From 6128cd4debc646dcf0da77a86ddf8cf669b9341b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 1 Feb 2018 11:06:10 +0100
Subject: [PATCH 1/4] winbindd: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet, so we shouldn't silently allow domain wide authentication for such a trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
(cherry picked from commit afd97e72090aaf31b084646b5fcecaeb8cde653d)
---
 source3/winbindd/winbindd_util.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 73e6b76..b19c42f 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -961,6 +961,17 @@ static bool add_trusted_domains_dc(void)
 trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
 }
+ if (domains[i]->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+ /*
+ * We don't support selective authentication yet.
+ */
+ DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to "
+ "domain[%s/%s]\n",
+ domains[i]->netbios_name,
+ domains[i]->domain_name);
+ continue;
+ }
+
 status = add_trusted_domain(domains[i]->netbios_name, domains[i]->domain_name, &domains[i]->security_identifier,
--
1.9.1
From fb3a95ad2a924e579e49a73f92c173a37e6c9f85 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 1 Feb 2018 11:10:14 +0100
Subject: [PATCH 2/4] s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
(cherry picked from commit 274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df)
---
 source4/kdc/db-glue.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 69c54b0..5ca2c06 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
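Review bot: The DBG_WARNING() in the added block says that a trust is being dropped but not why, so an administrator whose CROSS_ORGANIZATION trust silently disappears from winbindd's domain list will read it as a lookup failure rather than a deliberate policy; the reason given in the code comment belongs in the log line as well, e.g. `DBG_WARNING("Ignoring CROSS_ORGANIZATION trust to domain[%s/%s]: selective authentication is not supported\n", ...)`. Skipping the domain is the right fail-closed choice here, since without the selective-authentication checks the trust would otherwise grant the domain-wide authentication the commit message wants to avoid. The `continue` also bypasses whatever the remainder of the loop body sets up for the domain, so the trust will presumably not show up in enumerations at all; that is worth a sentence in the comment so nobody later "fixes" it by registering the domain anyway. add_trusted_domains_dc() starts and ends outside the hunk.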
@@ -57,14 +57,17 @@ enum trust_direction {
 };
 static const char *trust_attrs[] = {
+ "securityIdentifier",
+ "flatName",
 "trustPartner",
+ "trustAttributes",
+ "trustDirection",
+ "trustType",
+ "msDS-TrustForestTrustInfo",
 "trustAuthIncoming",
 "trustAuthOutgoing",
 "whenCreated",
 "msDS-SupportedEncryptionTypes",
- "trustAttributes",
- "trustDirection",
- "trustType",
 NULL
 };
@@ -1167,7 +1170,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 {
 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 const char *our_realm = lpcfg_realm(lp_ctx);
- const char *dnsdomain = NULL;
 char *partner_realm = NULL;
 const char *realm = NULL;
 const char *krbtgt_realm = NULL;
@@ -1183,7 +1185,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 uint32_t previous_kvno;
 uint32_t num_keys = 0;
 enum ndr_err_code ndr_err;
- int ret, trust_direction_flags;
+ int ret;
 unsigned int i;
 struct AuthenticationInformationArray *auth_array;
 struct timeval tv;
@@ -1191,6 +1193,8 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 uint32_t *auth_kvno;
 bool preferr_current = false;
 uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
+ struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+ NTSTATUS status;
 if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
 supported_enctypes = ldb_msg_find_attr_as_uint(msg,
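Review bot: The reworked `trust_attrs` array is now the only thing that decides which trustedDomain attributes are fetched for the `dsdb_trust_parse_tdo_info()` call this patch introduces into samba_kdc_trust_message2entry(), and nothing in the array records that coupling; the newly added entries (securityIdentifier, flatName, trustAttributes, trustDirection, trustType, msDS-TrustForestTrustInfo) are presumably exactly what the parser reads. A later change to the parser that reads one more attribute would then fail at runtime on every trust lookup rather than being caught at review. I would add a comment above the array: `/* Every attribute dsdb_trust_parse_tdo_info() reads must be listed here; keep the two in sync. */`. The other three hunks on this line only adjust local declarations and need no comment.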
@@ -1198,20 +1202,25 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 supported_enctypes);
 }
- trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
- if (!(trust_direction_flags & direction)) {
+ status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
+ if (!NT_STATUS_IS_OK(status)) {
+ krb5_clear_error_message(context);
+ ret = ENOMEM;
+ goto out;
+ }
+
+ if (!(tdo->trust_direction & direction)) {
 krb5_clear_error_message(context);
 ret = SDB_ERR_NOENTRY;
 goto out;
 }
- dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
- if (dnsdomain == NULL) {
+ if (tdo->domain_name.string == NULL) {
 krb5_clear_error_message(context);
 ret = SDB_ERR_NOENTRY;
 goto out;
 }
- partner_realm = strupper_talloc(mem_ctx, dnsdomain);
+ partner_realm = strupper_talloc(mem_ctx, tdo->domain_name.string);
 if (partner_realm == NULL) {
 krb5_clear_error_message(context);
 ret = ENOMEM;
--
1.9.1
From caadf6313e720ff18554a0a7196b6b4b29b12509 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 1 Feb 2018 11:10:14 +0100
Subject: [PATCH 3/4] s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
(cherry picked from commit d0a813a173be630c2def93cc55e4514204d265a2)
---
 source4/kdc/db-glue.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 5ca2c06..9d633a6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
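Review bot: Any failure of `dsdb_trust_parse_tdo_info()` is reported as `ENOMEM` in the new block, yet the helper parses several attributes of the trustedDomain object and presumably can fail on missing or malformed data as well as on allocation, so a corrupt or hand-edited trust object will be logged and surfaced as an out-of-memory condition. Map the status and record it instead: `DBG_WARNING("dsdb_trust_parse_tdo_info() failed: %s\n", nt_errstr(status));` followed by `ret = NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY) ? ENOMEM : SDB_ERR_NOENTRY;` (DBG_WARNING is what the winbindd patch in this series uses). Refusing the entry on any parse failure is the right fail-closed behaviour, because the direction, type and attribute checks that follow all rely on `tdo`; only the error code and the missing diagnostic are at issue. samba_kdc_trust_message2entry() continues outside the hunk on both sides.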
@@ -1215,6 +1215,16 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 goto out;
 }
+ if (tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
+ /*
+ * Only UPLEVEL domains support kerberos here,
+ * as we don't support LSA_TRUST_TYPE_MIT.
+ */
+ krb5_clear_error_message(context);
+ ret = SDB_ERR_NOENTRY;
+ goto out;
+ }
+
 if (tdo->domain_name.string == NULL) {
 krb5_clear_error_message(context);
 ret = SDB_ERR_NOENTRY;
--
1.9.1
From 863eeaab64d93417264f3b5c99324c6edc2d0005 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 1 Feb 2018 11:06:10 +0100
Subject: [PATCH 4/4] s4:kdc: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet, so we shouldn't silently allow domain wide authentication for such a trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144
(cherry picked from commit 31b5328c46c5f510ba234f75688886987276ee9e)
---
 source4/kdc/db-glue.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 9d633a6..8ccc34c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1225,6 +1225,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 goto out;
 }
+ if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
+ /*
+ * We don't support selective authentication yet.
+ */
+ krb5_clear_error_message(context);
+ ret = SDB_ERR_NOENTRY;
+ goto out;
+ }
+
 if (tdo->domain_name.string == NULL) {
 krb5_clear_error_message(context);
 ret = SDB_ERR_NOENTRY;
--
1.9.1
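Review bot: The comment in the new block names only LSA_TRUST_TYPE_MIT as unsupported, but the condition rejects every trust type other than UPLEVEL, which also covers DOWNLEVEL (NT4-style) trusts and any other value the attribute may carry; the comment should state the actual policy, e.g. `/* Only UPLEVEL (AD) trusts can do Kerberos here; DOWNLEVEL, MIT and any other trust type are rejected. */`. The rejection is also silent: `SDB_ERR_NOENTRY` makes the KDC answer as if the cross-realm principal did not exist, with nothing in the log to say the trust type was the reason, so a DBG_WARNING() naming `tdo->domain_name.string` and `tdo->trust_type` would save real time when a realm stops working after a trust is recreated. Placing the type check before the domain-name check is fine since both fail the same way. The function starts and ends outside the hunk.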
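Review bot: The new CROSS_ORGANIZATION rejection is the right fail-closed default, but neither the comment nor a log line records what a caller will observe: the KDC returns `SDB_ERR_NOENTRY`, i.e. behaves as though no trust account existed, and leaves no trace of why. I would extend the comment to `/* Selective authentication (CROSS_ORGANIZATION) is meant to restrict which resources trusted users may reach; until we enforce it we must not issue cross-realm tickets for such a trust at all. */` and emit a `DBG_WARNING()` naming `tdo->domain_name.string`, as the winbindd patch in this series does for the same condition. Note that winbindd drops such a trust at enumeration time while this check runs on every KDC lookup, so the two conditions must stay identical; a trust accepted by one layer and refused by the other would produce confusing partial failures. The function continues outside the hunk.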