Fix resolving trusted domain users on domain member

2016-06-15 09:37:09 +02:00 · 2016-06-15 09:37:09 +02:00 · 2b0a560ef1
commit 2b0a560ef1
parent 4d1ac173ea
4 changed files with 75 additions and 63 deletions
--- a/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+++ b/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
@ -1,59 +0,0 @@
-From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 12 Apr 2016 09:36:12 +0300
-Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
- domains DCs
-
-  Allow cm_connect_netlogon() to talk to trusted domains' DCs when
-  running in a domain member configuration.
-
-  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
- source3/winbindd/winbindd_cm.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 45e3fad..6f5a042 100644
--- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2851,9 +2851,10 @@ retry:
-  anonymous:
- 
- 	/* Finally fall back to anonymous. */
-	if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
-+	if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
-+	    (IS_DC || domain->primary)) {
- 		status = NT_STATUS_DOWNGRADE_DETECTED;
-		DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
-+		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
- 			  "without connection level security, "
- 			  "must set 'winbind sealed pipes = false' and "
- 			  "'require strong key = false' to proceed: %s\n",
-@@ -3150,7 +3151,8 @@ retry:
- 
-  anonymous:
- 
-	if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
-+	if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
-+	    (IS_DC || domain->primary)) {
- 		result = NT_STATUS_DOWNGRADE_DETECTED;
- 		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
- 			  "without connection level security, "
-@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
- 	TALLOC_FREE(netlogon_creds);
- 
- 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
-+		if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
-+		    (IS_DC || domain->primary)) {
- 			result = NT_STATUS_DOWNGRADE_DETECTED;
-			DEBUG(1, ("Unwilling to make connection to domain %s"
-+			DEBUG(1, ("Unwilling to make connection to domain %s "
- 				  "without connection level security, "
- 				  "must set 'winbind sealed pipes = false' and "
- 				  "'require strong key = false' to proceed: %s\n",
-- 
-2.5.5
-
--- a/samba-4.4.5-fix_resolving_trusted_domain_users.patch
+++ b/samba-4.4.5-fix_resolving_trusted_domain_users.patch
@ -0,0 +1,68 @@
+From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 10 Jun 2016 16:51:18 +0200
+Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain
+ DCs
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee)
+---
+ source3/winbindd/winbindd_cm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 45e3fad..f1f98db 100644
+--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
+@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+ 	struct cli_credentials *creds;
+ 	NTSTATUS status;
+ 	bool force_machine_account = false;
+	bool ok;
+ 
+ 	/* If we are a DC and this is not our own domain */
+ 
+@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+ 						   CRED_DONT_USE_KERBEROS);
+ 	}
+ 
+-	if (creds_domain != domain) {
+	/*
+	 * When we contact our own domain and get a list of the trusted domain
+	 * we have the information if we are able to contact the DC with
+	 * with our machine account password.
+	 */
+	ok = winbindd_can_contact_domain(domain);
+	if (!ok) {
+ 		/*
+ 		 * We can only use schannel against a direct trust
+ 		 */
+@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ 
+ 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ 	if (sec_chan_type == SEC_CHAN_NULL) {
+		DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
+			    domain->name);
+ 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ 	}
+ 
+@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ 	conn->netlogon_flags = netlogon_creds->negotiate_flags;
+ 	TALLOC_FREE(netlogon_creds);
+ 
+	/*
+	 * FIXME: Document in which case we are not able to contact
+	 * a DC without schannel. Which information do we try to get
+	 * from this DC?
+	 */
+ 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+ 		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ 			result = NT_STATUS_DOWNGRADE_DETECTED;
+-- 
+2.8.4
+
--- a/samba.spec
+++ b/samba.spec
@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering

-%define main_release 1
+%define main_release 2

 %define samba_version 4.4.4
 %define talloc_version 2.1.6
@ -107,7 +107,7 @@ Source6: samba.pamd
 Source200: README.dc
 Source201: README.downgrade

-Patch0:    samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+Patch0:    samba-4.4.5-fix_resolving_trusted_domain_users.patch

 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

@ -685,7 +685,7 @@ and use CTDB instead.
 %prep
 %setup -q -n samba-%{version}%{pre_release}

-%patch0 -p 1 -b .samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+%patch0 -p 1 -b .samba-4.4.5-fix_resolving_trusted_domain_users.patch

 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@ -1992,6 +1992,9 @@ rm -rf %{buildroot}
 %endif # with_clustering_support

 %changelog
+* Wed Jun 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-2
+- Fix resolving trusted domain users on domain member
+
 * Tue Jun 07 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.4-1
 - Update to Samba 4.4.4
 - resolves: #1343529
--- a/smb.conf.example
+++ b/smb.conf.example
@ -295,7 +295,7 @@
 ;	writable = no
 ;	share modes = no

-# Un-comment the following to provide a specific roving profile share.
+# Un-comment the following to provide a specific roaming profile share.
 # The default is to use the user's home directory:
 ;	[Profiles]
 ;	path = /var/lib/samba/profiles