Attachment 16400 Details for Bug 14602 – Patch for 4.13 and 4.14 cherry-picked from master

[patch] Patch for 4.13 and 4.14 cherry-picked from master

bug14602-v413,v414.patch (text/plain), 31.22 KB, created by Ralph Böhme on 2021-01-22 09:49:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ralph Böhme

Created: 2021-01-22 09:49:22 UTC

Size: 31.22 KB

patch

obsolete

>From 73d4a2c330644313692fc92b9a14bf0f011b1bbb Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Thu, 14 Jan 2021 08:14:46 +0100
>Subject: [PATCH 01/12] selftest: use correct DNS domain name for wrapper hosts
> file
>
>For some reason the join fails to register the DNS records when provisioning the
>member env:
>
>   Using short domain name -- SAMBA2008R2
>   Joined 'IDMAPADMEMBER' to dns domain 'samba2008r2.example.com'
>   DNS Update for idmapadmember.samba.example.com failed: ERROR_DNS_UPDATE_FAILED
>
>At the same time the hosts file used by the wrappers contains the wrong fqdn. As
>a result the test that the next commit is going do add fails due do the broken
>DNS resolution:
>
>...
>UNEXPECTED(failure): samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_ok_krb5(ad_member_idmap_ad:local)
>REASON: Exception: Exception: do_connect: Connection to idmapadmember.samba2008r2.example.com failed (Error NT_STATUS_UNSUCCESSFUL)
>...
>
>Checking DNS in the testenv, first the working record for the main DC:
>
>testenv$ dig @10.53.57.64 dc7.samba2008r2.example.com +short
>10.53.57.27
>
>testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com dc7 A -U Administrator%locDCpass7
>  Name=, Records=1, Children=0
>    A: 10.53.57.27 (flags=f0, serial=1, ttl=900)
>
>Now the failing idmapadmember:
>
>testenv$ dig @10.53.57.64 idmapadmember.samba2008r2.example.com +short
>
>testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com idmapadmember A -U Administrator%locDCpass7
>ERROR: Record or zone does not exist.
>
>Fixing the hosts file lets the tests work, fixing the broken DNS record
>registration is a task for another day.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit e1fc84138ca118c4187d87b7be4a7e6dd771dc4f)
>---
> selftest/target/Samba3.pm | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
>diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
>index ee20528a325..b3f0bca0110 100755
>--- a/selftest/target/Samba3.pm
>+++ b/selftest/target/Samba3.pm
>@@ -761,6 +761,7 @@ sub provision_ad_member
> 	my $ret = $self->provision(
> 	    prefix => $prefix,
> 	    domain => $dcvars->{DOMAIN},
>+	    realm => $dcvars->{REALM},
> 	    server => "LOCALADMEMBER",
> 	    password => "loCalMemberPass",
> 	    extra_options => $member_options,
>@@ -911,6 +912,7 @@ sub setup_ad_member_rfc2307
> 	my $ret = $self->provision(
> 	    prefix => $prefix,
> 	    domain => $dcvars->{DOMAIN},
>+	    realm => $dcvars->{REALM},
> 	    server => "RFC2307MEMBER",
> 	    password => "loCalMemberPass",
> 	    extra_options => $member_options,
>@@ -1008,6 +1010,7 @@ sub setup_ad_member_idmap_rid
> 	my $ret = $self->provision(
> 	    prefix => $prefix,
> 	    domain => $dcvars->{DOMAIN},
>+	    realm => $dcvars->{REALM},
> 	    server => "IDMAPRIDMEMBER",
> 	    password => "loCalMemberPass",
> 	    extra_options => $member_options,
>@@ -1107,6 +1110,7 @@ sub setup_ad_member_idmap_ad
> 	my $ret = $self->provision(
> 	    prefix => $prefix,
> 	    domain => $dcvars->{DOMAIN},
>+	    realm => $dcvars->{REALM},
> 	    server => "IDMAPADMEMBER",
> 	    password => "loCalMemberPass",
> 	    extra_options => $member_options,
>@@ -1965,6 +1969,7 @@ sub provision($$)
> 
> 	my $prefix = $args{prefix};
> 	my $domain = $args{domain};
>+	my $realm = $args{realm};
> 	my $server = $args{server};
> 	my $password = $args{password};
> 	my $extra_options = $args{extra_options};
>@@ -1982,6 +1987,12 @@ sub provision($$)
> 	my %createuser_env = ();
> 	my $server_ip = Samba::get_ipv4_addr($server);
> 	my $server_ipv6 = Samba::get_ipv6_addr($server);
>+	my $dns_domain;
>+	if (defined($realm)) {
>+	    $dns_domain = lc($realm);
>+	} else {
>+	    $dns_domain = "samba.example.com";
>+	}
> 
> 	my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `PATH=/usr/ucb:$ENV{PATH} whoami`);
