author | Stefan Metzmacher <metze@samba.org> | 2018-02-02 16:55:01 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2018-02-23 12:47:25 +0100 |
commit | 18f27b5385240852e537cd5010cedb09f0bf233d (patch) | |
tree | 967076abcd15a7838707180e2481e18c46c04843 /source3 | |
parent | 32a63e3ea985c967ca2aadbcd9e0c60ade2d0367 (diff) | |
download | samba-18f27b5385240852e537cd5010cedb09f0bf233d.tar.gz |
winbind: make sure we don't contact trusted domains via LDAP as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/winbindd/idmap_ad.c | 11 | ||||
-rw-r--r-- | source3/winbindd/winbindd_ads.c | 23 |
2 files changed, 34 insertions, 0 deletions
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 315a9444a19..15304109a2d 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -532,6 +532,17 @@ static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
 struct idmap_ad_context *ctx = NULL;
 NTSTATUS status;
 
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD_DC.
+ *
+ * This shouldn't be called currently,
+ * but you never know what happens in future.
+ */
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
 if (dom->private_data != NULL) {
 *pctx = talloc_get_type_abort(dom->private_data,
 struct idmap_ad_context);
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index c330b9202c8..725fa4ff977 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -159,6 +159,14 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
 struct winbindd_domain *wb_dom;
 ADS_STATUS status;
 
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD DC.
+ */
+ return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
+ }
+
 ads_cached_connection_reuse(adsp);
 if (*adsp != NULL) {
 return ADS_SUCCESS;
@@ -231,6 +239,14 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 ADS_STATUS status;
 char *password, *realm;
 
+ if (IS_AD_DC) {
+ /*
+ * Make sure we never try to use LDAP against
+ * a trusted domain as AD DC.
+ */
+ return NULL;
+ }
+
 DEBUG(10,("ads_cached_connection\n"));
 
 ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
@@ -1309,6 +1325,13 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
 return NT_STATUS_OK;
 }
 
+ if (IS_AD_DC) {
+ DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
+ domain->name));
+ *seq = time(NULL);
+ return NT_STATUS_OK;
+ }
+
 *seq = DOM_SEQUENCE_NONE;
 
 ads = ads_cached_connection(domain);
|
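Review bot: The new `IS_AD_DC` guard at the top of idmap_ad_get_context refuses the request silently, so the case the comment itself flags as unexpected ("This shouldn't be called currently") leaves nothing in the log if it ever does happen on a DC that has the ad backend configured for a trusted domain; the sequence_number hunk in winbindd_ads.c logs before returning, and the two other winbindd_ads.c hunks (ads_idmap_cached_connection, ads_cached_connection) return silently too, the latter now skipping its own `DEBUG(10,("ads_cached_connection\n"))` trace. A single log line before the return would make a misconfiguration diagnosable, e.g. `DEBUG(1,("idmap_ad: refusing LDAP to trusted domain %s as AD DC\n", dom->name));` here and the equivalent in the two connection helpers. As a minor point of style, this comment says "AD_DC" while the same comment in the other hunks says "AD DC". The body of idmap_ad_get_context continues past the end of the hunk.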
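Review bot: `*seq = time(NULL);` in the new sequence_number branch stores a `time_t` into a `uint32_t` through an implicit narrowing conversion; the line mirrors the existing branch just above it (whose `return NT_STATUS_OK; }` is visible in the context), so it is at least consistent, but a `(uint32_t)` cast would make the truncation deliberate and keep `-Wconversion` quiet. If the winbindd cache compares sequence numbers to decide whether cached entries are still valid (not visible in this hunk), a value that changes every second means entries for these domains are treated as changed on every check, and a short comment such as `/* no LDAP on an AD DC: report a changing sequence so nothing is cached as current */` would record that this is the intended trade-off rather than an oversight. sequence_number's body continues outside the hunk in both directions.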