author | Ralph Boehme <slow@samba.org> | 2017-11-29 10:10:38 +0100 |
committer | Karolin Seeger <kseeger@samba.org> | 2018-01-13 12:55:08 +0100 |
commit | f4d27f2bf9a32fec02da01351fa5af3867f4b1f7 (patch) | |
tree | e8cf24c235a678bd51f264b49f4a1e6f0865ce2d /source3 | |
parent | b2ea3606a7f7325b0e2f5fae46346f8fbf489177 (diff) | |
winbindd: add add_trusted_domain_from_auth
Function to add a new trusted domain to the domain list and TDC after a
successful authentication. On member servers only, not on DCs.
Signed-off-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/winbindd/winbindd_proto.h | 3 | ||||
-rw-r--r-- | source3/winbindd/winbindd_util.c | 55 |
2 files changed, 58 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 4ab52a42ba5..39cdef54531 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -440,6 +440,9 @@ struct winbindd_domain *domain_list(void);
 struct winbindd_domain *wb_next_domain(struct winbindd_domain *domain);
 bool set_routing_domain(struct winbindd_domain *domain,
 const struct winbindd_domain *routing_domain);
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+ struct info3_text *info3,
+ struct info6_text *info6);
 bool domain_is_forest_root(const struct winbindd_domain *domain);
 void rescan_trusted_domains(struct tevent_context *ev, struct tevent_timer *te,
 struct timeval now, void *private_data);
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index fb1793d250a..2a975220ad0 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -303,6 +303,61 @@ bool set_routing_domain(struct winbindd_domain *domain,
 return true;
 }
 
+bool add_trusted_domain_from_auth(uint16_t validation_level,
+ struct info3_text *info3,
+ struct info6_text *info6)
+{
+ struct winbindd_domain *domain = NULL;
+ struct dom_sid domain_sid;
+ const char *dns_domainname = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ /*
+ * We got a successfull auth from a domain that might not yet be in our
+ * domain list. If we're a member we trust our DC who authenticated the
+ * user from that domain and add the domain to our list on-the-fly. If
+ * we're a DC we rely on configured trusts and don't add on-the-fly.
+ */
+
+ if (IS_DC) {
+ return true;
+ }
+
+ ok = dom_sid_parse(info3->dom_sid, &domain_sid);
+ if (!ok) {
+ DBG_NOTICE("dom_sid_parse [%s] failed\n", info3->dom_sid);
+ return false;
+ }
+
+ if (validation_level == 6) {
+ dns_domainname = &info6->dns_domainname[0];
+ }
+
+ status = add_trusted_domain(info3->logon_dom,
+ dns_domainname,
+ &domain_sid,
+ 0,
+ NETR_TRUST_FLAG_OUTBOUND,
+ 0,
+ SEC_CHAN_NULL,
+ &domain);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN))
+ {
+ DBG_DEBUG("Adding domain [%s] with sid [%s] failed\n",
+ info3->logon_dom, info3->dom_sid);
+ return false;
+ }
+
+ ok = set_routing_domain(domain, find_default_route_domain());
+ if (!ok) {
+ return false;
+ }
+
+ return true;
+}
+
 bool domain_is_forest_root(const struct winbindd_domain *domain)
 {
 const uint32_t fr_flags = |
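Review bot: On the NT_STATUS_NO_SUCH_DOMAIN path the new function still calls `set_routing_domain(domain, find_default_route_domain())`, and if add_trusted_domain (outside the hunk) leaves `*domain` untouched on that status, `domain` is still the NULL it was initialized to at the top of the function; whether set_routing_domain tolerates a NULL domain is also not visible here. A guard between the status check and the routing call, `if (domain == NULL) { return false; }`, makes that contract explicit, or NO_SUCH_DOMAIN could get its own early return. Separately, the `validation_level == 6` test is the only thing protecting the `info6` dereference, so a header comment on add_trusted_domain_from_auth should state that info3 is always required and info6 must be non-NULL when validation_level is 6. The block comment's `successfull` should read `successful`. The hunk's trailing context lines belong to domain_is_forest_root, which continues outside the hunk.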