The Samba-Bugzilla – Attachment 12978 Details for Bug 11830: Domain member cannot resolve trusted domains' users
Description: Patches for v4-6-test
Filename: tmp46.diff.txt
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2017-02-27 19:04:44 UTC
Size: 6.03 KB
Attachment flags: patch, obsolete
>From 0edd44e011a848e51e5bf2e175365116172406c7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 24 Feb 2017 13:19:59 +0100 >Subject: [PATCH 1/2] Revert "s3-winbind: Fix schannel connections against > trusted domain DCs" >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This reverts commit d2379caa77fe02264323d69fee1bcad33f1bfeee. > >This change doesn't solve the real problem, it just >causes useless network traffic and the following error: > >rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON >credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT > >While the old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without >network traffic) instead of the NT_STATUS_NO_TRUST_SAM_ACCOUNT. > >A better fix will follow. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Günther Deschner <gd@samba.org> >(cherry picked from commit 0bf1a7492bee2f7678cb37ef9515b8aefd26233b) >--- > source3/winbindd/winbindd_cm.c | 16 +--------------- > 1 file changed, 1 insertion(+), 15 deletions(-) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index e4dfc38..ff8f6fd 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -903,7 +903,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, > struct cli_credentials *creds; > NTSTATUS status; > bool force_machine_account = false; >- bool ok; > > /* If we are a DC and this is not our own domain */ 
> >@@ -948,13 +947,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, > CRED_DONT_USE_KERBEROS); > } > >- /* >- * When we contact our own domain and get a list of the trusted domain >- * we have the information if we are able to contact the DC with >- * with our machine account password. >- */ >- ok = winbindd_can_contact_domain(domain); >- if (!ok) { >+ if (creds_domain != domain) { > /* > * We can only use schannel against a direct trust > */ >@@ -3246,8 +3239,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > > sec_chan_type = cli_credentials_get_secure_channel_type(creds); > if (sec_chan_type == SEC_CHAN_NULL) { >- DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n", >- domain->name); > return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; > } > >@@ -3287,11 +3278,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > conn->netlogon_flags = netlogon_creds->negotiate_flags; > TALLOC_FREE(netlogon_creds); > >- /* >- * FIXME: Document in which case we are not able to contact >- * a DC without schannel. Which information do we try to get >- * from this DC? >- */ > if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { > if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { > result = NT_STATUS_DOWNGRADE_DETECTED; >-- >1.9.1 > > >From 85994ed391b7fdd56bafcc83667d84e46fbda674 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 24 Feb 2017 10:37:32 +0000 >Subject: [PATCH 2/2] s3:winbindd: try a NETLOGON connection with noauth over > NCACN_NP against trusted domains. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >We're using only NCACN_NP here as we rely on the smb signing restrictions >of cm_prepare_connection(). > >This should fix SMB authentication with a user of a domain >behind a transitive trust. > >With this change winbindd is able to call >dcerpc_netr_DsrEnumerateDomainTrusts against the >dc of a trusted domain again. This only works >for two-way trusts. > >The main problem is the usage of is_trusted_domain() >which doesn't know about the domain, if winbindd can't >enumerate the domains in the other forest. > >is_trusted_domain() is used in make_user_info_map(), >which is called in auth3_check_password() before >auth_check_ntlm_password(). > >That means we're mapping the user of such a domain >to our own local sam, before calling our auth modules. > >A much better fix, which removes the usage of is_trusted_domain() >in planed for master, but this should do the job for current releases. > >We should avoid talking to DCs of other domains and always >go via our primary domain. As we should code with one-way trusts >also, we need to avoid relying on a complete list of >domains in future. > >For now "wbinfo -m" lists domains behind a two-way transitive >trust again, but that is likely to change in future again! > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Günther Deschner <gd@samba.org> >(cherry picked from commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6) >--- > source3/winbindd/winbindd_cm.c | 23 ++++++++++++++++++++++- > 1 file changed, 22 insertions(+), 1 deletion(-) 
> >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index ff8f6fd..24e0d46 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -3239,7 +3239,28 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > > sec_chan_type = cli_credentials_get_secure_channel_type(creds); > if (sec_chan_type == SEC_CHAN_NULL) { >- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >+ if (transport == NCACN_IP_TCP) { >+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, " >+ " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n", >+ domain->name); >+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >+ } >+ >+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, " >+ "fallback to noauth on NCACN_NP.\n", >+ domain->name); >+ >+ result = cli_rpc_pipe_open_noauth_transport(conn->cli, >+ transport, >+ &ndr_table_netlogon, >+ &conn->netlogon_pipe); >+ if (!NT_STATUS_IS_OK(result)) { >+ invalidate_cm_connection(domain); >+ return result; >+ } >+ >+ *cli = conn->netlogon_pipe; >+ return NT_STATUS_OK; > } > > result = rpccli_create_netlogon_creds_with_creds(creds, >-- >1.9.1 >
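Review bot: in the get_trust_credentials hunk of the revert, the restored condition `if (creds_domain != domain) {` decides schannel eligibility by pointer identity alone, and the removed block comment was the only in-code explanation of the trust-list alternative; since the commit message says this path fails fast with NT_STATUS_CANT_ACCESS_DOMAIN_INFO instead of generating NETLOGON traffic that ends in NT_STATUS_NO_TRUST_SAM_ACCOUNT, a one-line comment at that `if` stating why the pointer comparison is preferred would stop the next reader from re-applying d2379caa77fe02264323d69fee1bcad33f1bfeee.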
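Review bot: the new noauth fallback in cm_connect_netlogon_transport returns NT_STATUS_OK before the code that sets `conn->netlogon_flags` and checks NETLOGON_NEG_AUTHENTICATED_RPC against lp_winbind_sealed_pipes() / lp_require_strong_key() (visible at the end of the first patch), so an administrator who enabled those options gets an unauthenticated NETLOGON pipe to a trusted DC without NT_STATUS_DOWNGRADE_DETECTED and with `conn->netlogon_flags` not set on this path; the commit message justifies this by the SMB signing enforced in cm_prepare_connection(), and that justification belongs in a comment next to `"fallback to noauth on NCACN_NP.\n"` so the bypass is visibly deliberate. Minor: the NCACN_IP_TCP message concatenates `"for %s, "` with `" deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n"`, which produces a double space in the log line.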
Flags: slow: review+, gd: review+, vl: review+