> 	chomp $unix_name;
>@@ -2987,8 +2998,8 @@ userdup:x:$gid_userdup:$unix_name
> 		warn("Unable to open $nss_wrapper_hosts");
> 		return undef;
> 	}
>-	print HOSTS "${server_ip} ${hostname}.samba.example.com ${hostname}\n";
>-	print HOSTS "${server_ipv6} ${hostname}.samba.example.com ${hostname}\n";
>+	print HOSTS "${server_ip} ${hostname}.${dns_domain} ${hostname}\n";
>+	print HOSTS "${server_ipv6} ${hostname}.${dns_domain} ${hostname}\n";
> 	close(HOSTS);
> 
> 	$resolv_conf = "$privatedir/no_resolv.conf" unless defined($resolv_conf);
>-- 
>2.26.2
>
>
>From 56c72e8538384a6bd5bc26e46463b6f13c72bf04 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Wed, 20 Jan 2021 11:17:22 +0100
>Subject: [PATCH 02/12] winbind: move config-reloading code to winbindd_dual.c
>
>In preperation of forwarding MSG_SMB_CONF_UPDATED to all childs.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 81edc65e79aba121db800ec53aadd766e61a0001)
>---
> source3/winbindd/winbindd.c       | 23 ++++++-----------------
> source3/winbindd/winbindd_dual.c  | 15 +++++++++++++++
> source3/winbindd/winbindd_proto.h |  7 +++++++
> 3 files changed, 28 insertions(+), 17 deletions(-)
>
>diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
>index bff5b9a7282..9ae7912b9ff 100644
>--- a/source3/winbindd/winbindd.c
>+++ b/source3/winbindd/winbindd.c
>@@ -103,7 +103,7 @@ struct imessaging_context *winbind_imessaging_context(void)
> 
> /* Reload configuration */
> 
>-static bool reload_services_file(const char *lfile)
>+bool winbindd_reload_services_file(const char *lfile)
> {
> 	const struct loadparm_substitution *lp_sub =
> 		loadparm_s3_global_substitution();
>@@ -157,7 +157,7 @@ static void winbindd_status(void)
> 
> /* Flush client cache */
> 
>-static void flush_caches(void)
>+void winbindd_flush_caches(void)
> {
> 	/* We need to invalidate cached user list entries on a SIGHUP 
>            otherwise cached access denied errors due to restrict anonymous
>@@ -364,7 +364,7 @@ static void winbindd_sig_hup_handler(struct tevent_context *ev,
> 
> 	DEBUG(1,("Reloading services after SIGHUP\n"));
> 	flush_caches_noinit();
>-	reload_services_file(file);
>+	winbindd_reload_services_file(file);
> }
> 
> bool winbindd_setup_sig_hup_handler(const char *lfile)
>@@ -448,18 +448,6 @@ static bool winbindd_setup_sig_usr2_handler(void)
> 	return true;
> }
> 
>-/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/
>-static void msg_reload_services(struct messaging_context *msg,
>-				void *private_data,
>-				uint32_t msg_type,
>-				struct server_id server_id,
>-				DATA_BLOB *data)
>-{
>-        /* Flush various caches */
>-	flush_caches();
>-	reload_services_file((const char *) private_data);
>-}
>-
> /* React on 'smbcontrol winbindd shutdown' in the same way as on SIGTERM*/
> static void msg_shutdown(struct messaging_context *msg,
> 			 void *private_data,
>@@ -1421,7 +1409,8 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx,
> 	/* React on 'smbcontrol winbindd reload-config' in the same way
> 	   as to SIGHUP signal */
> 	messaging_register(msg_ctx, NULL,
>-			   MSG_SMB_CONF_UPDATED, msg_reload_services);
>+			   MSG_SMB_CONF_UPDATED,
>+			   winbindd_msg_reload_services_parent);
> 	messaging_register(msg_ctx, NULL,
> 			   MSG_SHUTDOWN, msg_shutdown);
> 
>@@ -1812,7 +1801,7 @@ int main(int argc, const char **argv)
> 		exit(1);
> 	}
> 
>-	if (!reload_services_file(NULL)) {
>+	if (!winbindd_reload_services_file(NULL)) {
> 		DEBUG(0, ("error opening config file\n"));
> 		exit(1);
> 	}
>diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
>index a93a987df07..2885dd4d005 100644
>--- a/source3/winbindd/winbindd_dual.c
>+++ b/source3/winbindd/winbindd_dual.c
>@@ -929,6 +929,21 @@ void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx,
> 	forall_children(winbind_msg_relay_fn, &state);
> }
> 
>+/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/
>+void winbindd_msg_reload_services_parent(struct messaging_context *msg,
>+					 void *private_data,
>+					 uint32_t msg_type,
>+					 struct server_id server_id,
>+					 DATA_BLOB *data)
>+{
>+	DBG_DEBUG("Got reload-config message\n");
>+
>+        /* Flush various caches */
