From 2b0a560ef1230e1079eb03a35a5b0eac59aac489 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 15 Jun 2016 09:37:09 +0200
Subject: [PATCH] Fix resolving trusted domain users on domain member
---
 ...sure-domain-member-can-talk-to-trust.patch | 59 ----------------
 ...5-fix_resolving_trusted_domain_users.patch | 68 +++++++++++++++++++
 samba.spec | 9 ++-
 smb.conf.example | 2 +-
 4 files changed, 75 insertions(+), 63 deletions(-)
 delete mode 100644 samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
 create mode 100644 samba-4.4.5-fix_resolving_trusted_domain_users.patch
diff --git a/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch b/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
deleted file mode 100644
index 06b5a83..0000000
--- a/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 12 Apr 2016 09:36:12 +0300 -Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted - domains DCs - - Allow cm_connect_netlogon() to talk to trusted domains' DCs when - running in a domain member configuration. - - BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 - -Signed-off-by: Alexander Bokovoy ---- - source3/winbindd/winbindd_cm.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 45e3fad..6f5a042 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -2851,9 +2851,10 @@ retry: - anonymous: - - /* Finally fall back to anonymous. */ -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) && -+ (IS_DC || domain->primary)) { - status = NT_STATUS_DOWNGRADE_DETECTED; -- DEBUG(1, ("Unwilling to make SAMR connection to domain %s" -+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s " - "without connection level security, " - "must set 'winbind sealed pipes = false' and " - "'require strong key = false' to proceed: %s\n", -@@ -3150,7 +3151,8 @@ retry: - - anonymous: - -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) && -+ (IS_DC || domain->primary)) { - result = NT_STATUS_DOWNGRADE_DETECTED; - DEBUG(1, ("Unwilling to make LSA connection to domain %s " - "without connection level security, " -@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, - TALLOC_FREE(netlogon_creds); - - if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) && -+ (IS_DC || 
domain->primary)) { - result = NT_STATUS_DOWNGRADE_DETECTED; -- DEBUG(1, ("Unwilling to make connection to domain %s" -+ DEBUG(1, ("Unwilling to make connection to domain %s " - "without connection level security, " - "must set 'winbind sealed pipes = false' and " - "'require strong key = false' to proceed: %s\n", --- -2.5.5 - diff --git a/samba-4.4.5-fix_resolving_trusted_domain_users.patch b/samba-4.4.5-fix_resolving_trusted_domain_users.patch new file mode 100644 index 0000000..68d48a1 --- /dev/null +++ b/samba-4.4.5-fix_resolving_trusted_domain_users.patch 
@@ -0,0 +1,68 @@ +From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 10 Jun 2016 16:51:18 +0200 +Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain + DCs + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 + +Pair-Programmed-With: Andreas Schneider +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee) +--- + source3/winbindd/winbindd_cm.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 45e3fad..f1f98db 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, + struct cli_credentials *creds; + NTSTATUS status; + bool force_machine_account = false; ++ bool ok; + + /* If we are a DC and this is not our own domain */ + +@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, + CRED_DONT_USE_KERBEROS); + } + +- if (creds_domain != domain) { ++ /* ++ * When we contact our own domain and get a list of the trusted domain ++ * we have the information if we are able to contact the DC with ++ * with our machine account password. 
++ */ ++ ok = winbindd_can_contact_domain(domain); ++ if (!ok) { + /* + * We can only use schannel against a direct trust + */ +@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, + + sec_chan_type = cli_credentials_get_secure_channel_type(creds); + if (sec_chan_type == SEC_CHAN_NULL) { ++ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n", ++ domain->name); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + +@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, + conn->netlogon_flags = netlogon_creds->negotiate_flags; + TALLOC_FREE(netlogon_creds); + ++ /* ++ * FIXME: Document in which case we are not able to contact ++ * a DC without schannel. Which information do we try to get ++ * from this DC? ++ */ + if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { + if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + result = NT_STATUS_DOWNGRADE_DETECTED; +-- +2.8.4 + diff --git a/samba.spec b/samba.spec index 39dd3aa..836eecd 100644 --- a/samba.spec +++ b/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 1 +%define main_release 2 %define samba_version 4.4.4 %define talloc_version 2.1.6 @@ -107,7 +107,7 @@ Source6: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch +Patch0: samba-4.4.5-fix_resolving_trusted_domain_users.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -685,7 +685,7 @@ and use CTDB instead. %prep %setup -q -n samba-%{version}%{pre_release} -%patch0 -p 1 -b .samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch +%patch0 -p 1 -b .samba-4.4.5-fix_resolving_trusted_domain_users.patch %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util 
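Review bot: The FIXME inserted above the `NETLOGON_NEG_AUTHENTICATED_RPC` check in `cm_connect_netlogon_transport` leaves an open question on a security-sensitive path: the dropped 4.4.2 patch had relaxed that same `winbind sealed pipes`/`require strong key` guard with `(IS_DC || domain->primary)`, so a domain member would have fallen through to a connection without connection-level security against trusted-domain DCs, whereas this replacement keeps the guard unconditional and instead changes credential selection in `get_trust_credentials` via `winbindd_can_contact_domain()`. Keeping the guard is the right call, but a distro patch should not ship a FIXME there without recording why the relaxation was withdrawn; I would replace it with `/* NOTE: keep this downgrade guard unconditional for trusted domains too -- the schannel fix for bug 11830 lives in get_trust_credentials, not in an unsealed fallback. */`. The new comment before the `winbindd_can_contact_domain()` call also has a doubled word; it should read `* When we contact our own domain and get the list of trusted domains, we learn whether we can contact their DCs with our machine account password.`. Both `get_trust_credentials` and `cm_connect_netlogon_transport` start and end outside this hunk, so the branch taken when `ok` is false (previously taken for `creds_domain != domain`) is not visible here and I have not verified it.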
@@ -1992,6 +1992,9 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Wed Jun 15 2016 Andreas Schneider - 4.4.4-2 +- Fix resolving trusted domain users on domain member + * Tue Jun 07 2016 Guenther Deschner - 4.4.4-1 - Update to Samba 4.4.4 - resolves: #1343529 diff --git a/smb.conf.example b/smb.conf.example index 9c35a51..7cfe647 100644 --- a/smb.conf.example +++ b/smb.conf.example @@ -295,7 +295,7 @@ ; writable = no ; share modes = no -# Un-comment the following to provide a specific roving profile share. +# Un-comment the following to provide a specific roaming profile share. # The default is to use the user's home directory: ; [Profiles] ; path = /var/lib/samba/profiles