mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
samba-mirror/source3
Stefan Metzmacher fffefe72fc s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains.
We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().

This should fix SMB authentication with a user of a domain
behind a transitive trust.

With this change winbindd is able to call
dcerpc_netr_DsrEnumerateDomainTrusts against the
dc of a trusted domain again. This only works
for two-way trusts.

The main problem is the usage of is_trusted_domain()
which doesn't know about the domain, if winbindd can't
enumerate the domains in the other forest.

is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().

That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.

A much better fix, which removes the usage of is_trusted_domain()
is planned for master, but this should do the job for current releases.

We should avoid talking to DCs of other domains and always
go via our primary domain. As we should cope with one-way trusts
also, we need to avoid relying on a complete list of
domains in future.

For now "wbinfo -m" lists domains behind a two-way transitive
trust again, but that is likely to change in future again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2017-02-24 18:40:14 +01:00
auth Correct "somthing" typos. 2017-02-22 08:26:23 +01:00
build
client Modify smbspool_krb5_wrapper to just fall through to smbspool if AUTH_INFO_REQUIRED is not set or is not "negotiate". 2017-02-17 04:27:26 +01:00
exports
groupdb Correct "errror" typos. 2017-02-22 08:26:22 +01:00
include Correct "extention" typos. 2017-02-22 08:26:22 +01:00
intl lang_tdb: don't leak lock_path or data_path onto talloc tos 2014-11-03 23:46:05 +01:00
lib s3:lib: Do not segfault if username is NULL 2017-02-23 03:18:10 +01:00
libads Correct "occured" typos. 2017-02-22 08:26:21 +01:00
libgpo libgpo: apply some const. 2017-01-06 12:28:19 +01:00
libnet s3:libnet_join: make use of trust_pw_new_value() 2017-02-21 16:09:22 +01:00
librpc s3:librpc: Fix OM_uint32 comparsion in if-clause 2017-02-23 03:18:11 +01:00
libsmb Correct "existence" typos. 2017-02-22 08:26:22 +01:00
locale Correct "descriptior" typos. 2017-02-22 08:26:22 +01:00
locking s3/locking: Avoid a talloc for nonexisting fetch_share_mode_unlocked 2017-01-22 18:30:11 +01:00
modules s3-vfs: Do not deref a NULL pointer in shadow_copy2_snapshot_to_gmt() 2017-02-23 03:18:10 +01:00
nmbd Correct "errror" typos. 2017-02-22 08:26:22 +01:00
param rpc_server: Allow to configure the port range for RPC services 2017-01-27 08:09:15 +01:00
passdb Correct "somthing" typos. 2017-02-22 08:26:23 +01:00
printing Correct "somthing" typos. 2017-02-22 08:26:23 +01:00
profile s3-profile: reduce dependencies of smbprofile.h 2016-03-28 20:45:16 +02:00
registry Correct "existence" typos. 2017-02-22 08:26:22 +01:00
rpc_client Correct "occured" typos. 2017-02-22 08:26:21 +01:00
rpc_server Correct "Openened" typos. 2017-02-22 08:26:24 +01:00
rpcclient s3:popt_common: let POPT_COMMON_CREDENTIALS imply logfile and conffile loading 2016-12-20 01:11:25 +01:00
script Correct "follwing" typos. 2017-02-22 08:26:22 +01:00
selftest s3: torture: Regression test for smbd trying to open an invalid symlink. 2017-02-16 22:06:51 +01:00
services Update smbrun to allow for settings environment variables. 2016-10-13 04:26:26 +02:00
smbd Correct "allready" typos. 2017-02-22 08:26:24 +01:00
torture s3:torture: Fix uint64_t comparsion in if-clause 2017-02-23 03:18:10 +01:00
utils Correct "descriptior" typos. 2017-02-22 08:26:22 +01:00
web
winbindd s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains. 2017-02-24 18:40:14 +01:00
.clang_complete lib: Remove tdb_compat 2015-03-17 11:30:52 +01:00
.dmallocrc
.indent.pro
change-log Correct "existence" typos. 2017-02-22 08:26:22 +01:00
Doxyfile
mainpage.dox
smbadduser.in
wscript build:wafsamba: Remove ambiguous 'if x in conf.env' constructs 2017-02-21 13:47:07 +01:00
wscript_build s3:wscript_build: remove unused bld.RECURSE('lib/pthreadpool') 2017-02-23 23:58:21 +01:00
wscript_configure_system_ncurses Transition to waf 1.8: wrapped conf.check_cfg 2015-03-16 03:00:07 +01:00