>+	winbindd_flush_caches();
>+
>+	winbindd_reload_services_file((const char *)private_data);
>+}
>+
> /* Set our domains as offline and forward the offline message to our children. */
> 
> struct winbind_msg_on_offline_state {
>diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
>index 0f5c773e851..8923bb3124f 100644
>--- a/source3/winbindd/winbindd_proto.h
>+++ b/source3/winbindd/winbindd_proto.h
>@@ -31,6 +31,8 @@ bool winbindd_setup_sig_hup_handler(const char *lfile);
> bool winbindd_use_idmap_cache(void);
> bool winbindd_use_cache(void);
> char *get_winbind_priv_pipe_dir(void);
>+void winbindd_flush_caches(void);
>+bool winbindd_reload_services_file(const char *lfile);
> 
> /* The following definitions come from winbindd/winbindd_ads.c  */
> 
>@@ -341,6 +343,11 @@ void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx,
> 				   uint32_t msg_type,
> 				   struct server_id server_id,
> 				   DATA_BLOB *data);
>+void winbindd_msg_reload_services_parent(struct messaging_context *msg,
>+					 void *private_data,
>+					 uint32_t msg_type,
>+					 struct server_id server_id,
>+					 DATA_BLOB *data);
> NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself,
> 				    const char *logfilename);
> struct winbindd_domain *wb_child_domain(void);
>-- 
>2.26.2
>
>
>From 0db1534f31354e472f7abed2ed2c93b326a64de1 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Wed, 20 Jan 2021 12:27:23 +0100
>Subject: [PATCH 03/12] winbind: set logfile after reloading config
>
>lp_load_global() will overwrite whatever we've set with lp_set_logfile().
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 0c4497f8c66d0ea7c68d42c19e859932ebc3e2ac)
>---
> source3/winbindd/winbindd.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
>index 9ae7912b9ff..3049faa3237 100644
>--- a/source3/winbindd/winbindd.c
>+++ b/source3/winbindd/winbindd.c
>@@ -118,15 +118,15 @@ bool winbindd_reload_services_file(const char *lfile)
> 		TALLOC_FREE(fname);
> 	}
> 
>+	reopen_logs();
>+	ret = lp_load_global(get_dyn_CONFIGFILE());
>+
> 	/* if this is a child, restore the logfile to the special
> 	   name - <domain>, idmap, etc. */
> 	if (lfile && *lfile) {
> 		lp_set_logfile(lfile);
> 	}
> 
>-	reopen_logs();
>-	ret = lp_load_global(get_dyn_CONFIGFILE());
>-
> 	reopen_logs();
> 	load_interfaces();
> 	winbindd_setup_max_fds();
>-- 
>2.26.2
>
>
>From 2abcbaf95629db245baf1bf6b91bf3d07c516e99 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Wed, 20 Jan 2021 12:00:16 +0100
>Subject: [PATCH 04/12] winbind: handle MSG_SMB_CONF_UPDATED in the winbinds
> children
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 072ef48001710ed8326c83295f2d3cc301d27cfe)
>---
> source3/winbindd/winbindd_dual.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
>diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
>index 2885dd4d005..c13bf6e8b2f 100644
>--- a/source3/winbindd/winbindd_dual.c
>+++ b/source3/winbindd/winbindd_dual.c
>@@ -929,6 +929,16 @@ void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx,
> 	forall_children(winbind_msg_relay_fn, &state);
> }
> 
>+static void winbindd_msg_reload_services_child(struct messaging_context *msg,
>+					       void *private_data,
>+					       uint32_t msg_type,
>+					       struct server_id server_id,
>+					       DATA_BLOB *data)
>+{
>+	DBG_DEBUG("Got reload-config message\n");
>+	winbindd_reload_services_file((const char *)private_data);
>+}
>+
> /* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/
> void winbindd_msg_reload_services_parent(struct messaging_context *msg,
> 					 void *private_data,
>@@ -936,12 +946,20 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg,
> 					 struct server_id server_id,
> 					 DATA_BLOB *data)
> {
>+	struct winbind_msg_relay_state state = {
>+		.msg_ctx = msg,
>+		.msg_type = msg_type,
>+		.data = data,
>+	};
>+
> 	DBG_DEBUG("Got reload-config message\n");
> 
>         /* Flush various caches */
> 	winbindd_flush_caches();
> 
> 	winbindd_reload_services_file((const char *)private_data);
>+
>+	forall_children(winbind_msg_relay_fn, &state);
> }
> 
> /* Set our domains as offline and forward the offline message to our children. */
