s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP agai…

…nst trusted domains. We're using only NCACN_NP here as we rely on the smb signing restrictions of cm_prepare_connection(). This should fix SMB authentication with a user of a domain behind a transitive trust. With this change winbindd is able to call dcerpc_netr_DsrEnumerateDomainTrusts against the dc of a trusted domain again. This only works for two-way trusts. The main problem is the usage of is_trusted_domain() which doesn't know about the domain, if winbindd can't enumerate the domains in the other forest. is_trusted_domain() is used in make_user_info_map(), which is called in auth3_check_password() before auth_check_ntlm_password(). That means we're mapping the user of such a domain to our own local sam, before calling our auth modules. A much better fix, which removes the usage of is_trusted_domain() in planed for master, but this should do the job for current releases. We should avoid talking to DCs of other domains and always go via our primary domain. As we should code with one-way trusts also, we need to avoid relying on a complete list of domains in future. For now "wbinfo -m" lists domains behind a two-way transitive trust again, but that is likely to change in future again! BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> (cherry picked from commit fffefe7)
samba-team · e084c4236ed015c92e6fad965bb2ebc4b24d2dbd · metze-samba committed with kseeger Feb 24, 2017 · Feb 24, 2017 · e084c42
1 parent 45abd7b
commit e084c4236ed015c92e6fad965bb2ebc4b24d2dbd
Unified Split

Showing with 22 additions and 1 deletion.

+22 −1 source3/winbindd/winbindd_cm.c
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
@@ -3239,7 +3239,28 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		if (transport == NCACN_IP_TCP) {
+			DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+				   " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n",
+				   domain->name);
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
+		DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+			   "fallback to noauth on NCACN_NP.\n",
+			   domain->name);
+
+		result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+							    transport,
+							    &ndr_table_netlogon,
+							    &conn->netlogon_pipe);
+		if (!NT_STATUS_IS_OK(result)) {
+			invalidate_cm_connection(domain);
+			return result;
+		}
+
+		*cli = conn->netlogon_pipe;
+		return NT_STATUS_OK;
 	}
 
 	result = rpccli_create_netlogon_creds_with_creds(creds,