
Annotation of /rpms/samba/sme10/samba-4.4.5-fix_resolving_trusted_domain_users.patch



Revision 1.2 - (hide annotations) (download)
Tue May 8 16:37:54 2018 UTC (6 years, 1 month ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
upgrade to samba-4.6.2-12

1 unnilennium 1.1 From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001
2     From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3     Date: Fri, 10 Jun 2016 16:51:18 +0200
4     Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain
5     DCs
6    
7     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
8    
9     Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10     Signed-off-by: Guenther Deschner <gd@samba.org>
11     Signed-off-by: Andreas Schneider <asn@samba.org>
12     Reviewed-by: Alexander Bokovoy <ab@samba.org>
13     (cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee)
14     ---
15     source3/winbindd/winbindd_cm.c | 16 +++++++++++++++-
16     1 file changed, 15 insertions(+), 1 deletion(-)
17    
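diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 45e3fad..f1f98db 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 struct cli_credentials *creds;
 NTSTATUS status;
 bool force_machine_account = false;
+ bool ok;
 
 /* If we are a DC and this is not our own domain */
 
@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 CRED_DONT_USE_KERBEROS);
 }
 
- if (creds_domain != domain) {
+ /*
+ * When we contact our own domain and get a list of the trusted domain
+ * we have the information if we are able to contact the DC with
+ * with our machine account password.
+ */
+ ok = winbindd_can_contact_domain(domain);
+ if (!ok) {
 /*
 * We can only use schannel against a direct trust
 */
@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 if (sec_chan_type == SEC_CHAN_NULL) {
+ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
+ domain->name);
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
 
@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 conn->netlogon_flags = netlogon_creds->negotiate_flags;
 TALLOC_FREE(netlogon_creds);
 
+ /*
+ * FIXME: Document in which case we are not able to contact
+ * a DC without schannel. Which information do we try to get
+ * from this DC?
+ */
 if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 result = NT_STATUS_DOWNGRADE_DETECTED;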
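Review bot: The second hunk makes the schannel decision in get_trust_credentials depend on `winbindd_can_contact_domain(domain)`, but the comment above the call does not state what the helper guarantees and contains a doubled "with with". Because the branch it guards is the one commented "We can only use schannel against a direct trust", I would reword it to something like `/* The trusted-domain list from our own domain records whether this DC can be contacted with our machine account password. */`. The helper and the rest of the function lie outside the hunks, so whether dropping the `creds_domain != domain` test changes which credentials a DC uses for its own domain cannot be confirmed from this page. The FIXME added in the last hunk sits directly on the NETLOGON_NEG_AUTHENTICATED_RPC downgrade check and deserves a tracker reference rather than an open question left in the code.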
66     --
67     2.8.4
68    