>@@ -1784,6 +1802,10 @@ static bool fork_domain_child(struct winbindd_child *child)
> 	messaging_register(global_messaging_context(), NULL,
> 			   MSG_WINBIND_DISCONNECT_DC,
> 			   winbind_msg_disconnect_dc);
>+	messaging_register(global_messaging_context(),
>+			   override_logfile ? NULL : child->logfilename,
>+			   MSG_SMB_CONF_UPDATED,
>+			   winbindd_msg_reload_services_child);
> 
> 	primary_domain = find_our_domain();
> 
>-- 
>2.26.2
>
>
>From 73a1fa37af353fcc01eb58fb87ec1c1660e11eee Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Wed, 13 Jan 2021 11:54:40 +0100
>Subject: [PATCH 05/12] selftest: add a test for "winbind:ignore domains"
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 32197d21dabecaee9bc1d6cd557578892220fe4c)
>---
> .../samba3.blackbox.winbind_ignore_domain     |   3 +
> .../tests/test_winbind_ignore_domains.sh      | 104 ++++++++++++++++++
> source3/selftest/tests.py                     |   3 +
> 3 files changed, 110 insertions(+)
> create mode 100644 selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
> create mode 100755 source3/script/tests/test_winbind_ignore_domains.sh
>
>diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>new file mode 100644
>index 00000000000..e20ea025655
>--- /dev/null
>+++ b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>@@ -0,0 +1,3 @@
>+^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_ip$ad_member_idmap_ad:local$
>+^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn$ad_member_idmap_ad:local$
>+^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5$ad_member_idmap_ad:local$
>diff --git a/source3/script/tests/test_winbind_ignore_domains.sh b/source3/script/tests/test_winbind_ignore_domains.sh
>new file mode 100755
>index 00000000000..adce8abb09c
>--- /dev/null
>+++ b/source3/script/tests/test_winbind_ignore_domains.sh
>@@ -0,0 +1,104 @@
>+#!/bin/sh
>+
>+incdir=`dirname $0`/../../../testprogs/blackbox
>+. $incdir/subunit.sh
>+. $incdir/common_test_fns.inc
>+
>+failed=0
>+
>+smbclient="$BINDIR/smbclient"
>+smbcontrol="$BINDIR/smbcontrol"
>+ldbmodify="$BINDIR/ldbmodify"
>+ldbsearch="$BINDIR/ldbsearch"
>+wbinfo="$BINDIR/wbinfo"
>+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
>+SERVER_FQDN=$(echo "$SERVER.$REALM" | awk '{print tolower($0)}')
>+
>+TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}')
>+if [ $? -ne 0 ] ; then
>+    echo "Could not find trusted base DN" | subunit_fail_test "test_idmap_ad"
>+    exit 1
>+fi
>+
>+#
>+# Add POSIX ids to trusted domain
>+#
>+add_posix_ids() {
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+       -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+add: uidNumber
>+uidNumber: 2500000
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+       -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+add: gidNumber
>+gidNumber: 2500001
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+       -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+add: gidNumber
>+gidNumber: 2500002
>+EOF
>+}
>+
>+#
>+# Remove POSIX ids from trusted domain
>+#
>+remove_posix_ids() {
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+       -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+delete: uidNumber
>+uidNumber: 2500000
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+       -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+delete: gidNumber
>+gidNumber: 2500001
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+       -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+delete: gidNumber
>+gidNumber: 2500002
>+EOF
>+}
>+
>+add_posix_ids
>+
>+echo "" > $global_inject_conf
>+$smbcontrol winbindd reload-config
>+$wbinfo -p
>+
>+test_smbclient "test_winbind_ignore_domains_ok_ntlm_ip" "ls" "//$SERVER_IP/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1`
>+test_smbclient "test_winbind_ignore_domains_ok_ntlm_fqdn" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1`
>+test_smbclient "test_winbind_ignore_domains_ok_krb5" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD -k || failed=`expr $failed + 1`
>+
>+echo "winbind:ignore domains = $TRUST_DOMAIN" > $global_inject_conf
>+$smbcontrol winbindd reload-config
>+$wbinfo -p
>+
