mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
samba-mirror/source3/passdb
Alexander Bokovoy 31c703766f lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In a FreeIPA deployment with an active Global Catalog service, when a two-way
trust to an Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on the AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:

--------------------------------------------------------------------
[2020/01/13 11:12:39.859134,  1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       lsa_LookupNames3: struct lsa_LookupNames3
          in: struct lsa_LookupNames3
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 0000000e-0000-0000-1c5e-a750e5810000
              num_names                : 0x00000001 (1)
              names: ARRAY(1)
                  names: struct lsa_String
                      length                   : 0x001e (30)
                      size                     : 0x0020 (32)
                      string                   : *
                          string                   : 'ipa.test\admins'
              sids                     : *
                  sids: struct lsa_TransSidArray3
                      count                    : 0x00000000 (0)
                      sids                     : NULL
              level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
              count                    : *
                  count                    : 0x00000000 (0)
              lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
              client_revision          : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------

If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
2020-11-11 10:59:01 +00:00
ABI passdb: Increase ABI version to 0.28.0 2019-03-07 01:30:49 +00:00
account_pol.c lib: relicense smb_strtoul(l) under LGPLv3 2020-08-03 22:21:02 +00:00
login_cache.c lib: Pass mem_ctx to cache_path() 2018-08-17 14:28:51 +02:00
lookup_sid.c lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC 2020-11-11 10:59:01 +00:00
lookup_sid.h passdb: Introduce xid_to_sid 2019-02-28 12:57:24 +00:00
machine_account_secrets.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
machine_sid.c passdb: Use struct allocation 2020-01-30 12:27:40 +00:00
machine_sid.h
passdb.c auth:creds: Rename CRED_USE_KERBEROS values 2020-11-03 15:25:37 +00:00
pdb_compat.c passdb: Use dom_sid_str_buf 2018-12-20 23:40:24 +01:00
pdb_get_set.c passdb: Use dom_sid_str_buf 2018-12-20 23:40:24 +01:00
pdb_interface.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_ldap_schema.c
pdb_ldap_schema.h Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_ldap_util.c Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_ldap_util.h Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_ldap.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_ldap.h lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) 2017-04-22 01:17:00 +02:00
pdb_nds.c Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_nds.h Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_samba_dsdb.c auth:creds: Rename CRED_USE_KERBEROS values 2020-11-03 15:25:37 +00:00
pdb_secrets.c passdb: Use dom_sid_str_buf 2018-12-20 23:40:24 +01:00
pdb_secrets.h Convert all uses of uint32/16/8 to _t in source3/passdb. 2015-05-12 01:32:12 +02:00
pdb_smbpasswd.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_smbpasswd.h lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) 2017-04-22 01:17:00 +02:00
pdb_tdb.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_tdb.h lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) 2017-04-22 01:17:00 +02:00
pdb_util.c s3/passdb: clang: Fix 'Value stored during its initialization is never read' 2019-09-26 18:41:26 +00:00
py_passdb.c passdb: Align integer types 2020-11-10 19:49:33 +00:00
secrets_lsa.c s3:secrets: rename secrets_delete() to secrets_delete_entry() 2017-06-27 16:57:45 +02:00
secrets.c smbdotconf: mark "ldap admin dn" with constant="1" 2019-11-27 10:25:36 +00:00
wscript_build smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV 2019-12-10 00:30:30 +00:00