Diffstat (limited to 'samba-4.4.5-fix_resolving_trusted_domain_users.patch')
-rw-r--r--samba-4.4.5-fix_resolving_trusted_domain_users.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/samba-4.4.5-fix_resolving_trusted_domain_users.patch b/samba-4.4.5-fix_resolving_trusted_domain_users.patch
new file mode 100644
index 0000000..68d48a1
--- /dev/null
+++ b/samba-4.4.5-fix_resolving_trusted_domain_users.patch
@@ -0,0 +1,68 @@
+From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 10 Jun 2016 16:51:18 +0200
+Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain
+ DCs
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee)
+---
+ source3/winbindd/winbindd_cm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 45e3fad..f1f98db 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+ struct cli_credentials *creds;
+ NTSTATUS status;
+ bool force_machine_account = false;
++ bool ok;
+
+ /* If we are a DC and this is not our own domain */
+
+@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
+ CRED_DONT_USE_KERBEROS);
+ }
+
+- if (creds_domain != domain) {
++ /*
++ * When we contact our own domain and get a list of the trusted domain
++ * we have the information if we are able to contact the DC with
++ * with our machine account password.
++ */
++ ok = winbindd_can_contact_domain(domain);
++ if (!ok) {
+ /*
+ * We can only use schannel against a direct trust
+ */
+@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+
+ sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
++ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
++ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
+ conn->netlogon_flags = netlogon_creds->negotiate_flags;
+ TALLOC_FREE(netlogon_creds);
+
++ /*
++ * FIXME: Document in which case we are not able to contact
++ * a DC without schannel. Which information do we try to get
++ * from this DC?
++ */
+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+ if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+--
+2.8.4
+
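Review bot: The comment added above `ok = winbindd_can_contact_domain(domain);` in get_trust_credentials() repeats "with with" and never says what the result decides, although a false result now selects the "We can only use schannel against a direct trust" branch. I would reword it along the lines of `/* The trusted-domain list obtained from our own domain tells us whether this DC can be contacted with our machine account password; only then keep the machine credentials for schannel. */`. winbindd_can_contact_domain() is not shown in this patch, so it is worth confirming what it returns before the trusted-domain list has been populated; a false at that point would presumably take the non-schannel path for a domain that could have been authenticated. The body of that branch and the rest of the function lie outside the hunk.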