Bug 14602 - "winbind:ignore domains" doesn't prevent user login from trusted domain
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.12.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2020-12-28 07:42 UTC by Lev
Modified: 2021-03-11 11:47 UTC

Attachments
Patch for 4.13 and 4.14 cherry-picked from master (31.22 KB, patch)
2021-01-22 09:49 UTC, Ralph Böhme
jra: review+
Patch for 4.12 backported from master (19.76 KB, patch)
2021-01-22 09:52 UTC, Ralph Böhme
jra: review+

Description Lev 2020-12-28 07:42:23 UTC
We have a primary domain ZADARA2, and trusted domain CHILD in the ignore list:

[global]
	allow trusted domains = true
	guest ok = No
	security = ADS
	realm = zadara2.lab
	workgroup = ZADARA2
	idmap config zadara2 : backend = rid
	idmap config zadara2 : range = 5000000-15000000
	idmap config * : backend = tdb
	idmap config * : range = 1000001-2000000
	winbind offline logon = yes
	winbind scan trusted domains = Yes
	winbind use default domain = No
	winbind:ignore domains = CHILD TREE ZADARA3
	
As expected, wbinfo -m returns only the primary domain:

# wbinfo -m
BUILTIN
VSA-00000004
ZADARA2

However, user dimachild@CHILD can now log in successfully:

C:\Users\dimachild>net use \\10.2.4.28\smb1
The command completed successfully.

Back in Samba 4.5 it worked fine, i.e. login failed. I guess this was broken in Samba 4.8, where "The dependency to global list of trusted domains within the winbindd processes has been reduced a lot.". If this is now "by design", we probably need to at least fix the documentation, which says "Allows one to enter a list of trusted domains winbind should ignore (untrust)."
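
A check an administrator could run for the behaviour reported above (an added example, not part of the original report or of Samba's code): it reads the ignore list from the smb.conf in the report and flags authenticated accounts whose domain is on it. The function names and the account list are assumptions made for the illustration, and domain names are compared as exact short names, case-insensitively.

```python
import re

# Relevant lines of the smb.conf quoted in the report.
SMB_CONF = """\
[global]
	allow trusted domains = true
	winbind:ignore domains = CHILD TREE ZADARA3
"""

# Constructed sample of authenticated accounts; dimachild@CHILD is from the report.
SAMPLE_ACCOUNTS = ["ZADARA2\\alice", "dimachild@CHILD", "child\\bob"]


def ignored_domains(conf_text):
    """Upper-cased names from [global] 'winbind:ignore domains'."""
    section, found = None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Compare the option name without regard to case or spacing.
        name = re.sub(r"\s+", "", key).lower()
        if sep and section == "global" and name == "winbind:ignoredomains":
            found = {d.upper() for d in re.split(r"[\s,;]+", value) if d}
    return found


def domain_of(account):
    """Domain part of DOMAIN\\user or user@DOMAIN, else None."""
    if "\\" in account:
        return account.split("\\", 1)[0].upper()
    if "@" in account:
        return account.rsplit("@", 1)[1].upper()
    return None


def accounts_from_ignored_domains(conf_text, accounts):
    """Accounts whose domain is on the ignore list but logged in anyway."""
    ignored = ignored_domains(conf_text)
    return [a for a in accounts if domain_of(a) in ignored]


if __name__ == "__main__":
    for hit in accounts_from_ignored_domains(SMB_CONF, SAMPLE_ACCOUNTS):
        print("login from ignored domain:", hit)
```

On a build where the ignore list is enforced at login, the returned list should be empty for real session data.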
Comment 1 Ralph Böhme 2021-01-22 09:49:22 UTC
Created attachment 16400
Patch for 4.13 and 4.14 cherry-picked from master
Comment 2 Ralph Böhme 2021-01-22 09:52:44 UTC
Created attachment 16401
Patch for 4.12 backported from master

The first patch that modifies selftest infrastructure didn't apply due to heavy changes in selftest provision between 4.12 and 4.13.

I opted to simply remove the tests from the patches to avoid backporting the DNS domainname changes.
Comment 3 Jeremy Allison 2021-01-22 21:00:46 UTC
Re-assigning to Karolin for inclusion in 4.14.next, 4.13.next, 4.12.next.
Comment 4 Karolin Seeger 2021-01-27 10:21:36 UTC
(In reply to Jeremy Allison from comment #3)
Pushed to autobuild-v4-{14,13,12}-test.
Comment 5 Samba QA Contact 2021-01-29 13:53:58 UTC
This bug was referenced in samba master.
Comment 6 Samba QA Contact 2021-01-29 13:54:48 UTC
This bug was referenced in samba v4-12-test.
Comment 7 Samba QA Contact 2021-01-29 13:54:56 UTC
This bug was referenced in samba v4-14-test.
Comment 8 Samba QA Contact 2021-02-01 08:48:04 UTC
This bug was referenced in samba v4-13-test.
Comment 9 Karolin Seeger 2021-02-01 08:48:56 UTC
Closing out bug report.

Thanks!
Comment 10 Samba QA Contact 2021-02-04 08:26:50 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.0rc2).
Comment 11 Samba QA Contact 2021-03-09 11:02:00 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.5).
Comment 12 Samba QA Contact 2021-03-11 11:47:47 UTC
This bug was referenced in samba v4-12-stable (Release samba-4.12.12).