mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/source3/passdb
Alexander Bokovoy 31c703766f lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In a FreeIPA deployment with an active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:

--------------------------------------------------------------------
[2020/01/13 11:12:39.859134,  1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       lsa_LookupNames3: struct lsa_LookupNames3
          in: struct lsa_LookupNames3
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 0000000e-0000-0000-1c5e-a750e5810000
              num_names                : 0x00000001 (1)
              names: ARRAY(1)
                  names: struct lsa_String
                      length                   : 0x001e (30)
                      size                     : 0x0020 (32)
                      string                   : *
                          string                   : 'ipa.test\admins'
              sids                     : *
                  sids: struct lsa_TransSidArray3
                      count                    : 0x00000000 (0)
                      sids                     : NULL
              level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
              count                    : *
                  count                    : 0x00000000 (0)
              lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
              client_revision          : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------

If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
2020-11-11 10:59:01 +00:00
ABI
account_pol.c lib: relicense smb_strtoul(l) under LGPLv3 2020-08-03 22:21:02 +00:00
login_cache.c
lookup_sid.c lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC 2020-11-11 10:59:01 +00:00
lookup_sid.h
machine_account_secrets.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
machine_sid.c passdb: Use struct allocation 2020-01-30 12:27:40 +00:00
machine_sid.h
passdb.c auth:creds: Rename CRED_USE_KERBEROS values 2020-11-03 15:25:37 +00:00
pdb_compat.c
pdb_get_set.c
pdb_interface.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_ldap_schema.c
pdb_ldap_schema.h Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_ldap_util.c Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_ldap_util.h Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_ldap.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_ldap.h
pdb_nds.c Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_nds.h Fix a comment typo copied around 2020-08-17 19:35:38 +00:00
pdb_samba_dsdb.c auth:creds: Rename CRED_USE_KERBEROS values 2020-11-03 15:25:37 +00:00
pdb_secrets.c
pdb_secrets.h
pdb_smbpasswd.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_smbpasswd.h
pdb_tdb.c s3: safe_string: do not include string_wrappers.h 2020-08-28 00:56:34 +00:00
pdb_tdb.h
pdb_util.c
py_passdb.c passdb: Align integer types 2020-11-10 19:49:33 +00:00
secrets_lsa.c
secrets.c smbdotconf: mark "ldap admin dn" with constant="1" 2019-11-27 10:25:36 +00:00
wscript_build smbdes: add des_crypt56_gnutls() using DES-CBC with zeroed IV 2019-12-10 00:30:30 +00:00