
lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC

In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:

--------------------------------------------------------------------
[2020/01/13 11:12:39.859134,  1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       lsa_LookupNames3: struct lsa_LookupNames3
          in: struct lsa_LookupNames3
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 0000000e-0000-0000-1c5e-a750e5810000
              num_names                : 0x00000001 (1)
              names: ARRAY(1)
                  names: struct lsa_String
                      length                   : 0x001e (30)
                      size                     : 0x0020 (32)
                      string                   : *
                          string                   : 'ipa.test\admins'
              sids                     : *
                  sids: struct lsa_TransSidArray3
                      count                    : 0x00000000 (0)
                      sids                     : NULL
              level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
              count                    : *
                  count                    : 0x00000000 (0)
              lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
              client_revision          : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------

If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup against their own domain controller with the help of winbindd.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
This commit is contained in:
Alexander Bokovoy
2020-11-10 17:35:24 +02:00
parent f214a3ba5a
commit 31c703766f


@ -113,17 +113,36 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
strequal(domain, get_global_sam_name()))
{
if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
bool check_global_sam = false;
/* It's our own domain, lookup the name in passdb */
if (lookup_global_sam_name(name, flags, &rid, &type)) {
sid_compose(&sid, get_global_sam_sid(), rid);
goto ok;
check_global_sam = strequal(domain, get_global_sam_name());
/* If we are running on a DC that has PASSDB module with domain
* information, check if DNS forest name is matching the domain
* name. This is the case of FreeIPA domain controller when
* trusted AD DC looks up users found in a Global Catalog of
* the forest root domain. */
if (!check_global_sam && (IS_DC)) {
struct pdb_domain_info *dom_info = NULL;
dom_info = pdb_get_domain_info(tmp_ctx);
if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
check_global_sam = strequal(domain, dom_info->dns_forest);
}
TALLOC_FREE(dom_info);
}
if (check_global_sam) {
/* It's our own domain, lookup the name in passdb */
if (lookup_global_sam_name(name, flags, &rid, &type)) {
sid_compose(&sid, get_global_sam_sid(), rid);
goto ok;
}
TALLOC_FREE(tmp_ctx);
return false;
}
TALLOC_FREE(tmp_ctx);
return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
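Review bot: The forest-root match at `if (!check_global_sam && (IS_DC))` compares the domain part only against `dom_info->dns_forest`, so a name qualified with the DC's own DNS domain name (`dom_info->dns_domain`) still falls through to the BUILTIN/trusted-domain path below; if restricting this to the forest root is deliberate (FreeIPA's forest root is its own domain), that is worth stating in the comment, e.g. `/* Only the forest root name is accepted here; for FreeIPA it equals the DC's own domain */`, otherwise `dns_domain` could be compared as well. Separately, `pdb_get_domain_info(tmp_ctx)` is now invoked on every lookup whose domain part is not the local SAM name whenever running as a DC; depending on the passdb backend this looks like a backend round-trip per foreign-domain lookup, so caching the forest name or gating on the backend may be worth considering. The body of lookup_name starts before and continues after the hunk.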