Bug 13173 - Dependency on trusted-domain list in winbindd in critical auth codepath
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2017-12-01 16:41 UTC by Ralph Böhme
Modified: 2017-12-06 09:30 UTC

Patch for 4.7 cherry-picked from master (6.13 KB, patch)
2017-12-01 16:48 UTC, Ralph Böhme
metze: review+

Description Ralph Böhme 2017-12-01 16:41:19 UTC
Commit 8a2bbba5cd0862ac196739c1e52385f7be1e3836 added a call to find_domain_from_name_noinit() to winbindd in a critical authentication codepath that is triggered with getpwsid, which causes authentication failure with users from trusted domains that are not in the trusted domain list.

Commit 1ce165a73350e802500c32435dbefe3639340435 in master fixed this particular problematic use of find_domain_from_name_noinit(), but the real underlying problem is the use of a trusted-domain list in the first place.

But as 4.7 contains a backport of 8a2bbba5cd0862ac196739c1e52385f7be1e3836, we should backport 1ce165a73350e802500c32435dbefe3639340435 as well.
Comment 1 Ralph Böhme 2017-12-01 16:48:26 UTC
Created attachment 13834
Patch for 4.7 cherry-picked from master
Comment 2 Karolin Seeger 2017-12-05 09:34:16 UTC
(In reply to Ralph Böhme from comment #1)
Pushed to autobuild-v4-7-test.
Comment 3 Karolin Seeger 2017-12-06 09:30:07 UTC
Pushed to v4-7-test.
Closing out bug report.