The Samba-Bugzilla – Attachment 12178 Details for
Bug 11830
Domain member cannot resolve trusted domains' users
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.4
4-4.patch (text/plain), 2.41 KB, created by
Andreas Schneider
on 2016-06-13 13:47:57 UTC
(
hide
)
Description:
patch for 4.4
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2016-06-13 13:47:57 UTC
Size:
2.41 KB
patch
obsolete
>From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 10 Jun 2016 16:51:18 +0200 >Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain > DCs > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 > >Pair-Programmed-With: Andreas Schneider <asn@samba.org> >Signed-off-by: Guenther Deschner <gd@samba.org> >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee) >--- > source3/winbindd/winbindd_cm.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index 45e3fad..f1f98db 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, > struct cli_credentials *creds; > NTSTATUS status; > bool force_machine_account = false; >+ bool ok; > > /* If we are a DC and this is not our own domain */ > >@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, > CRED_DONT_USE_KERBEROS); > } > >- if (creds_domain != domain) { >+ /* >+ * When we contact our own domain and get a list of the trusted domain >+ * we have the information if we are able to contact the DC with >+ * with our machine account password. >+ */ >+ ok = winbindd_can_contact_domain(domain); >+ if (!ok) { > /* > * We can only use schannel against a direct trust > */ >@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > > sec_chan_type = cli_credentials_get_secure_channel_type(creds); > if (sec_chan_type == SEC_CHAN_NULL) { >+ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n", >+ domain->name); > return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; > } > >@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > conn->netlogon_flags = netlogon_creds->negotiate_flags; > TALLOC_FREE(netlogon_creds); > >+ /* >+ * FIXME: Document in which case we are not able to contact >+ * a DC without schannel. Which information do we try to get >+ * from this DC? >+ */ > if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { > if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { > result = NT_STATUS_DOWNGRADE_DETECTED; >-- >2.8.4 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=12178">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 11830
:
11980
|
11981
|
11982
|
11983
|
12166
|
12174
|
12177
|
12178
|
12978
|
12979
|
12980