1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

winbind: make sure we don't contact trusted domains via LDAP as AD DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Stefan Metzmacher 2018-02-02 16:55:01 +01:00
parent 32a63e3ea9
commit 18f27b5385
2 changed files with 34 additions and 0 deletions

View File

@ -532,6 +532,17 @@ static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
struct idmap_ad_context *ctx = NULL;
NTSTATUS status;
if (IS_AD_DC) {
/*
* Make sure we never try to use LDAP against
* a trusted domain as AD_DC.
*
* This shouldn't be called currently,
* but you never know what happens in future.
*/
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
if (dom->private_data != NULL) {
*pctx = talloc_get_type_abort(dom->private_data,
struct idmap_ad_context);

View File

@ -159,6 +159,14 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
struct winbindd_domain *wb_dom;
ADS_STATUS status;
if (IS_AD_DC) {
/*
* Make sure we never try to use LDAP against
* a trusted domain as AD DC.
*/
return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
}
ads_cached_connection_reuse(adsp);
if (*adsp != NULL) {
return ADS_SUCCESS;
@ -231,6 +239,14 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
ADS_STATUS status;
char *password, *realm;
if (IS_AD_DC) {
/*
* Make sure we never try to use LDAP against
* a trusted domain as AD DC.
*/
return NULL;
}
DEBUG(10,("ads_cached_connection\n"));
ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
@ -1309,6 +1325,13 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
return NT_STATUS_OK;
}
if (IS_AD_DC) {
DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
domain->name));
*seq = time(NULL);
return NT_STATUS_OK;
}
*seq = DOM_SEQUENCE_NONE;
ads = ads_cached_connection(domain);