13173 – Dependency on trusted-domain list in winbindd in critical auth codepath

Bug 13173 - Dependency on trusted-domain list in winbindd in critical auth codepath

Summary: Dependency on trusted-domain list in winbindd in critical auth codepath

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-12-01 16:41 UTC by Ralph Böhme
Modified:	2017-12-06 09:30 UTC (History)
CC List:	1 user (show)

See Also:	12851 13167

Attachments
Patch for 4.7 cherry-picked from master (6.13 KB, patch) 2017-12-01 16:48 UTC, Ralph Böhme	metze: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2017-12-01 16:41:19 UTC

Commit 8a2bbba5cd0862ac196739c1e52385f7be1e3836 added a call to find_domain_from_name_noinit() to winbindd in a critical authentication codepath that is triggered with getpwsid which causes authentication failure with users from trusted domains that are not in the trusted domain list.

Commit 1ce165a73350e802500c32435dbefe3639340435 in master fixed this particular problematic use of find_domain_from_name_noinit(), but the real underlying problem is the use of a trusted-domain list in the first place.

But as 4.7 contains a backport of 8a2bbba5cd0862ac196739c1e52385f7be1e3836, we should backport 1ce165a73350e802500c32435dbefe3639340435 as well.

Comment 1 Ralph Böhme 2017-12-01 16:48:26 UTC

Created attachment 13834 [details]
Patch for 4.7 cherry-picked from master

Comment 2 Karolin Seeger 2017-12-05 09:34:16 UTC

(In reply to Ralph Böhme from comment #1)
Pushed to autobuild-v4-7-test.

Comment 3 Karolin Seeger 2017-12-06 09:30:07 UTC

Pushed to v4-7-test.
Closing out bug report.

Thanks!