From 9928c592d094ea7443b375a5dae252aee517b3b2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 8 Dec 2018 22:48:33 +0100 Subject: [PATCH 1/3] s3:auth_winbind: remove fallback to optional backend This is not possible anymore, as the trustdomain backend was removed in commit 75c152c0d764165a4a9dd0a85390af063dd0192a. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy (cherry picked from commit f3bac8c91121871bf8ce852bc3e3ea2e834d3f27)
---
 source3/auth/auth.c | 2 +-
 source3/auth/auth_winbind.c | 16 ----------------
 2 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4df74f9f39fc..cdf4f1db4309 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -545,7 +545,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
 switch (lp_server_role()) {
 case ROLE_DOMAIN_BDC:
 case ROLE_DOMAIN_PDC:
- methods = "sam_netlogon3 winbind:trustdomain";
+ methods = "sam_netlogon3 winbind";
 break;
 default:
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 6bf2118037dc..10e6c53c1085 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -110,12 +110,6 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 }
 if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
- struct auth_methods *auth_method =
- (struct auth_methods *)my_private_data;
-
- if ( auth_method )
- return auth_method->auth(auth_context, auth_method->private_data,
- mem_ctx, user_info, server_info);
 return NT_STATUS_LOGON_FAILURE;
 }
@@ -164,16 +158,6 @@ static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char
 result->name = "winbind";
 result->auth = check_winbind_security;
- if (param && *param) {
- /* we load the 'fallback' module - if winbind isn't here, call this
- module */
- auth_methods *priv;
- if (!load_auth_module(auth_context, param, &priv)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- result->private_data = (void *)priv;
- }
-
 *auth_method = result;
 return NT_STATUS_OK;
 }
-- 2.17.1
From 82345de1d486fd225047623da8d707161614f018 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 8 Dec 2018 22:53:21 +0100 Subject: [PATCH 2/3] s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723 Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy (cherry picked from commit ec3adc1e5b3cc953576efa795dfb25af08a8ab79)
---
 source3/auth/auth_winbind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 10e6c53c1085..0f5d684ff18a 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -110,7 +110,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 }
 if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
- return NT_STATUS_LOGON_FAILURE;
+ return NT_STATUS_NO_LOGON_SERVERS;
 }
 if (wbc_status == WBC_ERR_AUTH_ERROR) {
-- 2.17.1
From 4f41601cc7dc0ecccf19cb8f37132407f6036765 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 8 Dec 2018 23:25:40 +0100 Subject: [PATCH 3/3] s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
Signed-off-by: Stefan Metzmacher Reviewed-by: Alexander Bokovoy Autobuild-User(master): Alexander Bokovoy Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144 (cherry picked from commit 63dc60767eb13d8fc09ed4bc44faa538581b18f1)
---
 source3/auth/auth_winbind.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 0f5d684ff18a..93b832265cfa 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "auth.h"
+#include "passdb.h"
 #include "nsswitch/libwbclient/wbclient.h"
 #undef DBGC_CLASS
@@ -110,7 +111,37 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 }
 if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
- return NT_STATUS_NO_LOGON_SERVERS;
+ struct pdb_trusted_domain **domains = NULL;
+ uint32_t num_domains = 0;
+ NTSTATUS status;
+
+ if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as domain member: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ TALLOC_FREE(domains);
+
+ if (num_domains == 0) {
+ DBG_DEBUG("winbindd not running - ignoring without "
+ "trusted domains\n");
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as DC with trusts: %s\n",
+ nt_errstr(status));
+ return status;
 }
 if (wbc_status == WBC_ERR_AUTH_ERROR) {
-- 2.17.1
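Review bot: In the WBC_ERR_WINBIND_NOT_AVAILABLE branch, a failed pdb_enum_trusted_domains() is returned to the caller unchanged (`return status;`), so the passdb backend's error code, not this function, decides whether the logon is refused or this method is skipped. The no-trusts path a few lines later uses NT_STATUS_NOT_IMPLEMENTED to mean "ignoring"; if a backend returns that same code because it cannot enumerate trusts (an assumption to check against the passdb backends), the skip would happen through the DBG_ERR path on each logon attempt while winbindd is down. I would handle that case explicitly before the error log, `if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { DBG_DEBUG("passdb backend cannot enumerate trusts\n"); return status; }`. The `num_domains == 0` return also deserves a comment such as `/* NT_STATUS_NOT_IMPLEMENTED is not a success; the caller is expected to try the next auth method */`, if that is indeed how the auth stack treats this status. check_winbind_security starts and ends outside the hunk.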