[PATCH] Can't authenticate user from child-domain of trusted forest

27 messages
[PATCH] Can't authenticate user from child-domain of trusted forest

Hi!

Attached is a fix for a regression introduced by
d7e31d9f4d9ce7395e458ac341dd83ac06255a20.

This results in the inability of winbind to enumerate trusts of trusted forests,
so we can't authenticate users from any child-domain (or additional tree-roots)
of the trusted forest.

I had filed a bug report although the regression is only in master, so we won't
need backports. I'm not sure about having the bug URLs in the commit messages in
this case.

Please review & push if OK. As usual, the funky stuff doesn't have tests. :)

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/

Attachment: bug13167-master.patch (5K)

Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> Hi!
>
> Attached is a fix for a regression introduced by
> d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
>
> This results in the inability of winbind to enumerate trusts of trusted forests,
> so we can't authenticate users from any child-domain (or additional tree-roots)
> of the trusted forest.

Can you explain to me why we need the trusted domain cache filled
correctly to just log in? Where in the code path does that fail?

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]


When to file bugs and tag BUG:

On Mon, 2017-11-27 at 20:50 +0100, Ralph Böhme via samba-technical
wrote:
> I had filed a bug report although the regression is only in master, so we won't
> need backports. I'm not sure about having the bug URLs in the commit messages in
> this case.

In general, provided you remember to close the bugs with a message
indicating the commit it landed in, extra bugs are quite OK.  Sometimes
we only find that it did actually fail in a release after it lands in
master, so be liberal with the BUG tags.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba

Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:

> On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > Attached is a fix for a regression introduced by
> > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> >
> > This results in the inability of winbind to enumerate trusts of trusted forests,
> > so we can't authenticate users from any child-domain (or additional tree-roots)
> > of the trusted forest.
>
> Can you explain to me why we need the trusted domain cache filled
> correctly to just log in? Where in the code path does that fail?

find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
bunch of other places that depend on the domain list as well, but with the
attached WIP patch I could get a smbclient login working with a user from a
trusted domain while trust enumeration in winbindd is completely disabled, so
the domain list contains only BUILTIN, the local SAM and the primary domain:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain           Trust Type  Transitive  In   Out
BUILTIN                              None        Yes         Yes  Yes
TITAN                                None        Yes         Yes  Yes
SUBDOM21        SUBDOM21.WDOM2.SITE  None        Yes         Yes  Yes

With idmap_autorid basic stuff works nicely:

$ bin/smbclient -U "subdom31\administrator%Passw0rd" //localhost/share -c quit
$ bin/wbinfo -i "SUBDOM31\administrator"
SUBDOM31\administrator:*:2060500:2060513::/home/SUBDOM31/administrator:/bin/false

$ bin/smbclient -U "wdom3\administrator%Passw1rd" //localhost/share -c quit
$ bin/wbinfo -i "wdom3\administrator"
WDOM3\administrator:*:2080500:2080513::/home/WDOM3/administrator:/bin/false

Now there are a bunch of places where we rely on the domain list, but we're not
that far away from being able to disable trust enumeration for certain
setups.

-slow


Re: When to file bugs and tag BUG:

On Tue, Nov 28, 2017 at 09:31:20AM +1300, Andrew Bartlett wrote:

> On Mon, 2017-11-27 at 20:50 +0100, Ralph Böhme via samba-technical
> wrote:
> > I had filed a bug report although the regression is only in master, so we won't
> > need backports. I'm not sure about having the bug URLs in the commit messages in
> > this case.
>
> In general, provided you remember to close the bugs with a message
> indicating the commit it landed in, extra bugs are quite OK.  Sometimes
> we only find that it did actually fail in a release after it lands in
> master, so be liberal with the BUG tags.

thanks, I'll try to remember to close the bugreport. ;)

-slow



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Mon, Nov 27, 2017 at 10:37:28PM +0100, Ralph Böhme via samba-technical wrote:

> On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > > Attached is a fix for a regression introduced by
> > > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > >
> > > This results in the inability of winbind to enumerate trusts of trusted forests,
> > > so we can't authenticate users from any child-domain (or additional tree-roots)
> > > of the trusted forest.
> >
> > Can you explain to me why we need the trusted domain cache filled
> > correctly to just log in? Where in the code path does that fail?
>
> find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
> bunch of other places that depend on the domain list as well, but with the
> attached WIP patch I could get a smbclient login working with a user from a
> trusted domain while trust enumeration in winbindd is completely disabled, so
> the domain list contains only BUILTIN, the local SAM and the primary domain:

Would the attached patch also work? No signed-off yet, because if this
works for you we need to do the same for the pac case too. I just
wanted a quick cross-check if this approach would be fine too.

Volker


Attachment: patch.txt (2K)

Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 10:16:01AM +0100, Volker Lendecke wrote:

> On Mon, Nov 27, 2017 at 10:37:28PM +0100, Ralph Böhme via samba-technical wrote:
> > On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> > > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > > > Attached is a fix for a regression introduced by
> > > > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > > >
> > > > This results in the inability of winbind to enumerate trusts of trusted forests,
> > > > so we can't authenticate users from any child-domain (or additional tree-roots)
> > > > of the trusted forest.
> > >
> > > Can you explain to me why we need the trusted domain cache filled
> > > correctly to just log in? Where in the code path does that fail?
> >
> > find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
> > bunch of other places that depend on the domain list as well, but with the
> > attached WIP patch I could get a smbclient login working with a user from a
> > trusted domain while trust enumeration in winbindd is completely disabled, so
> > the domain list contains only BUILTIN, the local SAM and the primary domain:
>
> Would the attached patch also work? No signed-off yet, because if this
> works for you we need to do the same for the pac case too. I just
> wanted a quick cross-check if this approach would be fine too.

at first glance this looks like a brilliant idea. I'll give it a whirl...

-slow



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 10:30:24AM +0100, Ralph Böhme wrote:

> On Tue, Nov 28, 2017 at 10:16:01AM +0100, Volker Lendecke wrote:
> > On Mon, Nov 27, 2017 at 10:37:28PM +0100, Ralph Böhme via samba-technical wrote:
> > > On Mon, Nov 27, 2017 at 09:21:47PM +0100, Volker Lendecke wrote:
> > > > On Mon, Nov 27, 2017 at 08:50:15PM +0100, Ralph Böhme via samba-technical wrote:
> > > > > Attached is a fix for a regression introduced by
> > > > > d7e31d9f4d9ce7395e458ac341dd83ac06255a20.
> > > > >
> > > > > This results in the inability of winbind to enumerate trusts of trusted forests,
> > > > > so we can't authenticate users from any child-domain (or additional tree-roots)
> > > > > of the trusted forest.
> > > >
> > > > Can you explain to me why we need the trusted domain cache filled
> > > > correctly to just log in? Where in the code path does that fail?
> > >
> > > find_domain_from_name_noinit() in wb_getpwsid_queryuser_done(). There are a
> > > bunch of other places that depend on the domain list as well, but with the
> > > attached WIP patch I could get a smbclient login working with a user from a
> > > trusted domain while trust enumeration in winbindd is completely disabled, so
> > > the domain list contains only BUILTIN, the local SAM and the primary domain:
> >
> > Would the attached patch also work? No signed-off yet, because if this
> > works for you we need to do the same for the pac case too. I just
> > wanted a quick cross-check if this approach would be fine too.
>
> at first glance this looks like a brilliant idea. I'll give it a whirl...

auth still fails because add_trusted_domain() will only be called in the domain
child, but not in the parent where we call find_domain_from_name_noinit().

-slow



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> auth still fails because add_trusted_domain() will only be called in the domain
> child, but not in the parent where we call find_domain_from_name_noinit().

Hmm. Ok. Right. We could do either of two things: Always request info3
from the child and pull the information in the parent before sending
it out, and secondly make it a message. Probably the first way is
cleaner, it creates less hidden, secret protocol elements.

I'll take a look.

Volker



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 01:02:13PM +0100, Volker Lendecke wrote:
> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > auth still fails because add_trusted_domain() will only be called in the domain
> > child, but not in the parent where we call find_domain_from_name_noinit().
>
> Hmm. Ok. Right. We could do either of two things: Always request info3
> from the child and pull the information in the parent before sending
> it out, and secondly make it a message. Probably the first way is
> cleaner, it creates less hidden, secret protocol elements.

I'm not sure the resulting struct winbind_domain is sufficiently initialized as
it lacks the DNS name and trust flags. I.e. after an attempt to auth a user from
previously unseen trusted domains, wbinfo -m looks like this:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain           Trust Type  Transitive  In   Out
BUILTIN                              None        Yes         Yes  Yes
TITAN                                None        Yes         Yes  Yes
WDOM2           wdom2.site           None        Yes         Yes  Yes
WDOM1           wdom1.site           Forest      Yes         Yes  Yes
WDOM3           wdom3.site           Forest      Yes         No   Yes
SUBDOM21        subdom21.wdom2.site  In-Forest   Yes         Yes  Yes
SUBDOM11                             None        Yes         Yes  Yes
SUBDOM31                             None        Yes         Yes  Yes

I'm referring to SUBDOM11 and SUBDOM31 here. The Samba server is a member of
WDOM2. Here's the complete picture:

<https://cpaste.org/?390c7a18671a970e#Eh99bpBOsBAG9YOVHlee7BqZmTgO2vaGR9HhztZbLIY=>

Maybe it's simpler to push my patches, they fix the regression without the risk
of introducing further issues. It basically restores behaviour to before the
netlogon-creds patchset.

-slow

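The `wbinfo -m --verbose` listing above shows the symptom a practitioner can check for on a member server: SUBDOM11 and SUBDOM31 are present, but carry no DNS name and no trust type, because winbindd learned them from a logon rather than from enumerating the trusted forest. The script below is an added example, not code from the thread or from Samba. It parses that fixed-width table, taking the column boundaries from the header line so an empty "DNS Domain" cell does not shift the remaining fields, and reports such half-initialized entries. The sample listing is constructed to reproduce the one quoted above; TITAN is assumed to be the member server's own local SAM; and "no DNS name" is this example's heuristic for an entry that trust enumeration never filled in, not a criterion Samba itself applies.

```python
"""Check winbindd's trusted-domain list for half-initialised entries.

Added example, not Samba code. Parses the fixed-width table printed by
`wbinfo -m --verbose` and flags trusted domains winbindd knows only by name.
"""
import re
import shutil
import subprocess


def _row(domain, dns, trust_type, transitive, inbound, outbound):
    # Column widths as in the header line that `wbinfo -m --verbose` prints.
    return f"{domain:<16}{dns:<21}{trust_type:<12}{transitive:<12}{inbound:<5}{outbound}"


# Constructed sample reproducing the listing quoted in the thread after users
# from SUBDOM11 and SUBDOM31 had logged on without working trust enumeration.
SAMPLE_WBINFO_M = "\n".join([
    _row("Domain Name", "DNS Domain", "Trust Type", "Transitive", "In", "Out"),
    _row("BUILTIN", "", "None", "Yes", "Yes", "Yes"),
    _row("TITAN", "", "None", "Yes", "Yes", "Yes"),
    _row("WDOM2", "wdom2.site", "None", "Yes", "Yes", "Yes"),
    _row("WDOM1", "wdom1.site", "Forest", "Yes", "Yes", "Yes"),
    _row("WDOM3", "wdom3.site", "Forest", "Yes", "No", "Yes"),
    _row("SUBDOM21", "subdom21.wdom2.site", "In-Forest", "Yes", "Yes", "Yes"),
    _row("SUBDOM11", "", "None", "Yes", "Yes", "Yes"),
    _row("SUBDOM31", "", "None", "Yes", "Yes", "Yes"),
])

# Assumption: TITAN is the member server's own name, i.e. its local SAM. It and
# BUILTIN never carry a DNS name, so they must not count as incomplete.
LOCAL_DOMAINS = frozenset({"BUILTIN", "TITAN"})


def parse_wbinfo_m(text):
    """Parse `wbinfo -m --verbose` output into one dict per domain.

    Column boundaries come from the header line, so an empty "DNS Domain"
    cell does not shift the remaining fields the way str.split() would.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    # Header labels are separated by two or more spaces; a label itself may
    # contain a single space ("Domain Name", "DNS Domain", "Trust Type").
    cols = [(m.group(0), m.start()) for m in re.finditer(r"\S+(?: \S+)*", header)]
    bounds = [start for _, start in cols] + [None]
    records = []
    for line in rows:
        rec = {}
        for (name, _), start, end in zip(cols, bounds, bounds[1:]):
            rec[name] = line[start:end].strip()
        records.append(rec)
    return records


def incomplete_domains(records, local_domains=LOCAL_DOMAINS):
    """Names of trusted domains whose entry lacks a DNS name.

    Heuristic for the state described in the thread: a domain added by
    add_trusted_domain() while authenticating one of its users, never
    learned by enumerating the trusted forest, so DNS name and trust flags
    stay empty.
    """
    return [r["Domain Name"] for r in records
            if r["Domain Name"] not in local_domains and not r["DNS Domain"]]


def domain_state(records, user, local_domains=LOCAL_DOMAINS):
    """Classify the domain of a DOMAIN\\user name as 'ok', 'incomplete' or 'missing'.

    'missing' is the state in which find_domain_from_name_noinit() fails:
    winbindd has no entry at all for the user's domain.
    """
    domain = user.split("\\", 1)[0].upper() if "\\" in user else ""
    for r in records:
        if r["Domain Name"].upper() == domain:
            if r["Domain Name"] in local_domains or r["DNS Domain"]:
                return "ok"
            return "incomplete"
    return "missing"


def main():
    if shutil.which("wbinfo"):
        text = subprocess.run(["wbinfo", "-m", "--verbose"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_WBINFO_M  # no winbindd here: use the constructed sample
    for name in incomplete_domains(parse_wbinfo_m(text)):
        print(f"{name}: known to winbindd but without DNS name/trust type "
              f"(trust enumeration did not reach this domain)")


if __name__ == "__main__":
    main()
```

On a live member server the script runs `wbinfo -m --verbose` itself; without wbinfo in PATH it falls back to the embedded sample. An entry reported as incomplete is the state Ralph describes above; a domain that is absent altogether is the state in which find_domain_from_name_noinit() fails and the logon is refused.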


Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 01:10:12PM +0100, Ralph Böhme via samba-technical wrote:

> On Tue, Nov 28, 2017 at 01:02:13PM +0100, Volker Lendecke wrote:
> > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > auth still fails because add_trusted_domain() will only be called in the domain
> > > child, but not in the parent where we call find_domain_from_name_noinit().
> >
> > Hmm. Ok. Right. We could do either of two things: Always request info3
> > from the child and pull the information in the parent before sending
> > it out, and secondly make it a message. Probably the first way is
> > cleaner, it creates less hidden, secret protocol elements.
>
> I'm not sure the resulting struct winbind_domain is sufficiently initialized as
> it lacks the DNS name and trust flags. I.e. after an attempt to auth a user from
> previously unseen trusted domains, wbinfo -m looks like this:

What do we need those flags for?

Volker



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 01:10:12PM +0100, Ralph Böhme via samba-technical wrote:
> Maybe it's simpler to push my patches, they fix the regression without the risk
> of introducing further issues. It basically restores behaviour to before the
> netlogon-creds patchset.

Just push your patches. Sorry for the noise.

Volker



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> auth still fails because add_trusted_domain() will only be called in the domain
> child, but not in the parent where we call find_domain_from_name_noinit().

What about that one?

Volker


Attachment: patch.txt (2K)

Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 01:19:28PM +0100, Volker Lendecke wrote:

> On Tue, Nov 28, 2017 at 01:10:12PM +0100, Ralph Böhme via samba-technical wrote:
> > On Tue, Nov 28, 2017 at 01:02:13PM +0100, Volker Lendecke wrote:
> > > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > > auth still fails because add_trusted_domain() will only be called in the domain
> > > > child, but not in the parent where we call find_domain_from_name_noinit().
> > >
> > > Hmm. Ok. Right. We could do either of two things: Always request info3
> > > from the child and pull the information in the parent before sending
> > > it out, and secondly make it a message. Probably the first way is
> > > cleaner, it creates less hidden, secret protocol elements.
> >
> > I'm not sure the resulting struct winbind_domain is sufficiently initialized as
> > it lacks the DNS name and trust flags. I.e. after an attempt to auth a user from
> > previously unseen trusted domains, wbinfo -m looks like this:
>
> What do we need those flags for?

E.g. add_trusted_domain_from_tdc() sets domain->active_directory based on
LSA_TRUST_TYPE_UPLEVEL. That might be relevant for idmap_rfc2307 and idmap_ad,
not sure.

-slow



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 01:21:35PM +0100, Volker Lendecke wrote:
> On Tue, Nov 28, 2017 at 01:10:12PM +0100, Ralph Böhme via samba-technical wrote:
> > Maybe it's simpler to push my patches, they fix the regression without the risk
> > of introducing further issues. It basically restores behaviour to before the
> > netlogon-creds patchset.
>
> Just push your patches. Sorry for the noise.

no prob.

-slow



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > auth still fails because add_trusted_domain() will only be called in the domain
> > child, but not in the parent where we call find_domain_from_name_noinit().
>
> What about that one?

hm, is this one supposed to go on-top of the previous one?

-slow



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 02:41:12PM +0100, Ralph Böhme wrote:
> On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
> > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > auth still fails because add_trusted_domain() will only be called in the domain
> > > child, but not in the parent where we call find_domain_from_name_noinit().
> >
> > What about that one?
>
> hm, is this one supposed to go on-top of the previous one?

applied on-top and it works, even with the subdomain behind the outgoing one-way
trust (subdom31):

$ ./bin/smbclient -U "subdom31\administrator%Passw0rd" //localhost/share -c quit
$ ./bin/smbclient -U "subdom11\administrator%Passw0rd" //localhost/share -c quit
$ bin/wbinfo -i "subdom31\administrator"
SUBDOM31\administrator:*:2060500:2060513::/home/SUBDOM31/administrator:/bin/false
$ bin/wbinfo -i "subdom11\administrator"
SUBDOM11\administrator:*:2120500:2120513::/home/SUBDOM11/administrator:/bin/false

-slow



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 02:41:12PM +0100, Ralph Böhme wrote:
> On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
> > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > auth still fails because add_trusted_domain() will only be called in the domain
> > > child, but not in the parent where we call find_domain_from_name_noinit().
> >
> > What about that one?
>
> hm, is this one supposed to go on-top of the previous one?

No, it should replace the second patch in the previous patchset.

Volker



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 02:46:37PM +0100, Ralph Böhme wrote:

> On Tue, Nov 28, 2017 at 02:41:12PM +0100, Ralph Böhme wrote:
> > On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
> > > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > > auth still fails because add_trusted_domain() will only be called in the domain
> > > > child, but not in the parent where we call find_domain_from_name_noinit().
> > >
> > > What about that one?
> >
> > hm, is this one supposed to go on-top of the previous one?
>
> applied on-top and it works, even with the subdomain behind the outgoing one-way
> trust (subdom31):
>
> $ ./bin/smbclient -U "subdom31\administrator%Passw0rd" //localhost/share -c quit
> $ ./bin/smbclient -U "subdom11\administrator%Passw0rd" //localhost/share -c quit
> $ bin/wbinfo -i "subdom31\administrator"
> SUBDOM31\administrator:*:2060500:2060513::/home/SUBDOM31/administrator:/bin/false
> $ bin/wbinfo -i "subdom11\administrator"
> SUBDOM11\administrator:*:2120500:2120513::/home/SUBDOM11/administrator:/bin/false

With or without your patches applied?

Volker



Re: [PATCH] Can't authenticate user from child-domain of trusted forest

On Tue, Nov 28, 2017 at 02:47:50PM +0100, Volker Lendecke wrote:

> On Tue, Nov 28, 2017 at 02:46:37PM +0100, Ralph Böhme wrote:
> > On Tue, Nov 28, 2017 at 02:41:12PM +0100, Ralph Böhme wrote:
> > > On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
> > > > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > > > auth still fails because add_trusted_domain() will only be called in the domain
> > > > > child, but not in the parent where we call find_domain_from_name_noinit().
> > > >
> > > > What about that one?
> > >
> > > hm, is this one supposed to go on-top of the previous one?
> >
> > applied on-top and it works, even with the subdomain behind the outgoing one-way
> > trust (subdom31):
> >
> > $ ./bin/smbclient -U "subdom31\administrator%Passw0rd" //localhost/share -c quit
> > $ ./bin/smbclient -U "subdom11\administrator%Passw0rd" //localhost/share -c quit
> > $ bin/wbinfo -i "subdom31\administrator"
> > SUBDOM31\administrator:*:2060500:2060513::/home/SUBDOM31/administrator:/bin/false
> > $ bin/wbinfo -i "subdom11\administrator"
> > SUBDOM11\administrator:*:2120500:2120513::/home/SUBDOM11/administrator:/bin/false
>
> With or without your patches applied?

without, just on-top of master.

-slow