>+test_smbclient_expect_failure "test_winbind_ignore_domains_fail_ntlm_ip" "ls" "//$SERVER_IP/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1`
>+test_smbclient_expect_failure "test_winbind_ignore_domains_fail_ntlm_fqdn" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1`
>+test_smbclient_expect_failure "test_winbind_ignore_domains_fail_krb5" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD -k || failed=`expr $failed + 1`
>+
>+echo "" > $global_inject_conf
>+$smbcontrol winbindd reload-config
>+$wbinfo -p
>+remove_posix_ids
>+
>+testok $0 $failed
>diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
>index c7280c630dc..0250eb11684 100755
>--- a/source3/selftest/tests.py
>+++ b/source3/selftest/tests.py
>@@ -1037,6 +1037,9 @@ plantestsuite("samba3.blackbox.smbd_no_krb5", "ad_member:local",
>               [os.path.join(samba3srcdir, "script/tests/test_smbd_no_krb5.sh"),
>                smbclient3, '$SERVER', "$DC_USERNAME", "$DC_PASSWORD", "$PREFIX"])
> 
>+plantestsuite("samba3.blackbox.winbind_ignore_domain", "ad_member_idmap_ad:local",
>+              [os.path.join(samba3srcdir, "script/tests/test_winbind_ignore_domains.sh")])
>+
> plantestsuite("samba3.blackbox.durable_v2_delay", "simpleserver:local",
>               [os.path.join(samba3srcdir, "script/tests/test_durable_handle_reconnect.sh")])
> 
>-- 
>2.26.2
>
>
>From ff875901e26ee70c729466d4e747fc7e781ea15f Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Mon, 11 Jan 2021 16:15:15 +0100
>Subject: [PATCH 06/12] winbind: move "winbind:ignore domain" logic to a
> seperate function
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 894caca79476d25a0268d89b2ad8a5758b7e31f3)
>---
> source3/include/proto.h          |  1 +
> source3/lib/util_names.c         | 20 ++++++++++++++++++++
> source3/winbindd/winbindd_util.c | 10 ++--------
> 3 files changed, 23 insertions(+), 8 deletions(-)
>
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index 6c9cf130d04..16cd587ed30 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
>@@ -304,6 +304,7 @@ struct passwd *Get_Pwnam_alloc(TALLOC_CTX *mem_ctx, const char *user);
> /* The following definitions come from lib/util_names.c  */
> const char *get_global_sam_name(void);
> const char *my_sam_name(void);
>+bool is_allowed_domain(const char *domain_name);
> 
> /* The following definitions come from lib/util.c  */
> 
>diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
>index 15236c913df..630a25875c7 100644
>--- a/source3/lib/util_names.c
>+++ b/source3/lib/util_names.c
>@@ -182,3 +182,23 @@ const char *my_sam_name(void)
> 
> 	return lp_workgroup();
> }
>+
>+bool is_allowed_domain(const char *domain_name)
>+{
>+	const char **ignored_domains = NULL;
>+	const char **dom = NULL;
>+
>+	ignored_domains = lp_parm_string_list(-1,
>+					      "winbind",
>+					      "ignore domains",
>+					      NULL);
>+
>+	for (dom = ignored_domains; dom != NULL && *dom != NULL; dom++) {
>+		if (gen_fnmatch(*dom, domain_name) == 0) {
>+			DBG_NOTICE("Ignoring domain '%s'\n", domain_name);
>+			return false;
>+		}
>+	}
>+
>+	return true;
>+}
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index a5f5defcd87..414b770a271 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -126,8 +126,6 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
> 				   struct winbindd_domain **_d)
> {
> 	struct winbindd_domain *domain = NULL;
>-	const char **ignored_domains = NULL;
>-	const char **dom = NULL;
> 	int role = lp_server_role();
> 	struct dom_sid_buf buf;
> 
>@@ -136,12 +134,8 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
> 		return NT_STATUS_INVALID_PARAMETER;
> 	}
> 
>-	ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
>-	for (dom=ignored_domains; dom && *dom; dom++) {
>-		if (gen_fnmatch(*dom, domain_name) == 0) {
>-			DEBUG(2,("Ignoring domain '%s'\n", domain_name));
>-			return NT_STATUS_NO_SUCH_DOMAIN;
>-		}
>+	if (!is_allowed_domain(domain_name)) {
>+		return NT_STATUS_NO_SUCH_DOMAIN;
> 	}
> 
> 	/*
>-- 
>2.26.2
>
>
>From e72cba47088e9bb762244237ba524f0a11b76d65 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Mon, 11 Jan 2021 16:50:31 +0100
>Subject: [PATCH 07/12] winbind: check for allowed domains in
