diff options
author | Stefan Metzmacher <metze@samba.org> | 2017-02-24 10:37:32 +0000 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2017-02-24 18:40:14 +0100 |
commit | fffefe72fcc62d9688b45f53a5327667dc0b2fe6 (patch) | |
tree | a7bc779a4e38fc09eed2219a1b0a33952c52a3ed /auth/credentials | |
parent | 0bf1a7492bee2f7678cb37ef9515b8aefd26233b (diff) | |
download | samba-fffefe72fcc62d9688b45f53a5327667dc0b2fe6.tar.gz |
s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains.
We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().
This should fix SMB authentication with a user of a domain
behind a transitive trust.
With this change winbindd is able to call
dcerpc_netr_DsrEnumerateDomainTrusts against the
dc of a trusted domain again. This only works
for two-way trusts.
The main problem is the usage of is_trusted_domain()
which doesn't know about the domain, if winbindd can't
enumerate the domains in the other forest.
is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().
That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.
A much better fix, which removes the usage of is_trusted_domain()
in planed for master, but this should do the job for current releases.
We should avoid talking to DCs of other domains and always
go via our primary domain. As we should code with one-way trusts
also, we need to avoid relying on a complete list of
domains in future.
For now "wbinfo -m" lists domains behind a two-way transitive
trust again, but that is likely to change in future again!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'auth/credentials')
0 files changed, 0 insertions, 0 deletions