Fix resolving trusted domain users on domain member

This commit is contained in:
Andreas Schneider 2016-06-15 09:37:09 +02:00
parent 4d1ac173ea
commit 2b0a560ef1
4 changed files with 75 additions and 63 deletions

View File

@ -1,59 +0,0 @@
From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 12 Apr 2016 09:36:12 +0300
Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
domains DCs
Allow cm_connect_netlogon() to talk to trusted domains' DCs when
running in a domain member configuration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
source3/winbindd/winbindd_cm.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 45e3fad..6f5a042 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2851,9 +2851,10 @@ retry:
anonymous:
/* Finally fall back to anonymous. */
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
status = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
@@ -3150,7 +3151,8 @@ retry:
anonymous:
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
result = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make LSA connection to domain %s "
"without connection level security, "
@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
TALLOC_FREE(netlogon_creds);
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
+ (IS_DC || domain->primary)) {
result = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make connection to domain %s"
+ DEBUG(1, ("Unwilling to make connection to domain %s "
"without connection level security, "
"must set 'winbind sealed pipes = false' and "
"'require strong key = false' to proceed: %s\n",
--
2.5.5

View File

@ -0,0 +1,68 @@
From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 10 Jun 2016 16:51:18 +0200
Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain
DCs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee)
---
source3/winbindd/winbindd_cm.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 45e3fad..f1f98db 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
struct cli_credentials *creds;
NTSTATUS status;
bool force_machine_account = false;
+ bool ok;
/* If we are a DC and this is not our own domain */
@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
CRED_DONT_USE_KERBEROS);
}
- if (creds_domain != domain) {
+ /*
+ * When we contact our own domain and get a list of the trusted domain
+ * we have the information if we are able to contact the DC with
+ * with our machine account password.
+ */
+ ok = winbindd_can_contact_domain(domain);
+ if (!ok) {
/*
* We can only use schannel against a direct trust
*/
@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
sec_chan_type = cli_credentials_get_secure_channel_type(creds);
if (sec_chan_type == SEC_CHAN_NULL) {
+ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
+ domain->name);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
conn->netlogon_flags = netlogon_creds->negotiate_flags;
TALLOC_FREE(netlogon_creds);
+ /*
+ * FIXME: Document in which case we are not able to contact
+ * a DC without schannel. Which information do we try to get
+ * from this DC?
+ */
if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
result = NT_STATUS_DOWNGRADE_DETECTED;
--
2.8.4

View File

@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering # ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering %bcond_without clustering
%define main_release 1 %define main_release 2
%define samba_version 4.4.4 %define samba_version 4.4.4
%define talloc_version 2.1.6 %define talloc_version 2.1.6
@ -107,7 +107,7 @@ Source6: samba.pamd
Source200: README.dc Source200: README.dc
Source201: README.downgrade Source201: README.downgrade
Patch0: samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch Patch0: samba-4.4.5-fix_resolving_trusted_domain_users.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@ -685,7 +685,7 @@ and use CTDB instead.
%prep %prep
%setup -q -n samba-%{version}%{pre_release} %setup -q -n samba-%{version}%{pre_release}
%patch0 -p 1 -b .samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch %patch0 -p 1 -b .samba-4.4.5-fix_resolving_trusted_domain_users.patch
%build %build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@ -1992,6 +1992,9 @@ rm -rf %{buildroot}
%endif # with_clustering_support %endif # with_clustering_support
%changelog %changelog
* Wed Jun 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-2
- Fix resolving trusted domain users on domain member
* Tue Jun 07 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.4-1 * Tue Jun 07 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.4-1
- Update to Samba 4.4.4 - Update to Samba 4.4.4
- resolves: #1343529 - resolves: #1343529

View File

@ -295,7 +295,7 @@
; writable = no ; writable = no
; share modes = no ; share modes = no
# Un-comment the following to provide a specific roving profile share. # Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory: # The default is to use the user's home directory:
; [Profiles] ; [Profiles]
; path = /var/lib/samba/profiles ; path = /var/lib/samba/profiles