Bug 14602 - "winbind:ignore domains" doesn't prevent user login from trusted domain
Summary: "winbind:ignore domains" doesn't prevent user login from trusted domain
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.12.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-28 07:42 UTC by Lev
Modified: 2021-01-22 09:52 UTC (History)

See Also:


Attachments
Patch for 4.13 and 4.14 cherry-picked from master (31.22 KB, patch)
2021-01-22 09:49 UTC, Ralph Böhme
slow: review? (jra)
Patch for 4.12 backported from master (19.76 KB, patch)
2021-01-22 09:52 UTC, Ralph Böhme
slow: review? (jra)

Description Lev 2020-12-28 07:42:23 UTC
We have a primary domain ZADARA2, and trusted domain CHILD in the ignore list:

[global]
	allow trusted domains = true
	guest ok = No
	security = ADS
	realm = zadara2.lab
	workgroup = ZADARA2
	idmap config zadara2 : backend = rid
	idmap config zadara2 : range = 5000000-15000000
	idmap config * : backend = tdb
	idmap config * : range = 1000001-2000000
	winbind offline logon = yes
	winbind scan trusted domains = Yes
	winbind use default domain = No
	winbind:ignore domains = CHILD TREE ZADARA3
As expected wbinfo -m returns only primary domain:

# wbinfo -m
BUILTIN
VSA-00000004
ZADARA2

However, user dimachild@CHILD may now log in successfully:

C:\Users\dimachild>net use \\10.2.4.28\smb1
The command completed successfully.

Back in samba 4.5 it worked fine, i.e. login failed. I guess this was broken in samba 4.8 where "The dependency to global list of trusted domains within the winbindd processes has been reduced a lot.". If this is now "by design", we probably need at least to fix the documentation that says "Allows one to enter a list of trusted domains winbind should ignore (untrust)."
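As an added check (not the reporter's code and not part of Samba), the script below parses the `winbind:ignore domains` list out of smb.conf and flags connected sessions whose domain is on that list, which is exactly the condition this report describes. The smb.conf fragment and the session names are constructed from the report above; in practice the session list would come from `smbstatus` or the authentication log.

```python
import re
from typing import Dict, List, Optional

# Constructed smb.conf fragment using the reporter's parameters above.
SMB_CONF = """[global]
\tallow trusted domains = true
\tsecurity = ADS
\trealm = zadara2.lab
\tworkgroup = ZADARA2
\twinbind scan trusted domains = Yes
\twinbind:ignore domains = CHILD TREE ZADARA3
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {normalised key: value}}.
    Samba compares parameter names ignoring case and whitespace, so keys
    are lower-cased with all whitespace removed before storing."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key.lower())] = value.strip()
    return sections


def ignored_domains(conf: Dict[str, Dict[str, str]]) -> set:
    """The 'winbind:ignore domains' list as upper-cased short names."""
    value = conf.get("global", {}).get("winbind:ignoredomains", "")
    return {d.upper() for d in value.replace(",", " ").split()}


def session_domain(name: str) -> Optional[str]:
    """Extract the domain from DOMAIN\\user (winbind separator form) or
    user@DOMAIN; for a realm, the first DNS label is used as the short name
    (heuristic: assumes the NetBIOS name equals the first label)."""
    if "\\" in name:
        return name.partition("\\")[0].upper()
    if "@" in name:
        return name.rsplit("@", 1)[1].split(".")[0].upper()
    return None


def sessions_from_ignored_domains(conf_text: str, names: List[str]) -> List[str]:
    """Return every session whose domain is on the ignore list."""
    ignored = ignored_domains(parse_smb_conf(conf_text))
    return [n for n in names if session_domain(n) in ignored]
```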
Comment 1 Ralph Böhme 2021-01-22 09:49:22 UTC
Created attachment 16400 [details]
Patch for 4.13 and 4.14 cherry-picked from master
Comment 2 Ralph Böhme 2021-01-22 09:52:44 UTC
Created attachment 16401 [details]
Patch for 4.12 backported from master

The first patch that modifies selftest infrastructure didn't apply due to heavy changes in selftest provision between 4.12 and 4.13.

I opted to simply remove the tests from the patches to avoid backporting the DNS domainname changes.