[Samba] _Truly_ disabling trusted domains?
Michael Adam
obnox at samba.org
Mon Dec 22 13:52:39 GMT 2008
Hey Jerry,
I just checked, these changes are in none of the branches
master, v3-3-test, v3-2-test. Do you want to push them or
do you want me to do it? I think this definitely should be in!
Cheers - Michael
Gerald (Jerry) Carter wrote:
> Michael Adam wrote:
> > Hi Nick,
> >
> > Nick wrote:
> >> Is there a way to completely disable trusted domains in samba/winbind? Some
> >> of the trusted domains are inaccessible to the client machines, which causes
> >> winbind not to work due to all the timeouts/errors. I tried setting "allow
> >> trusted domains = no", but when looking at the debug logs it's obvious that
> >> winbind is still trying to look them up. It appears that winbind doesn't
> >> respect the "allow trusted domains" at all.
> >
> > Hmmm, you are right: The manual page seems to promise too much
> > in the description of "allow trusted domain". In fact looking at
> > the code, it is a smbd-only option. It prevents smbd from performing
> > explicit requests (like authentication) for trusted domains, but
> > it does not prevent winbind from walking the list of trusted domains
> > and trying to establish a connection to each of them (for instance
> > when enumerating users).
>
> Thought I had fixed this. Patch against 3.2 that should work is attached.
>
> cheers, jerry
> --
> =====================================================================
> Samba ------- http://www.samba.org
> Likewise Software --------- http://www.likewisesoftware.com
> "What man is a man who does not make the world better?" --Balian
> >From 695addd1eb9324d50ef87bc8c8ed5b8eb351fb19 Mon Sep 17 00:00:00 2001
> From: Gerald (Jerry) Carter <jerry at samba.org>
> Date: Mon, 22 Dec 2008 07:40:04 -0600
> Subject: [PATCH] Winbind: Honor the "allow trusted domains" option when scanning or adding a trusted domain.
>
> ---
> source/winbindd/winbindd_util.c | 12 +++++++++++-
> 1 files changed, 11 insertions(+), 1 deletions(-)
>
> diff --git a/source/winbindd/winbindd_util.c b/source/winbindd/winbindd_util.c
> index a2a248b..34a5188 100644
> --- a/source/winbindd/winbindd_util.c
> +++ b/source/winbindd/winbindd_util.c
> @@ -506,7 +506,12 @@ static void rescan_forest_trusts( void )
> void rescan_trusted_domains( void )
> {
> time_t now = time(NULL);
> -
> +
> + /* Check that we allow trusted domains at all */
> +
> + if (!lp_allow_trusted_domains())
> + return;
> +
> /* see if the time has come... */
>
> if ((now >= last_trustdom_scan) &&
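Review bot: The guard is added only at the top of rescan_trusted_domains(), while the hunk header shows the static rescan_forest_trusts() sitting directly above it; if that helper or any other scanning path can be reached without passing through this function, winbind will still contact trusted domains with "allow trusted domains = no". Please confirm that every caller goes through this check, or repeat the test in the helper. Separately, the `-`/`+` pair on the blank line after `time_t now = time(NULL);` looks like a whitespace-only change and could be dropped from the patch.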
> @@ -763,6 +768,11 @@ void check_domain_trusted( const char *name, const DOM_SID *user_sid )
> DOM_SID dom_sid;
> uint32 rid;
>
> + /* Check if we even care */
> +
> + if (!lp_allow_trusted_domains())
> + return;
> +
> domain = find_domain_from_name_noinit( name );
> if ( domain )
> return;
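Review bot: The comment "Check if we even care" above the new test in check_domain_trusted() does not say what is being checked; wording it like the first hunk ("Check that we allow trusted domains at all") would make the two guards easy to find together. Because the function is void and now returns before find_domain_from_name_noinit(), a skipped check leaves no trace for someone reading the winbind debug logs, so a high-level debug message naming the option at this return would help.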
> --
> 1.5.6.3
--
Michael Adam <ma at sernet.de> <obnox at samba.org>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE