[PATCH] Can't authenticate user from child-domain of trusted forest
Volker Lendecke
Volker.Lendecke at SerNet.DE
Tue Nov 28 09:16:01 UTC 2017
On Mon, Nov 27, 2017 at 10:37:28PM +0100, Ralph Böhme via samba-technical wrote:
> On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > > Attached is a fix for a regression introduced by
> > > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > >
> > > This results in the inability of winbind to enumerate trusts of trusted forests,
> > > so we can't authenticate users from any child-domain (or additional tree-roots)
> > > of the trusted forest.
> >
> > Can you explain to me why we need the trusted domain cache filled
> > correctly to just log in? Where in the code path does that fail?
>
> find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
> bunch of other places that depend on the domain list as well, but with the
> attached WIP patch I could get a smbclient login working with a user from a
> trusted domain while trust enumeration in winbindd is completely disabled, so
> the domain list contains only BUILTIN, the local SAM and the primary domain:
Would the attached patch also work? No signed-off yet, because if this
works for you we need to do the same for the pac case too. I just
wanted a quick cross-check if this approach would be fine too.
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 870260cce8f237c5d1e8484dc17d85bc45a5b665 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 28 Nov 2017 09:04:08 +0100
Subject: [PATCH 1/2] winbindd: Make "add_trusted_domain" public
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source3/winbindd/winbindd_proto.h | 3 +++
source3/winbindd/winbindd_util.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 83136996dd2..f16b7647a3e 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -436,6 +436,9 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
struct winbindd_domain *domain_list(void);
struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain);
+struct winbindd_domain *
+add_trusted_domain(const char *domain_name, const char *alt_name,
+ const struct dom_sid *sid);
bool domain_is_forest_root(const struct winbindd_domain *domain);
void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
struct timeval now, void *private_data);
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 7b443c79fa5..745b808d728 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -122,7 +122,7 @@ static bool is_in_internal_domain(const struct dom_sid *sid)
If the domain already exists in the list,
return it and don't re-initialize. */
-static struct winbindd_domain *
+struct winbindd_domain *
add_trusted_domain(const char *domain_name, const char *alt_name,
const struct dom_sid *sid)
{
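Review bot: Dropping `static` turns the idempotence contract in the comment above ("If the domain already exists in the list, return it and don't re-initialize") into a public API guarantee, so the header declaration added in the first hunk should state it explicitly; the new callers in winbindd_pam.c invoke this on every successful logon and depend on repeated calls for the same domain being a no-op.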
--
2.11.0
From 1040ff73612aeaa32fe2260f98e7809a5318de89 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 28 Nov 2017 10:05:58 +0100
Subject: [PATCH 2/2] winbindd: Add trusted domains after successful samlogon
---
source3/winbindd/winbindd_pam.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c3e1e94103d..8a67d5a3f66 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1921,6 +1921,7 @@ process_result:
}
}
+ add_trusted_domain(name_domain, NULL, info3->base.domain_sid);
wcache_invalidate_samlogon(find_domain_from_name(name_domain),
&user_sid);
netsamlogon_cache_store(name_user, info3);
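Review bot: The return value of `add_trusted_domain()` is discarded and the following line immediately calls `find_domain_from_name(name_domain)` to look the same entry up again; the pointer returned by `add_trusted_domain()` could be used directly, and a NULL return (allocation failure) would then be visible rather than silently turning into a failed lookup. Please also confirm that this `process_result` path runs in the same process whose domain list `find_domain_from_name_noinit()` consults in `wb_getpwsid_queryuser_done()` (the failing call named earlier in the thread); otherwise the entry added here never reaches that lookup.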
@@ -2088,6 +2089,8 @@ process_result:
}
}
+ add_trusted_domain(name_domain, NULL,
+ (*info3)->base.domain_sid);
wcache_invalidate_samlogon(find_domain_from_name(name_domain),
&user_sid);
netsamlogon_cache_store(name_user, *info3);
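Review bot: The name registered here is `name_domain`, taken from the request, while the SID comes from the DC's response `(*info3)->base.domain_sid`; if the client supplied an alternate spelling or name for the domain, the cached entry pairs a caller-chosen name with the DC's SID. Consider registering `(*info3)->base.logon_domain.string` instead so both name and SID come from the same authoritative source, and apply the same change to the first `add_trusted_domain()` call above for consistency.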
--
2.11.0