> winbindd_dual_pam_auth()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 4cefdf03fec91cdcf700922b1a5ceca02407e259)
>---
> source3/winbindd/winbindd_pam.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index 10c5ff2a7e2..560a2b992a8 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -2405,6 +2405,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
> 			goto done;
> 		}
> 
>+		if (!is_allowed_domain(info3->base.logon_domain.string)) {
>+			DBG_NOTICE("Authentication failed for user [%s] "
>+				   "from firewalled domain [%s]\n",
>+				   info3->base.account_name.string,
>+				   info3->base.logon_domain.string);
>+			result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
>+			goto done;
>+		}
>+
> 		result = append_auth_data(state->mem_ctx, state->response,
> 					  state->request->flags,
> 					  validation_level,
>-- 
>2.26.2
>
>
>From d9faaff2ae767cb905aa441e4caae39cc6a4bcbe Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Mon, 11 Jan 2021 17:10:19 +0100
>Subject: [PATCH 08/12] winbind: check for allowed domains in
> winbindd_dual_pam_auth_crap()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit c17bc9c6115e4e92132f3cb912547eac78227938)
>---
> .../knownfail.d/samba3.blackbox.winbind_ignore_domain  |  1 -
> source3/winbindd/winbindd_pam.c                        | 10 ++++++++++
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
>diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>index e20ea025655..e1eedc9aa2a 100644
>--- a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>+++ b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>@@ -1,3 +1,2 @@
>-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_ip$ad_member_idmap_ad:local$
> ^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn$ad_member_idmap_ad:local$
> ^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5$ad_member_idmap_ad:local$
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index 560a2b992a8..25ebd82c638 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -2767,6 +2767,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
> 			goto done;
> 		}
> 
>+		if (!is_allowed_domain(info3->base.logon_domain.string)) {
>+			DBG_NOTICE("Authentication failed for user [%s] "
>+				   "from firewalled domain [%s]\n",
>+				   info3->base.account_name.string,
>+				   info3->base.logon_domain.string);
>+			state->response->data.auth.authoritative = true;
>+			result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
>+			goto done;
>+		}
>+
> 		result = append_auth_data(state->mem_ctx, state->response,
> 					  state->request->flags,
> 					  validation_level,
>-- 
>2.26.2
>
>
>From c58beb56a63da4e341f4ce66aa84e62c1c868efe Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Mon, 11 Jan 2021 17:19:05 +0100
>Subject: [PATCH 09/12] winbind: check for allowed domains in
> winbindd_dual_pam_chng_pswd_auth_crap()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 4bc17600bc50fbc0e54d9d019d8db67001fc3eef)
>---
> source3/winbindd/winbindd_pam.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index 25ebd82c638..5dcfeb11b99 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -3106,6 +3106,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
> 		fstrcpy(domain,lp_workgroup());
> 	}
> 
>+	if (!is_allowed_domain(domain)) {
>+		DBG_NOTICE("Authentication failed for user [%s] "
>+			   "from firewalled domain [%s]\n",
>+			   state->request->data.chng_pswd_auth_crap.user,
>+			   domain);
>+		result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
>+		goto done;
>+	}
>+
> 	if(!*user) {
> 		fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
> 	}
>-- 
>2.26.2
>
>
>From 487650b54bae7c75693521fabaf8ff1354e48a1f Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Mon, 11 Jan 2021 17:59:48 +0100
>Subject: [PATCH 10/12] winbind: check for allowed domains in
> winbindd_dual_pam_chauthtok()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3)
>---
> source3/winbindd/winbindd_pam.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index 5dcfeb11b99..3375af66821 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -2845,6 +2845,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
> 		goto done;
> 	}
> 
>+	if (!is_allowed_domain(domain)) {
