authorAndreas Schneider <asn@cryptomilk.org>2016-06-15 09:37:09 +0200
committerAndreas Schneider <asn@cryptomilk.org>2016-06-15 09:37:30 +0200
commit2b0a560ef1230e1079eb03a35a5b0eac59aac489 (patch)
tree9c6d2a9146c00c606779f9c11dafbc24780cd1d4
parent4d1ac173ea694d27da63a8471f8afff5ed984de7 (diff)
Fix resolving trusted domain users on domain member
-rw-r--r--samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch59
-rw-r--r--samba-4.4.5-fix_resolving_trusted_domain_users.patch68
-rw-r--r--samba.spec9
-rw-r--r--smb.conf.example2
4 files changed, 75 insertions, 63 deletions
diff --git a/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch b/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
deleted file mode 100644
index 06b5a83..0000000
--- a/samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From afb52fd865448042ddda6b660df159f93f344b93 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 12 Apr 2016 09:36:12 +0300
-Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
- domains DCs
-
- Allow cm_connect_netlogon() to talk to trusted domains' DCs when
- running in a domain member configuration.
-
- BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
----
- source3/winbindd/winbindd_cm.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 45e3fad..6f5a042 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2851,9 +2851,10 @@ retry:
- anonymous:
-
- /* Finally fall back to anonymous. */
-- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
-+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
-+ (IS_DC || domain->primary)) {
- status = NT_STATUS_DOWNGRADE_DETECTED;
-- DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
-+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
- "without connection level security, "
- "must set 'winbind sealed pipes = false' and "
- "'require strong key = false' to proceed: %s\n",
-@@ -3150,7 +3151,8 @@ retry:
-
- anonymous:
-
-- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
-+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
-+ (IS_DC || domain->primary)) {
- result = NT_STATUS_DOWNGRADE_DETECTED;
- DEBUG(1, ("Unwilling to make LSA connection to domain %s "
- "without connection level security, "
-@@ -3324,9 +3326,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
- TALLOC_FREE(netlogon_creds);
-
- if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
-+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
-+ (IS_DC || domain->primary)) {
- result = NT_STATUS_DOWNGRADE_DETECTED;
-- DEBUG(1, ("Unwilling to make connection to domain %s"
-+ DEBUG(1, ("Unwilling to make connection to domain %s "
- "without connection level security, "
- "must set 'winbind sealed pipes = false' and "
- "'require strong key = false' to proceed: %s\n",
---
-2.5.5
-
diff --git a/samba-4.4.5-fix_resolving_trusted_domain_users.patch b/samba-4.4.5-fix_resolving_trusted_domain_users.patch
new file mode 100644
index 0000000..68d48a1
--- /dev/null
+++ b/samba-4.4.5-fix_resolving_trusted_domain_users.patch
@@ -0,0 +1,68 @@
+From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 10 Jun 2016 16:51:18 +0200
+Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain
+ DCs
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee)
+---
+ source3/winbindd/winbindd_cm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 45e3fad..f1f98db 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+ struct cli_credentials *creds;
+ NTSTATUS status;
+ bool force_machine_account = false;
++ bool ok;
+
+ /* If we are a DC and this is not our own domain */
+
+@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+ CRED_DONT_USE_KERBEROS);
+ }
+
+- if (creds_domain != domain) {
++ /*
++ * When we contact our own domain and get a list of the trusted domain
++ * we have the information if we are able to contact the DC with
++ * with our machine account password.
++ */
++ ok = winbindd_can_contact_domain(domain);
++ if (!ok) {
+ /*
+ * We can only use schannel against a direct trust
+ */
+@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+
+ sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
++ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
++ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ conn->netlogon_flags = netlogon_creds->negotiate_flags;
+ TALLOC_FREE(netlogon_creds);
+
++ /*
++ * FIXME: Document in which case we are not able to contact
++ * a DC without schannel. Which information do we try to get
++ * from this DC?
++ */
+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+ if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+--
+2.8.4
+
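Review bot: The block comment added just before the `NETLOGON_NEG_AUTHENTICATED_RPC` check in cm_connect_netlogon_transport() is a FIXME phrased as an open question, so a reader still cannot tell why an unauthenticated netlogon connection would ever be acceptable; since this patch replaces the earlier one that exempted non-primary domains from `NT_STATUS_DOWNGRADE_DETECTED`, the comment should state the security-relevant outcome instead, e.g. `/* Without authenticated RPC we refuse to proceed for every domain, primary or trusted, when sealed pipes or a strong key are required; usable credentials for trusted DCs are chosen in get_trust_credentials() rather than by relaxing this check. */`. In the get_trust_credentials() hunk the new comment reads `to contact the DC with with our machine account password` (doubled `with`), and the schannel decision now rests on winbindd_can_contact_domain(), which is not shown here, so it is worth confirming it cannot report true for a domain that is not directly trusted before the machine-account path is taken. Both enclosing functions start and end outside the hunk.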
diff --git a/samba.spec b/samba.spec
index 39dd3aa..836eecd 100644
--- a/samba.spec
+++ b/samba.spec
@@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
-%define main_release 1
+%define main_release 2
%define samba_version 4.4.4
%define talloc_version 2.1.6
@@ -107,7 +107,7 @@ Source6: samba.pamd
Source200: README.dc
Source201: README.downgrade
-Patch0: samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+Patch0: samba-4.4.5-fix_resolving_trusted_domain_users.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -685,7 +685,7 @@ and use CTDB instead.
%prep
%setup -q -n samba-%{version}%{pre_release}
-%patch0 -p 1 -b .samba-4.4.2-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+%patch0 -p 1 -b .samba-4.4.5-fix_resolving_trusted_domain_users.patch
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1992,6 +1992,9 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
+* Wed Jun 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-2
+- Fix resolving trusted domain users on domain member
+
* Tue Jun 07 2016 Guenther Deschner <gdeschner@redhat.com> - 4.4.4-1
- Update to Samba 4.4.4
- resolves: #1343529
diff --git a/smb.conf.example b/smb.conf.example
index 9c35a51..7cfe647 100644
--- a/smb.conf.example
+++ b/smb.conf.example
@@ -295,7 +295,7 @@
; writable = no
; share modes = no
-# Un-comment the following to provide a specific roving profile share.
+# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles