The Samba-Bugzilla – Attachment 14007 Details for Bug 13299
Bug 13299: trusted domains marked as CROSS_ORGANIZATION (with selective authentication) are implemented as domain wide authentication trusts
[patch]
Patches for v4-8-test
tmp48.diff.txt (text/plain), 6.99 KB, created by
Stefan Metzmacher
on 2018-02-28 23:38:37 UTC
Attachment flags: patch, obsolete
>From 6128cd4debc646dcf0da77a86ddf8cf669b9341b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 1 Feb 2018 11:06:10 +0100 >Subject: [PATCH 1/4] winbindd: disable support for CROSS_ORGANIZATION domains > >We don't support selective authentication yet, >so we shouldn't silently allow domain wide authentication >for such a trust. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit afd97e72090aaf31b084646b5fcecaeb8cde653d) >--- > source3/winbindd/winbindd_util.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > >diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c >index 73e6b76..b19c42f 100644 >--- a/source3/winbindd/winbindd_util.c >+++ b/source3/winbindd/winbindd_util.c >@@ -961,6 +961,17 @@ static bool add_trusted_domains_dc(void) > trust_flags |= NETR_TRUST_FLAG_IN_FOREST; > } > >+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) { >+ /* >+ * We don't support selective authentication yet. >+ */ >+ DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to " >+ "domain[%s/%s]\n", >+ domains[i]->netbios_name, >+ domains[i]->domain_name); >+ continue; >+ } >+ > status = add_trusted_domain(domains[i]->netbios_name, > domains[i]->domain_name, > &domains[i]->security_identifier, >-- >1.9.1 > > >From fb3a95ad2a924e579e49a73f92c173a37e6c9f85 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 1 Feb 2018 11:10:14 +0100 >Subject: [PATCH 2/4] s4:kdc: make use of dsdb_trust_parse_tdo_info() in > samba_kdc_trust_message2entry() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df) >--- > source4/kdc/db-glue.c | 29 +++++++++++++++++++---------- > 1 file changed, 19 insertions(+), 10 deletions(-) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 69c54b0..5ca2c06 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c >@@ -57,14 +57,17 @@ enum trust_direction { > }; > > static const char *trust_attrs[] = { >+ "securityIdentifier", >+ "flatName", > "trustPartner", >+ "trustAttributes", >+ "trustDirection", >+ "trustType", >+ "msDS-TrustForestTrustInfo", > "trustAuthIncoming", > "trustAuthOutgoing", > "whenCreated", > "msDS-SupportedEncryptionTypes", >- "trustAttributes", >- "trustDirection", >- "trustType", > NULL > }; > >@@ -1167,7 +1170,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > { > struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; > const char *our_realm = lpcfg_realm(lp_ctx); >- const char *dnsdomain = NULL; > char *partner_realm = NULL; > const char *realm = NULL; > const char *krbtgt_realm = NULL; >@@ -1183,7 +1185,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > uint32_t previous_kvno; > uint32_t num_keys = 0; > enum ndr_err_code ndr_err; >- int ret, trust_direction_flags; >+ int ret; > unsigned int i; > struct AuthenticationInformationArray *auth_array; > struct timeval tv; >@@ -1191,6 +1193,8 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > uint32_t *auth_kvno; > bool preferr_current = false; > uint32_t supported_enctypes = ENC_RC4_HMAC_MD5; >+ struct lsa_TrustDomainInfoInfoEx *tdo = NULL; >+ NTSTATUS status; > > if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) { > supported_enctypes = ldb_msg_find_attr_as_uint(msg, 
>@@ -1198,20 +1202,25 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > supported_enctypes); > } > >- trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0); >- if (!(trust_direction_flags & direction)) { >+ status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo); >+ if (!NT_STATUS_IS_OK(status)) { >+ krb5_clear_error_message(context); >+ ret = ENOMEM; >+ goto out; >+ } >+ >+ if (!(tdo->trust_direction & direction)) { > krb5_clear_error_message(context); > ret = SDB_ERR_NOENTRY; > goto out; > } > >- dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL); >- if (dnsdomain == NULL) { >+ if (tdo->domain_name.string == NULL) { > krb5_clear_error_message(context); > ret = SDB_ERR_NOENTRY; > goto out; > } >- partner_realm = strupper_talloc(mem_ctx, dnsdomain); >+ partner_realm = strupper_talloc(mem_ctx, tdo->domain_name.string); > if (partner_realm == NULL) { > krb5_clear_error_message(context); > ret = ENOMEM; >-- >1.9.1 > > >From caadf6313e720ff18554a0a7196b6b4b29b12509 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 1 Feb 2018 11:10:14 +0100 >Subject: [PATCH 3/4] s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in > samba_kdc_trust_message2entry() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit d0a813a173be630c2def93cc55e4514204d265a2) >--- > source4/kdc/db-glue.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 5ca2c06..9d633a6 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c 
>@@ -1215,6 +1215,16 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > goto out; > } > >+ if (tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL) { >+ /* >+ * Only UPLEVEL domains support kerberos here, >+ * as we don't support LSA_TRUST_TYPE_MIT. >+ */ >+ krb5_clear_error_message(context); >+ ret = SDB_ERR_NOENTRY; >+ goto out; >+ } >+ > if (tdo->domain_name.string == NULL) { > krb5_clear_error_message(context); > ret = SDB_ERR_NOENTRY; >-- >1.9.1 > > >From 863eeaab64d93417264f3b5c99324c6edc2d0005 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 1 Feb 2018 11:06:10 +0100 >Subject: [PATCH 4/4] s4:kdc: disable support for CROSS_ORGANIZATION domains > >We don't support selective authentication yet, >so we shouldn't silently allow domain wide authentication >for such a trust. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144 > >(cherry picked from commit 31b5328c46c5f510ba234f75688886987276ee9e) >--- > source4/kdc/db-glue.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 9d633a6..8ccc34c 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c >@@ -1225,6 +1225,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > goto out; > } > >+ if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) { >+ /* >+ * We don't support selective authentication yet. >+ */ >+ krb5_clear_error_message(context); >+ ret = SDB_ERR_NOENTRY; >+ goto out; >+ } >+ > if (tdo->domain_name.string == NULL) { > krb5_clear_error_message(context); > ret = SDB_ERR_NOENTRY; >-- >1.9.1 >
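Review bot: In the winbindd_util.c hunk of PATCH 1/4 the new CROSS_ORGANIZATION check sits inside add_trusted_domains_dc() only, so it covers the DC code path; the commit message does not say whether a domain member's trust enumeration needs the same guard or is unaffected, and the hunk would read better with a one-line note on that, plus the "not yet supported" rationale in the in-code comment rather than only in the log line.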
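Review bot: In the trust_attrs[] hunk of PATCH 2/4, securityIdentifier, flatName and msDS-TrustForestTrustInfo are added and trustAttributes/trustDirection/trustType are moved without any comment saying why the list changed; a short comment such as "/* attributes required by dsdb_trust_parse_tdo_info() */" above the array would make the coupling to the parser explicit for the next person who prunes the attribute list.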
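Review bot: In the dsdb_trust_parse_tdo_info() hunk of PATCH 2/4, every non-OK status is collapsed to "ret = ENOMEM", so a malformed or incomplete trustedDomain object is reported to the KDC as an out-of-memory condition, which hides the real cause; consider mapping NT_STATUS_NO_MEMORY to ENOMEM and other statuses to SDB_ERR_NOENTRY, and logging the NTSTATUS (e.g. DBG_WARNING with nt_errstr(status)) before the goto out.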
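Review bot: In the PATCH 3/4 hunk the comment explains the rejection only in terms of LSA_TRUST_TYPE_MIT, but "tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL" also rejects DOWNLEVEL and other trust types; the comment should say that anything other than UPLEVEL is excluded, and a debug message before "ret = SDB_ERR_NOENTRY" would help an administrator understand why the KDC returns no entry for such a trust.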
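Review bot: In the PATCH 4/4 hunk the KDC silently returns SDB_ERR_NOENTRY for CROSS_ORGANIZATION trusts, whereas the matching winbindd change in PATCH 1/4 emits a DBG_WARNING naming the ignored domain; for consistency and for diagnosing refused cross-forest ticket requests, add the same warning with tdo->domain_name.string (checked for NULL, since the NULL check only follows this block) before the goto out.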
Flags: slow: review+