>+		DBG_NOTICE("Authentication failed for user [%s] "
>+			   "from firewalled domain [%s]\n",
>+			   user, domain);
>+		result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
>+		goto done;
>+	}
>+
> 	/* Change password */
> 
> 	oldpass = state->request->data.chauthtok.oldpass;
>-- 
>2.26.2
>
>
>From 862a956823766ae238658cc29746adcb4ec05958 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Thu, 14 Jan 2021 10:42:53 +0100
>Subject: [PATCH 11/12] winbind: check for allowed domains in
> winbindd_pam_auth_pac_verify()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003)
>---
> .../knownfail.d/samba3.blackbox.winbind_ignore_domain     | 2 --
> source3/winbindd/winbindd_pam.c                           | 8 ++++++++
> 2 files changed, 8 insertions(+), 2 deletions(-)
> delete mode 100644 selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>
>diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>deleted file mode 100644
>index e1eedc9aa2a..00000000000
>--- a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
>+++ /dev/null
>@@ -1,2 +0,0 @@
>-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn$ad_member_idmap_ad:local$
>-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5$ad_member_idmap_ad:local$
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index 3375af66821..f27802ee065 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -3325,6 +3325,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
> 		return result;
> 	}
> 
>+	if (!is_allowed_domain(info6->base.logon_domain.string)) {
>+		DBG_NOTICE("Authentication failed for user [%s] "
>+			   "from firewalled domain [%s]\n",
>+			   info6->base.account_name.string,
>+			   info6->base.logon_domain.string);
>+		return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
>+	}
>+
> 	result = map_info6_to_validation(state->mem_ctx,
> 					 info6,
> 					 &validation_level,
>-- 
>2.26.2
>
>
>From 45343a6487146a6dc3804b0c791ed13c9505d8d8 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Fri, 15 Jan 2021 12:56:25 +0100
>Subject: [PATCH 12/12] s3/auth: implement "winbind:ignore domains"
>
>Under the following conditions a user from an ignored domain might be able to
>authenticate:
>
>- using Kerberos
>
>- successfully previous authentication so the idmap and name caches are filled
>
>- winbind not running (fwiw, winbindd is mandatory on a domain member)
>
>- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
>  because getpwnam fails)
>
>- lookup_name() function being modified to look into the name cache before
>  contacting winbindd. Currently it talks directly to winbindd and that will
>  check the cache.
>
>Currently, authentication will only fail because creating the local token for
>the user fails because an LSA lookupname RPC call fails (because winbindd is not
>running).
>
>All of this makes a successfull authentication unlikelly, but that is more by
>accident then by design.
>
>To ensures that if winbindd is not running and as such winbindd itself can not
>enforce the restriction, also implement the ignored domains check in the auth
>system as a last line of defense.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
>RN: "winbind:ignore domains" doesn't prevent user login from trusted domain
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit df5fe2d835169161d3930acf1e9c750dd2bc64b6)
>---
> source3/auth/auth_util.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index 9427c05f573..4686b29111e 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -485,6 +485,14 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> 		return NT_STATUS_LOGON_FAILURE;
> 	}
> 
>+	if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
>+		DBG_NOTICE("Authentication failed for user [%s] "
>+			   "from firewalled domain [%s]\n",
>+			   server_info->info3->base.account_name.string,
>+			   server_info->info3->base.logon_domain.string);
>+		return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
>+	}
>+
> 	if (server_info->cached_session_info != NULL) {
> 		session_info = copy_session_info(mem_ctx,
> 				server_info->cached_session_info);
>-- 
>2.26.2
>

Flags:

jra: review+

Actions: View

Attachments on bug 14602: 16400 | 16401