author | Andrew Bartlett <abartlet@samba.org> | 2013-12-11 15:10:39 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2014-10-17 12:57:07 +0200 |
commit | be994ca579c6c302d9d6487c863699b3e4457210 (patch) | |
tree | 592891c48889512a78022ecacb4c3fc6d46134ef | |
parent | 0392ebcd1d48e9f472f2148b85316a77d9cc953b (diff) | |
download | samba-be994ca579c6c302d9d6487c863699b3e4457210.tar.gz samba-be994ca579c6c302d9d6487c863699b3e4457210.tar.xz samba-be994ca579c6c302d9d6487c863699b3e4457210.zip |
s3-winbindd: Use own machine account to connect to trusted domains as well
This relies on a two-way trust, which we may not have, but is the only
secure way to do this. To do this correctly we need to split NETLOGON
from normal authentication, as we need to use the machine account for
the SMB level, but the inter-domain trust account for the NETLOGON
level.
Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 1604df5d2f..7c1cb2bbd5 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -896,6 +896,7 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
  */
 static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
				      TALLOC_CTX *mem_ctx,
+				      bool netlogon,
				      struct cli_credentials **_creds)
 {
	const struct winbindd_domain *creds_domain = NULL;
@@ -904,7 +905,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
	/* If we are a DC and this is not our own domain */
-	if (IS_DC) {
+	if (IS_DC && netlogon) {
		creds_domain = domain;
	} else {
		creds_domain = find_our_domain();
@@ -946,6 +947,10 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
	return NT_STATUS_OK;
 ipc_fallback:
+	if (netlogon) {
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
	status = cm_get_ipc_credentials(mem_ctx, &creds);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
@@ -1055,7 +1060,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
	}
	if (try_ipc_auth) {
-		result = get_trust_credentials(domain, talloc_tos(), &creds);
+		result = get_trust_credentials(domain, talloc_tos(), false, &creds);
		if (!NT_STATUS_IS_OK(result)) {
			DEBUG(1, ("get_trust_credentials(%s) failed: %s\n",
				  domain->name, nt_errstr(result)));
@@ -2722,7 +2727,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
	 * anonymous.
	 */
-	result = get_trust_credentials(domain, talloc_tos(), &creds);
+	result = get_trust_credentials(domain, talloc_tos(), false, &creds);
	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(10, ("cm_connect_sam: No no user available for "
			   "domain %s, trying schannel\n", conn->cli->domain));
@@ -2980,7 +2985,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
	TALLOC_FREE(conn->lsa_pipe);
-	result = get_trust_credentials(domain, talloc_tos(), &creds);
+	result = get_trust_credentials(domain, talloc_tos(), false, &creds);
	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(10, ("cm_connect_sam: No no user available for "
			   "domain %s, trying schannel\n", conn->cli->domain));
@@ -3180,10 +3185,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
	conn->netlogon_flags = 0;
	TALLOC_FREE(conn->netlogon_creds);
-	result = get_trust_credentials(domain, talloc_tos(), &creds);
+	result = get_trust_credentials(domain, talloc_tos(), true, &creds);
	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(10, ("cm_connect_sam: No no user available for "
-			   "domain %s, trying schannel\n", conn->cli->domain));
+			   "domain %s when trying schannel\n", conn->cli->domain));
		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
	}
|
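Review bot: The new `bool netlogon` parameter of get_trust_credentials is not described anywhere, and its effect is not obvious from the signature: it changes which domain's account is selected (the `IS_DC && netlogon` condition in the second hunk) and it turns the `ipc_fallback:` path into a hard failure (third hunk). The function's header comment ends at the ` */` that opens this hunk, so its body lies outside the hunk; I would extend it with a sentence such as `netlogon: true when the credentials are for the NETLOGON/schannel connection; on a DC this selects the trusted domain's account and, on failure, returns an error instead of falling back to the IPC credentials.` The call sites now read `get_trust_credentials(domain, talloc_tos(), false, &creds)`, where a bare boolean literal tells the reader nothing; that is a style point only, and the header comment is what makes it acceptable.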
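Review bot: The comment `/* If we are a DC and this is not our own domain */` above the changed condition no longer matches it: `creds_domain = domain` is now chosen only when `netlogon` is also set, while a DC's non-NETLOGON connections to a trusted domain go through `find_our_domain()` exactly as a member server's do. I would reword it to `/* The trusted domain's own account is used only for NETLOGON on a DC; every other connection uses our own machine account, which requires a two-way trust */`. The two-way-trust dependency is stated only in the commit message, and recording it next to the condition is worth doing because, with a one-way trust, the own-machine-account path presumably fails later at authentication time rather than here, which is harder to trace back to this choice.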
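Review bot: The early `return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;` under `ipc_fallback:` is the security-relevant part of this change — it prevents a NETLOGON connection from being established with the generic IPC credentials, which the context of the cm_connect_sam hunk indicates may be anonymous — but nothing in the code says so and the caller only receives a generic status. I would add a why-comment, `/* NETLOGON/schannel must be authenticated with the trust account; never fall back to the (possibly anonymous) IPC credentials */`, and a `DEBUG(1, ("get_trust_credentials(%s): no trust credentials for NETLOGON\n", domain->name));` before the return, since the caller in cm_connect_netlogon_transport logs this failure only at level 10. The `status` value reached via the goto is not visible in this hunk; if it carries the reason the lookup failed, including `nt_errstr(status)` in that message would help diagnosis.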
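Review bot: The reworded DEBUG string in cm_connect_netlogon_transport still begins with `"cm_connect_sam: No no user available for "`, so the log line names the wrong function and keeps the doubled "No no"; since this string is being edited anyway I would change the first part to `DEBUG(10, ("cm_connect_netlogon_transport: No user available for "` together with the new `"domain %s when trying schannel\n"` continuation. The same stale `cm_connect_sam:` prefix appears in the context lines of the cm_connect_lsa hunk above this one. With the `true` argument this failure is now final — the function returns NT_STATUS_CANT_ACCESS_DOMAIN_INFO and discards `result` — so a level-10 message seems too quiet for an administrator diagnosing a broken trust; logging at a lower level and including `nt_errstr(result)` is worth considering.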