Bug 13278 - Winbindd (on an AD DC) should only use netlogon/lsa against trusted domains
Winbindd (on an AD DC) should only use netlogon/lsa against trusted domains
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.8.0rc2
All All
: P5 regression
: 4.8
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on: 13289
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-19 11:04 UTC by Stefan Metzmacher
Modified: 2018-02-28 11:39 UTC (History)
3 users (show)

See Also:


Attachments
Patch for 4.8 cherry-picked from master (13.20 KB, patch)
2018-02-27 11:04 UTC, Ralph Böhme
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2018-02-19 11:04:41 UTC
Currently winbindd tries to contact trusted domains also via
SAMR or LDAP.

It was a big mistake to do this on a domain member, but users
seem to rely on some of this features.

We should not make the same mistake again and make sure
winbindd only uses netlogon and lsa lookup sid/names
using netlogon secure channel protection over an anonymous
dcerpc transport (ncacn_ip_tcp or ncacn_np as anonymous).
Comment 1 Ralph Böhme 2018-02-27 11:04:50 UTC
Created attachment 14004 [details]
Patch for 4.8 cherry-picked from master
Comment 2 Stefan Metzmacher 2018-02-27 16:11:23 UTC
Pushed to autobuild-v4-8-test.
Comment 3 Karolin Seeger 2018-02-28 11:39:52 UTC
Pushed to v4-8-test.
Closing out bug report.

Thanks!