The branch, master has been updated
       via  31b5328 s4:kdc: disable support for CROSS_ORGANIZATION domains
       via  d0a813a s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in 
samba_kdc_trust_message2entry()
       via  274209f s4:kdc: make use of dsdb_trust_parse_tdo_info() in 
samba_kdc_trust_message2entry()
       via  afd97e7 winbindd: disable support for CROSS_ORGANIZATION domains
      from  cb58e18 ldb: version 1.3.2

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 31b5328c46c5f510ba234f75688886987276ee9e
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 1 11:06:10 2018 +0100

    s4:kdc: disable support for CROSS_ORGANIZATION domains
    
    We don't support selective authentication yet,
    so we shouldn't silently allow domain wide authentication
    for such a trust.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144

commit d0a813a173be630c2def93cc55e4514204d265a2
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 1 11:10:14 2018 +0100

    s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in 
samba_kdc_trust_message2entry()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

commit 274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 1 11:10:14 2018 +0100

    s4:kdc: make use of dsdb_trust_parse_tdo_info() in 
samba_kdc_trust_message2entry()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

commit afd97e72090aaf31b084646b5fcecaeb8cde653d
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 1 11:06:10 2018 +0100

    winbindd: disable support for CROSS_ORGANIZATION domains
    
    We don't support selective authentication yet,
    so we shouldn't silently allow domain wide authentication
    for such a trust.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_util.c | 11 +++++++++
 source4/kdc/db-glue.c            | 48 +++++++++++++++++++++++++++++++---------
 2 files changed, 49 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 73e6b76..b19c42f 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -961,6 +961,17 @@ static bool add_trusted_domains_dc(void)
                        trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
                }
 
+               if (domains[i]->trust_attributes & 
LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+                       /*
+                        * We don't support selective authentication yet.
+                        */
+                       DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+                                   "domain[%s/%s]\n",
+                                   domains[i]->netbios_name,
+                                   domains[i]->domain_name);
+                       continue;
+               }
+
                status = add_trusted_domain(domains[i]->netbios_name,
                                            domains[i]->domain_name,
                                            &domains[i]->security_identifier,
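Review bot: The new comment above the `continue` says only that selective authentication is unsupported, not why skipping the domain is the correct fallback; a reader may later "fix" the warning by adding the domain anyway. I would expand it to `/* CROSS_ORGANIZATION marks a trust that requires selective authentication. Until that is implemented, registering it here would treat it as a domain-wide trust, so it is skipped instead. */`. The enclosing add_trusted_domains_dc() starts and ends outside this hunk, so I cannot tell whether the warning repeats on every refresh; if it does, it may be worth noting in the message that the trust is configured but ignored.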
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 69c54b0..8ccc34c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -57,14 +57,17 @@ enum trust_direction {
 };
 
 static const char *trust_attrs[] = {
+       "securityIdentifier",
+       "flatName",
        "trustPartner",
+       "trustAttributes",
+       "trustDirection",
+       "trustType",
+       "msDS-TrustForestTrustInfo",
        "trustAuthIncoming",
        "trustAuthOutgoing",
        "whenCreated",
        "msDS-SupportedEncryptionTypes",
-       "trustAttributes",
-       "trustDirection",
-       "trustType",
        NULL
 };
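Review bot: The additions to `trust_attrs` (securityIdentifier, flatName, trustAttributes, trustDirection, trustType, msDS-TrustForestTrustInfo) have no comment tying them to their consumer, so a later cleanup could drop one and the later dsdb_trust_parse_tdo_info() call would presumably fail at runtime rather than at compile time. I would add above the array `/* Must contain every attribute dsdb_trust_parse_tdo_info() reads; see samba_kdc_trust_message2entry(). */`. The dependency is inferred from the other hunks in this commit rather than visible here, so confirm the exact set the parser requires before documenting it.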
 
@@ -1167,7 +1170,6 @@ static krb5_error_code 
samba_kdc_trust_message2entry(krb5_context context,
 {
        struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
        const char *our_realm = lpcfg_realm(lp_ctx);
-       const char *dnsdomain = NULL;
        char *partner_realm = NULL;
        const char *realm = NULL;
        const char *krbtgt_realm = NULL;
@@ -1183,7 +1185,7 @@ static krb5_error_code 
samba_kdc_trust_message2entry(krb5_context context,
        uint32_t previous_kvno;
        uint32_t num_keys = 0;
        enum ndr_err_code ndr_err;
-       int ret, trust_direction_flags;
+       int ret;
        unsigned int i;
        struct AuthenticationInformationArray *auth_array;
        struct timeval tv;
@@ -1191,6 +1193,8 @@ static krb5_error_code 
samba_kdc_trust_message2entry(krb5_context context,
        uint32_t *auth_kvno;
        bool preferr_current = false;
        uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
+       struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+       NTSTATUS status;
 
        if (dsdb_functional_level(kdc_db_ctx->samdb) >= 
DS_DOMAIN_FUNCTION_2008) {
                supported_enctypes = ldb_msg_find_attr_as_uint(msg,
@@ -1198,20 +1202,44 @@ static krb5_error_code 
samba_kdc_trust_message2entry(krb5_context context,
                                        supported_enctypes);
        }
 
-       trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 
0);
-       if (!(trust_direction_flags & direction)) {
+       status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
+       if (!NT_STATUS_IS_OK(status)) {
+               krb5_clear_error_message(context);
+               ret = ENOMEM;
+               goto out;
+       }
+
+       if (!(tdo->trust_direction & direction)) {
+               krb5_clear_error_message(context);
+               ret = SDB_ERR_NOENTRY;
+               goto out;
+       }
+
+       if (tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+               /*
+                * Only UPLEVEL domains support kerberos here,
+                * as we don't support LSA_TRUST_TYPE_MIT.
+                */
+               krb5_clear_error_message(context);
+               ret = SDB_ERR_NOENTRY;
+               goto out;
+       }
+
+       if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+               /*
+                * We don't support selective authentication yet.
+                */
                krb5_clear_error_message(context);
                ret = SDB_ERR_NOENTRY;
                goto out;
        }
 
-       dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
-       if (dnsdomain == NULL) {
+       if (tdo->domain_name.string == NULL) {
                krb5_clear_error_message(context);
                ret = SDB_ERR_NOENTRY;
                goto out;
        }
-       partner_realm = strupper_talloc(mem_ctx, dnsdomain);
+       partner_realm = strupper_talloc(mem_ctx, tdo->domain_name.string);
        if (partner_realm == NULL) {
                krb5_clear_error_message(context);
                ret = ENOMEM;
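Review bot: The new `dsdb_trust_parse_tdo_info()` error path maps every failure status to `ENOMEM`, so a malformed or incomplete trust object in the directory is reported to the caller as an out-of-memory condition and nothing is logged, which makes such a misconfiguration hard to diagnose from the KDC side. I would keep ENOMEM only for the allocation case and log the rest, e.g. `DBG_WARNING("dsdb_trust_parse_tdo_info() failed: %s\n", nt_errstr(status));` followed by `ret = NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY) ? ENOMEM : SDB_ERR_NOENTRY;` in place of the unconditional `ret = ENOMEM;`. The three NOENTRY rejections below it (direction, trust type, CROSS_ORGANIZATION) are also silent, unlike the winbindd hunk in this commit which warns; a debug-level message naming the rejected partner would help operators distinguish "trust not found" from "trust deliberately ignored". samba_kdc_trust_message2entry() continues past the end of this hunk.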


-- 
Samba Shared Repository
