Bug 4069 - winbind issue on trusted domains
Summary: winbind issue on trusted domains
Status: RESOLVED DUPLICATE of bug 3661
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.23
Hardware: PA-RISC Windows XP
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-29 15:11 UTC by Ying Li
Modified: 2014-07-23 12:24 UTC (History)

See Also:


Attachments

Description Ying Li 2006-08-29 15:11:40 UTC
I already posted the trusted domain issue on the mailing list, but I couldn't see a response about a trusted domain fix. By searching bugzilla, I did not find such an issue.
So I filed this. Hope to track the issue.

Here is my situation with trusted domains.
Parent domain 
   |-- Child1 domain  <== Samba joined to
   |-- Child2 domain
   |-- Child3 domain
   |-- Child4 domain
   |-- Child5 domain
All domains are Windows 2003 DC.

smb.conf
[global]
    workgroup = child1
    security = ads
    idmap uid = 20000-60000
    idmap gid = 20000-60000

First of all, trusted domains work with 3.0.14a. But they didn't work with Samba 3.0.22/23a. I checked the Samba 3.0.23b code, which has the same issue (not tested).

- In Samba 3.0.14a, an S-0-0 domain sid is allowed to be saved into the global trust variable domain_list. But from Samba 3.0.22 on, saving such domains is disallowed. This behavior change blocks lookup or auth for trusted domains. Since, for an unknown reason, the RPC_NETLOGON dsrEnumerateDomainTrusts response contains a NULL sid pointer for some trusted domains in the trusted domain array, the new code in trustdom_recv() does a check on string_to_sid() and rejects the addition of trusted domains with an S-0-0 domain sid into domain_list.
I feel this might not be very reasonable because I have the following domain list:

log.winbindd:  Added domain CHILD1 CHILD1.MYDOM.COM S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
log.winbindd:  Added domain BUILTIN  S-1-5-32
log.winbindd:  Added domain MYNETBIOS  S-1-5-21-YYYYYYYYYY-YYYYYYYYYY-YYYYYYYYYY
log.winbindd:  Added domain PARENT mydom.com S-1-5-21-ZZZZZZZZZZ-ZZZZZZZZZZ-ZZZZZZZZZZZ
log.winbindd:  Added domain CHILD2 child2.mydom.com S-0-0
log.winbindd:  Added domain CHILD3 child3.mydom.com S-0-0
log.winbindd:  Added domain CHILD4 child4.mydom.com S-1-5-21-WWWWWWWWWW-WWWWWWWWWWW-WWWWWWWWWW
log.winbindd:  Added domain CHILD5 child5.mydom.com S-1-5-21-VVVVVVVVVV-VVVVVVVVVVV-VVVVVVVVVV

That showed that child2 and child3 got an S-0-0 sid. Meanwhile the code would refuse to add child4 and child5 into the domain list. I think it's worth removing the "break" statement, so that those trusted domains with S-0-0 are still added into domain_list. When enumerating trusts returns a NULL sid pointer, this doesn't mean the winbind rpc lookup failed. Actually, the winbind rpc lookup was always successful for those S-0-0 trusted domains.

- If S-0-0 is allowed to be added into domain_list, I can see a strange problem when a trusted domain user logs on. For example, child4\avaliduser logs on. We can see winbind initialize the winbind domain to the child1 domain, which was the first element in domain_list, due to using the find_lookup_domain_from_name|sid() calls in winbindd_async.c, winbindd_util.c and winbindd_cache.c. Since the trusted domain was never BUILTIN, SAM, or the local Netbios domain, find_lookup_domain_from_name|sid() switches it to our own domain, so that the trusted domain winbind request didn't go to the trusted child process; it went to our own winbind child process.
I've verified this and fixed it by changing find_lookup_domain_from_name|sid() to find_domain_from_name|sid(). This lets winbind initialize the trusted domain and send the request to the right winbind child process.

With the above two fixes, I can fix the following trusted domain issues:
- wbinfo -u/-g lists all trusted domain users/groups.
- wbinfo --sequence gets the right results.
- trusted domain users can log on.

Here is a patch, based on 3.0.22.
diff winbindd_async.c winbindd_async.c_my
561c561
<       domain = find_lookup_domain_from_sid(sid);
---
>       domain = find_domain_from_sid(sid);
652c652
<       domain = find_lookup_domain_from_name(dom_name);
---
>       domain = find_domain_from_name(dom_name);

diff winbindd_util.c winbindd_util.c_my
267d266
<                       break;
726c725
<       domain = find_lookup_domain_from_sid(sid);
---
>       domain = find_domain_from_sid(sid);

diff winbindd_cache.c winbindd_cache.c_my
1587c1587
<       domain = find_lookup_domain_from_sid(sid);
---
>       domain = find_domain_from_sid(sid);

I'm not sure if it fits to other cases.
Thanks.
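As an added example (not part of this bug report or of Samba's own code), a small Python check that parses the "Added domain" lines quoted above and reports which trusts came back with the null S-0-0 value, which is how an all-zero SID structure (revision 0, authority 0, no sub-authorities) prints. The sample log lines are constructed, and parse_sid, is_null_sid and unresolved_trusts are hypothetical helper names.

```python
import re

# Constructed sample of the "Added domain" lines winbindd writes while building
# domain_list, in the format quoted in this bug report (SID values made up).
SAMPLE_LOG = """\
log.winbindd:  Added domain CHILD1 CHILD1.MYDOM.COM S-1-5-21-1111111111-2222222222-3333333333
log.winbindd:  Added domain BUILTIN  S-1-5-32
log.winbindd:  Added domain PARENT mydom.com S-1-5-21-4444444444-5555555555-6666666666
log.winbindd:  Added domain CHILD2 child2.mydom.com S-0-0
log.winbindd:  Added domain CHILD3 child3.mydom.com S-0-0
log.winbindd:  Added domain CHILD4 child4.mydom.com S-1-5-21-7777777777-8888888888-9999999999
"""

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

def parse_sid(text):
    """Split a textual SID into (revision, identifier authority, sub-authorities)."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a SID: %r" % text)
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    return int(m.group(1)), int(m.group(2)), subs

def is_null_sid(text):
    """True for S-0-0: a zeroed SID struct. Real NT SIDs always carry revision 1,
    so revision 0 with no sub-authorities means the SID was never resolved."""
    rev, auth, subs = parse_sid(text)
    return rev == 0 and auth == 0 and not subs

def parse_added_domains(log_text):
    """Return (netbios, dns_name, sid) for each 'Added domain' line.
    BUILTIN has no DNS name, so the middle field may be empty."""
    domains = []
    for line in log_text.splitlines():
        _, sep, rest = line.partition("Added domain ")
        if not sep:
            continue
        fields = rest.split()
        if len(fields) < 2:
            continue
        netbios, sid = fields[0], fields[-1]
        dns = fields[1] if len(fields) == 3 else ""
        domains.append((netbios, dns, sid))
    return domains

def unresolved_trusts(log_text):
    """NetBIOS names of trusts that were added with a null SID (hypothetical helper)."""
    return [nb for nb, _, sid in parse_added_domains(log_text) if is_null_sid(sid)]

if __name__ == "__main__":
    print("trusts without a resolved SID:", unresolved_trusts(SAMPLE_LOG))
```

Running this against a real log.winbindd tells an administrator which trusted domains will hit the S-0-0 path before users from those domains report logon failures.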
Comment 1 Gerald (Jerry) Carter (dead mail address) 2006-08-30 14:03:07 UTC
Please attach the patch in diff -u format. Thanks.
Comment 2 Ying Li 2006-08-30 15:38:27 UTC
(In reply to comment #1)
> Please attach the patch in diff -u format. Thanks.

diff -u winbindd_async.c winbindd_async.c_my
--- winbindd_async.c    2006-08-30 13:35:10.000000000 -0700
+++ winbindd_async.c_my 2006-08-30 13:35:39.000000000 -0700
@@ -558,7 +558,7 @@
        struct winbindd_domain *domain;
        struct winbindd_request request;

-       domain = find_lookup_domain_from_sid(sid);
+       domain = find_domain_from_sid(sid);
        if (domain == NULL) {
                DEBUG(5, ("Could not find domain for sid %s\n",
                          sid_string_static(sid)));
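Review bot: swapping find_lookup_domain_from_sid() for find_domain_from_sid() changes what the `domain == NULL` branch just below means: per the report, the old call routed SIDs of any domain other than BUILTIN, the local SAM and our own to our own domain child, whereas the new call returns NULL for a SID whose domain is not in domain_list, so the request now stops at `DEBUG(5, ("Could not find domain for sid %s\n", ...))`. That is the intended effect for trusted domains, but the commit message should say so explicitly, and a lookup that now fails outright may deserve a lower (more visible) debug level than 5.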
@@ -649,7 +649,7 @@
        struct winbindd_request request;
        struct winbindd_domain *domain;

-       domain = find_lookup_domain_from_name(dom_name);
+       domain = find_domain_from_name(dom_name);

        if (domain == NULL) {
                DEBUG(5, ("Could not find domain for name %s\n", dom_name));

diff -u winbindd_util.c winbindd_util.c_my
--- winbindd_util.c     2006-08-30 13:35:47.000000000 -0700
+++ winbindd_util.c_my  2006-08-30 13:35:41.000000000 -0700
@@ -264,7 +264,6 @@

                if (!string_to_sid(&sid, sidstr)) {
                        DEBUG(0, ("Got invalid trustdom response\n"));
-                       break;
                }

                if (find_domain_from_name_noinit(p) == NULL) {
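Review bot: removing `break` from the `!string_to_sid(&sid, sidstr)` branch leaves `sid` holding whatever the failed parse wrote into it, and the loop then continues to `find_domain_from_name_noinit(p)` and, per the report, adds the trust with that value (the S-0-0 entries in the quoted log). If trusts without a resolvable SID are to be kept on purpose, set `sid` to an explicit zeroed/null SID in that branch instead of relying on the parser's partial output, and lower or reword `DEBUG(0, ("Got invalid trustdom response\n"))`, since a level-0 "invalid response" message now describes an accepted, expected case.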
@@ -723,7 +722,7 @@
        BOOL rv = False;
        struct winbindd_domain *domain;

-       domain = find_lookup_domain_from_sid(sid);
+       domain = find_domain_from_sid(sid);

        if (!domain) {
                DEBUG(1,("Can't find domain from sid\n"));

diff -u winbindd_cache.c winbindd_cache.c_my
--- winbindd_cache.c    2006-08-30 13:35:12.000000000 -0700
+++ winbindd_cache.c_my 2006-08-30 13:35:40.000000000 -0700
@@ -1584,7 +1584,7 @@
        struct cache_entry *centry = NULL;
        NTSTATUS status;

-       domain = find_lookup_domain_from_sid(sid);
+       domain = find_domain_from_sid(sid);
        if (domain == NULL) {
                return False;
        }
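Review bot: if `domain` selects which domain's cache the `centry` below is fetched from, then with find_domain_from_sid() a trusted-domain SID is now looked up in that trusted domain's own cache instead of ours; entries that earlier code cached under our own domain will simply miss, which is acceptable but worth a line in the commit message. Keep this change in the same commit as the winbindd_async.c and winbindd_util.c changes so the lookup path and the cache path never disagree about which domain owns a SID.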
Comment 3 Jeremy Allison 2008-08-15 16:32:12 UTC
See bug #4069.
Jeremy.
Comment 4 Jeremy Allison 2008-08-15 16:32:46 UTC
Arg. I meant see bug #5363.
Jeremy.
Comment 5 Björn Jacke 2014-07-23 12:24:02 UTC
I guess this is fixed, right? Marking as dup. If you think this is not fixed, please reopen this bug - thanks!

*** This bug has been marked as a duplicate of bug 3661 ***