authorStefan Metzmacher <metze@samba.org>2017-11-29 15:10:38 +0100
committerKarolin Seeger <kseeger@samba.org>2018-01-13 12:55:07 +0100
commitb724e01ec767caebbfa3723d8346d640a511ded1 (patch)
tree894c45c5c5eb81feb4cdd19f64516500049261a7
parent5bf2979bb6e22c6d3f7565c13329aa60fdce4e0f (diff)
winbindd: remember the secure_channel_type in winbindd_domain
This way we have an indication of non-direct trusts, marked with SEC_CHAN_NULL. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
-rw-r--r--source3/winbindd/winbindd.h1
-rw-r--r--source3/winbindd/winbindd_util.c24
2 files changed, 25 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 396f7f7946e..682040fd1a7 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -139,6 +139,7 @@ struct winbindd_domain {
char *alt_name; /* alt Domain name, if any (FQDN for ADS) */
char *forest_name; /* Name of the AD forest we're in */
struct dom_sid sid; /* SID for this domain */
+ enum netr_SchannelType secure_channel_type;
uint32_t domain_flags; /* Domain flags from netlogon.h */
uint32_t domain_type; /* Domain type from netlogon.h */
uint32_t domain_trust_attribs; /* Trust attribs from netlogon.h */
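Review bot: The new secure_channel_type member added after `struct dom_sid sid;` is the only field in this run of struct winbindd_domain without a trailing comment, and its convention of SEC_CHAN_NULL for non-direct trusts is stated only in the commit message. A comment in the surrounding style would carry that convention into the header: `enum netr_SchannelType secure_channel_type; /* SEC_CHAN_NULL for non direct trusts */`. The struct definition continues outside the hunk.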
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index c45d6acb0ad..3b8fae141bb 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -125,6 +125,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
uint32_t trust_type,
uint32_t trust_flags,
uint32_t trust_attribs,
+ enum netr_SchannelType secure_channel_type,
struct winbindd_domain **_d)
{
struct winbindd_domain *domain = NULL;
@@ -240,6 +241,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
domain->backend = NULL;
domain->internal = is_internal_domain(sid);
+ domain->secure_channel_type = secure_channel_type;
domain->sequence_number = DOM_SEQUENCE_NONE;
domain->last_seq_check = 0;
domain->initialized = false;
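Review bot: domain->secure_channel_type is stored twice in add_trusted_domain with the same value: here, right after `domain->internal = is_internal_domain(sid);`, and again in the next hunk after `domain->domain_trust_attribs = trust_attribs;`. The two hunks are only a few old lines apart, so unless the unseen lines between them contain a branch, the first store is dead and a reader has two places to check for the field's origin. Dropping this hunk's `domain->secure_channel_type = secure_channel_type;` and keeping the one grouped with the other trust attributes leaves a single obvious assignment. add_trusted_domain's body starts and ends outside both hunks.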
@@ -249,6 +251,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
domain->domain_flags = trust_flags;
domain->domain_type = trust_type;
domain->domain_trust_attribs = trust_attribs;
+ domain->secure_channel_type = secure_channel_type;
sid_copy(&domain->sid, sid);
/* Is this our primary domain ? */
@@ -464,6 +467,7 @@ static void trustdom_list_done(struct tevent_req *req)
trust_type,
trust_flags,
trust_attribs,
+ SEC_CHAN_NULL,
&domain);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
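Review bot: The bare `SEC_CHAN_NULL,` argument passed to add_trusted_domain in trustdom_list_done carries its meaning of "no direct trust" only through the commit message, and the same literal is passed the same way in the rescan_forest_root_trusts and rescan_forest_trusts hunks. init_domain_list already annotates literal arguments inline (`0, /* trust_attribs */`), so the same style fits these three call sites: `SEC_CHAN_NULL, /* no direct trust */`. The enclosing functions start and end outside the hunks.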
@@ -546,6 +550,7 @@ static void rescan_forest_root_trusts( void )
dom_list[i].trust_type,
dom_list[i].trust_flags,
dom_list[i].trust_attribs,
+ SEC_CHAN_NULL,
&d);
if (!NT_STATUS_IS_OK(status) &&
@@ -627,6 +632,7 @@ static void rescan_forest_trusts( void )
type,
flags,
attribs,
+ SEC_CHAN_NULL,
&d);
if (!NT_STATUS_IS_OK(status) &&
NT_STATUS_EQUAL(status,
@@ -736,6 +742,7 @@ static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
DATA_BLOB *data)
{
TALLOC_CTX *frame = talloc_stackframe();
+ enum netr_SchannelType secure_channel_type = SEC_CHAN_DOMAIN;
struct lsa_TrustDomainInfoInfoEx info;
enum ndr_err_code ndr_err;
struct winbindd_domain *d = NULL;
@@ -762,6 +769,9 @@ static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
return;
}
+ if (info.trust_type == LSA_TRUST_TYPE_UPLEVEL) {
+ secure_channel_type = SEC_CHAN_DNS_DOMAIN;
+ }
if (info.trust_direction & LSA_TRUST_DIRECTION_INBOUND) {
trust_flags |= NETR_TRUST_FLAG_INBOUND;
}
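Review bot: The mapping added after the ndr pull derives secure_channel_type from info.trust_type alone, so every type other than LSA_TRUST_TYPE_UPLEVEL keeps the SEC_CHAN_DOMAIN default declared in the earlier hunk of wb_imsg_new_trusted_domain, and nothing records that this is deliberate. It also ignores info.trust_direction, which the very next lines inspect; if the field later selects the schannel type for our outbound netlogon connection, a trust that lacks the outbound direction has no such channel from our side and arguably belongs with SEC_CHAN_NULL — the hunk does not show how the field is consumed, so this is an inference to confirm. A comment on the new block such as `/* only uplevel (AD) trusts get SEC_CHAN_DNS_DOMAIN; all other trust types fall back to SEC_CHAN_DOMAIN */` would record the intent either way. wb_imsg_new_trusted_domain's body continues outside the hunk.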
@@ -778,6 +788,7 @@ static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
info.trust_type,
trust_flags,
info.trust_attributes,
+ secure_channel_type,
&d);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
@@ -852,6 +863,7 @@ bool init_domain_list(void)
LSA_TRUST_TYPE_DOWNLEVEL,
0, /* trust_flags */
0, /* trust_attribs */
+ SEC_CHAN_LOCAL,
&domain);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("add_trusted_domain BUILTIN returned %s\n",
@@ -903,6 +915,7 @@ bool init_domain_list(void)
LSA_TRUST_TYPE_UPLEVEL,
trust_flags,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
+ SEC_CHAN_BDC,
&domain);
TALLOC_FREE(pdb_domain_info);
if (!NT_STATUS_IS_OK(status)) {
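Review bot: The SEC_CHAN_BDC passed to add_trusted_domain for the AD DC's own domain reads like a placeholder: the hunk at old line 946 stores `domain->secure_channel_type = sec_chan_type;` from the machine credentials, which is also where an RODC is recognised via SEC_CHAN_RODC, and if that store sits in the same branch (the hunks suggest it but do not show it) the value passed here is overwritten before anything reads it. An inline comment would stop a reader from trusting the literal: `SEC_CHAN_BDC, /* replaced below by the type from our machine credentials */`. init_domain_list starts and ends outside the hunk.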
@@ -946,24 +959,34 @@ bool init_domain_list(void)
return false;
}
}
+
+ domain->secure_channel_type = sec_chan_type;
if (sec_chan_type == SEC_CHAN_RODC) {
domain->rodc = true;
}
} else {
uint32_t trust_flags;
+ enum netr_SchannelType secure_channel_type;
trust_flags = NETR_TRUST_FLAG_OUTBOUND;
if (role != ROLE_DOMAIN_MEMBER) {
trust_flags |= NETR_TRUST_FLAG_PRIMARY;
}
+ if (role > ROLE_DOMAIN_MEMBER) {
+ secure_channel_type = SEC_CHAN_BDC;
+ } else {
+ secure_channel_type = SEC_CHAN_LOCAL;
+ }
+
status = add_trusted_domain(get_global_sam_name(),
NULL,
get_global_sam_sid(),
LSA_TRUST_TYPE_DOWNLEVEL,
trust_flags,
0, /* trust_attribs */
+ secure_channel_type,
&domain);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Failed to add local SAM to "
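Review bot: `if (role > ROLE_DOMAIN_MEMBER)` in the else branch relies on the numeric order of enum server_role to mean "this host is an NT4-style PDC or BDC", which a reader cannot verify without the enum and which silently reclassifies any role value added above ROLE_DOMAIN_MEMBER later. Naming the roles states the intent directly: `if (role == ROLE_DOMAIN_PDC || role == ROLE_DOMAIN_BDC) {`. Every other role reaching this branch then gets SEC_CHAN_LOCAL, which matches today's result as long as only those two roles sort above ROLE_DOMAIN_MEMBER — worth confirming against the enum before changing it. init_domain_list starts and ends outside the hunk.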
@@ -995,6 +1018,7 @@ bool init_domain_list(void)
NETR_TRUST_FLAG_PRIMARY|
NETR_TRUST_FLAG_OUTBOUND,
0, /* trust_attribs */
+ SEC_CHAN_WKSTA,
&domain);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Failed to add local SAM to "