The branch, master has been updated
       via  201edcb5c61 winbindd: fix listing trusted domains with NT trusts
       via  000bbede59e selftest: test listing trusted domains that includes an NT4 domain
       via  53ca19851db s4/rpc_server: return NULL dns_name for NT4 trusts
       via  3a95e135472 selftest: add a test for NT4 trusts
       via  645a725603c selftest: create trust between fl2008r2dc and nt4_dc
       via  9725aa932e2 selftest: rename a variable in setup_fl2008r2dc()
       via  5420af69423 selftest: do early exit in setup_fl2008r2dc() if provision_fl2008r2dc() fails
       via  d0cdc81aa99 selftest: fix domain name of nt4_dc_smb1 environment
       via  9d933abd9e5 winbindd: call add_trusted_domains_dc() in smbcontrol reload-config handler
       via  60ac5b03ef1 winbindd: make add_trusted_domains_dc() public
       via  95bb2acbf06 winbindd: also apply schannel logic as an NT4 DC
       via  9b2920fd367 net: create creds for other domain
       via  449a968d3d1 net: support NT4 trusts in "net rpc trust create"
       via  15c07723765 net: fix credentials in trustdom establish
       via  340753a2554 net: remove a newline
      from  c82a267b2a1 s3:passdb: smbpasswd reset permissions only if not 0600
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------

commit 201edcb5c6138488959e54e7df88007d010f1cfb
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Jan 13 11:40:55 2024 +0100

    winbindd: fix listing trusted domains with NT trusts

    Commit e07f8901ec95aab8c36965000de185d99e642644 broke handling of NT4
    domains which lack a DNS domain name. As the dns_name is NULL,
    talloc_steal(dns_name) returns NULL, which causes _wbint_ListTrustedDomains
    to return NT_STATUS_NO_MEMORY.

    To make things worse, at that point the new struct netr_DomainTrust is not
    yet initialized correctly and the "out->count = n + 1" already increased the
    array counter at the start of the loop without initializing it. Later when
    NDR-pushing the result in dcesrv_call_dispatch_local(), the ndr_push() can
    crash when accessing the uninitialized values:

    2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
    2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD)
    2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
    2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
    2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames:
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #11 bin/shared/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x49b) [0x7f1397be6219]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #12 winbindd: domain child [ADDOMAIN](winbindd_dual_ndrcmd+0x375) [0x55741e67a204]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #13 winbindd: domain child [ADDOMAIN](+0x9cf0d) [0x55741e674f0d]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #14 winbindd: domain child [ADDOMAIN](+0x9f792) [0x55741e677792]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #15 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_fd_handler+0x121) [0x7f139802f816]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #16 bin/shared/private/libtevent-samba4.so(+0x19cef) [0x7f139803bcef]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #17 bin/shared/private/libtevent-samba4.so(+0x1a3dc) [0x7f139803c3dc]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #18 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #19 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #20 winbindd: domain child [ADDOMAIN](+0xa03ca) [0x55741e6783ca]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #21 winbindd: domain child [ADDOMAIN](+0x9ba9c) [0x55741e673a9c]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #22 bin/shared/private/libtevent-samba4.so(_tevent_req_notify_callback+0xba) [0x7f139803194a]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #23 bin/shared/private/libtevent-samba4.so(+0xfadb) [0x7f1398031adb]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #24 bin/shared/private/libtevent-samba4.so(_tevent_req_done+0x25) [0x7f1398031b07]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #25 bin/shared/private/libtevent-samba4.so(+0xf125) [0x7f1398031125]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #26 bin/shared/private/libtevent-samba4.so(+0xe9cf) [0x7f13980309cf]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #27 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_immediate_handler+0x207) [0x7f1398030343]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #28 bin/shared/private/libtevent-samba4.so(tevent_common_loop_immediate+0x37) [0x7f13980304b5]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #29 bin/shared/private/libtevent-samba4.so(+0x1a332) [0x7f139803c332]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #30 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #31 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #32 winbindd: domain child [ADDOMAIN](main+0x1689) [0x55741e6b210a]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #33 /lib64/libc.so.6(+0x27b8a) [0x7f1396864b8a]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #34 /lib64/libc.so.6(__libc_start_main+0x8b) [0x7f1396864c4b]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #35 winbindd: domain child [ADDOMAIN](_start+0x25) [0x55741e63a045]
    2023-12-08T14:07:42.760685+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: smb_panic(): calling panic action [cd /data/git/samba/scratch3 && /data/git/samba/scratch3/selftest/gdb_backtrace 157227 ./bin/winbindd]

    Deferring assignment of r->out.domains->array and r->out.domains->count to
    the end of the function ensures we don't return inconsistent state in case
    of an error.

    Also, r->out.domains is already set by the NDR layer, no need to create and
    assign a struct netr_DomainTrustList object.

    Using talloc_move() ensures we don't leave dangling pointers. Better to
    crash reliably on accessing NULL than accessing some unknown memory via a
    wild pointer. As talloc_move() can't fail, there's no need to check the
    return value. And using a struct initializer ensures all members are
    properly initialized.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224

commit 000bbede59e4ca78427fa57b56fa251d4d779adb
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 17:42:33 2024 +0100

    selftest: test listing trusted domains that includes an NT4 domain

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 53ca19851dbfc3cab7345424c029a7c90745e24a
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 19:12:34 2024 +0100

    s4/rpc_server: return NULL dns_name for NT4 trusts

    That's what Windows returns for an NT4 trust:

        array: struct netr_DomainTrust
            netbios_name             : *
                netbios_name             : 'NT4TRUST'
            dns_name                 : NULL
            trust_flags              : 0x00000020 (32)
                   0: NETR_TRUST_FLAG_IN_FOREST
                   0: NETR_TRUST_FLAG_OUTBOUND
                   0: NETR_TRUST_FLAG_TREEROOT
                   0: NETR_TRUST_FLAG_PRIMARY
                   0: NETR_TRUST_FLAG_NATIVE
                   1: NETR_TRUST_FLAG_INBOUND
                   0: NETR_TRUST_FLAG_MIT_KRB5
                   0: NETR_TRUST_FLAG_AES
            parent_index             : 0x00000000 (0)
            trust_type               : LSA_TRUST_TYPE_DOWNLEVEL (1)
            trust_attributes         : 0x00000000 (0)
                   0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                   0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                   0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                   0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                   0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                   0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                   0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                   0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                   0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
                   0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
                   0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
            sid                      : *
                sid                      : S-1-5-21-4267984555-3675415144-1682400025
            guid                     : 00000000-0000-0000-0000-000000000000

    Even though when creating the trust the DNS name must not be NULL and the
    trustPartner and name attributes are set to the flatName in the
    trustedDomain object:

        dn: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
        objectClass: top
        objectClass: leaf
        objectClass: trustedDomain
        cn: NT4TRUST
        distinguishedName: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
        instanceType: 4
        whenCreated: 20240118175040.0Z
        whenChanged: 20240118175040.0Z
        uSNCreated: 4939915
        uSNChanged: 4939916
        showInAdvancedViewOnly: TRUE
        name: NT4TRUST
        objectGUID: c2273b74-19ff-4f5a-b528-9e5ae21960dd
        securityIdentifier: S-1-5-21-4267984555-3675415144-1682400025
        trustDirection: 1
        trustPartner: NT4TRUST
        trustPosixOffset: 0
        trustType: 1
        trustAttributes: 0
        flatName: NT4TRUST
        objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=wdom2,DC=site
        isCriticalSystemObject: TRUE
        dSCorePropagationData: 16010101000000.0Z

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3a95e135472a495a90637e5dc0f9e3c8de052ff9
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 10 14:50:05 2024 +0100

    selftest: add a test for NT4 trusts

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 645a725603ca03f27c1347b1e2ed9fea94a6319d
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Jan 13 08:48:54 2024 +0100

    selftest: create trust between fl2008r2dc and nt4_dc

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9725aa932e24622566baf208586d1fe03885da9f
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 16:04:34 2024 +0100

    selftest: rename a variable in setup_fl2008r2dc()

    Prepares for adding another variable with a similar name.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5420af6942307e045be1317edc323ee3ff9f379b
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 11 12:02:43 2024 +0100

    selftest: do early exit in setup_fl2008r2dc() if provision_fl2008r2dc() fails

    No change in behaviour.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d0cdc81aa99031b0c067c7f8cf2ec0dc99d57da5
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 10 18:13:46 2024 +0100

    selftest: fix domain name of nt4_dc_smb1 environment

    It had the same workgroup as the nt4_dc environment:

        $ grep workgroup st/nt4_dc/lib/server.conf st/nt4_dc_smb1/lib/server.conf
        st/nt4_dc/lib/server.conf:      workgroup = SAMBA-TEST
        st/nt4_dc_smb1/lib/server.conf: workgroup = SAMBA-TEST

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9d933abd9e578de74bd4c5a8bcfcf6924262a8e2
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 15:38:45 2024 +0100

    winbindd: call add_trusted_domains_dc() in smbcontrol reload-config handler

    This allows reloading trust info on an NT4 DC without restarting winbindd.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 60ac5b03ef15de73744e0f86507849fb4b55d96f
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 15:38:10 2024 +0100

    winbindd: make add_trusted_domains_dc() public

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 95bb2acbf066049f92c16836a2cdaea3aae829cc
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Jan 16 15:36:01 2024 +0100

    winbindd: also apply schannel logic as an NT4 DC

    This applies the same logic we already added in
    06601b3a9293db35feda1b033fa864dc1a764164 for AD DCs wrt IPC
    authentication when running as an NT4 DC in cm_prepare_connection().

    Similarly adjust the check in cm_connect_lsa() added in
    3e17a3b7cd4083299037ba9377931bea792b2d18 and in
    cm_connect_netlogon_transport() added by
    532a14dc684e7a6d8c584d5671a4ebbad00aa4fc for
    cm_connect_netlogon_transport().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9b2920fd367d26cfbf6f6f442a5c01fae4734abd
Author: Ralph Boehme <s...@samba.org>
Date:   Sun Jan 14 08:34:17 2024 +0100

    net: create creds for other domain

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 449a968d3d18633e05db7d00ab76c7a52b04a54c
Author: Ralph Boehme <s...@samba.org>
Date:   Sat Jan 13 08:51:48 2024 +0100

    net: support NT4 trusts in "net rpc trust create"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 15c07723765c6863a0ada9dfbaaa204604500907
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 10 15:06:14 2024 +0100

    net: fix credentials in trustdom establish

    This was broken by ea071d278a614f17b5417d3ff98e1b8d1fd8970d.

    I guess the whole opt_user_specified dance should be ripped out, but
    that's a fix for another day.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 340753a2554ce9a842a6c90d684fb0510def81a1
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 10 15:03:49 2024 +0100

    net: remove a newline

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/target/Samba.pm                      |  7 +++
 selftest/target/Samba3.pm                     | 10 ++--
 selftest/target/Samba4.pm                     | 75 ++++++++++++++++++++++-----
 source3/script/tests/test_list_nt4_trust.sh   | 25 +++++++++
 source3/script/tests/test_nt4_trust.sh        | 31 +++++++++++
 source3/selftest/tests.py                     |  8 +++
 source3/utils/net_rpc.c                       | 10 ++--
 source3/utils/net_rpc_trust.c                 | 32 ++++++++----
 source3/winbindd/winbindd_cm.c                | 12 ++---
 source3/winbindd/winbindd_dual.c              |  6 +++
 source3/winbindd/winbindd_dual_srv.c          | 58 +++++++++------------
 source3/winbindd/winbindd_proto.h             |  1 +
 source3/winbindd/winbindd_util.c              |  4 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++-
 14 files changed, 218 insertions(+), 73 deletions(-)
 create mode 100755 source3/script/tests/test_list_nt4_trust.sh
 create mode 100755 source3/script/tests/test_nt4_trust.sh


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 7cf222235af..5a717f94766 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -921,6 +921,13 @@ my @exported_envvars = ( "TRUST_E_BOTH_DOMAIN", "TRUST_E_BOTH_REALM", + # stuff related to a trusted NT4 domain, + # used for one-way trust fl2008r2dc <- nt4_dc + "NT4_TRUST_SERVER", + "NT4_TRUST_SERVER_IP", + "NT4_TRUST_DOMAIN", + "NT4_TRUST_DOMSID", + # domain controller stuff "DC_SERVER", "DC_SERVER_IP", diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 5b3d31ea535..c8489407e01 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm 
@@ -262,7 +262,7 @@ sub check_env($$) sub setup_nt4_dc { - my ($self, $path, $more_conf, $server) = @_; + my ($self, $path, $more_conf, $domain, $server) = @_; print "PROVISIONING NT4 DC..."; @@ -312,12 +312,15 @@ sub setup_nt4_dc if (defined($more_conf)) { $nt4_dc_options = $nt4_dc_options . $more_conf; } + if (!defined($domain)) { + $domain = "SAMBA-TEST"; + } if (!defined($server)) { $server = "LOCALNT4DC2"; } my $vars = $self->provision( prefix => $path, - domain => "SAMBA-TEST", + domain => $domain, server => $server, password => "localntdc2pass", extra_options => $nt4_dc_options); @@ -352,7 +355,7 @@ sub setup_nt4_dc_smb1 client min protocol = CORE server min protocol = LANMAN1 "; - return $self->setup_nt4_dc($path, $conf, "LCLNT4DC2SMB1"); + return $self->setup_nt4_dc($path, $conf, "NT4SMB1", "LCLNT4DC2SMB1"); } sub setup_nt4_dc_smb1_done @@ -1415,6 +1418,7 @@ sub setup_ad_member_idmap_ad idmap config $dcvars->{TRUST_DOMAIN} : backend = ad idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 gensec_gssapi:requested_life_time = 5 + winbind scan trusted domains = yes "; my $ret = $self->provision( diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index dd1400633e8..2d449e4a652 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -2376,7 +2376,7 @@ sub check_env($$) ad_dc_no_nss => ["dns_hub"], ad_dc_no_ntlm => ["dns_hub"], - fl2008r2dc => ["ad_dc"], + fl2008r2dc => ["ad_dc", "nt4_dc"], fl2003dc => ["ad_dc"], fl2000dc => ["ad_dc"], 
@@ -2571,25 +2571,76 @@ sub setup_fl2003dc sub setup_fl2008r2dc { - my ($self, $path, $dc_vars) = @_; + my ($self, $path, $ad_dc_vars, $nt4_dc_vars) = @_; my $env = $self->provision_fl2008r2dc($path); - if (defined $env) { - if (not defined($self->check_or_start($env, "standard"))) { - return undef; - } + if (!defined $env) { + return $env; + } + + if (not defined($self->check_or_start($env, "standard"))) { + return undef; + } - my $upn_array = ["$env->{REALM}.upn"]; - my $spn_array = ["$env->{REALM}.spn"]; + my $upn_array = ["$env->{REALM}.upn"]; + my $spn_array = ["$env->{REALM}.spn"]; - if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) { - return undef; - } + if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) { + return undef; + } - $env = $self->setup_trust($env, $dc_vars, "forest", ""); + $env = $self->setup_trust($env, $ad_dc_vars, "forest", ""); + if (!defined $env) { + return undef; } + my $net = Samba::bindir_path($self, "net"); + my $smbcontrol = Samba::bindir_path($self, "smbcontrol"); + + my $trustpw = "TrUsTpW"; + $trustpw .= "$env->{SOCKET_WRAPPER_DEFAULT_IFACE}"; + $trustpw .= "$nt4_dc_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}"; + + my $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$env->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; + $cmd .= "$net rpc trust create "; + $cmd .= "otherdomainsid=$nt4_dc_vars->{SAMSID} "; + $cmd .= "otherdomain=$nt4_dc_vars->{DOMAIN} "; + $cmd .= "other_netbios_domain=$nt4_dc_vars->{DOMAIN} "; + $cmd .= "trustpw=$trustpw "; + $cmd .= "$env->{CONFIGURATION} "; + $cmd .= "-U $env->{DOMAIN}/$env->{USERNAME}\%$env->{PASSWORD} "; + + if (system($cmd) != 0) { + warn("net rpc trust create failed\n$cmd"); + return undef; + } + + $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$nt4_dc_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$nt4_dc_vars->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; + $cmd 
.= "$net rpc trustdom establish $env->{DOMAIN} -U/%$trustpw $nt4_dc_vars->{CONFIGURATION}"; + + if (system($cmd) != 0) { + warn("add failed\n$cmd"); + return undef; + } + + # Reload trusts + $cmd = "$smbcontrol winbindd reload-config $nt4_dc_vars->{CONFIGURATION}"; + + if (system($cmd) != 0) { + warn("add failed\n$cmd"); + return undef; + } + + $env->{NT4_TRUST_SERVER} = $nt4_dc_vars->{SERVER}; + $env->{NT4_TRUST_SERVER_IP} = $nt4_dc_vars->{SERVER_IP}; + $env->{NT4_TRUST_DOMAIN} = $nt4_dc_vars->{DOMAIN}; + $env->{NT4_TRUST_DOMSID} = $nt4_dc_vars->{DOMSID}; + return $env; } diff --git a/source3/script/tests/test_list_nt4_trust.sh b/source3/script/tests/test_list_nt4_trust.sh new file mode 100755 index 00000000000..03ee7fc7063 --- /dev/null +++ b/source3/script/tests/test_list_nt4_trust.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +incdir=$(dirname $0)/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +wbinfo="$BINDIR/wbinfo" +smbclient="$BINDIR/smbclient" + +test_trust_wbinfo_m() { + i=0 + # Give the server some time to list trusted domains + while [ $i -lt 10 ] ; do + $wbinfo -m --verbose | grep "SAMBA-TEST" && return 0 + sleep 2 + i=$((i + 1)) + done + return 1 +} + +testit "nt4trust_wbinfo_m" test_trust_wbinfo_m || failed=$(expr $failed + 1) + +testok $0 $failed diff --git a/source3/script/tests/test_nt4_trust.sh b/source3/script/tests/test_nt4_trust.sh new file mode 100755 index 00000000000..b3d6ca60dc7 --- /dev/null +++ b/source3/script/tests/test_nt4_trust.sh 
@@ -0,0 +1,31 @@ +#!/bin/sh + +incdir=$(dirname $0)/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +wbinfo="$BINDIR/wbinfo" +smbclient="$BINDIR/smbclient" + +test_trust_wbinfo_m() { + i=0 + # Give the server some time to list trusted domains + while [ $i -lt 10 ] ; do + $wbinfo -m | grep SAMBA-TEST && return 0 + sleep 2 + i=$((i + 1)) + done + return 1 +} + +test_trust_smbclient() { + $smbclient //$NT4_TRUST_SERVER_IP/tmp -U "$DOMAIN/$DOMAIN_USER%$DOMAIN_USER_PASSWORD" -c quit || return 1 + return 0 +} + +testit "nt4trust_wbinfo_m" test_trust_wbinfo_m || failed=$(expr $failed + 1) +testit "nt4trust_smbclient" test_trust_smbclient || failed=$(expr $failed + 1) + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 08518f57663..0901c2480c8 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -1857,6 +1857,14 @@ plansmbtorture4testsuite( "vfs.fruit_validate_afpinfo", "fileserver", '//$SERVER_IP/vfs_fruit_zero_fileid -U$USERNAME%$PASSWORD --option=torture:validate_afpinfo=no') +plantestsuite("samba3.blackbox.nt4_trusts", + "fl2008r2dc", + [os.path.join(samba3srcdir, "script/tests/test_nt4_trust.sh")]) + +plantestsuite("samba3.blackbox.list_nt4_trusts", + "ad_member_idmap_ad", + [os.path.join(samba3srcdir, "script/tests/test_list_nt4_trust.sh")]) + def planclusteredmembertestsuite(tname, prefix): '''Define a clustered test for the clusteredmember environment''' diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 814c34d5ffc..2a12b1a1335 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -6542,9 +6542,9 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, TALLOC_CTX *mem_ctx; NTSTATUS nt_status, result; struct dom_sid *domain_sid; - char* domain_name; char* acct_name; + const char *pwd = NULL; fstring pdc_name; union lsa_PolicyInformation *info = NULL; struct dcerpc_binding_handle *b; 
@@ -6581,6 +6581,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, SAFE_FREE(acct_name); return -1; } + cli_credentials_set_username(c->creds, acct_name, CRED_SPECIFIED); /* * opt_workgroup will be used by connection functions further, @@ -6590,9 +6591,6 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, c->opt_workgroup = smb_xstrdup(domain_name); }; - c->opt_user_name = acct_name; - c->opt_user_specified = true; - /* find the domain controller */ if (!net_find_pdc(&server_ss, pdc_name, domain_name)) { DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name)); @@ -6705,7 +6703,9 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, * Store the password in secrets db */ - if (!pdb_set_trusteddom_pw(domain_name, c->opt_password, domain_sid)) { + pwd = cli_credentials_get_password(c->creds); + + if (!pdb_set_trusteddom_pw(domain_name, pwd, domain_sid)) { DEBUG(0, ("Storing password for trusted domain failed.\n")); cli_shutdown(cli); talloc_destroy(mem_ctx); diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c index a5e397471f0..a3354ad68d4 100644 --- a/source3/utils/net_rpc_trust.c +++ b/source3/utils/net_rpc_trust.c @@ -116,6 +116,18 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx, struct lsa_CreateTrustedDomainEx2 r; struct lsa_TrustDomainInfoInfoEx trustinfo; struct policy_handle trustdom_handle; + bool is_nt4 = trust_name_dns == NULL; + + if (!is_nt4) { + fprintf(stdout, "Creating AD trust\n"); + trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL; + trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; + } else { + fprintf(stdout, "Creating NT4 trust\n"); + trustinfo.trust_type = LSA_TRUST_TYPE_DOWNLEVEL; + trustinfo.trust_attributes = 0; + trust_name_dns = trust_name; + } trustinfo.sid = domsid; trustinfo.netbios_name.string = trust_name; 
@@ -124,10 +136,6 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx, trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND; - trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL; - - trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; - r.in.policy_handle = pol_hnd; r.in.info = &trustinfo; r.in.auth_info_internal = authinfo; @@ -408,7 +416,7 @@ static void print_trust_usage(void) "\totheruser=Admin user in other domain\n" "\totherdomainsid=SID of other domain\n" "\tother_netbios_domain=NetBIOS/short name of other domain\n" - "\totherdomain=Full/DNS name of other domain\n" + "\totherdomain=Full/DNS name of other domain (if not used, create an NT4 trust)\n" "\ttrustpw=Trust password\n" "\nExamples:\n" "\tnet rpc trust create otherserver=oname otheruser=ouser -S lname -U luser\n" @@ -480,18 +488,24 @@ static int rpc_trust_common(struct net_context *net_ctx, int argc, } other_net_ctx->opt_host = other_dom_data->host; - other_net_ctx->opt_user_name = other_dom_data->user_name; - other_net_ctx->opt_user_specified = true; + other_net_ctx->creds = cli_credentials_init(other_net_ctx); + cli_credentials_parse_string(other_net_ctx->creds, + other_dom_data->user_name, + CRED_SPECIFIED); } else { dom_data[1].domsid = dom_sid_parse_talloc(mem_ctx, other_dom_data->domain_sid_str); dom_data[1].domain_name = other_dom_data->domain_name; dom_data[1].dns_domain_name = other_dom_data->dns_domain_name; + if (dom_data[1].dns_domain_name == NULL) { + fprintf(stdout, "No DNS domain name passed, " + "assuming NT4 trust!\n"); + } + if (dom_data[1].domsid == NULL || (op == TRUST_CREATE && - (dom_data[1].domain_name == NULL || - dom_data[1].dns_domain_name == NULL))) { + (dom_data[1].domain_name == NULL))) { DEBUG(0, ("Missing required argument.\n")); usage(); goto done; diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index a89c0bdbca1..1685edbabaa 100644 --- a/source3/winbindd/winbindd_cm.c 
+++ b/source3/winbindd/winbindd_cm.c @@ -701,7 +701,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing(); - if (IS_AD_DC) { + if (IS_DC) { if (domain->secure_channel_type == SEC_CHAN_NULL) { /* * Make sure we don't even try to @@ -809,7 +809,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, try_ipc_auth = true; } - if (IS_AD_DC) { + if (IS_DC) { /* * As AD DC we only use netlogon and lsa * using schannel over an anonymous transport @@ -2924,7 +2924,7 @@ retry: TALLOC_FREE(conn->lsa_pipe); - if (IS_AD_DC) { + if (IS_DC) { /* * Make sure we only use schannel as AD DC. */ @@ -3050,7 +3050,7 @@ retry: goto done; } - if (IS_AD_DC) { + if (IS_DC) { /* * Make sure we only use schannel as AD DC. */ @@ -3064,7 +3064,7 @@ retry: anonymous: - if (IS_AD_DC) { + if (IS_DC) { /* * Make sure we only use schannel as AD DC. */ @@ -3183,7 +3183,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, *cli = NULL; - if (IS_AD_DC) { + if (IS_DC) { if (domain->secure_channel_type == SEC_CHAN_NULL) { /* * Make sure we don't even try to diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index ff78b844688..e63b4052fd8 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -948,6 +948,7 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg, .msg_type = msg_type, .data = data, }; + bool ok; DBG_DEBUG("Got reload-config message\n"); @@ -963,6 +964,11 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg, tevent_thread_call_depth_set_callback(NULL, NULL); } + ok = add_trusted_domains_dc(); + if (!ok) { + DBG_ERR("add_trusted_domains_dc() failed\n"); + } + forall_children(winbind_msg_relay_fn, &state); } diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index f0fd18a8fa6..bbdaf6e5807 100644 
--- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c @@ -2055,10 +2055,11 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p, struct wbint_ListTrustedDomains *r) { struct winbindd_domain *domain = wb_child_domain(); - uint32_t i, n; + uint32_t i; NTSTATUS result; struct netr_DomainTrustList trusts; - struct netr_DomainTrustList *out = NULL; + uint32_t count = 0; + struct netr_DomainTrust *array = NULL; pid_t client_pid; if (domain == NULL) { @@ -2082,53 +2083,44 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p, return result; } - out = talloc_zero(p->mem_ctx, struct netr_DomainTrustList); - if (out == NULL) { - return NT_STATUS_NO_MEMORY; - } - - r->out.domains = out; - for (i=0; i<trusts.count; i++) { - if (trusts.array[i].sid == NULL) { + struct netr_DomainTrust *st = &trusts.array[i]; + struct netr_DomainTrust *dt = NULL; + + if (st->sid == NULL) { continue; } - if (dom_sid_equal(trusts.array[i].sid, &global_sid_NULL)) { + if (dom_sid_equal(st->sid, &global_sid_NULL)) { continue; } - n = out->count; - out->array = talloc_realloc(out, out->array, - struct netr_DomainTrust, - n + 1); - if (out->array == NULL) { + array = talloc_realloc(r->out.domains, array, + struct netr_DomainTrust, -- Samba Shared Repository
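Review bot: In the Samba3.pm hunk for setup_nt4_dc, the new $domain parameter is inserted before $server, so any existing caller that still passes the server name as the third positional argument would now pass it as the workgroup and silently get the default server name "LOCALNT4DC2"; setup_nt4_dc_smb1 is updated in this hunk, but the remaining call sites of setup_nt4_dc should be checked too.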
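Review bot: In the Samba4.pm hunk for setup_fl2008r2dc, the second and third system() failure paths both report `warn("add failed\n$cmd")`, copied from the trust-create block whose message does name its step; make them say which step failed ("net rpc trustdom establish failed" and "smbcontrol reload-config failed") so a broken provision can be diagnosed from the selftest log. The trust password also appears on the command line twice (`trustpw=$trustpw` and `-U/%$trustpw`), which is acceptable inside the socket-wrapper selftest but is not a pattern to copy into administrative tooling.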
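Review bot: In the new source3/script/tests/test_list_nt4_trust.sh, $smbclient is assigned but never used, and the expected domain name "SAMBA-TEST" is hard-coded rather than taken from an exported variable; if the NT4_TRUST_DOMAIN added to Samba.pm is available in the ad_member_idmap_ad environment, grep for "$NT4_TRUST_DOMAIN" instead, and use `grep -q` so the wbinfo output is not spliced into the subunit stream.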
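Review bot: In the new source3/script/tests/test_nt4_trust.sh, `$wbinfo -m | grep SAMBA-TEST` hard-codes the NT4 domain name although this test runs in fl2008r2dc, where setup_fl2008r2dc now exports NT4_TRUST_DOMAIN; grepping for "$NT4_TRUST_DOMAIN" keeps the test tied to the trust that was actually provisioned, and `grep -q` keeps the output out of the subunit stream.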
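Review bot: In the net_rpc.c hunk around pdb_set_trusteddom_pw, `pwd = cli_credentials_get_password(c->creds)` is stored without a NULL check; if no password was obtained, pdb_set_trusteddom_pw() is handed a NULL trust password. Return an error with a clear message before the store when pwd == NULL, next to the existing "Storing password for trusted domain failed." path.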
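Review bot: In the net_rpc_trust.c create_trust hunk, the NT4 branch sets trust_type = LSA_TRUST_TYPE_DOWNLEVEL and trust_attributes = 0, but the unchanged line below still sets trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND for both kinds, while the trustedDomain object quoted in the 53ca19851db commit message for a Windows-created NT4 trust has trustDirection: 1; either state in the commit message that a two-way NT4 trust is intended here or make the direction selectable. Also, the two fprintf(stdout, ...) calls put user-facing output into a function that otherwise only returns NTSTATUS; moving them to the caller keeps create_trust reusable.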
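Review bot: In the rpc_trust_common hunk, the return value of `cli_credentials_init(other_net_ctx)` is not checked before cli_credentials_parse_string() dereferences it; treat a NULL result as an allocation failure and `goto done`. The "No DNS domain name passed, assuming NT4 trust!" message is also printed for every op, not only TRUST_CREATE, which is misleading for operations where the DNS name is not required at all.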
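Review bot: In the winbindd_cm.c hunks, IS_AD_DC becomes IS_DC, but the comments kept as context still say "As AD DC we only use netlogon and lsa using schannel over an anonymous transport" and "Make sure we only use schannel as AD DC."; update them to say DC so they match the new condition, and say in the commit message of 95bb2acbf06 that schannel-only netlogon/lsa connections are now also enforced when running as an NT4 DC, since that is the security-relevant effect of the change.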
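Review bot: In the winbindd_dual.c hunk, a failing add_trusted_domains_dc() during reload-config is logged with DBG_ERR but the reload continues and the children are still told to reload; if that is intended (the trust list simply stays as it was), a one-line comment saying so would help, because this call now sits on a path where the error cannot be reported back to smbcontrol.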
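Review bot: In the winbindd_dual_srv.c hunk for _wbint_ListTrustedDomains, the realloc now hangs off r->out.domains and the visible loop no longer writes r->out.domains->count, which matches the commit message; the changeset is cut off at the talloc_realloc call, so the part to confirm in the full patch is that count is incremented only after the new element has been fully initialised via the struct initializer, and that r->out.domains->array and ->count are assigned once after the loop, so an error return leaves them at their initial values.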