeps the SEC_CHAN_NULL check in
> rpccli_connect_netlogon(), triggering direct failure.
> 
> Reviewed by metze, will push later on.

Thanks! I think that's good to fix the regression.
But the real bug is that we trigger the code path at all
and we need to continue improving things.

And adding winbind_domain structs on demand might be a step on a long road
to get rid of the list in the end.

metze
