From 4bcdf0add8d67530d1794ca6848a2f6d51138d15 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 28 Aug 2018 14:20:43 +0200
Subject: [PATCH 1/3] s3:auth_winbind: remove fallback to optional backend
This is not possible anymore.
BUG:...
Signed-off-by: Stefan Metzmacher
---
 source3/auth/auth.c | 2 +-
 source3/auth/auth_winbind.c | 16 ----------------
 2 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4df74f9f39fc..cdf4f1db4309 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -545,7 +545,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
 switch (lp_server_role()) {
 case ROLE_DOMAIN_BDC:
 case ROLE_DOMAIN_PDC:
- methods = "sam_netlogon3 winbind:trustdomain";
+ methods = "sam_netlogon3 winbind";
 break;
 default:
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 6bf2118037dc..10e6c53c1085 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -110,12 +110,6 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 }
 if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
- struct auth_methods *auth_method =
- (struct auth_methods *)my_private_data;
-
- if ( auth_method )
- return auth_method->auth(auth_context, auth_method->private_data,
- mem_ctx, user_info, server_info);
 return NT_STATUS_LOGON_FAILURE;
 }
@@ -164,16 +158,6 @@ static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char
 result->name = "winbind";
 result->auth = check_winbind_security;
- if (param && *param) {
- /* we load the 'fallback' module - if winbind isn't here, call this
- module */
- auth_methods *priv;
- if (!load_auth_module(auth_context, param, &priv)) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- result->private_data = (void *)priv;
- }
-
 *auth_method = result;
 return NT_STATUS_OK;
 }
-- 2.17.1
From 9900a9e5577712a72871f182b9598b81edad1e10 Mon Sep 17 00:00:00 2001
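Review bot: The new method string `"sam_netlogon3 winbind"` in make_auth3_context_for_netlogon drops the `:trustdomain` suffix, but nothing in this patch turns a leftover suffix into a visible error. With the fallback loader deleted from auth_init_winbind in the last hunk, its `param` argument (presumably still in the signature, which is truncated in the hunk header) is no longer read, so any other method list that still says `winbind:<module>` would be accepted and the suffix silently ignored. If such lists can exist outside this diff, a one-line trace in auth_init_winbind would make the behaviour change diagnosable, e.g. `if (param && *param) { DBG_WARNING("winbind: ignoring parameter '%s'\n", param); }`. Both functions start and end outside their hunks, so other uses of `param` cannot be ruled out from this page.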
From: Stefan Metzmacher
Date: Tue, 28 Aug 2018 14:23:21 +0200
Subject: [PATCH 2/3] s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
BUG:...
Signed-off-by: Stefan Metzmacher
---
 source3/auth/auth_winbind.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 10e6c53c1085..0f5d684ff18a 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -110,7 +110,7 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 }
 if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
- return NT_STATUS_LOGON_FAILURE;
+ return NT_STATUS_NO_LOGON_SERVERS;
 }
 if (wbc_status == WBC_ERR_AUTH_ERROR) {
-- 2.17.1
From a40d7786293ec61b3b904e8bb16c121326d7c13d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 28 Aug 2018 14:24:40 +0200
Subject: [PATCH 3/3] s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
BUG:...
Signed-off-by: Stefan Metzmacher
---
 source3/auth/auth_winbind.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 0f5d684ff18a..93b832265cfa 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "auth.h"
+#include "passdb.h"
 #include "nsswitch/libwbclient/wbclient.h"
 #undef DBGC_CLASS
@@ -110,7 +111,37 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
 }
 if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
- return NT_STATUS_NO_LOGON_SERVERS;
+ struct pdb_trusted_domain **domains = NULL;
+ uint32_t num_domains = 0;
+ NTSTATUS status;
+
+ if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as domain member: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ TALLOC_FREE(domains);
+
+ if (num_domains == 0) {
+ DBG_DEBUG("winbindd not running - ignoring without "
+ "trusted domains\n");
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ DBG_ERR("winbindd not running - "
+ "but required as DC with trusts: %s\n",
+ nt_errstr(status));
+ return status;
 }
 if (wbc_status == WBC_ERR_AUTH_ERROR) {
-- 2.17.1
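Review bot: In the `pdb_enum_trusted_domains()` failure branch, `return status;` hands whatever the passdb backend returned straight back as the authentication result. A few lines further down `NT_STATUS_NOT_IMPLEMENTED` is returned on purpose to mean "ignore the missing winbindd", so a backend that fails the enumeration with that same code would presumably be handled as "no trusts" rather than as an error. Keeping the `DBG_ERR` with the real status and then failing closed with `return NT_STATUS_NO_LOGON_SERVERS;` would keep the two cases apart. The role test only singles out `ROLE_DOMAIN_MEMBER`, so every other server role reaches the enumeration, not just the NT4 PDC/BDC named in the subject; a short comment stating that this is intended would help. check_winbind_security starts and ends outside the hunk.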