From 73d4a2c330644313692fc92b9a14bf0f011b1bbb Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 14 Jan 2021 08:14:46 +0100 Subject: [PATCH 01/12] selftest: use correct DNS domain name for wrapper hosts file For some reason the join fails to register the DNS records when provisioning the member env: Using short domain name -- SAMBA2008R2 Joined 'IDMAPADMEMBER' to dns domain 'samba2008r2.example.com' DNS Update for idmapadmember.samba.example.com failed: ERROR_DNS_UPDATE_FAILED At the same time the hosts file used by the wrappers contains the wrong fqdn. As a result the test that the next commit is going do add fails due do the broken DNS resolution: ... UNEXPECTED(failure): samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_ok_krb5(ad_member_idmap_ad:local) REASON: Exception: Exception: do_connect: Connection to idmapadmember.samba2008r2.example.com failed (Error NT_STATUS_UNSUCCESSFUL) ... Checking DNS in the testenv, first the working record for the main DC: testenv$ dig @10.53.57.64 dc7.samba2008r2.example.com +short 10.53.57.27 testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com dc7 A -U Administrator%locDCpass7 Name=, Records=1, Children=0 A: 10.53.57.27 (flags=f0, serial=1, ttl=900) Now the failing idmapadmember: testenv$ dig @10.53.57.64 idmapadmember.samba2008r2.example.com +short testenv$ bin/samba-tool dns query dc7 samba2008r2.example.com idmapadmember A -U Administrator%locDCpass7 ERROR: Record or zone does not exist. Fixing the hosts file lets the tests work, fixing the broken DNS record registration is a task for another day. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit e1fc84138ca118c4187d87b7be4a7e6dd771dc4f) --- selftest/target/Samba3.pm | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index ee20528a325..b3f0bca0110 100755 
--- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -761,6 +761,7 @@ sub provision_ad_member my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "LOCALADMEMBER", password => "loCalMemberPass", extra_options => $member_options, @@ -911,6 +912,7 @@ sub setup_ad_member_rfc2307 my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "RFC2307MEMBER", password => "loCalMemberPass", extra_options => $member_options, @@ -1008,6 +1010,7 @@ sub setup_ad_member_idmap_rid my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "IDMAPRIDMEMBER", password => "loCalMemberPass", extra_options => $member_options, @@ -1107,6 +1110,7 @@ sub setup_ad_member_idmap_ad my $ret = $self->provision( prefix => $prefix, domain => $dcvars->{DOMAIN}, + realm => $dcvars->{REALM}, server => "IDMAPADMEMBER", password => "loCalMemberPass", extra_options => $member_options, @@ -1965,6 +1969,7 @@ sub provision($$) my $prefix = $args{prefix}; my $domain = $args{domain}; + my $realm = $args{realm}; my $server = $args{server}; my $password = $args{password}; my $extra_options = $args{extra_options}; @@ -1982,6 +1987,12 @@ sub provision($$) my %createuser_env = (); my $server_ip = Samba::get_ipv4_addr($server); my $server_ipv6 = Samba::get_ipv6_addr($server); + my $dns_domain; + if (defined($realm)) { + $dns_domain = lc($realm); + } else { + $dns_domain = "samba.example.com"; + } my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `PATH=/usr/ucb:$ENV{PATH} whoami`); chomp $unix_name; 
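Review bot: The new `$dns_domain` selection in `provision()` accepts an empty realm, which would yield hosts-file entries of the form `hostname.` once the hunk at @@ -2987 further down interpolates `${hostname}.${dns_domain}`; before this patch those callers always got `samba.example.com`. A single conditional keeps the fallback for both the undefined and the empty case and reads as one statement: `my $dns_domain = (defined $realm && length $realm) ? lc $realm : "samba.example.com";`. Whether any caller can actually pass an empty `REALM` is not visible here, so treat the empty-string case as something to confirm rather than a known failure. `provision` starts and ends outside this hunk.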
@@ -2987,8 +2998,8 @@ userdup:x:$gid_userdup:$unix_name warn("Unable to open $nss_wrapper_hosts"); return undef; } - print HOSTS "${server_ip} ${hostname}.samba.example.com ${hostname}\n"; - print HOSTS "${server_ipv6} ${hostname}.samba.example.com ${hostname}\n"; + print HOSTS "${server_ip} ${hostname}.${dns_domain} ${hostname}\n"; + print HOSTS "${server_ipv6} ${hostname}.${dns_domain} ${hostname}\n"; close(HOSTS); $resolv_conf = "$privatedir/no_resolv.conf" unless defined($resolv_conf); -- 2.26.2 From 56c72e8538384a6bd5bc26e46463b6f13c72bf04 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 20 Jan 2021 11:17:22 +0100 Subject: [PATCH 02/12] winbind: move config-reloading code to winbindd_dual.c In preperation of forwarding MSG_SMB_CONF_UPDATED to all childs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 81edc65e79aba121db800ec53aadd766e61a0001) --- source3/winbindd/winbindd.c | 23 ++++++----------------- source3/winbindd/winbindd_dual.c | 15 +++++++++++++++ source3/winbindd/winbindd_proto.h | 7 +++++++ 3 files changed, 28 insertions(+), 17 deletions(-) diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index bff5b9a7282..9ae7912b9ff 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -103,7 +103,7 @@ struct imessaging_context *winbind_imessaging_context(void) /* Reload configuration */ -static bool reload_services_file(const char *lfile) +bool winbindd_reload_services_file(const char *lfile) { const struct loadparm_substitution *lp_sub = loadparm_s3_global_substitution(); @@ -157,7 +157,7 @@ static void winbindd_status(void) /* Flush client cache */ -static void flush_caches(void) +void winbindd_flush_caches(void) { /* We need to invalidate cached user list entries on a SIGHUP otherwise cached access denied errors due to restrict anonymous 
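Review bot: `winbindd_reload_services_file()` becomes part of the winbindd-internal API in this hunk but keeps only the bare `/* Reload configuration */` comment, so the meaning of `lfile` is undocumented for its new callers in winbindd_dual.c. The later hunk in this file (@@ -118, patch 03) shows a non-empty `lfile` being re-applied with `lp_set_logfile()` after `lp_load_global()` for child processes, and `main()` treats a false return as "error opening config file", so a header such as `/* Reload smb.conf. lfile is the child's log file name to restore after lp_load_global(); NULL or "" in the parent. Returns false if the config could not be loaded. */` captures the contract. `winbindd_flush_caches()` in the following hunk is likewise exported without a header comment. The function body continues outside the hunk.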
@@ -364,7 +364,7 @@ static void winbindd_sig_hup_handler(struct tevent_context *ev, DEBUG(1,("Reloading services after SIGHUP\n")); flush_caches_noinit(); - reload_services_file(file); + winbindd_reload_services_file(file); } bool winbindd_setup_sig_hup_handler(const char *lfile) @@ -448,18 +448,6 @@ static bool winbindd_setup_sig_usr2_handler(void) return true; } -/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ -static void msg_reload_services(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - /* Flush various caches */ - flush_caches(); - reload_services_file((const char *) private_data); -} - /* React on 'smbcontrol winbindd shutdown' in the same way as on SIGTERM*/ static void msg_shutdown(struct messaging_context *msg, void *private_data, @@ -1421,7 +1409,8 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx, /* React on 'smbcontrol winbindd reload-config' in the same way as to SIGHUP signal */ messaging_register(msg_ctx, NULL, - MSG_SMB_CONF_UPDATED, msg_reload_services); + MSG_SMB_CONF_UPDATED, + winbindd_msg_reload_services_parent); messaging_register(msg_ctx, NULL, MSG_SHUTDOWN, msg_shutdown); @@ -1812,7 +1801,7 @@ int main(int argc, const char **argv) exit(1); } - if (!reload_services_file(NULL)) { + if (!winbindd_reload_services_file(NULL)) { DEBUG(0, ("error opening config file\n")); exit(1); } diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index a93a987df07..2885dd4d005 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
@@ -929,6 +929,21 @@ void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx, forall_children(winbind_msg_relay_fn, &state); } +/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ +void winbindd_msg_reload_services_parent(struct messaging_context *msg, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data) +{ + DBG_DEBUG("Got reload-config message\n"); + + /* Flush various caches */ + winbindd_flush_caches(); + + winbindd_reload_services_file((const char *)private_data); +} + /* Set our domains as offline and forward the offline message to our children. */ struct winbind_msg_on_offline_state { diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 0f5c773e851..8923bb3124f 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -31,6 +31,8 @@ bool winbindd_setup_sig_hup_handler(const char *lfile); bool winbindd_use_idmap_cache(void); bool winbindd_use_cache(void); char *get_winbind_priv_pipe_dir(void); +void winbindd_flush_caches(void); +bool winbindd_reload_services_file(const char *lfile); /* The following definitions come from winbindd/winbindd_ads.c */ @@ -341,6 +343,11 @@ void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx, uint32_t msg_type, struct server_id server_id, DATA_BLOB *data); +void winbindd_msg_reload_services_parent(struct messaging_context *msg, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data); NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself, const char *logfilename); struct winbindd_domain *wb_child_domain(void); -- 2.26.2 From 0db1534f31354e472f7abed2ed2c93b326a64de1 Mon Sep 17 00:00:00 2001 
From: Ralph Boehme Date: Wed, 20 Jan 2021 12:27:23 +0100 Subject: [PATCH 03/12] winbind: set logfile after reloading config lp_load_global() will overwrite whatever we've set with lp_set_logfile(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 0c4497f8c66d0ea7c68d42c19e859932ebc3e2ac) --- source3/winbindd/winbindd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 9ae7912b9ff..3049faa3237 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -118,15 +118,15 @@ bool winbindd_reload_services_file(const char *lfile) TALLOC_FREE(fname); } + reopen_logs(); + ret = lp_load_global(get_dyn_CONFIGFILE()); + /* if this is a child, restore the logfile to the special name - , idmap, etc. */ if (lfile && *lfile) { lp_set_logfile(lfile); } - reopen_logs(); - ret = lp_load_global(get_dyn_CONFIGFILE()); - reopen_logs(); load_interfaces(); winbindd_setup_max_fds(); -- 2.26.2 From 2abcbaf95629db245baf1bf6b91bf3d07c516e99 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 20 Jan 2021 12:00:16 +0100 Subject: [PATCH 04/12] winbind: handle MSG_SMB_CONF_UPDATED in the winbinds children BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 072ef48001710ed8326c83295f2d3cc301d27cfe) --- source3/winbindd/winbindd_dual.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 2885dd4d005..c13bf6e8b2f 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
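Review bot: After the reorder the first `reopen_logs()` runs before `lp_load_global()` with no preceding `lp_set_logfile()`, so it no longer reopens the log under a changed name and looks redundant; the `reopen_logs()` that follows `lp_set_logfile(lfile)` is the one that now carries the fix described in the commit message. If the early call is kept on purpose, a one-line comment saying why would stop the next reader from removing it; otherwise it can go. Within the hunk the result of `lp_load_global()` is not examined before the log file is re-targeted, so on a failed load the log still switches to `lfile`; that is pre-existing behaviour but worth noting next to the new ordering. `winbindd_reload_services_file()` starts and ends outside the hunk.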
@@ -929,6 +929,16 @@ void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx, forall_children(winbind_msg_relay_fn, &state); } +static void winbindd_msg_reload_services_child(struct messaging_context *msg, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data) +{ + DBG_DEBUG("Got reload-config message\n"); + winbindd_reload_services_file((const char *)private_data); +} + /* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ void winbindd_msg_reload_services_parent(struct messaging_context *msg, void *private_data, @@ -936,12 +946,20 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg, struct server_id server_id, DATA_BLOB *data) { + struct winbind_msg_relay_state state = { + .msg_ctx = msg, + .msg_type = msg_type, + .data = data, + }; + DBG_DEBUG("Got reload-config message\n"); /* Flush various caches */ winbindd_flush_caches(); winbindd_reload_services_file((const char *)private_data); + + forall_children(winbind_msg_relay_fn, &state); } /* Set our domains as offline and forward the offline message to our children. */ @@ -1784,6 +1802,10 @@ static bool fork_domain_child(struct winbindd_child *child) messaging_register(global_messaging_context(), NULL, MSG_WINBIND_DISCONNECT_DC, winbind_msg_disconnect_dc); + messaging_register(global_messaging_context(), + override_logfile ? NULL : child->logfilename, + MSG_SMB_CONF_UPDATED, + winbindd_msg_reload_services_child); primary_domain = find_our_domain(); -- 2.26.2 From 73a1fa37af353fcc01eb58fb87ec1c1660e11eee Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 13 Jan 2021 11:54:40 +0100 Subject: [PATCH 05/12] selftest: add a test for "winbind:ignore domains" BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 
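Review bot: `winbindd_msg_reload_services_child()` reloads the config but, unlike `winbindd_msg_reload_services_parent()` a few lines below, does not call `winbindd_flush_caches()`, and it carries no comment, so the asymmetry reads as an oversight. If the flush is intentionally parent-only, say so in a header on the child handler along the lines of "Child side of 'smbcontrol winbindd reload-config', relayed by the parent via forall_children(); only smb.conf is reloaded here" and state where the caches that need invalidating live. In the parent hunk the relay to children happens after the parent has already reloaded, so there is a window in which parent and children run on different configs; a short comment there would record that this is accepted. Both handlers are fully visible; `fork_domain_child()` in the last hunk starts and ends outside it.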
Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 32197d21dabecaee9bc1d6cd557578892220fe4c) --- .../samba3.blackbox.winbind_ignore_domain | 3 + .../tests/test_winbind_ignore_domains.sh | 104 ++++++++++++++++++ source3/selftest/tests.py | 3 + 3 files changed, 110 insertions(+) create mode 100644 selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain create mode 100755 source3/script/tests/test_winbind_ignore_domains.sh diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain new file mode 100644 index 00000000000..e20ea025655 --- /dev/null +++ b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain @@ -0,0 +1,3 @@ +^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_ip\(ad_member_idmap_ad:local\) +^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn\(ad_member_idmap_ad:local\) +^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5\(ad_member_idmap_ad:local\) diff --git a/source3/script/tests/test_winbind_ignore_domains.sh b/source3/script/tests/test_winbind_ignore_domains.sh new file mode 100755 index 00000000000..adce8abb09c --- /dev/null +++ b/source3/script/tests/test_winbind_ignore_domains.sh 
@@ -0,0 +1,104 @@ +#!/bin/sh + +incdir=`dirname $0`/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +smbclient="$BINDIR/smbclient" +smbcontrol="$BINDIR/smbcontrol" +ldbmodify="$BINDIR/ldbmodify" +ldbsearch="$BINDIR/ldbsearch" +wbinfo="$BINDIR/wbinfo" +global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf +SERVER_FQDN=$(echo "$SERVER.$REALM" | awk '{print tolower($0)}') + +TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}') +if [ $? -ne 0 ] ; then + echo "Could not find trusted base DN" | subunit_fail_test "test_idmap_ad" + exit 1 +fi + +# +# Add POSIX ids to trusted domain +# +add_posix_ids() { +cat < $global_inject_conf +$smbcontrol winbindd reload-config +$wbinfo -p + +test_smbclient "test_winbind_ignore_domains_ok_ntlm_ip" "ls" "//$SERVER_IP/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` +test_smbclient "test_winbind_ignore_domains_ok_ntlm_fqdn" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` +test_smbclient "test_winbind_ignore_domains_ok_krb5" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD -k || failed=`expr $failed + 1` + +echo "winbind:ignore domains = $TRUST_DOMAIN" > $global_inject_conf +$smbcontrol winbindd reload-config +$wbinfo -p + +test_smbclient_expect_failure "test_winbind_ignore_domains_fail_ntlm_ip" "ls" "//$SERVER_IP/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` +test_smbclient_expect_failure "test_winbind_ignore_domains_fail_ntlm_fqdn" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_DOMAIN/$TRUST_USERNAME%$TRUST_PASSWORD || failed=`expr $failed + 1` +test_smbclient_expect_failure "test_winbind_ignore_domains_fail_krb5" "ls" "//$SERVER_FQDN/tmp" -U $TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD -k || failed=`expr $failed + 1` + +echo "" > $global_inject_conf +$smbcontrol 
winbindd reload-config +$wbinfo -p +remove_posix_ids + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index c7280c630dc..0250eb11684 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -1037,6 +1037,9 @@ plantestsuite("samba3.blackbox.smbd_no_krb5", "ad_member:local", [os.path.join(samba3srcdir, "script/tests/test_smbd_no_krb5.sh"), smbclient3, '$SERVER', "$DC_USERNAME", "$DC_PASSWORD", "$PREFIX"]) +plantestsuite("samba3.blackbox.winbind_ignore_domain", "ad_member_idmap_ad:local", + [os.path.join(samba3srcdir, "script/tests/test_winbind_ignore_domains.sh")]) + plantestsuite("samba3.blackbox.durable_v2_delay", "simpleserver:local", [os.path.join(samba3srcdir, "script/tests/test_durable_handle_reconnect.sh")]) -- 2.26.2 From ff875901e26ee70c729466d4e747fc7e781ea15f Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 11 Jan 2021 16:15:15 +0100 Subject: [PATCH 06/12] winbind: move "winbind:ignore domain" logic to a seperate function BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 894caca79476d25a0268d89b2ad8a5758b7e31f3) --- source3/include/proto.h | 1 + source3/lib/util_names.c | 20 ++++++++++++++++++++ source3/winbindd/winbindd_util.c | 10 ++-------- 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 6c9cf130d04..16cd587ed30 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -304,6 +304,7 @@ struct passwd *Get_Pwnam_alloc(TALLOC_CTX *mem_ctx, const char *user); /* The following definitions come from lib/util_names.c */ const char *get_global_sam_name(void); const char *my_sam_name(void); +bool is_allowed_domain(const char *domain_name); /* The following definitions come from lib/util.c */ diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c index 15236c913df..630a25875c7 100644 --- a/source3/lib/util_names.c 
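Review bot: The `if [ $? -ne 0 ]` after `TRUST_BASE_DN=$(... | awk ...)` tests the exit status of `awk`, the last command in the pipeline, not of `ldbsearch`, so a failed lookup is only caught indirectly if at all; testing the captured value is more reliable: `if [ -z "$TRUST_BASE_DN" ]; then`. The failure message in that branch names `test_idmap_ad`, which looks copied from another script and should read `test_winbind_ignore_domains`. Part of this hunk (the bodies of `add_posix_ids` and `remove_posix_ids`) is not visible in this view, so those functions are not reviewed here.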
+++ b/source3/lib/util_names.c @@ -182,3 +182,23 @@ const char *my_sam_name(void) return lp_workgroup(); } + +bool is_allowed_domain(const char *domain_name) +{ + const char **ignored_domains = NULL; + const char **dom = NULL; + + ignored_domains = lp_parm_string_list(-1, + "winbind", + "ignore domains", + NULL); + + for (dom = ignored_domains; dom != NULL && *dom != NULL; dom++) { + if (gen_fnmatch(*dom, domain_name) == 0) { + DBG_NOTICE("Ignoring domain '%s'\n", domain_name); + return false; + } + } + + return true; +} diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index a5f5defcd87..414b770a271 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -126,8 +126,6 @@ static NTSTATUS add_trusted_domain(const char *domain_name, struct winbindd_domain **_d) { struct winbindd_domain *domain = NULL; - const char **ignored_domains = NULL; - const char **dom = NULL; int role = lp_server_role(); struct dom_sid_buf buf; @@ -136,12 +134,8 @@ static NTSTATUS add_trusted_domain(const char *domain_name, return NT_STATUS_INVALID_PARAMETER; } - ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL); - for (dom=ignored_domains; dom && *dom; dom++) { - if (gen_fnmatch(*dom, domain_name) == 0) { - DEBUG(2,("Ignoring domain '%s'\n", domain_name)); - return NT_STATUS_NO_SUCH_DOMAIN; - } + if (!is_allowed_domain(domain_name)) { + return NT_STATUS_NO_SUCH_DOMAIN; } /* -- 2.26.2 From e72cba47088e9bb762244237ba524f0a11b76d65 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 11 Jan 2021 16:50:31 +0100 Subject: [PATCH 07/12] winbind: check for allowed domains in winbindd_dual_pam_auth() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 4cefdf03fec91cdcf700922b1a5ceca02407e259) --- source3/winbindd/winbindd_pam.c | 9 +++++++++ 1 file changed, 9 insertions(+) 
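Review bot: `is_allowed_domain()` is a new exported function and the single place where the "winbind:ignore domains" policy is evaluated, yet it has no header comment and does not say what happens when `domain_name` is NULL; later patches in this series hand it `info3->base.logon_domain.string`, so the NULL case should be decided explicitly rather than left to `gen_fnmatch()`. Suggested header: `/* Return true unless domain_name matches a pattern in "winbind:ignore domains" (fnmatch-style; the list is read on every call so reload-config takes effect). */`, plus an explicit `if (domain_name == NULL)` branch with a comment on the chosen outcome. Whether `gen_fnmatch()` compares case-insensitively is not visible here; since the compared name now also comes from the DC-supplied `logon_domain`, that is worth confirming and recording in the comment. The winbindd_util.c hunk that replaces the inline loop with this call looks fine.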
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 10c5ff2a7e2..560a2b992a8 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2405,6 +2405,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, goto done; } + if (!is_allowed_domain(info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + info3->base.account_name.string, + info3->base.logon_domain.string); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + result = append_auth_data(state->mem_ctx, state->response, state->request->flags, validation_level, -- 2.26.2 From d9faaff2ae767cb905aa441e4caae39cc6a4bcbe Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 11 Jan 2021 17:10:19 +0100 Subject: [PATCH 08/12] winbind: check for allowed domains in winbindd_dual_pam_auth_crap() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit c17bc9c6115e4e92132f3cb912547eac78227938) --- .../knownfail.d/samba3.blackbox.winbind_ignore_domain | 1 - source3/winbindd/winbindd_pam.c | 10 ++++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain index e20ea025655..e1eedc9aa2a 100644 --- a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain +++ b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain @@ -1,3 +1,2 @@ -^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_ip\(ad_member_idmap_ad:local\) ^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn\(ad_member_idmap_ad:local\) ^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5\(ad_member_idmap_ad:local\) 
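Review bot: The new check in `winbindd_dual_pam_auth()` jumps to `done` with `NT_STATUS_AUTHENTICATION_FIREWALL_FAILED` without setting `state->response->data.auth.authoritative`, whereas the equivalent hunk in `winbindd_dual_pam_auth_crap()` (patch 08) sets it to `true` first; if the `done:` label in this function does not set it, a non-authoritative failure may let the caller fall through to another authentication path, which would defeat the purpose of the check. Please confirm and, if needed, add `state->response->data.auth.authoritative = true;` before the `goto done`. The same check-and-log block is repeated near-verbatim in patches 08 to 12 (winbindd_pam.c and auth_util.c); a small helper taking the user and domain name would keep the log text and status code in one place. `winbindd_dual_pam_auth()` starts and ends outside the hunk.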
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 560a2b992a8..25ebd82c638 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2767,6 +2767,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, goto done; } + if (!is_allowed_domain(info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + info3->base.account_name.string, + info3->base.logon_domain.string); + state->response->data.auth.authoritative = true; + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + result = append_auth_data(state->mem_ctx, state->response, state->request->flags, validation_level, -- 2.26.2 From c58beb56a63da4e341f4ce66aa84e62c1c868efe Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 11 Jan 2021 17:19:05 +0100 Subject: [PATCH 09/12] winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 4bc17600bc50fbc0e54d9d019d8db67001fc3eef) --- source3/winbindd/winbindd_pam.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 25ebd82c638..5dcfeb11b99 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -3106,6 +3106,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai fstrcpy(domain,lp_workgroup()); } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + state->request->data.chng_pswd_auth_crap.user, + domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + if(!*user) { fstrcpy(user, state->request->data.chng_pswd_auth_crap.user); } -- 2.26.2 From 487650b54bae7c75693521fabaf8ff1354e48a1f Mon Sep 17 00:00:00 2001 
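Review bot: In `winbindd_dual_pam_chng_pswd_auth_crap()` the value handed to `is_allowed_domain()` is the local `domain` fstring, which the surrounding lines show is request-derived (falling back to `lp_workgroup()` when empty) rather than a name returned by the DC as in the `logon_domain` checks elsewhere in the series; if the request is still routed to the ignored domain's child, a client may be able to pick a spelling (NetBIOS versus DNS form, for instance) that the fnmatch pattern does not cover. Consider additionally checking the name of the `struct winbindd_domain` this child serves, i.e. the function's first argument, so the decision does not rest on client input alone. The same consideration applies to the `winbindd_dual_pam_chauthtok()` hunk in patch 10, where the origin of `domain` is not visible. The function starts and ends outside the hunk.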
From: Ralph Boehme Date: Mon, 11 Jan 2021 17:59:48 +0100 Subject: [PATCH 10/12] winbind: check for allowed domains in winbindd_dual_pam_chauthtok() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3) --- source3/winbindd/winbindd_pam.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 5dcfeb11b99..3375af66821 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2845,6 +2845,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact goto done; } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + user, domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + /* Change password */ oldpass = state->request->data.chauthtok.oldpass; -- 2.26.2 From 862a956823766ae238658cc29746adcb4ec05958 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 14 Jan 2021 10:42:53 +0100 Subject: [PATCH 11/12] winbind: check for allowed domains in winbindd_pam_auth_pac_verify() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003) --- .../knownfail.d/samba3.blackbox.winbind_ignore_domain | 2 -- source3/winbindd/winbindd_pam.c | 8 ++++++++ 2 files changed, 8 insertions(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain deleted file mode 100644 index e1eedc9aa2a..00000000000 --- a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain +++ /dev/null 
@@ -1,2 +0,0 @@ -^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn\(ad_member_idmap_ad:local\) -^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5\(ad_member_idmap_ad:local\) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 3375af66821..f27802ee065 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -3325,6 +3325,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state, return result; } + if (!is_allowed_domain(info6->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + info6->base.account_name.string, + info6->base.logon_domain.string); + return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + } + result = map_info6_to_validation(state->mem_ctx, info6, &validation_level, -- 2.26.2 From 45343a6487146a6dc3804b0c791ed13c9505d8d8 Mon Sep 17 00:00:00 2001 
From: Ralph Boehme Date: Fri, 15 Jan 2021 12:56:25 +0100 Subject: [PATCH 12/12] s3/auth: implement "winbind:ignore domains" Under the following conditions a user from an ignored domain might be able to authenticate: - using Kerberos - successfully previous authentication so the idmap and name caches are filled - winbind not running (fwiw, winbindd is mandatory on a domain member) - nscd running with a cached getpwnam for the ignored user (otherwise auth fails because getpwnam fails) - lookup_name() function being modified to look into the name cache before contacting winbindd. Currently it talks directly to winbindd and that will check the cache. Currently, authentication will only fail because creating the local token for the user fails because an LSA lookupname RPC call fails (because winbindd is not running). All of this makes a successfull authentication unlikelly, but that is more by accident then by design. To ensures that if winbindd is not running and as such winbindd itself can not enforce the restriction, also implement the ignored domains check in the auth system as a last line of defense. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 RN: "winbind:ignore domains" doesn't prevent user login from trusted domain Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit df5fe2d835169161d3930acf1e9c750dd2bc64b6) --- source3/auth/auth_util.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9427c05f573..4686b29111e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c 
@@ -485,6 +485,14 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } + if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + server_info->info3->base.account_name.string, + server_info->info3->base.logon_domain.string); + return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + } + if (server_info->cached_session_info != NULL) { session_info = copy_session_info(mem_ctx, server_info->cached_session_info); -- 2.26.2
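Review bot: The new check in `create_local_token()` dereferences `server_info->info3` unconditionally; the lines above only show a `NT_STATUS_LOGON_FAILURE` return, so whether `info3` is guaranteed non-NULL at this point for every `server_info` producer is not visible and should be confirmed or guarded with a NULL test. Its placement before the `cached_session_info != NULL` shortcut is what makes the check apply to reused sessions as well, which matches the scenario the commit message describes; a comment would keep a future refactor from moving it below: `/* Last line of defense for "winbind:ignore domains" when winbindd is not running; keep ahead of the cached_session_info shortcut so cached sessions are covered too. */`. `create_local_token()` starts and ends outside the hunk.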