[PATCH] Can't authenticate user from child-domain of trusted forest
Ralph Böhme
slow at samba.org
Mon Nov 27 21:37:28 UTC 2017
On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > Attached is a fix for a regression introduced by
> > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> >
> > This results in the inability of winbind to enumerate trusts of trusted forests,
> > so we can't authenticate users from any child-domain (or additional tree-roots)
> > of the trusted forest.
>
> Can you explain to me why we need the trusted domain cache filled
> correctly to just log in? Where in the code path does that fail?
find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
bunch of other places that depend on the domain list as well, but with the
attached WIP patch I could get a smbclient login working with a user from a
trusted domain while trust enumeration in winbindd is completely disabled, so
the domain list contains only BUILTIN, the local SAM and the primary domain:
$ bin/wbinfo -m --verbose
Domain Name DNS Domain Trust Type Transitive In Out
BUILTIN None Yes Yes Yes
TITAN None Yes Yes Yes
SUBDOM21 SUBDOM21.WDOM2.SITE None Yes Yes Yes
With idmap_autorid basic stuff works nicely:
$ bin/smbclient -U "subdom31\administrator%Passw0rd" //localhost/share -c quit
$ bin/wbinfo -i "SUBDOM31\administrator"
SUBDOM31\administrator:*:2060500:2060513::/home/SUBDOM31/administrator:/bin/false
$ bin/smbclient -U "wdom3\administrator%Passw1rd" //localhost/share -c quit
$ bin/wbinfo -i "wdom3\administrator"
WDOM3\administrator:*:2080500:2080513::/home/WDOM3/administrator:/bin/false
Now there are a bunch of places where we rely on the domain list, but we're not
that far away from being able to disable trust enumeration for certain
setups.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
-------------- next part --------------
From 09804c745e03001f9f26773353048602dbfc8772 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Nov 2017 12:42:44 +0100
Subject: [PATCH 1/2] WIP: normalize_name_map...
---
source3/winbindd/wb_getpwsid.c | 8 +-------
source3/winbindd/winbindd_group.c | 11 +----------
source3/winbindd/winbindd_msrpc.c | 4 ++--
source3/winbindd/winbindd_proto.h | 2 +-
source3/winbindd/winbindd_rpc.c | 4 ++--
source3/winbindd/winbindd_util.c | 9 ++++++++-
6 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
index dcb249287d9..01c2f9cebfb 100644
--- a/source3/winbindd/wb_getpwsid.c
+++ b/source3/winbindd/wb_getpwsid.c
@@ -69,7 +69,6 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
req, struct wb_getpwsid_state);
struct winbindd_pw *pw = state->pw;
struct wbint_userinfo *info;
- struct winbindd_domain *domain = NULL;
fstring acct_name, output_username;
char *mapped_name = NULL;
char *tmp;
@@ -91,11 +90,6 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
return;
}
- domain = find_domain_from_name_noinit(info->domain_name);
- if (tevent_req_nomem(domain, req)) {
- return;
- }
-
/*
* TODO:
* This function should be called in 'idmap winbind child'. It shouldn't
@@ -103,7 +97,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
* winbind.idl. This is a fix which can be backported for now.
*/
status = normalize_name_map(state,
- domain,
+ info->domain_name,
acct_name,
&mapped_name);
if (NT_STATUS_IS_OK(status)) {
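Review bot: An unknown domain no longer fails this request: the removed `tevent_req_nomem(domain, req)` turned a NULL lookup into NT_STATUS_NO_MEMORY and returned, whereas after this change normalize_name_map() reports the failed lookup as NT_STATUS_INVALID_PARAMETER and the `if (NT_STATUS_IS_OK(status))` check presumably falls through to the unmapped name. That is the intended effect of the series, but it is a behavioural change for callers and the commit message (currently a truncated WIP subject) should state it; fill_grent() in winbindd_group.c has the same change, where the `return false` on a missing domain was dropped. wb_getpwsid_queryuser_done() continues outside the hunk, so I cannot see whether anything later still relied on `domain`.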
diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c
index b5c9d3cf94e..417565ecbf0 100644
--- a/source3/winbindd/winbindd_group.c
+++ b/source3/winbindd/winbindd_group.c
@@ -36,18 +36,9 @@ bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr,
{
fstring full_group_name;
char *mapped_name = NULL;
- struct winbindd_domain *domain;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- domain = find_domain_from_name_noinit(dom_name);
- if (domain == NULL) {
- DEBUG(0, ("Failed to find domain '%s'. "
- "Check connection to trusted domains!\n",
- dom_name));
- return false;
- }
-
- nt_status = normalize_name_map(mem_ctx, domain, gr_name,
+ nt_status = normalize_name_map(mem_ctx, dom_name, gr_name,
&mapped_name);
/* Basic whitespace replacement */
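Review bot: The `NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;` initializer is now dead, because the next statement in the hunk assigns nt_status from normalize_name_map(); fold it into `NTSTATUS nt_status = normalize_name_map(mem_ctx, dom_name, gr_name, &mapped_name);` or drop the initial value. The removed DEBUG(0) message also carried the operator hint "Check connection to trusted domains!", which the DBG_ERR that normalize_name_map() now emits does not; if that hint helped in support cases it could be kept in the new message. fill_grent() continues outside the hunk.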
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index c56537662ba..9bf4354f4e3 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -313,7 +313,7 @@ static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
DEBUG(5,("Mapped sid to [%s]\\[%s]\n", domains[0], *name));
- name_map_status = normalize_name_map(mem_ctx, domain, *name,
+ name_map_status = normalize_name_map(mem_ctx, domain->name, *name,
&mapped_name);
if (NT_STATUS_IS_OK(name_map_status) ||
NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
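Review bot: msrpc_sid_to_name() already holds `domain` and now passes only `domain->name`, so normalize_name_map() has to look the same object up again by name through find_domain_from_name_noinit(); I cannot see that helper here, but if the lookup fails (or matches a different list entry than the one the caller holds) the alias mapping is silently skipped with NT_STATUS_INVALID_PARAMETER, which the `NT_STATUS_IS_OK(name_map_status) || NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)` check treats as "no mapping". If the name-based interface is kept, consider a second entry point that accepts the struct directly for callers that already have it, or at least a short comment at the call site noting the round trip. The same applies to the msrpc_rids_to_names hunk below and to both hunks in winbindd_rpc.c.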
@@ -377,7 +377,7 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
if ((*types)[i] != SID_NAME_UNKNOWN) {
name_map_status = normalize_name_map(mem_ctx,
- domain,
+ domain->name,
ret_names[i],
&mapped_name);
if (NT_STATUS_IS_OK(name_map_status) ||
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 83136996dd2..cf01337aaad 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -471,7 +471,7 @@ NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
uint32_t *p_num_groups, struct dom_sid **user_sids);
NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
- struct winbindd_domain *domain,
+ const char *domain_name,
const char *name,
char **normalized);
NTSTATUS normalize_name_unmap(TALLOC_CTX *mem_ctx,
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 2c76e1abd6c..f50fb8fa5db 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -332,7 +332,7 @@ NTSTATUS rpc_sid_to_name(TALLOC_CTX *mem_ctx,
*ptype = (enum lsa_SidType) types[0];
map_status = normalize_name_map(mem_ctx,
- domain,
+ domain->name,
names[0],
&mapped_name);
if (NT_STATUS_IS_OK(map_status) ||
@@ -410,7 +410,7 @@ NTSTATUS rpc_rids_to_names(TALLOC_CTX *mem_ctx,
if (types[i] != SID_NAME_UNKNOWN) {
map_status = normalize_name_map(mem_ctx,
- domain,
+ domain->name,
names[i],
&mapped_name);
if (NT_STATUS_IS_OK(map_status) ||
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 7b443c79fa5..7d6496332ff 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1339,10 +1339,11 @@ NTSTATUS lookup_usergroups_cached(TALLOC_CTX *mem_ctx,
********************************************************************/
NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
- struct winbindd_domain *domain,
+ const char *domain_name,
const char *name,
char **normalized)
{
+ struct winbindd_domain *domain = NULL;
NTSTATUS nt_status;
if (!name || !normalized) {
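Review bot: The parameter change is not reflected in the function's header comment, whose closing line is visible at the top of the hunk; with the domain lookup moved inside, the comment should say that `domain_name` is resolved with find_domain_from_name_noinit() and that an unknown name is reported as NT_STATUS_INVALID_PARAMETER (as the second hunk of this file does), so callers can tell that case apart from "normalization disabled". Something like `@param domain_name  name of the domain to map in; an unknown name yields NT_STATUS_INVALID_PARAMETER` would do. The body of normalize_name_map() runs past the end of the hunk.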
@@ -1353,6 +1354,12 @@ NTSTATUS normalize_name_map(TALLOC_CTX *mem_ctx,
return NT_STATUS_PROCEDURE_NOT_FOUND;
}
+ domain = find_domain_from_name_noinit(domain_name);
+ if (domain == NULL) {
+ DBG_ERR("Failed to find domain '%s'\n", domain_name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* Alias support and whitespace replacement are mutually
exclusive */
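Review bot: `domain_name` is passed straight to find_domain_from_name_noinit() and then to the `%s` in DBG_ERR without a NULL check, while `name` and `normalized` are validated at the top of the function; a NULL `domain_name` (for instance an unset `info->domain_name` from the wb_getpwsid caller, if that can occur) would at best log "(null)" and at worst crash inside the lookup. Add `if (domain_name == NULL) { return NT_STATUS_INVALID_PARAMETER; }` next to the existing argument check, or extend that check. Note also that the lookup and its ERR-level log now run before the alias/whitespace branches, so every name from an unknown domain on the getpwsid path produces an error line where previously nothing was logged; since the callers in this series continue on a non-OK status, DBG_WARNING or DBG_INFO may be the more appropriate level. normalize_name_map() continues outside the hunk.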
--
2.13.6
From 59d4aadeacc9ad4bc7ba571745985b8b804e8833 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Nov 2017 13:14:28 +0100
Subject: [PATCH 2/2] HACK: winbindd: disable lp_allow_trusted_domains ...
---
source3/winbindd/winbindd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index ceb131e9b32..d189793b535 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1373,7 +1373,7 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx,
smb_nscd_flush_user_cache();
smb_nscd_flush_group_cache();
- if (lp_allow_trusted_domains()) {
+ if (0) {
if (tevent_add_timer(server_event_context(), NULL, timeval_zero(),
rescan_trusted_domains, NULL) == NULL) {
DEBUG(0, ("Could not trigger rescan_trusted_domains()\n"));
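Review bot: `if (0)` leaves the `tevent_add_timer(..., rescan_trusted_domains, NULL)` registration permanently dead, so trusted-domain rescans never run regardless of `allow trusted domains`; the HACK subject says this is not meant to be merged, but if the experiment is to become supportable the gate should be a real smb.conf parameter consulted here, e.g. `if (lp_allow_trusted_domains() && lp_<new_option>()) {` with `<new_option>` being whatever the loadparm addition is named, and `lp_allow_trusted_domains()` should stay in the condition so the existing setting keeps its meaning. winbindd_register_handlers() continues outside the hunk.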
--
2.13.6