The branch, master has been updated
       via  4b17d36 WHATSNEW: document some more new options
       via  b4e1e30 winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
       via  9fb3637 winbindd: add more trust types to get_trust_type_string
       via  95e3307 libwbclient: add more trust types
       via  05558dd wbinfo: support for local, workstation and routed trust types
       via  ec85579 libwbclient: add trust routing and more trust-types
       via  f12a43f winbindd: fix trust_is_oubound()
       via  09021f9 winbindd: fix trust_is_inbound()
       via  a39cf19 winbindd: transitive trust logic in trust_is_transitive()
       via  939592c winbindd: use add_trusted_domain_from_auth
       via  f4d27f2 winbindd: add add_trusted_domain_from_auth
       via  b2ea360 winbindd: add set_routing_domain()
       via  2e644af winbindd: add find_default_route_domain()
       via  40c9115 winbindd: avoid automatic enumerating trusts on DCs
       via  29e6d55 winbindd: load the trusted domains on a DC already in init_domain_list()
       via  fa3b81b pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
       via  f8bcd37 pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
       via  a556437 pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain
       via  3091ea3 pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions
       via  6f9232e pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()
       via  f362387 s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
       via  8fde1c6 s3/torture/pdbtest: delete trusted domain at test end
       via  f1bd7c8 s3/torture/pdbtest: creating a trusted domain requires a valid SID
       via  4b0641b winbindd: use find_trust_from_name_noinit when we require a direct trust
       via  2385e71 winbindd: add find_trust_from_{name,sid}_noinit()
       via  b724e01 winbindd: remember the secure_channel_type in winbindd_domain
       via  5bf2979 winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
       via  8587445 winbindd: initialize some stack pointers to NULL
       via  126d6ce winbindd: rename alternative_name to dns_name
       via  5ffade7 winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()
       via  c7c06fd winbindd: enforce valid SID in add_trusted_domain_from_tdc()
      from  e43ee33 winbindd: set info6 data in append_info3_as_txt
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b17d365bc8df7860ee28b5b0e1f53a9acf2b69d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jan 11 12:46:24 2018 +0100

    WHATSNEW: document some more new options

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Karolin Seeger <ksee...@samba.org>

    Autobuild-User(master): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(master): Sat Jan 13 17:12:38 CET 2018 on sn-devel-144

commit b4e1e3019a1475cb8c1e3ab9314693d6ed130923
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 29 16:02:28 2017 +0100

    winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 9fb36370a57904770e1c9ca96279a1854481d3f3
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Dec 13 08:53:16 2017 +0100

    winbindd: add more trust types to get_trust_type_string

    Add support for the following trust types: "Local", "Workstation",
    "RWDC", "RODC" and "Routed (via ...)".

    Where we previously returned "None" this now returns "Routed (via ...)",
    otherwise (hopefully) no change in behaviour.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 95e3307917b5731ab883ee5fce530c5b559b4934
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Dec 13 16:01:50 2017 +0100

    libwbclient: add more trust types

    Prepare libwbclient for additional trust types and trust routing.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 05558ddd7e91643c9b8bca92271252e6f5494b69
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Dec 13 16:02:22 2017 +0100

    wbinfo: support for local, workstation and routed trust types

    Prepare wbinfo for additional trust types and trust routing.

    This also modifies the output line for a "None" trust type by skipping
    the transitivity and direction -- that just doesn't make sense without
    a trust.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit ec85579d87aafba3a78ddd326cf125909007c349
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Dec 19 17:26:46 2017 +0100

    libwbclient: add trust routing and more trust-types

    This adds the struct member and the defines, the implementation comes
    later.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit f12a43f4876b4a6bf556ea760ffe8e21f2acacf8
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Nov 28 17:46:03 2017 +0100

    winbindd: fix trust_is_oubound()

    A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags
    = 0x0 does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 09021f920faba4dc4d2b2e1c0d3d4432e1a759d5
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Nov 28 17:44:41 2017 +0100

    winbindd: fix trust_is_inbound()

    A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags
    = 0x0 does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit a39cf19c2514d8f249951b77078683dd6a53504e
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Nov 28 17:32:59 2017 +0100

    winbindd: transitive trust logic in trust_is_transitive()

    trust_is_transitive() currently defaults to transitive=true, unless
    LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
    or LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

    This is not correct, for the trust to be transitive,
    LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
    must be set.

    Logic taken from dsdb_trust_routing_by_name().

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 939592c660263b6f9969c30e4c6a1903fcc75831
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Nov 29 10:55:25 2017 +0100

    winbindd: use add_trusted_domain_from_auth

    After a successful authentication, ensure we have the user's domain in
    our domain list and the TDC.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit f4d27f2bf9a32fec02da01351fa5af3867f4b1f7
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Nov 29 10:10:38 2017 +0100

    winbindd: add add_trusted_domain_from_auth

    Function to add a new trusted domain to the domain list and TDC after a
    successful authentication. On Member servers only, not on DCs though.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit b2ea3606a7f7325b0e2f5fae46346f8fbf489177
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Dec 13 17:11:25 2017 +0100

    winbindd: add set_routing_domain()

commit 2e644af16428ff6421459020a54cf20c296bc4df
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Dec 13 17:08:10 2017 +0100

    winbindd: add find_default_route_domain()

    On a member server this is just our primary domain. The logic for DCs is
    not yet implemented, on a DC of a child-domain in a forest this would be
    the parent domain.

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 40c91150e36e5818d4a4f25429ed600762cfd49b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 29 16:02:28 2017 +0100

    winbindd: avoid automatic enumerating trusts on DCs

    We have a static list of trusts based on our configuration.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 29e6d55909be1f17ffc140481a90000c1475e92e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 29 15:55:12 2017 +0100

    winbindd: load the trusted domains on a DC already in init_domain_list()

    We should do that in the parent as early as possible.
    Similar to our primary domain, which is also a direct trust.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit fa3b81b21c99093c531181acaac375b99c0816c6
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Dec 19 23:44:00 2017 +0100

    pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit f8bcd37058579ed435daebefd47efe374e9084d2
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Dec 11 07:57:27 2017 +0100

    pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit a55643701b7d1c8c51ef15484af9bf8bebce065d
Author: Ralph Boehme <s...@samba.org>
Date:   Sun Dec 10 20:03:37 2017 +0100

    pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 3091ea3b7a4f19f81b9a545ccc64f80e382e04ef
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Dec 1 08:41:29 2017 +0100

    pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 6f9232e26c8b4d4595c339d95977c9b1ca94a601
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Dec 1 07:59:59 2017 +0100

    pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit f362387352645c2252bd2412b0a25f7b085c8bc7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Dec 1 08:33:51 2017 +0100

    s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 8fde1c641da4ba23342bf36226ab9291a79acbad
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Dec 11 07:56:40 2017 +0100

    s3/torture/pdbtest: delete trusted domain at test end

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit f1bd7c8bb48abc8fabb8374f549b888fbdd3036c
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Dec 11 07:56:02 2017 +0100

    s3/torture/pdbtest: creating a trusted domain requires a valid SID

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 4b0641bf10f7561771cee2581e1d7fc4e183c826
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 30 13:04:56 2017 +0100

    winbindd: use find_trust_from_name_noinit when we require a direct trust

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 2385e719ba4835ca254eedbdfeffdd875912ec27
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 29 15:23:36 2017 +0100

    winbindd: add find_trust_from_{name,sid}_noinit()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit b724e01ec767caebbfa3723d8346d640a511ded1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 29 15:10:38 2017 +0100

    winbindd: remember the secure_channel_type in winbindd_domain

    This way we have an indication of non direct trusts with SEC_CHAN_NULL.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 5bf2979bb6e22c6d3f7565c13329aa60fdce4e0f
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Dec 16 11:34:23 2017 +0100

    winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()

    This extends add_trusted_domain() to be the one true one-stop function
    to add a winbindd domain.

    add_trusted_domain_from_tdc() used a struct winbindd_tdc_domain to fill
    in the winbindd domain which made it hard to track which attributes
    would be required and which are optional.

    Pair-programmed-with: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 85874458852697df8f7c45fb9e7f848367d07a07
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 10 12:14:57 2018 +0100

    winbindd: initialize some stack pointers to NULL

    This reduces the diff in the following commit.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 126d6ceecfc4371187eec3497a5bae09ec0d159a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 10 12:14:57 2018 +0100

    winbindd: rename alternative_name to dns_name

    This reduces the diff in the following commit.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 5ffade7b29292c671aca51bd82e25de8723d6852
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Dec 15 21:13:52 2017 +0100

    winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()

    Unique key for domains is the NetBIOS name, period. If the caller passes
    a domain name that matches a different domain's DNS name or vice versa,
    that is an error. The same applies to SIDs.

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c7c06fd23813a61fdb10745e3ee2838206319bdd
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Dec 15 21:09:15 2017 +0100

    winbindd: enforce valid SID in add_trusted_domain_from_tdc()

    It's the caller's responsibility to ensure we get a valid SID. Adding
    half-baked domains with only partially valid data is a recipe for
    disaster.

Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 21 +- .../winbind/winbindscantrusteddomains.xml | 29 + lib/param/loadparm.c | 1 + nsswitch/libwbclient/wbc_util.c | 16 +- nsswitch/libwbclient/wbclient.h | 7 + nsswitch/wbinfo.c | 21 +- source3/param/loadparm.c | 1 + source3/passdb/pdb_samba_dsdb.c | 877 ++++++++++++++++++++- source3/torture/pdbtest.c | 13 + source3/winbindd/winbindd.c | 15 +- source3/winbindd/winbindd.h | 2 + source3/winbindd/winbindd_irpc.c | 2 +- source3/winbindd/winbindd_misc.c | 211 ++++- source3/winbindd/winbindd_pam_auth.c | 15 + source3/winbindd/winbindd_pam_auth_crap.c | 24 +- source3/winbindd/winbindd_ping_dc.c | 2 +- source3/winbindd/winbindd_proto.h | 8 + source3/winbindd/winbindd_util.c | 711 +++++++++++++---- source4/dsdb/common/util_trusts.c | 65 ++ 19 files changed, 1853 insertions(+), 188 deletions(-) create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 94278b3..f1e43f4 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -95,15 +95,18 @@ smb.conf changes client schannel Default changed/ yes Deprecated gpo update command New + ldap ssl ads Deprecated map untrusted to domain Removed oplock contention limit Removed - prefork children New 1 + prefork children New 1 mdns name Added netbios fruit:time machine Added false profile acls Removed use spnego Removed server schannel Default changed/ yes Deprecated + unicode Deprecated + winbind scan trusted domains New yes winbind trusted domains only Removed 
@@ -150,6 +153,22 @@ reversed to match the parameter ordering of the UNIX extensions 'symlink' command. The usage message for this command has also been improved to remove confusion. +Winbind changes +--------------- + +The dependency to global list of trusted domains within +the winbindd processes has been reduced a lot. + +The construction of that global list is not reliable and often +incomplete in complex trust setups. In most situations the list is not needed +any more for winbindd to operate correctly. E.g. for plain file serving via SMB +using a simple idmap setup with autorid, tdb or ad. However some more complex +setups require the list, e.g. if you specify idmap backends for specific +domains. Some pam_winbind setups may also require the global list. + +If you have a setup that doesn't require the global list, you should set +"winbind scan trusted domains = no". + REMOVED FEATURES ================ diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml new file mode 100644 index 0000000..31afdc9 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml 
@@ -0,0 +1,29 @@ +<samba:parameter name="winbind scan trusted domains" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This option only takes effect when the <smbconfoption name="security"/> option is set to + <constant>domain</constant> or <constant>ads</constant>. + If it is set to yes (the default), winbindd periodically tries to scan for new + trusted domains and adds them to a global list inside of winbindd. + The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>. + This matches the behaviour of Samba 4.7 and older.</para> + + <para>The construction of that global list is not reliable and often + incomplete in complex trust setups. In most situations the list is + not needed any more for winbindd to operate correctly. + E.g. for plain file serving via SMB using a simple idmap setup + with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>. + However some more complex setups require the list, e.g. + if you specify idmap backends for specific domains. + Some pam_winbind setups may also require the global list.</para> + + <para>If you have a setup that doesn't require the global list, you should set + <smbconfoption name="winbind scan trusted domains">no</smbconfoption>. + </para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index a18407d..f265459 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\"); lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True"); lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); diff --git a/nsswitch/libwbclient/wbc_util.c b/nsswitch/libwbclient/wbc_util.c index 3dab0a2..ecfcaa0 100644 --- a/nsswitch/libwbclient/wbc_util.c +++ b/nsswitch/libwbclient/wbc_util.c @@ -455,8 +455,22 @@ static wbcErr process_domain_info_string(struct wbcDomainInfo *info, *s = '\0'; s++; - if (strcmp(r, "None") == 0) { + if (strcmp(r, "Local") == 0) { info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE; + } else if (strncmp(r, "Routed", strlen("Routed")) == 0) { + info->trust_type = WBC_DOMINFO_TRUSTTYPE_NONE; + info->trust_routing = strdup(r); + BAIL_ON_PTR_ERROR(info->trust_routing, wbc_status); + } else if (strcmp(r, "Local") == 0) { + info->trust_type = WBC_DOMINFO_TRUSTTYPE_LOCAL; + } else if (strcmp(r, "Workstation") == 0) { + info->trust_type = WBC_DOMINFO_TRUSTTYPE_WKSTA; + } else if (strcmp(r, "RWDC") == 0) { + info->trust_type = WBC_DOMINFO_TRUSTTYPE_RWDC; + } else if (strcmp(r, "RODC") == 0) { + info->trust_type = WBC_DOMINFO_TRUSTTYPE_RODC; + } else if (strcmp(r, "PDC") == 0) { + info->trust_type = WBC_DOMINFO_TRUSTTYPE_PDC; } else if (strcmp(r, "External") == 0) { info->trust_type = WBC_DOMINFO_TRUSTTYPE_EXTERNAL; } else if (strcmp(r, "Forest") == 0) { diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h index ed97a67..81a6a6a 100644 --- a/nsswitch/libwbclient/wbclient.h +++ b/nsswitch/libwbclient/wbclient.h 
@@ -187,6 +187,7 @@ struct wbcDomainInfo { uint32_t domain_flags; uint32_t trust_flags; uint32_t trust_type; + char *trust_routing; }; /* wbcDomainInfo->domain_flags */ @@ -209,6 +210,12 @@ struct wbcDomainInfo { #define WBC_DOMINFO_TRUSTTYPE_FOREST 0x00000001 #define WBC_DOMINFO_TRUSTTYPE_IN_FOREST 0x00000002 #define WBC_DOMINFO_TRUSTTYPE_EXTERNAL 0x00000003 +#define WBC_DOMINFO_TRUSTTYPE_LOCAL 0x00000004 +#define WBC_DOMINFO_TRUSTTYPE_WKSTA 0x00000005 +#define WBC_DOMINFO_TRUSTTYPE_RWDC 0x00000006 +#define WBC_DOMINFO_TRUSTTYPE_RODC 0x00000007 +#define WBC_DOMINFO_TRUSTTYPE_PDC 0x00000008 + /** * @brief Generic Blob diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index 9cd299a..54d5758 100644 --- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c @@ -536,7 +536,26 @@ static bool wbinfo_list_domains(bool list_all_domains, bool verbose) switch(domain_list[i].trust_type) { case WBC_DOMINFO_TRUSTTYPE_NONE: - d_printf("None "); + if (domain_list[i].trust_routing != NULL) { + d_printf("%s\n", domain_list[i].trust_routing); + } else { + d_printf("None\n"); + } + continue; + case WBC_DOMINFO_TRUSTTYPE_LOCAL: + d_printf("Local\n"); + continue; + case WBC_DOMINFO_TRUSTTYPE_RWDC: + d_printf("RWDC\n"); + continue; + case WBC_DOMINFO_TRUSTTYPE_RODC: + d_printf("RODC\n"); + continue; + case WBC_DOMINFO_TRUSTTYPE_PDC: + d_printf("PDC\n"); + continue; + case WBC_DOMINFO_TRUSTTYPE_WKSTA: + d_printf("Workstation "); break; case WBC_DOMINFO_TRUSTTYPE_FOREST: d_printf("Forest "); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 582c875..f1f453e 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -822,6 +822,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL); Globals.winbind_refresh_tickets = false; Globals.winbind_offline_logon = false; + Globals.winbind_scan_trusted_domains = true; Globals.idmap_cache_time = 86400 * 7; /* a week by default */ Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */ diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 58168d8..16a7a85 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -40,6 +40,8 @@ #include "source4/auth/auth_sam.h" #include "auth/credentials/credentials.h" #include "lib/util/base64.h" +#include "libcli/ldap/ldap_ndr.h" +#include "lib/util/util_ldb.h" struct pdb_samba_dsdb_state { struct tevent_context *ev; @@ -2132,7 +2134,7 @@ static bool pdb_samba_dsdb_sid_to_id(struct pdb_methods *m, const struct dom_sid static uint32_t pdb_samba_dsdb_capabilities(struct pdb_methods *m) { - return PDB_CAP_STORE_RIDS | PDB_CAP_ADS; + return PDB_CAP_STORE_RIDS | PDB_CAP_ADS | PDB_CAP_TRUSTED_DOMAINS_EX; } static bool pdb_samba_dsdb_new_rid(struct pdb_methods *m, uint32_t *rid) 
@@ -2878,11 +2880,871 @@ static bool pdb_samba_dsdb_del_trusteddom_pw(struct pdb_methods *m, static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m, TALLOC_CTX *mem_ctx, - uint32_t *num_domains, - struct trustdom_info ***domains) + uint32_t *_num_domains, + struct trustdom_info ***_domains) { - *num_domains = 0; - *domains = NULL; + struct pdb_samba_dsdb_state *state = talloc_get_type_abort( + m->private_data, struct pdb_samba_dsdb_state); + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + const char * const attrs[] = { + "securityIdentifier", + "flatName", + "trustDirection", + NULL + }; + struct ldb_result *res = NULL; + unsigned int i; + struct trustdom_info **domains = NULL; + NTSTATUS status; + uint32_t di = 0; + + *_num_domains = 0; + *_domains = NULL; + + status = dsdb_trust_search_tdos(state->ldb, NULL, + attrs, tmp_ctx, &res); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("dsdb_trust_search_tdos() - %s ", nt_errstr(status)); + TALLOC_FREE(tmp_ctx); + return status; + } + + if (res->count == 0) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_OK; + } + + domains = talloc_zero_array(tmp_ctx, struct trustdom_info *, + res->count); + if (domains == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < res->count; i++) { + struct ldb_message *msg = res->msgs[i]; + struct trustdom_info *d = NULL; + const char *name = NULL; + struct dom_sid *sid = NULL; + uint32_t direction; + + d = talloc_zero(domains, struct trustdom_info); + if (d == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + name = ldb_msg_find_attr_as_string(msg, "flatName", NULL); + if (name == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + sid = samdb_result_dom_sid(msg, msg, "securityIdentifier"); + if (sid == NULL) { + continue; + } + + direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0); + if (!(direction & LSA_TRUST_DIRECTION_OUTBOUND)) { + continue; + } + + d->name = talloc_strdup(d, name); + 
if (d->name == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + d->sid = *sid; + + domains[di++] = d; + } + + talloc_realloc(domains, domains, struct trustdom_info *, di); + *_domains = talloc_move(mem_ctx, &domains); + *_num_domains = di; + TALLOC_FREE(tmp_ctx); + return NT_STATUS_OK; +} + +static NTSTATUS pdb_samba_dsdb_msg_to_trusted_domain(const struct ldb_message *msg, + TALLOC_CTX *mem_ctx, + struct pdb_trusted_domain **_d) +{ + struct pdb_trusted_domain *d = NULL; + const char *str = NULL; + struct dom_sid *sid = NULL; + const struct ldb_val *val = NULL; + uint64_t val64; + + *_d = NULL; + + d = talloc_zero(mem_ctx, struct pdb_trusted_domain); + if (d == NULL) { + return NT_STATUS_NO_MEMORY; + } + + str = ldb_msg_find_attr_as_string(msg, "flatName", NULL); + if (str == NULL) { + TALLOC_FREE(d); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + d->netbios_name = talloc_strdup(d, str); + if (d->netbios_name == NULL) { + TALLOC_FREE(d); + return NT_STATUS_NO_MEMORY; + } + + str = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL); + if (str != NULL) { + d->domain_name = talloc_strdup(d, str); + if (d->domain_name == NULL) { + TALLOC_FREE(d); + return NT_STATUS_NO_MEMORY; + } + } + + sid = samdb_result_dom_sid(d, msg, "securityIdentifier"); + if (sid != NULL) { + d->security_identifier = *sid; + TALLOC_FREE(sid); + } + + val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing"); + if (val != NULL) { + d->trust_auth_outgoing = data_blob_dup_talloc(d, *val); + if (d->trust_auth_outgoing.data == NULL) { + TALLOC_FREE(d); + return NT_STATUS_NO_MEMORY; + } + } + val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming"); + if (val != NULL) { + d->trust_auth_incoming = data_blob_dup_talloc(d, *val); + if (d->trust_auth_incoming.data == NULL) { + TALLOC_FREE(d); + return NT_STATUS_NO_MEMORY; + } + } + + d->trust_direction = ldb_msg_find_attr_as_uint(msg, "trustDirection", 0); + d->trust_type = ldb_msg_find_attr_as_uint(msg, "trustType", 0); + 
d->trust_attributes = ldb_msg_find_attr_as_uint(msg, "trustAttributes", 0); + + val64 = ldb_msg_find_attr_as_uint64(msg, "trustPosixOffset", UINT64_MAX); + if (val64 != UINT64_MAX) { + d->trust_posix_offset = talloc(d, uint32_t); + if (d->trust_posix_offset == NULL) { + TALLOC_FREE(d); + return NT_STATUS_NO_MEMORY; + } + *d->trust_posix_offset = (uint32_t)val64; + } + + val64 = ldb_msg_find_attr_as_uint64(msg, "msDS-SupportedEncryptionTypes", UINT64_MAX); + if (val64 != UINT64_MAX) { + d->supported_enc_type = talloc(d, uint32_t); + if (d->supported_enc_type == NULL) { + TALLOC_FREE(d); + return NT_STATUS_NO_MEMORY; + } + *d->supported_enc_type = (uint32_t)val64; + } + + val = ldb_msg_find_ldb_val(msg, "msDS-TrustForestTrustInfo"); + if (val != NULL) { + d->trust_forest_trust_info = data_blob_dup_talloc(d, *val); + if (d->trust_forest_trust_info.data == NULL) { + TALLOC_FREE(d); + return NT_STATUS_NO_MEMORY; + } + } + + *_d = d; + return NT_STATUS_OK; +} + +static NTSTATUS pdb_samba_dsdb_get_trusted_domain(struct pdb_methods *m, + TALLOC_CTX *mem_ctx, + const char *domain, + struct pdb_trusted_domain **td) +{ + struct pdb_samba_dsdb_state *state = talloc_get_type_abort( + m->private_data, struct pdb_samba_dsdb_state); + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + const char * const attrs[] = { + "securityIdentifier", + "flatName", + "trustPartner", + "trustAuthOutgoing", + "trustAuthIncoming", + "trustAttributes", + "trustDirection", + "trustType", + "trustPosixOffset", + "msDS-SupportedEncryptionTypes", + "msDS-TrustForestTrustInfo", + NULL + }; + struct ldb_message *msg = NULL; + struct pdb_trusted_domain *d = NULL; + NTSTATUS status; + + status = dsdb_trust_search_tdo(state->ldb, domain, NULL, + attrs, tmp_ctx, &msg); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("dsdb_trust_search_tdo(%s) - %s ", + domain, nt_errstr(status)); + TALLOC_FREE(tmp_ctx); + return status; + } + + status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d); + if 
(!NT_STATUS_IS_OK(status)) { + DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ", + domain, nt_errstr(status)); + TALLOC_FREE(tmp_ctx); + return status; + } + + *td = d; + TALLOC_FREE(tmp_ctx); + return NT_STATUS_OK; +} + +static NTSTATUS pdb_samba_dsdb_get_trusted_domain_by_sid(struct pdb_methods *m, + TALLOC_CTX *mem_ctx, + struct dom_sid *sid, + struct pdb_trusted_domain **td) +{ + struct pdb_samba_dsdb_state *state = talloc_get_type_abort( + m->private_data, struct pdb_samba_dsdb_state); + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + const char * const attrs[] = { + "securityIdentifier", + "flatName", + "trustPartner", + "trustAuthOutgoing", + "trustAuthIncoming", + "trustAttributes", + "trustDirection", + "trustType", + "trustPosixOffset", + "msDS-SupportedEncryptionTypes", + "msDS-TrustForestTrustInfo", + NULL + }; + struct ldb_message *msg = NULL; + struct pdb_trusted_domain *d = NULL; + NTSTATUS status; + + status = dsdb_trust_search_tdo_by_sid(state->ldb, sid, + attrs, tmp_ctx, &msg); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("dsdb_trust_search_tdo_by_sid(%s) - %s ", + dom_sid_string(tmp_ctx, sid), nt_errstr(status)); + TALLOC_FREE(tmp_ctx); + return status; + } + + status = pdb_samba_dsdb_msg_to_trusted_domain(msg, mem_ctx, &d); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("pdb_samba_dsdb_msg_to_trusted_domain(%s) - %s ", + dom_sid_string(tmp_ctx, sid), nt_errstr(status)); + TALLOC_FREE(tmp_ctx); + return status; + } + + *td = d; + TALLOC_FREE(tmp_ctx); + return NT_STATUS_OK; +} + -- Samba Shared Repository
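Review bot: the new "Winbind changes" section in the WHATSNEW.txt hunk opens with "The dependency to global list of trusted domains within the winbindd processes has been reduced a lot", which is ungrammatical for release notes; suggest "The dependency on the global list of trusted domains within the winbindd processes has been reduced considerably." The following paragraph is reused almost verbatim in docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml, so any wording change should be applied to both copies.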
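Review bot: in the nsswitch/libwbclient/wbc_util.c hunk the first comparison in process_domain_info_string() was changed from `strcmp(r, "None")` to `strcmp(r, "Local")` while still assigning WBC_DOMINFO_TRUSTTYPE_NONE, so the later `} else if (strcmp(r, "Local") == 0) {` that maps to WBC_DOMINFO_TRUSTTYPE_LOCAL is dead code, and a plain "None" string (which wbinfo_list_domains() still prints for an unrouted domain without a trust) no longer matches the NONE branch at all. The first branch should keep comparing against "None". Separately, trust_routing is filled with strdup() here but nothing in the visible hunks releases it; check that the wbcDomainInfo destructor frees trust_routing, otherwise every routed entry leaks a string each time the domain list is built.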
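Review bot: the nsswitch/libwbclient/wbclient.h hunk adds `char *trust_routing;` to struct wbcDomainInfo, which is a public structure returned by the library in arrays (wbinfo indexes it as domain_list[i]); changing its size is an ABI change for any consumer built against the previous header. No version bump is visible in the hunk, so the library version macros in this header should be raised in the same commit, and the new member deserves a short comment like the surrounding fields so callers know it is only set for WBC_DOMINFO_TRUSTTYPE_NONE entries and who owns the string.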
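Review bot: in the nsswitch/wbinfo.c hunk the commit message for 05558dd says only the "None" line drops transitivity and direction, but the new Local, RWDC, RODC and PDC cases also `d_printf("...\n"); continue;`, while Workstation prints "Workstation " and falls through to `break`, so it is the only local type that still emits transitivity and direction. Either this asymmetry is intended and should be stated in the commit message, or the Workstation case should `continue` like its siblings. Note also that the routed case prints trust_routing verbatim, which per commit 9fb3637 has the form "Routed (via ...)", so the first column of that output line now contains spaces; anything that splits wbinfo --trusted-domains --verbose output on whitespace will parse it differently.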
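Review bot: in the source3/passdb/pdb_samba_dsdb.c hunk, pdb_samba_dsdb_enum_trusteddoms() discards the result of `talloc_realloc(domains, domains, struct trustdom_info *, di);`. talloc_realloc may move the array, and when di == 0 (every TDO was skipped for lacking a securityIdentifier or an outbound trustDirection) it frees the array and returns NULL, so the following `*_domains = talloc_move(mem_ctx, &domains);` hands the caller a dangling pointer. Assign the return value back to domains, and return NT_STATUS_OK with the output parameters already zeroed before reaching the realloc when di == 0. In the same loop each `d` is talloc_zero()ed on `domains` before the SID and direction checks, so skipped entries remain attached to the returned array; allocate after the checks or TALLOC_FREE(d) on each `continue`. Minor: the identical attrs[] array in pdb_samba_dsdb_get_trusted_domain() and pdb_samba_dsdb_get_trusted_domain_by_sid() could be one shared static const array so the two cannot drift apart.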