
winbind: don't try to do an authenticated SMB connection as AD DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 17:58:23 CET 2018 on sn-devel-144
Stefan Metzmacher 2018-02-22 10:19:58 +01:00
parent 55c3af89f1
commit 06601b3a92


@ -999,6 +999,31 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing();
if (IS_AD_DC) {
if (domain->secure_channel_type == SEC_CHAN_NULL) {
/*
* Make sure we don't even try to
* connect to a foreign domain
* without a direct outbound trust.
*/
return NT_STATUS_NO_TRUST_LSA_SECRET;
}
/*
* As AD DC we only use netlogon and lsa
* using schannel over an anonymous transport
* (ncacn_ip_tcp or ncacn_np).
*
* Currently we always establish the SMB connection,
* even if we don't use it, because we later use ncacn_ip_tcp.
*
* As we won't use the SMB connection there's no
* need to try kerberos. And NT4 domains expect
* an anonymous IPC$ connection anyway.
*/
smb_sign_client_connections = SMB_SIGNING_OFF;
}
if (smb_sign_client_connections == SMB_SIGNING_DEFAULT) {
/*
* If we are connecting to our own AD domain, require
@ -1011,8 +1036,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
* AD domain in our forest
* then require smb signing to disrupt MITM attacks
*/
} else if ((lp_security() == SEC_ADS ||
lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
} else if ((lp_security() == SEC_ADS)
&& domain->active_directory
&& (domain->domain_trust_attribs
& LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
@ -1071,6 +1095,22 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
try_ipc_auth = true;
}
if (IS_AD_DC) {
/*
* As AD DC we only use netlogon and lsa
* using schannel over an anonymous transport
* (ncacn_ip_tcp or ncacn_np).
*
* Currently we always establish the SMB connection,
* even if we don't use it, because we later use ncacn_ip_tcp.
*
* As we won't use the SMB connection there's no
* need to try kerberos. And NT4 domains expect
* an anonymous IPC$ connection anyway.
*/
try_ipc_auth = false;
}
if (try_ipc_auth) {
result = get_trust_credentials(domain, talloc_tos(), false, &creds);
if (!NT_STATUS_IS_OK(result)) {