
Contents of /rpms/samba/sme10/samba-4.4.5-fix_resolving_trusted_domain_users.patch



Revision 1.2 - (show annotations) (download)
Tue May 8 16:37:54 2018 UTC (6 years ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
upgrade to samba-4.6.2-12

1 From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3 Date: Fri, 10 Jun 2016 16:51:18 +0200
4 Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain
5 DCs
6
7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
8
9 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10 Signed-off-by: Guenther Deschner <gd@samba.org>
11 Signed-off-by: Andreas Schneider <asn@samba.org>
12 Reviewed-by: Alexander Bokovoy <ab@samba.org>
13 (cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee)
14 ---
15 source3/winbindd/winbindd_cm.c | 16 +++++++++++++++-
16 1 file changed, 15 insertions(+), 1 deletion(-)
17
18 diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
19 index 45e3fad..f1f98db 100644
20 --- a/source3/winbindd/winbindd_cm.c
21 +++ b/source3/winbindd/winbindd_cm.c
22 @@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
23 struct cli_credentials *creds;
24 NTSTATUS status;
25 bool force_machine_account = false;
26 + bool ok;
27
28 /* If we are a DC and this is not our own domain */
29
30 @@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
31 CRED_DONT_USE_KERBEROS);
32 }
33
34 - if (creds_domain != domain) {
35 + /*
36 + * When we contact our own domain and get a list of the trusted domain
37 + * we have the information if we are able to contact the DC with
38 + * with our machine account password.
39 + */
40 + ok = winbindd_can_contact_domain(domain);
41 + if (!ok) {
42 /*
43 * We can only use schannel against a direct trust
44 */
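Review bot: The new guard `ok = winbindd_can_contact_domain(domain); if (!ok) {` makes the schannel decision depend on trust information that, per the added comment, only exists once the trusted-domain list has been fetched from our own domain. The comment should also say what the helper reports for a domain before that list has been loaded, because this branch decides whether the machine account credentials are used against the DC. The comment has a doubled word and would read better as `* we know whether we are able to contact the DC with our machine account password.` get_trust_credentials starts and ends outside the hunk, so what the `!ok` branch falls back to cannot be confirmed from here.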
45 @@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
46
47 sec_chan_type = cli_credentials_get_secure_channel_type(creds);
48 if (sec_chan_type == SEC_CHAN_NULL) {
49 + DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
50 + domain->name);
51 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
52 }
53
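Review bot: The warning text names `get_secure_channel_type`, which is not the function actually called on the line above (`cli_credentials_get_secure_channel_type`), so a search of the log for the real symbol will not find it. Describing the condition instead of abbreviating the callee is clearer for whoever triages a failed trust connection, for example `DBG_WARNING("No secure channel type (SEC_CHAN_NULL) for domain %s\n",`. The enclosing cm_connect_netlogon_transport continues outside the hunk.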
54 @@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
55 conn->netlogon_flags = netlogon_creds->negotiate_flags;
56 TALLOC_FREE(netlogon_creds);
57
58 + /*
59 + * FIXME: Document in which case we are not able to contact
60 + * a DC without schannel. Which information do we try to get
61 + * from this DC?
62 + */
63 if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
64 if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
65 result = NT_STATUS_DOWNGRADE_DETECTED;
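Review bot: The added FIXME leaves an open question directly above the downgrade check instead of documenting it. In the visible lines, a connection without `NETLOGON_NEG_AUTHENTICATED_RPC` only sets `result = NT_STATUS_DOWNGRADE_DETECTED` when `lp_winbind_sealed_pipes()` or `lp_require_strong_key()` is true. The comment should state that policy, and say what happens when both options are off, since that is the case where a DC is used without schannel. That path lies outside the hunk and should be confirmed before it is written down. A pointer to the bug in the BUG: trailer would let the FIXME be tracked rather than left as a bare question.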
66 --
67 2.8.4
68
