The Samba-Bugzilla – Attachment 12980 Details for Bug 11830: Domain member cannot resolve trusted domains' users
[patch] Patch for v4-4-test
Filename: tmp44.diff.txt
MIME Type: text/plain
Size: 3.10 KB
Creator: Stefan Metzmacher
Created: 2017-02-27 19:05:59 UTC
Description: Patch for v4-4-test
Attachment type: patch (obsolete)
>From 355d224e2c5daf88da739d42da9d8c16b42d3103 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 24 Feb 2017 10:37:32 +0000 >Subject: [PATCH] s3:winbindd: try a NETLOGON connection with noauth over > NCACN_NP against trusted domains. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >We're using only NCACN_NP here as we rely on the smb signing restrictions >of cm_prepare_connection(). > >This should fix SMB authentication with a user of a domain >behind a transitive trust. > >With this change winbindd is able to call >dcerpc_netr_DsrEnumerateDomainTrusts against the >dc of a trusted domain again. This only works >for two-way trusts. > >The main problem is the usage of is_trusted_domain() >which doesn't know about the domain, if winbindd can't >enumerate the domains in the other forest. > >is_trusted_domain() is used in make_user_info_map(), >which is called in auth3_check_password() before >auth_check_ntlm_password(). > >That means we're mapping the user of such a domain >to our own local sam, before calling our auth modules. > >A much better fix, which removes the usage of is_trusted_domain() >in planed for master, but this should do the job for current releases. > >We should avoid talking to DCs of other domains and always >go via our primary domain. As we should code with one-way trusts >also, we need to avoid relying on a complete list of >domains in future. > >For now "wbinfo -m" lists domains behind a two-way transitive >trust again, but that is likely to change in future again! > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Günther Deschner <gd@samba.org> >(cherry picked from commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6) >--- > source3/winbindd/winbindd_cm.c | 23 ++++++++++++++++++++++- > 1 file changed, 22 insertions(+), 1 deletion(-) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index 801be11..bbc5ae5 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -3292,7 +3292,28 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > > sec_chan_type = cli_credentials_get_secure_channel_type(creds); > if (sec_chan_type == SEC_CHAN_NULL) { >- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >+ if (transport == NCACN_IP_TCP) { >+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, " >+ " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n", >+ domain->name); >+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >+ } >+ >+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, " >+ "fallback to noauth on NCACN_NP.\n", >+ domain->name); >+ >+ result = cli_rpc_pipe_open_noauth_transport(conn->cli, >+ transport, >+ &ndr_table_netlogon, >+ &conn->netlogon_pipe); >+ if (!NT_STATUS_IS_OK(result)) { >+ invalidate_cm_connection(domain); >+ return result; >+ } >+ >+ *cli = conn->netlogon_pipe; >+ return NT_STATUS_OK; > } > > result = rpccli_create_netlogon_creds_with_creds(creds, >-- >1.9.1 >
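Review bot: the fallback branch treats every transport other than NCACN_IP_TCP as NCACN_NP, which is exactly what the commit message's reliance on the SMB signing restrictions of cm_prepare_connection() needs; an explicit `if (transport != NCACN_NP) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; }` before the noauth open would keep that invariant if another transport is ever passed in. The early `return NT_STATUS_OK;` also skips the rpccli_create_netlogon_creds_with_creds() path that follows, so the returned pipe carries no netlogon credentials; a short comment on that return stating that callers must tolerate a noauth pipe would document the contract. Minor: the first DBG_NOTICE continues the string with `" deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n"`, so the log line prints a double space after the comma.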
Flags: slow: review+, gd: review+