winbind: make sure we don't contact trusted domains via LDAP as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
parent
32a63e3ea9
commit
18f27b5385
@ -532,6 +532,17 @@ static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
|
||||
struct idmap_ad_context *ctx = NULL;
|
||||
NTSTATUS status;
|
||||
|
||||
if (IS_AD_DC) {
|
||||
/*
|
||||
* Make sure we never try to use LDAP against
|
||||
* a trusted domain as AD_DC.
|
||||
*
|
||||
* This shouldn't be called currently,
|
||||
* but you never know what happens in future.
|
||||
*/
|
||||
return NT_STATUS_REQUEST_NOT_ACCEPTED;
|
||||
}
|
||||
|
||||
if (dom->private_data != NULL) {
|
||||
*pctx = talloc_get_type_abort(dom->private_data,
|
||||
struct idmap_ad_context);
|
||||
|
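Review bot: The new IS_AD_DC guard returns NT_STATUS_REQUEST_NOT_ACCEPTED silently, although its own comment says the path is not expected to be reached; if it ever is, the only trace is a generic status code propagated to the caller. Logging before the return would make an unexpected LDAP attempt from an AD DC visible in the winbind logs, e.g. `DEBUG(1, ("idmap_ad_get_context: refusing LDAP connection as AD DC\n"));`. The same silent return appears in the ads_idmap_cached_connection and ads_cached_connection hunks, while the sequence_number hunk does emit a DEBUG line, so the four guards are inconsistent in this respect. The comment here also spells the role `AD_DC` where the other hunks write `AD DC`. idmap_ad_get_context continues outside the hunk.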
@ -159,6 +159,14 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
|
||||
struct winbindd_domain *wb_dom;
|
||||
ADS_STATUS status;
|
||||
|
||||
if (IS_AD_DC) {
|
||||
/*
|
||||
* Make sure we never try to use LDAP against
|
||||
* a trusted domain as AD DC.
|
||||
*/
|
||||
return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
|
||||
}
|
||||
|
||||
ads_cached_connection_reuse(adsp);
|
||||
if (*adsp != NULL) {
|
||||
return ADS_SUCCESS;
|
||||
@ -231,6 +239,14 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
|
||||
ADS_STATUS status;
|
||||
char *password, *realm;
|
||||
|
||||
if (IS_AD_DC) {
|
||||
/*
|
||||
* Make sure we never try to use LDAP against
|
||||
* a trusted domain as AD DC.
|
||||
*/
|
||||
return NULL;
|
||||
}
|
||||
|
||||
DEBUG(10,("ads_cached_connection\n"));
|
||||
ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
|
||||
|
||||
@ -1309,6 +1325,13 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
if (IS_AD_DC) {
|
||||
DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
|
||||
domain->name));
|
||||
*seq = time(NULL);
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
*seq = DOM_SEQUENCE_NONE;
|
||||
|
||||
ads = ads_cached_connection(domain);
|
||||
|
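Review bot: `*seq = time(NULL);` narrows time_t to the uint32_t that seq points to without saying so; making the truncation explicit with `*seq = (uint32_t)time(NULL);` keeps -Wconversion builds clean and shows the intent. A one-line comment on why a wall-clock value is an acceptable stand-in for the LDAP sequence number would also help, since the line that follows sets `*seq = DOM_SEQUENCE_NONE;` as the default before the LDAP lookup and a reader cannot tell from this hunk which value the caches expect; presumably the time value is meant to look like an ever-advancing sequence so cached entries are not treated as current, which is worth stating in the comment. sequence_number's body continues outside the hunk.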