[PATCH] Can't authenticate user from child-domain of trusted forest
Ralph Böhme
slow at samba.org
Wed Nov 29 14:45:16 UTC 2017
On Wed, Nov 29, 2017 at 01:16:04PM +0100, Stefan Metzmacher wrote:
> Am 29.11.2017 um 12:28 schrieb Ralph Böhme:
> > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> >> Hi!
> >>
> >> Attached is a fix for a regression introduced by
> >> d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> >>
> >> This results in the inability of winbind to enumerate trusts of trusted forests,
> >> so we can't authenticate users from any child-domain (or additional tree-roots)
> >> of the trusted forest.
> >>
> >> I had filed a bugreport although the regression in only in master so we won't
> >> need backports. I'm not sure about having the bug URLs in the commit messages in
> >> this case.
> >>
> >> Please review&push if ok. As usual, the funky stuff doesn't have tests. :)
> >
> > slightly modified version attached that keeps the SEC_CHAN_NULL check in
> > rpccli_connect_netlogon(), triggering direct failure.
> >
> > Reviewed by metze, will push later on.
>
> Thanks! I think that's good to fix the regression.
thanks! Pushed.
> But the real bug is that we trigger the code path at all
> and we need to continue improving things.
>
> And adding winbind_domain structs on demand might be step on a long road
> to get rid of the list in the end.
yup! I will pursue this.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
More information about the samba-technical
mailing list