[PATCH] New option to disable scanning of trusted domains in winbindd

Ralph Böhme slow at samba.org
Thu Jan 11 13:07:49 UTC 2018


Hi!

Attached is a patch from metze that adds a new option to winbindd "winbind scan
trusted domains" that specifies whether winbindd enumerates trusts.

With the recent changes to winbindd to learn about trusted domains when a user
of that domain authenticates plus mucho preparational stuff (the large patchsets
from yesterday), it is not necessary anymore to enumerate trusts in most
scenarios, so this option could be set to "no" in many setups. It remains
enabled for the upcoming release however as some stuff needs more work in
winbindd like pam_winbindd or idmap_rfc2307.

metze and I would like to get this into 4.8, so this is going to be included in
the final autobuild.

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
-------------- next part --------------
From 332bdb4cb6923545e2943d98805cf318e3ed141a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 29 Nov 2017 16:02:28 +0100
Subject: [PATCH 1/2] winbindd: avoid automatic enumerating trusts on DCs

We have a static list of trusts based on our configuration.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/winbindd/winbindd.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 82673779918..7e7a0c28467 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1280,6 +1280,7 @@ bool winbindd_use_cache(void)
 static void winbindd_register_handlers(struct messaging_context *msg_ctx,
 				       bool foreground)
 {
+	bool scan_trusts = true;
 	NTSTATUS status;
 	/* Setup signal handlers */
 
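Review bot: `scan_trusts` is declared with no comment explaining what it gates, while the decision that clears it is spread over the separate `if` blocks in the next hunk; a one-line comment at the declaration such as `/* whether to start the periodic rescan_trusted_domains timer */` would let a reader of `winbindd_register_handlers()` understand the flag without scanning ahead.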
@@ -1362,7 +1363,15 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx,
 	smb_nscd_flush_user_cache();
 	smb_nscd_flush_group_cache();
 
-	if (lp_allow_trusted_domains()) {
+	if (!lp_allow_trusted_domains()) {
+		scan_trusts = false;
+	}
+
+	if (IS_DC) {
+		scan_trusts = false;
+	}
+
+	if (scan_trusts) {
 		if (tevent_add_timer(server_event_context(), NULL, timeval_zero(),
 			      rescan_trusted_domains, NULL) == NULL) {
 			DEBUG(0, ("Could not trigger rescan_trusted_domains()\n"));
-- 
2.13.6


From 47c583836db657f1627972a997f49eb0f0083252 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 29 Nov 2017 16:02:28 +0100
Subject: [PATCH 2/2] winbindd: add "winbind scan trusted domains = no" to
 avoid trust enumeration

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 .../winbind/winbindscantrusteddomains.xml          | 29 ++++++++++++++++++++++
 lib/param/loadparm.c                               |  1 +
 source3/param/loadparm.c                           |  1 +
 source3/winbindd/winbindd.c                        |  4 +++
 4 files changed, 35 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml

diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 00000000000..31afdc92b53
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This option only takes effect when the <smbconfoption name="security"/> option is set to
+    <constant>domain</constant> or <constant>ads</constant>.
+    If it is set to yes (the default), winbindd periodically tries to scan for new
+    trusted domains and adds them to a global list inside of winbindd.
+    The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+    This matches the behaviour of Samba 4.7 and older.</para>
+
+    <para>The construction of that global list is not reliable and often
+    incomplete in complex trust setups. In most situations the list is
+    not needed any more for winbindd to operate correctly.
+    E.g. for plain file serving via SMB using a simple idmap setup
+    with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+    However some more complex setups require the list, e.g.
+    if you specify idmap backends for specific domains.
+    Some pam_winbind setups may also require the global list.</para>
+
+    <para>If you have a setup that doesn't require the global list, you should set
+    <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+    </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
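Review bot: the description does not mention the two other conditions that already suppress the scan in `winbindd_register_handlers()`: on a DC (`IS_DC`) the rescan is never started regardless of this setting, and `allow trusted domains = no` also disables it. Stating both here, with an `<smbconfoption name="allow trusted domains"/>` cross-reference, would stop administrators from wondering why `wbinfo --trusted-domains` stays short on a DC with the default `yes`. Minor wording: "E.g. for plain file serving via SMB ..." is a sentence fragment; attach it to the preceding sentence ("... to operate correctly, e.g. for plain file serving ...").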
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 45c89b9c9e5..7854f57a158 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
 	lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+	lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
 	lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
 	lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
 	lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 06d1c49060a..096c23f4fb3 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -822,6 +822,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
 	Globals.winbind_refresh_tickets = false;
 	Globals.winbind_offline_logon = false;
+	Globals.winbind_scan_trusted_domains = true;
 
 	Globals.idmap_cache_time = 86400 * 7; /* a week by default */
 	Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 7e7a0c28467..0a8d146dfdc 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1363,6 +1363,10 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx,
 	smb_nscd_flush_user_cache();
 	smb_nscd_flush_group_cache();
 
+	if (!lp_winbind_scan_trusted_domains()) {
+		scan_trusts = false;
+	}
+
 	if (!lp_allow_trusted_domains()) {
 		scan_trusts = false;
 	}
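Review bot: when `scan_trusts` ends up false nothing is logged, so an administrator cannot tell from the winbindd log whether `winbind scan trusted domains = no`, `allow trusted domains = no` or `IS_DC` switched the periodic rescan off, or whether trust discovery was silently lost for some other reason; a `DEBUG()` line next to each `scan_trusts = false;` naming the setting that triggered it (the function already uses `DEBUG(0, ...)` for the timer failure) would make the effect of the new option verifiable in logs.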
-- 
2.13.6
