The Samba-Bugzilla – Attachment 16400 Details for Bug 14602: "winbind:ignore domains" doesn't prevent user login from trusted domain
[patch] Patch for 4.13 and 4.14 cherry-picked from master
bug14602-v413,v414.patch (text/plain), 31.22 KB, created by Ralph Böhme on 2021-01-22 09:49:22 UTC
Attachment flags: patch, obsolete
>From 73d4a2c330644313692fc92b9a14bf0f011b1bbb Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 14 Jan 2021 08:14:46 +0100 >Subject: [PATCH 01/12] selftest: use correct DNS domain name for wrapper hosts > file > >For some reason the join fails to register the DNS records when provisioning the >member env: > > Using short domain name -- SAMBA2008R2 > Joined 'IDMAPADMEMBER' to dns domain 'samba2008r2.example.com' > DNS Update for idmapadmember.samba.example.com failed: ERROR_DNS_UPDATE_FAILED > >At the same time the hosts file used by the wrappers contains the wrong fqdn. As >a result the test that the next commit is going do add fails due do the broken >DNS resolution: > >... >UNEXPECTED(failure): samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_ok_krb5(ad_member_idmap_ad:local) >REASON: Exception: Exception: do_connect: Connection to idmapadmember.samba2008r2.example.com failed (Error NT_STATUS_UNSUCCESSFUL) >... > >Checking DNS in the testenv, first the working record for the main DC: > >testenv$ dig @10.53.57.64 dc7.samba2008r2.example.com +short >10.53.57.27 > >testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com dc7 A -U Administrator%locDCpass7 > Name=, Records=1, Children=0 > A: 10.53.57.27 (flags=f0, serial=1, ttl=900) > >Now the failing idmapadmember: > >testenv$ dig @10.53.57.64 idmapadmember.samba2008r2.example.com +short > >testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com idmapadmember A -U Administrator%locDCpass7 >ERROR: Record or zone does not exist. > >Fixing the hosts file lets the tests work, fixing the broken DNS record >registration is a task for another day. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit e1fc84138ca118c4187d87b7be4a7e6dd771dc4f) >--- > selftest/target/Samba3.pm | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) 
> >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index ee20528a325..b3f0bca0110 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -761,6 +761,7 @@ sub provision_ad_member > my $ret = $self->provision( > prefix => $prefix, > domain => $dcvars->{DOMAIN}, >+ realm => $dcvars->{REALM}, > server => "LOCALADMEMBER", > password => "loCalMemberPass", > extra_options => $member_options, >@@ -911,6 +912,7 @@ sub setup_ad_member_rfc2307 > my $ret = $self->provision( > prefix => $prefix, > domain => $dcvars->{DOMAIN}, >+ realm => $dcvars->{REALM}, > server => "RFC2307MEMBER", > password => "loCalMemberPass", > extra_options => $member_options, >@@ -1008,6 +1010,7 @@ sub setup_ad_member_idmap_rid > my $ret = $self->provision( > prefix => $prefix, > domain => $dcvars->{DOMAIN}, >+ realm => $dcvars->{REALM}, > server => "IDMAPRIDMEMBER", > password => "loCalMemberPass", > extra_options => $member_options, >@@ -1107,6 +1110,7 @@ sub setup_ad_member_idmap_ad > my $ret = $self->provision( > prefix => $prefix, > domain => $dcvars->{DOMAIN}, >+ realm => $dcvars->{REALM}, > server => "IDMAPADMEMBER", > password => "loCalMemberPass", > extra_options => $member_options, >@@ -1965,6 +1969,7 @@ sub provision($$) > > my $prefix = $args{prefix}; > my $domain = $args{domain}; >+ my $realm = $args{realm}; > my $server = $args{server}; > my $password = $args{password}; > my $extra_options = $args{extra_options}; >@@ -1982,6 +1987,12 @@ sub provision($$) > my %createuser_env = (); > my $server_ip = Samba::get_ipv4_addr($server); > my $server_ipv6 = Samba::get_ipv6_addr($server); >+ my $dns_domain; >+ if (defined($realm)) { >+ $dns_domain = lc($realm); >+ } else { >+ $dns_domain = "samba.example.com"; >+ } > > my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `PATH=/usr/ucb:$ENV{PATH} whoami`); > chomp $unix_name; 
>@@ -2987,8 +2998,8 @@ userdup:x:$gid_userdup:$unix_name > warn("Unable to open $nss_wrapper_hosts"); > return undef; > } >- print HOSTS "${server_ip} ${hostname}.samba.example.com ${hostname}\n"; >- print HOSTS "${server_ipv6} ${hostname}.samba.example.com ${hostname}\n"; >+ print HOSTS "${server_ip} ${hostname}.${dns_domain} ${hostname}\n"; >+ print HOSTS "${server_ipv6} ${hostname}.${dns_domain} ${hostname}\n"; > close(HOSTS); > > $resolv_conf = "$privatedir/no_resolv.conf" unless defined($resolv_conf); >-- >2.26.2 > > >From 56c72e8538384a6bd5bc26e46463b6f13c72bf04 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Wed, 20 Jan 2021 11:17:22 +0100 >Subject: [PATCH 02/12] winbind: move config-reloading code to winbindd_dual.c > >In preperation of forwarding MSG_SMB_CONF_UPDATED to all childs. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 81edc65e79aba121db800ec53aadd766e61a0001) >--- > source3/winbindd/winbindd.c | 23 ++++++----------------- > source3/winbindd/winbindd_dual.c | 15 +++++++++++++++ > source3/winbindd/winbindd_proto.h | 7 +++++++ > 3 files changed, 28 insertions(+), 17 deletions(-) > >diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c >index bff5b9a7282..9ae7912b9ff 100644 >--- a/source3/winbindd/winbindd.c >+++ b/source3/winbindd/winbindd.c >@@ -103,7 +103,7 @@ struct imessaging_context *winbind_imessaging_context(void) > > /* Reload configuration */ > >-static bool reload_services_file(const char *lfile) >+bool winbindd_reload_services_file(const char *lfile) > { > const struct loadparm_substitution *lp_sub = > loadparm_s3_global_substitution(); 
>@@ -157,7 +157,7 @@ static void winbindd_status(void) > > /* Flush client cache */ > >-static void flush_caches(void) >+void winbindd_flush_caches(void) > { > /* We need to invalidate cached user list entries on a SIGHUP > otherwise cached access denied errors due to restrict anonymous >@@ -364,7 +364,7 @@ static void winbindd_sig_hup_handler(struct tevent_context *ev, > > DEBUG(1,("Reloading services after SIGHUP\n")); > flush_caches_noinit(); >- reload_services_file(file); >+ winbindd_reload_services_file(file); > } > > bool winbindd_setup_sig_hup_handler(const char *lfile) >@@ -448,18 +448,6 @@ static bool winbindd_setup_sig_usr2_handler(void) > return true; > } > >-/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ >-static void msg_reload_services(struct messaging_context *msg, >- void *private_data, >- uint32_t msg_type, >- struct server_id server_id, >- DATA_BLOB *data) >-{ >- /* Flush various caches */ >- flush_caches(); >- reload_services_file((const char *) private_data); >-} >- > /* React on 'smbcontrol winbindd shutdown' in the same way as on SIGTERM*/ > static void msg_shutdown(struct messaging_context *msg, > void *private_data, >@@ -1421,7 +1409,8 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx, > /* React on 'smbcontrol winbindd reload-config' in the same way > as to SIGHUP signal */ > messaging_register(msg_ctx, NULL, >- MSG_SMB_CONF_UPDATED, msg_reload_services); >+ MSG_SMB_CONF_UPDATED, >+ winbindd_msg_reload_services_parent); > messaging_register(msg_ctx, NULL, > MSG_SHUTDOWN, msg_shutdown); > >@@ -1812,7 +1801,7 @@ int main(int argc, const char **argv) > exit(1); > } > >- if (!reload_services_file(NULL)) { >+ if (!winbindd_reload_services_file(NULL)) { > DEBUG(0, ("error opening config file\n")); > exit(1); > } >diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c >index a93a987df07..2885dd4d005 100644 >--- a/source3/winbindd/winbindd_dual.c 
>+++ b/source3/winbindd/winbindd_dual.c >@@ -929,6 +929,21 @@ void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx, > forall_children(winbind_msg_relay_fn, &state); > } > >+/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ >+void winbindd_msg_reload_services_parent(struct messaging_context *msg, >+ void *private_data, >+ uint32_t msg_type, >+ struct server_id server_id, >+ DATA_BLOB *data) >+{ >+ DBG_DEBUG("Got reload-config message\n"); >+ >+ /* Flush various caches */ >+ winbindd_flush_caches(); >+ >+ winbindd_reload_services_file((const char *)private_data); >+} >+ > /* Set our domains as offline and forward the offline message to our children. */ > > struct winbind_msg_on_offline_state { >diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h >index 0f5c773e851..8923bb3124f 100644 >--- a/source3/winbindd/winbindd_proto.h >+++ b/source3/winbindd/winbindd_proto.h >@@ -31,6 +31,8 @@ bool winbindd_setup_sig_hup_handler(const char *lfile); > bool winbindd_use_idmap_cache(void); > bool winbindd_use_cache(void); > char *get_winbind_priv_pipe_dir(void); >+void winbindd_flush_caches(void); >+bool winbindd_reload_services_file(const char *lfile); > > /* The following definitions come from winbindd/winbindd_ads.c */ > >@@ -341,6 +343,11 @@ void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx, > uint32_t msg_type, > struct server_id server_id, > DATA_BLOB *data); >+void winbindd_msg_reload_services_parent(struct messaging_context *msg, >+ void *private_data, >+ uint32_t msg_type, >+ struct server_id server_id, >+ DATA_BLOB *data); > NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself, > const char *logfilename); > struct winbindd_domain *wb_child_domain(void); >-- >2.26.2 > > >From 0db1534f31354e472f7abed2ed2c93b326a64de1 Mon Sep 17 00:00:00 2001 
>From: Ralph Boehme <slow@samba.org> >Date: Wed, 20 Jan 2021 12:27:23 +0100 >Subject: [PATCH 03/12] winbind: set logfile after reloading config > >lp_load_global() will overwrite whatever we've set with lp_set_logfile(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 0c4497f8c66d0ea7c68d42c19e859932ebc3e2ac) >--- > source3/winbindd/winbindd.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c >index 9ae7912b9ff..3049faa3237 100644 >--- a/source3/winbindd/winbindd.c >+++ b/source3/winbindd/winbindd.c >@@ -118,15 +118,15 @@ bool winbindd_reload_services_file(const char *lfile) > TALLOC_FREE(fname); > } > >+ reopen_logs(); >+ ret = lp_load_global(get_dyn_CONFIGFILE()); >+ > /* if this is a child, restore the logfile to the special > name - <domain>, idmap, etc. */ > if (lfile && *lfile) { > lp_set_logfile(lfile); > } > >- reopen_logs(); >- ret = lp_load_global(get_dyn_CONFIGFILE()); >- > reopen_logs(); > load_interfaces(); > winbindd_setup_max_fds(); >-- >2.26.2 > > >From 2abcbaf95629db245baf1bf6b91bf3d07c516e99 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Wed, 20 Jan 2021 12:00:16 +0100 >Subject: [PATCH 04/12] winbind: handle MSG_SMB_CONF_UPDATED in the winbinds > children > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 072ef48001710ed8326c83295f2d3cc301d27cfe) >--- > source3/winbindd/winbindd_dual.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > >diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c >index 2885dd4d005..c13bf6e8b2f 100644 >--- a/source3/winbindd/winbindd_dual.c >+++ b/source3/winbindd/winbindd_dual.c 
>@@ -929,6 +929,16 @@ void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx, > forall_children(winbind_msg_relay_fn, &state); > } > >+static void winbindd_msg_reload_services_child(struct messaging_context *msg, >+ void *private_data, >+ uint32_t msg_type, >+ struct server_id server_id, >+ DATA_BLOB *data) >+{ >+ DBG_DEBUG("Got reload-config message\n"); >+ winbindd_reload_services_file((const char *)private_data); >+} >+ > /* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ > void winbindd_msg_reload_services_parent(struct messaging_context *msg, > void *private_data, >@@ -936,12 +946,20 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg, > struct server_id server_id, > DATA_BLOB *data) > { >+ struct winbind_msg_relay_state state = { >+ .msg_ctx = msg, >+ .msg_type = msg_type, >+ .data = data, >+ }; >+ > DBG_DEBUG("Got reload-config message\n"); > > /* Flush various caches */ > winbindd_flush_caches(); > > winbindd_reload_services_file((const char *)private_data); >+ >+ forall_children(winbind_msg_relay_fn, &state); > } > > /* Set our domains as offline and forward the offline message to our children. */ >@@ -1784,6 +1802,10 @@ static bool fork_domain_child(struct winbindd_child *child) > messaging_register(global_messaging_context(), NULL, > MSG_WINBIND_DISCONNECT_DC, > winbind_msg_disconnect_dc); >+ messaging_register(global_messaging_context(), >+ override_logfile ? NULL : child->logfilename, >+ MSG_SMB_CONF_UPDATED, >+ winbindd_msg_reload_services_child); > > primary_domain = find_our_domain(); > >-- >2.26.2 > > >From 73a1fa37af353fcc01eb58fb87ec1c1660e11eee Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Wed, 13 Jan 2021 11:54:40 +0100 >Subject: [PATCH 05/12] selftest: add a test for "winbind:ignore domains" > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 
> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 32197d21dabecaee9bc1d6cd557578892220fe4c) >--- > .../samba3.blackbox.winbind_ignore_domain | 3 + > .../tests/test_winbind_ignore_domains.sh | 104 ++++++++++++++++++ > source3/selftest/tests.py | 3 + > 3 files changed, 110 insertions(+) > create mode 100644 selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain > create mode 100755 source3/script/tests/test_winbind_ignore_domains.sh > >diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain >new file mode 100644 >index 00000000000..e20ea025655 >--- /dev/null >+++ b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain >@@ -0,0 +1,3 @@ >+^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_ip\(ad_member_idmap_ad:local\) >+^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn\(ad_member_idmap_ad:local\) >+^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5\(ad_member_idmap_ad:local\) >diff --git a/source3/script/tests/test_winbind_ignore_domains.sh b/source3/script/tests/test_winbind_ignore_domains.sh >new file mode 100755 >index 00000000000..adce8abb09c >--- /dev/null >+++ b/source3/script/tests/test_winbind_ignore_domains.sh 
>@@ -0,0 +1,104 @@ >+#!/bin/sh >+ >+incdir=`dirname $0`/../../../testprogs/blackbox >+. $incdir/subunit.sh >+. $incdir/common_test_fns.inc >+ >+failed=0 >+ >+smbclient="$BINDIR/smbclient" >+smbcontrol="$BINDIR/smbcontrol" >+ldbmodify="$BINDIR/ldbmodify" >+ldbsearch="$BINDIR/ldbsearch" >+wbinfo="$BINDIR/wbinfo" >+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf >+SERVER_FQDN=$(echo "$SERVER.$REALM" | awk '{print tolower($0)}') >+ >+TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}') >+if [ $? -ne 0 ] ; then >+ echo "Could not find trusted base DN" | subunit_fail_test "test_idmap_ad" >+ exit 1 >+fi >+ >+# >+# Add POSIX ids to trusted domain >+# >+add_posix_ids() { >+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \ >+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD" >+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN >+changetype: modify >+add: uidNumber >+uidNumber: 2500000 >+EOF >+ >+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \ >+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD" >+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN >+changetype: modify >+add: gidNumber >+gidNumber: 2500001 >+EOF >+ >+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \ >+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD" >+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN >+changetype: modify >+add: gidNumber >+gidNumber: 2500002 >+EOF >+} >+ >+# >+# Remove POSIX ids from trusted domain >+# >+remove_posix_ids() { >+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \ >+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD" >+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN >+changetype: modify >+delete: uidNumber >+uidNumber: 2500000 >+EOF >+ >+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \ >+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD" >+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN >+changetype: modify >+delete: gidNumber >+gidNumber: 2500001 >+EOF >+ >+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \ >+ -U 
"$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD" >+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN >+changetype: modify >+delete: gidNumber >+gidNumber: 2500002 >+EOF >+} >+ >+add_posix_ids >+ >+echo "" > $global_inject_conf >+$smbcontrol winbindd reload-config >+$wbinfo -p >+ >+test_smbclient "test_winbind_ignore_domains_ok_ntlm_ip" "ls" "//$SERVER_IP/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` >+test_smbclient "test_winbind_ignore_domains_ok_ntlm_fqdn" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` >+test_smbclient "test_winbind_ignore_domains_ok_krb5" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD -k || failed=`expr $failed + 1` >+ >+echo "winbind:ignore domains = $TRUST_DOMAIN" > $global_inject_conf >+$smbcontrol winbindd reload-config >+$wbinfo -p >+ >+test_smbclient_expect_failure "test_winbind_ignore_domains_fail_ntlm_ip" "ls" "//$SERVER_IP/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` >+test_smbclient_expect_failure "test_winbind_ignore_domains_fail_ntlm_fqdn" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` >+test_smbclient_expect_failure "test_winbind_ignore_domains_fail_krb5" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD -k || failed=`expr $failed + 1` >+ >+echo "" > $global_inject_conf >+$smbcontrol winbindd reload-config >+$wbinfo -p >+remove_posix_ids >+ >+testok $0 $failed >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index c7280c630dc..0250eb11684 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py 
>@@ -1037,6 +1037,9 @@ plantestsuite("samba3.blackbox.smbd_no_krb5", "ad_member:local", > [os.path.join(samba3srcdir, "script/tests/test_smbd_no_krb5.sh"), > smbclient3, '$SERVER', "$DC_USERNAME", "$DC_PASSWORD", "$PREFIX"]) > >+plantestsuite("samba3.blackbox.winbind_ignore_domain", "ad_member_idmap_ad:local", >+ [os.path.join(samba3srcdir, "script/tests/test_winbind_ignore_domains.sh")]) >+ > plantestsuite("samba3.blackbox.durable_v2_delay", "simpleserver:local", > [os.path.join(samba3srcdir, "script/tests/test_durable_handle_reconnect.sh")]) > >-- >2.26.2 > > >From ff875901e26ee70c729466d4e747fc7e781ea15f Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Mon, 11 Jan 2021 16:15:15 +0100 >Subject: [PATCH 06/12] winbind: move "winbind:ignore domain" logic to a > seperate function > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 894caca79476d25a0268d89b2ad8a5758b7e31f3) >--- > source3/include/proto.h | 1 + > source3/lib/util_names.c | 20 ++++++++++++++++++++ > source3/winbindd/winbindd_util.c | 10 ++-------- > 3 files changed, 23 insertions(+), 8 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 6c9cf130d04..16cd587ed30 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -304,6 +304,7 @@ struct passwd *Get_Pwnam_alloc(TALLOC_CTX *mem_ctx, const char *user); > /* The following definitions come from lib/util_names.c */ > const char *get_global_sam_name(void); > const char *my_sam_name(void); >+bool is_allowed_domain(const char *domain_name); > > /* The following definitions come from lib/util.c */ > >diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c >index 15236c913df..630a25875c7 100644 >--- a/source3/lib/util_names.c >+++ b/source3/lib/util_names.c 
>@@ -182,3 +182,23 @@ const char *my_sam_name(void) > > return lp_workgroup(); > } >+ >+bool is_allowed_domain(const char *domain_name) >+{ >+ const char **ignored_domains = NULL; >+ const char **dom = NULL; >+ >+ ignored_domains = lp_parm_string_list(-1, >+ "winbind", >+ "ignore domains", >+ NULL); >+ >+ for (dom = ignored_domains; dom != NULL && *dom != NULL; dom++) { >+ if (gen_fnmatch(*dom, domain_name) == 0) { >+ DBG_NOTICE("Ignoring domain '%s'\n", domain_name); >+ return false; >+ } >+ } >+ >+ return true; >+} >diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c >index a5f5defcd87..414b770a271 100644 >--- a/source3/winbindd/winbindd_util.c >+++ b/source3/winbindd/winbindd_util.c >@@ -126,8 +126,6 @@ static NTSTATUS add_trusted_domain(const char *domain_name, > struct winbindd_domain **_d) > { > struct winbindd_domain *domain = NULL; >- const char **ignored_domains = NULL; >- const char **dom = NULL; > int role = lp_server_role(); > struct dom_sid_buf buf; > >@@ -136,12 +134,8 @@ static NTSTATUS add_trusted_domain(const char *domain_name, > return NT_STATUS_INVALID_PARAMETER; > } > >- ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL); >- for (dom=ignored_domains; dom && *dom; dom++) { >- if (gen_fnmatch(*dom, domain_name) == 0) { >- DEBUG(2,("Ignoring domain '%s'\n", domain_name)); >- return NT_STATUS_NO_SUCH_DOMAIN; >- } >+ if (!is_allowed_domain(domain_name)) { >+ return NT_STATUS_NO_SUCH_DOMAIN; > } > > /* >-- >2.26.2 > > >From e72cba47088e9bb762244237ba524f0a11b76d65 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Mon, 11 Jan 2021 16:50:31 +0100 >Subject: [PATCH 07/12] winbind: check for allowed domains in > winbindd_dual_pam_auth() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 
> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 4cefdf03fec91cdcf700922b1a5ceca02407e259) >--- > source3/winbindd/winbindd_pam.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 10c5ff2a7e2..560a2b992a8 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -2405,6 +2405,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, > goto done; > } > >+ if (!is_allowed_domain(info3->base.logon_domain.string)) { >+ DBG_NOTICE("Authentication failed for user [%s] " >+ "from firewalled domain [%s]\n", >+ info3->base.account_name.string, >+ info3->base.logon_domain.string); >+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; >+ goto done; >+ } >+ > result = append_auth_data(state->mem_ctx, state->response, > state->request->flags, > validation_level, >-- >2.26.2 > > >From d9faaff2ae767cb905aa441e4caae39cc6a4bcbe Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Mon, 11 Jan 2021 17:10:19 +0100 >Subject: [PATCH 08/12] winbind: check for allowed domains in > winbindd_dual_pam_auth_crap() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit c17bc9c6115e4e92132f3cb912547eac78227938) >--- > .../knownfail.d/samba3.blackbox.winbind_ignore_domain | 1 - > source3/winbindd/winbindd_pam.c | 10 ++++++++++ > 2 files changed, 10 insertions(+), 1 deletion(-) > >diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain >index e20ea025655..e1eedc9aa2a 100644 >--- a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain >+++ b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain 
>@@ -1,3 +1,2 @@ >-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_ip\(ad_member_idmap_ad:local\) > ^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn\(ad_member_idmap_ad:local\) > ^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5\(ad_member_idmap_ad:local\) >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 560a2b992a8..25ebd82c638 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -2767,6 +2767,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, > goto done; > } > >+ if (!is_allowed_domain(info3->base.logon_domain.string)) { >+ DBG_NOTICE("Authentication failed for user [%s] " >+ "from firewalled domain [%s]\n", >+ info3->base.account_name.string, >+ info3->base.logon_domain.string); >+ state->response->data.auth.authoritative = true; >+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; >+ goto done; >+ } >+ > result = append_auth_data(state->mem_ctx, state->response, > state->request->flags, > validation_level, >-- >2.26.2 > > >From c58beb56a63da4e341f4ce66aa84e62c1c868efe Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Mon, 11 Jan 2021 17:19:05 +0100 >Subject: [PATCH 09/12] winbind: check for allowed domains in > winbindd_dual_pam_chng_pswd_auth_crap() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 4bc17600bc50fbc0e54d9d019d8db67001fc3eef) >--- > source3/winbindd/winbindd_pam.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 25ebd82c638..5dcfeb11b99 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c 
>@@ -3106,6 +3106,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai > fstrcpy(domain,lp_workgroup()); > } > >+ if (!is_allowed_domain(domain)) { >+ DBG_NOTICE("Authentication failed for user [%s] " >+ "from firewalled domain [%s]\n", >+ state->request->data.chng_pswd_auth_crap.user, >+ domain); >+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; >+ goto done; >+ } >+ > if(!*user) { > fstrcpy(user, state->request->data.chng_pswd_auth_crap.user); > } >-- >2.26.2 > > >From 487650b54bae7c75693521fabaf8ff1354e48a1f Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Mon, 11 Jan 2021 17:59:48 +0100 >Subject: [PATCH 10/12] winbind: check for allowed domains in > winbindd_dual_pam_chauthtok() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3) >--- > source3/winbindd/winbindd_pam.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 5dcfeb11b99..3375af66821 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -2845,6 +2845,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact > goto done; > } > >+ if (!is_allowed_domain(domain)) { >+ DBG_NOTICE("Authentication failed for user [%s] " >+ "from firewalled domain [%s]\n", >+ user, domain); >+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; >+ goto done; >+ } >+ > /* Change password */ > > oldpass = state->request->data.chauthtok.oldpass; >-- >2.26.2 > > >From 862a956823766ae238658cc29746adcb4ec05958 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 14 Jan 2021 10:42:53 +0100 >Subject: [PATCH 11/12] winbind: check for allowed domains in > winbindd_pam_auth_pac_verify() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 
> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003) >--- > .../knownfail.d/samba3.blackbox.winbind_ignore_domain | 2 -- > source3/winbindd/winbindd_pam.c | 8 ++++++++ > 2 files changed, 8 insertions(+), 2 deletions(-) > delete mode 100644 selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain > >diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain >deleted file mode 100644 >index e1eedc9aa2a..00000000000 >--- a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain >+++ /dev/null >@@ -1,2 +0,0 @@ >-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn\(ad_member_idmap_ad:local\) >-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5\(ad_member_idmap_ad:local\) >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 3375af66821..f27802ee065 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -3325,6 +3325,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state, > return result; > } > >+ if (!is_allowed_domain(info6->base.logon_domain.string)) { >+ DBG_NOTICE("Authentication failed for user [%s] " >+ "from firewalled domain [%s]\n", >+ info6->base.account_name.string, >+ info6->base.logon_domain.string); >+ return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; >+ } >+ > result = map_info6_to_validation(state->mem_ctx, > info6, > &validation_level, >-- >2.26.2 > > >From 45343a6487146a6dc3804b0c791ed13c9505d8d8 Mon Sep 17 00:00:00 2001 
>From: Ralph Boehme <slow@samba.org> >Date: Fri, 15 Jan 2021 12:56:25 +0100 >Subject: [PATCH 12/12] s3/auth: implement "winbind:ignore domains" > >Under the following conditions a user from an ignored domain might be able to >authenticate: > >- using Kerberos > >- successfully previous authentication so the idmap and name caches are filled > >- winbind not running (fwiw, winbindd is mandatory on a domain member) > >- nscd running with a cached getpwnam for the ignored user (otherwise auth fails > because getpwnam fails) > >- lookup_name() function being modified to look into the name cache before > contacting winbindd. Currently it talks directly to winbindd and that will > check the cache. > >Currently, authentication will only fail because creating the local token for >the user fails because an LSA lookupname RPC call fails (because winbindd is not >running). > >All of this makes a successfull authentication unlikelly, but that is more by >accident then by design. > >To ensures that if winbindd is not running and as such winbindd itself can not >enforce the restriction, also implement the ignored domains check in the auth >system as a last line of defense. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 >RN: "winbind:ignore domains" doesn't prevent user login from trusted domain > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit df5fe2d835169161d3930acf1e9c750dd2bc64b6) >--- > source3/auth/auth_util.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 9427c05f573..4686b29111e 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c 
>@@ -485,6 +485,14 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, > return NT_STATUS_LOGON_FAILURE; > } > >+ if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { >+ DBG_NOTICE("Authentication failed for user [%s] " >+ "from firewalled domain [%s]\n", >+ server_info->info3->base.account_name.string, >+ server_info->info3->base.logon_domain.string); >+ return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; >+ } >+ > if (server_info->cached_session_info != NULL) { > session_info = copy_session_info(mem_ctx, > server_info->cached_session_info); >-- >2.26.2 >
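Review bot: PATCH 01, the provision() hunk in selftest/target/Samba3.pm: the hosts-file change only makes nss_wrapper resolve idmapadmember.samba2008r2.example.com; the DNS registration failure quoted in the message ("DNS Update for idmapadmember.samba.example.com failed: ERROR_DNS_UPDATE_FAILED") is left as is, so the new krb5 test passes because resolution never reaches the DC's DNS, not because the join now registers the record. Put a short comment next to `$dns_domain = lc($realm);` (or a follow-up bug reference) so the workaround is not mistaken for the fix, and note that the `else` fallback to "samba.example.com" silently keeps the old fqdn for every provision() caller that does not pass `realm`.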
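Review bot: PATCH 02, the winbindd.c hunk that removes msg_reload_services() and registers winbindd_msg_reload_services_parent(): the retained comment "React on 'smbcontrol winbindd reload-config' in the same way as to SIGHUP signal" does not match the code. The SIGHUP handler calls `flush_caches_noinit();` while the message handler (now in winbindd_dual.c) calls `winbindd_flush_caches();`. Since the code is being moved anyway, either make the two handlers call the same flush routine or reword the comment to say what actually differs.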
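Review bot: PATCH 03, the winbindd_reload_services_file() hunk: moving `lp_set_logfile(lfile)` after `lp_load_global()` is right, but both `reopen_logs()` calls are kept, so the first one now runs before the config is loaded and before the child name is restored, and the second one is what actually applies `lfile`. The first call looks redundant after this reordering. More importantly `ret` from lp_load_global() is assigned and the function goes straight on to reopen_logs()/load_interfaces()/winbindd_setup_max_fds(), and the new message handlers in winbindd_dual.c (PATCH 02 and 04) call `winbindd_reload_services_file((const char *)private_data);` without looking at the return value, so a config that fails to parse on reload-config is silent apart from whatever lp_load_global() logs. Consider returning early when `!ret`, and logging at ERR level in the handlers when the reload fails, since a child that silently keeps a stale "winbind:ignore domains" list defeats the point of this series.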
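Review bot: PATCH 04, the hunk adding winbindd_msg_reload_services_child(): unlike the parent handler it does not call winbindd_flush_caches() before reloading. If that is deliberate (the caches are owned by the parent), a one-line comment saying so would stop the next reader from "fixing" it. Also `DBG_DEBUG("Got reload-config message\n");` is identical in parent and child, so the log does not show which process handled it; adding the child's domain name or "child" to the message makes a reload easy to trace across the per-domain log files.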
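Review bot: PATCH 04, the fork_domain_child() hunk: the MSG_SMB_CONF_UPDATED registration is added only here, while the parent relays the message with `forall_children(winbind_msg_relay_fn, &state);` to every child. Any child created on a path other than fork_domain_child() (none are visible in this diff) would drop the message and keep its old parameter list, and from PATCH 06 onward is_allowed_domain() reads `lp_parm_string_list()` in whichever child runs winbindd_dual_pam_auth*(), so that child must see the reloaded config. Please confirm every child type that can serve an auth request registers this handler, and pass the same `override_logfile ? NULL : child->logfilename` private data so the child's log name survives the reload (PATCH 03 depends on it).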
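Review bot: PATCH 05, the TRUST_BASE_DN block of test_winbind_ignore_domains.sh: `if [ $? -ne 0 ]` after `TRUST_BASE_DN=$($ldbsearch ... | awk ...)` tests the exit status of awk, not of ldbsearch, so an unreachable $TRUST_SERVER yields an empty base DN and the script carries on into ldbmodify with `dn: CN=Administrator,CN=Users,`. Check `[ -z "$TRUST_BASE_DN" ]` instead. The failure message names "test_idmap_ad" (copied from another script); rename it to this suite. The hard-coded uidNumber/gidNumber 2500000..2500002 are added and later deleted without checking whether the attributes already existed, and the script has no trap, so a failure between add_posix_ids and remove_posix_ids leaves the trusted DC modified for later tests in the same environment.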
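Review bot: PATCH 05, the ok/fail test block and the knownfail file: the three `test_smbclient_expect_failure` calls only assert that the connection failed, not that it failed with NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so a broken DC, DNS or idmap setup would make the "fail" tests pass for the wrong reason. Grep the smbclient output or the winbindd log for "firewalled domain" (the string logged by the hunks in PATCH 07 through 12) to tie the failure to this feature. Coverage is also narrower than the series: smbclient exercises only the NTLM auth_crap path (PATCH 08) and the Kerberos PAC path (PATCH 11), which is why the knownfail entries are removed exactly in those two commits and not in PATCH 07. A `wbinfo -a "$TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD"` expected to fail would cover winbindd_dual_pam_auth(), and a password-change attempt would cover PATCH 09 and 10, neither of which is tested here.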
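Review bot: PATCH 06, the new is_allowed_domain() in source3/lib/util_names.c: there is no NULL guard on `domain_name` before `gen_fnmatch(*dom, domain_name)`, and the later callers pass `info3->base.logon_domain.string` and `info6->base.logon_domain.string` straight in. Add `if (domain_name == NULL) { return false; }` (fail closed) or state the non-NULL precondition in a comment above the function. Two things worth a doc comment now that this function is shared with smbd: the patterns are globs matched against the NetBIOS/short domain name reported in the logon data (the test configures `$TRUST_DOMAIN`, not `$TRUST_REALM`), so listing a DNS realm will not match; and the log line moved from `DEBUG(2,...)` to `DBG_NOTICE` (level 3), so anyone grepping at level 2 for "Ignoring domain" will no longer see it.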
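Review bot: PATCH 07 and PATCH 08, the winbindd_dual_pam_auth() and winbindd_dual_pam_auth_crap() hunks: checking `info3->base.logon_domain.string`, i.e. the domain that actually vouched for the account after the DC answered, rather than the domain name the client supplied is the right property and closes the obvious "log in as OTHERDOM\user" bypass. The two hunks differ in that only the auth_crap one sets `state->response->data.auth.authoritative = true;` before returning NT_STATUS_AUTHENTICATION_FIREWALL_FAILED. If that is because the plaintext path has no non-authoritative fallback in its callers, a short comment in the PATCH 07 hunk would make the asymmetry deliberate; otherwise set it in both so no caller treats the rejection as "try another backend".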
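Review bot: PATCH 09 and PATCH 10, the winbindd_dual_pam_chng_pswd_auth_crap() and winbindd_dual_pam_chauthtok() hunks: here the check runs on `domain` taken from the request (with the `fstrcpy(domain,lp_workgroup())` fallback in the first hunk), not on a validation structure, because nothing has authenticated yet at that point. That makes it a check on the client-supplied domain name, and whether a client can reach an ignored domain's account by naming a different domain depends on how the parent routed the request to this child, which is not visible in the diff. A comment stating why the request domain is the right thing to test here, plus the missing password-change test noted for PATCH 05, would close that gap.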
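Review bot: PATCH 11, the winbindd_pam_auth_pac_verify() hunk: this is the Kerberos path the blackbox test exercises, hence the last two knownfail entries are deleted in this commit; placing the check after the PAC has been validated and before map_info6_to_validation() is correct, since `info6->base.logon_domain.string` is only trustworthy once the PAC signature has been checked. Unlike the NTLM hunk this function returns NTSTATUS directly with no authoritative flag, so please confirm the caller in smbd surfaces NT_STATUS_AUTHENTICATION_FIREWALL_FAILED to the client the same way the auth_crap path does, otherwise Kerberos and NTLM clients will see different errors for the same policy.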
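Review bot: PATCH 12, the create_local_token() hunk in source3/auth/auth_util.c: enforcing the list a second time in smbd is a sound last line of defence, but two behavioural consequences deserve a sentence in the release note, which at present consists only of the `RN:` tag (no smb.conf(5) or WHATSNEW hunk appears in any of the twelve diffstats). First, "winbind:ignore domains" changes meaning from "do not enumerate this trust" to "refuse every session setup whose logon domain matches", and because the patterns are globs an over-broad value such as `*` now fails every session setup in smbd, including the primary domain, rather than merely hiding trusts. Second, the rejection is logged only at NOTICE with the text "firewalled domain", which is what an administrator should grep for when users from a formerly working trust suddenly cannot log in after an upgrade to 4.13/4.14.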
Flags: jra: review+
Attachments on bug 14602: 16400 | 16401