mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
samba-mirror/source3/auth
Ralph Boehme df5fe2d835 s3/auth: implement "winbind:ignore domains"
Under the following conditions a user from an ignored domain might be able to
authenticate:

- using Kerberos

- successful previous authentication so the idmap and name caches are filled

- winbind not running (fwiw, winbindd is mandatory on a domain member)

- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
  because getpwnam fails)

- lookup_name() function being modified to look into the name cache before
  contacting winbindd. Currently it talks directly to winbindd and that will
  check the cache.

Currently, authentication will only fail because creating the local token for
the user fails because an LSA lookupname RPC call fails (because winbindd is not
running).

All of this makes a successful authentication unlikely, but that is more by
accident than by design.

To ensure that if winbindd is not running and as such winbindd itself can not
enforce the restriction, also implement the ignored domains check in the auth
system as a last line of defense.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
RN: "winbind:ignore domains" doesn't prevent user login from trusted domain

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-21 21:48:30 +00:00
auth_builtin.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
auth_generic.c auth_generic: fix empty initializer compile warning 2020-11-10 06:53:42 +00:00
auth_ntlmssp.c s3/auth: use set_current_user_info() in auth3_check_password_send() 2020-02-06 10:17:44 +00:00
auth_sam.c auth_sam: use pdb_get_domain_info to look up DNS forest information 2020-11-12 13:49:34 +00:00
auth_samba4.c lib: give global_contexts.c its own header file 2021-01-08 20:31:33 +00:00
auth_unix.c auth: Remove the "typedef auth_methods" 2020-01-06 01:47:30 +00:00
auth_util.c s3/auth: implement "winbind:ignore domains" 2021-01-21 21:48:30 +00:00
auth_winbind.c auth: Remove the "typedef auth_methods" 2020-01-06 01:47:30 +00:00
auth.c lib: give global_contexts.c its own header file 2021-01-08 20:31:33 +00:00
check_samsec.c auth3: Fix a typo 2020-01-30 12:27:40 +00:00
pampass.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pass_check.c auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c 2014-04-15 12:32:09 +02:00
proto.h auth3: Replace auth3_check_password() by _send and _recv 2020-01-06 22:09:32 +00:00
server_info_sam.c s3-auth: Steal the memory to avoid duplication. 2014-03-13 15:08:26 +01:00
server_info.c s3:auth: fill in info3 domain name in passwd_to_SamInfo3() 2020-05-30 01:17:36 +00:00
token_util.c make some auth functions return an NTSTATUS like other similar functions for better diagnostics. 2019-04-02 02:12:48 +00:00
user_info.c pdb: Reduce code duplication in make_user_info() 2018-10-09 01:22:53 +02:00
user_krb5.c Correct "perfom" typos. 2017-02-22 08:26:22 +01:00
user_util.c smbdotconf: mark "username map script" with substitution="1" 2019-11-27 10:25:36 +00:00
wscript_build auth3: Remove auth_script 2019-12-02 22:47:24 +00:00