From 90af0150da04ea8b620f4dc3cf0b954a65f35613 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 10 Jan 2024 15:03:49 +0100 Subject: [PATCH 01/15] net: remove a newline BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 340753a2554ce9a842a6c90d684fb0510def81a1) --- source3/utils/net_rpc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index a20d042ad588..977be104a5e0 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -6555,7 +6555,6 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, TALLOC_CTX *mem_ctx; NTSTATUS nt_status, result; struct dom_sid *domain_sid; - char* domain_name; char* acct_name; fstring pdc_name; -- 2.43.0 From 61aa425ec1ac52a7c3bcd73c58556934869f1ed5 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 10 Jan 2024 15:06:14 +0100 Subject: [PATCH 02/15] net: fix credentials in trustdom establish This was broken by ea071d278a614f17b5417d3ff98e1b8d1fd8970d. I guess the whole opt_user_specified dance should be ripped out, but that's a fix for another day. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 15c07723765c6863a0ada9dfbaaa204604500907) --- source3/utils/net_rpc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 977be104a5e0..308ed10043c6 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -6557,6 +6557,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, struct dom_sid *domain_sid; char* domain_name; char* acct_name; + const char *pwd = NULL; fstring pdc_name; union lsa_PolicyInformation *info = NULL; struct dcerpc_binding_handle *b; 
@@ -6587,6 +6588,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, SAFE_FREE(acct_name); return -1; } + cli_credentials_set_username(c->creds, acct_name, CRED_SPECIFIED); /* * opt_workgroup will be used by connection functions further, @@ -6596,9 +6598,6 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, c->opt_workgroup = smb_xstrdup(domain_name); }; - c->opt_user_name = acct_name; - c->opt_user_specified = true; - /* find the domain controller */ if (!net_find_pdc(&server_ss, pdc_name, domain_name)) { DEBUG(0, ("Couldn't find domain controller for domain %s\n", domain_name)); @@ -6704,7 +6703,9 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, * Store the password in secrets db */ - if (!pdb_set_trusteddom_pw(domain_name, c->opt_password, domain_sid)) { + pwd = cli_credentials_get_password(c->creds); + + if (!pdb_set_trusteddom_pw(domain_name, pwd, domain_sid)) { DEBUG(0, ("Storing password for trusted domain failed.\n")); cli_shutdown(cli); talloc_destroy(mem_ctx); -- 2.43.0 From 1dafb5936cdf60fbea2908f44f75f18655901a12 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 13 Jan 2024 08:51:48 +0100 Subject: [PATCH 03/15] net: support NT4 trusts in "net rpc trust create" BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 449a968d3d18633e05db7d00ab76c7a52b04a54c) --- source3/utils/net_rpc_trust.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c index 9cfce005e560..1d77c7500403 100644 --- a/source3/utils/net_rpc_trust.c +++ b/source3/utils/net_rpc_trust.c 
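Review bot: The result of `cli_credentials_set_username(c->creds, acct_name, CRED_SPECIFIED)` in the `@@ -6587` hunk is ignored, so if the username is not applied rpc_trustdom_establish() continues with whatever identity `c->creds` already held. Checking it, for example `if (!cli_credentials_set_username(c->creds, acct_name, CRED_SPECIFIED)) { SAFE_FREE(acct_name); return -1; }`, keeps the trust account name authoritative. The next hunk drops `c->opt_user_name = acct_name;`, which presumably used to take over the buffer, so it is worth confirming that `acct_name` is still freed on the later return paths. The function body continues outside these hunks.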
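Review bot: In the `@@ -6704` hunk `pwd` is passed to `pdb_set_trusteddom_pw(domain_name, pwd, domain_sid)` without a NULL check, although `cli_credentials_get_password()` returns NULL when no password is available. pdb_set_trusteddom_pw() is not visible here, so whether it tolerates NULL is unknown; either way the trust secret should never be written from a missing password. A guard such as `if (pwd == NULL) { DEBUG(0, ("No trust password available.\n")); ... }`, reusing the `cli_shutdown(cli); talloc_destroy(mem_ctx);` cleanup of the failure branch just below, would make this explicit. A one-line comment that `pwd` points into `c->creds` and must not be freed would also help.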
@@ -116,6 +116,18 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx, struct lsa_CreateTrustedDomainEx2 r; struct lsa_TrustDomainInfoInfoEx trustinfo; struct policy_handle trustdom_handle; + bool is_nt4 = trust_name_dns == NULL; + + if (!is_nt4) { + fprintf(stdout, "Creating AD trust\n"); + trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL; + trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; + } else { + fprintf(stdout, "Creating NT4 trust\n"); + trustinfo.trust_type = LSA_TRUST_TYPE_DOWNLEVEL; + trustinfo.trust_attributes = 0; + trust_name_dns = trust_name; + } trustinfo.sid = domsid; trustinfo.netbios_name.string = trust_name; @@ -124,10 +136,6 @@ static NTSTATUS create_trust(TALLOC_CTX *mem_ctx, trustinfo.trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND; - trustinfo.trust_type = LSA_TRUST_TYPE_UPLEVEL; - - trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; - r.in.policy_handle = pol_hnd; r.in.info = &trustinfo; r.in.auth_info_internal = authinfo; @@ -404,7 +412,7 @@ static void print_trust_usage(void) "\totheruser=Admin user in other domain\n" "\totherdomainsid=SID of other domain\n" "\tother_netbios_domain=NetBIOS/short name of other domain\n" - "\totherdomain=Full/DNS name of other domain\n" + "\totherdomain=Full/DNS name of other domain (if not used, create an NT4 trust)\n" "\ttrustpw=Trust password\n" "\nExamples:\n" "\tnet rpc trust create otherserver=oname otheruser=ouser -S lname -U luser\n" 
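Review bot: In create_trust(), `is_nt4` is derived only from `trust_name_dns == NULL`, so a caller that loses or omits the DNS name gets an `LSA_TRUST_TYPE_DOWNLEVEL` trust with `trust_attributes = 0` instead of an error. Because the two trust types differ in what they permit, this implicit contract deserves a comment above the declaration, e.g. `/* A NULL trust_name_dns requests an NT4 (downlevel) trust; the NetBIOS name is then reused as the domain name. */`. The added `fprintf(stdout, ...)` progress lines sit in a helper whose other visible diagnostics go through `DEBUG()`; `d_printf()` would match the rest of the net utility. The function body continues outside the hunk.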
@@ -484,10 +492,14 @@ static int rpc_trust_common(struct net_context *net_ctx, int argc, dom_data[1].domain_name = other_dom_data->domain_name; dom_data[1].dns_domain_name = other_dom_data->dns_domain_name; + if (dom_data[1].dns_domain_name == NULL) { + fprintf(stdout, "No DNS domain name passed, " + "assuming NT4 trust!\n"); + } + if (dom_data[1].domsid == NULL || (op == TRUST_CREATE && - (dom_data[1].domain_name == NULL || - dom_data[1].dns_domain_name == NULL))) { + (dom_data[1].domain_name == NULL))) { DEBUG(0, ("Missing required argument.\n")); usage(); goto done; -- 2.43.0 From 461b6095d0a1f6c10d3bd356623df29ca986b08c Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sun, 14 Jan 2024 08:34:17 +0100 Subject: [PATCH 04/15] net: create creds for other domain BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 9b2920fd367d26cfbf6f6f442a5c01fae4734abd) --- source3/utils/net_rpc_trust.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c index 1d77c7500403..2a8e9875df1f 100644 --- a/source3/utils/net_rpc_trust.c +++ b/source3/utils/net_rpc_trust.c @@ -484,8 +484,10 @@ static int rpc_trust_common(struct net_context *net_ctx, int argc, } other_net_ctx->opt_host = other_dom_data->host; - other_net_ctx->opt_user_name = other_dom_data->user_name; - other_net_ctx->opt_user_specified = true; + other_net_ctx->creds = cli_credentials_init(other_net_ctx); + cli_credentials_parse_string(other_net_ctx->creds, + other_dom_data->user_name, + CRED_SPECIFIED); } else { dom_data[1].domsid = dom_sid_parse_talloc(mem_ctx, other_dom_data->domain_sid_str); -- 2.43.0 From c555aa9aa5d5a8fce080c5e83100eb2f16d54fe8 Mon Sep 17 00:00:00 2001 
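Review bot: The "assuming NT4 trust!" message in the `@@ -484,10 +492,14` hunk is printed before the required-argument check and is not limited to `op == TRUST_CREATE`. As far as the hunk shows, it therefore also appears for other operations, and for calls that are then rejected with "Missing required argument." Moving it after the validation and guarding it with `if (op == TRUST_CREATE && dom_data[1].dns_domain_name == NULL) {` would announce the weaker trust type only when one is really about to be created. The inner parentheses left in `(dom_data[1].domain_name == NULL)` can go as well.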
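Review bot: In the patch 04 hunk, `cli_credentials_init(other_net_ctx)` can return NULL on allocation failure and the result is handed unchecked to `cli_credentials_parse_string()`. A check such as `if (other_net_ctx->creds == NULL) { ... goto done; }`, following the error paths already used in rpc_trust_common(), avoids a NULL dereference. `cli_credentials_parse_string()` also interprets domain and `%password` parts of the string, which the old plain assignment to `opt_user_name` did not, so `otheruser=` now accepts an embedded password. If that is intended the usage text should say so, and it is worth confirming that `other_dom_data->user_name` cannot be NULL at this point.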
From: Ralph Boehme Date: Tue, 16 Jan 2024 15:36:01 +0100 Subject: [PATCH 05/15] winbindd: also apply schannel logic as an NT4 DC This applies the same logic we already added in 06601b3a9293db35feda1b033fa864dc1a764164 for AD DCs wrt to IPC authentication when running as an NT4 DC in cm_prepare_connection(). Similarily adjust the check in cm_connect_lsa() added in 3e17a3b7cd4083299037ba9377931bea792b2d18 and in cm_connect_netlogon_transport() added by 532a14dc684e7a6d8c584d5671a4ebbad00aa4fc for cm_connect_netlogon_transport(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 95bb2acbf066049f92c16836a2cdaea3aae829cc) --- source3/winbindd/winbindd_cm.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 2ebfb0f6dd85..a290168fe301 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -701,7 +701,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing(); - if (IS_AD_DC) { + if (IS_DC) { if (domain->secure_channel_type == SEC_CHAN_NULL) { /* * Make sure we don't even try to @@ -805,7 +805,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, try_ipc_auth = true; } - if (IS_AD_DC) { + if (IS_DC) { /* * As AD DC we only use netlogon and lsa * using schannel over an anonymous transport @@ -2890,7 +2890,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, TALLOC_FREE(conn->lsa_pipe); - if (IS_AD_DC) { + if (IS_DC) { /* * Make sure we only use schannel as AD DC. */ @@ -3016,7 +3016,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, goto done; } - if (IS_AD_DC) { + if (IS_DC) { /* * Make sure we only use schannel as AD DC. */ 
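Review bot: The comments inside the converted branches still describe the old condition: the `@@ -805` hunk keeps "As AD DC we only use netlogon and lsa using schannel over an anonymous transport", and the `@@ -2890`, `@@ -3016` and `@@ -3030` hunks keep "Make sure we only use schannel as AD DC." while the test is now `IS_DC`. Since these comments document a security invariant (schannel only, no IPC auth), they should name the new scope, e.g. `/* As a DC (AD or NT4) we only use netlogon and lsa using schannel over an anonymous transport */` and `/* Make sure we only use schannel as a DC. */`. The definition of `IS_DC` is outside these hunks, so it is worth confirming that it covers exactly the roles the commit message names.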
@@ -3030,7 +3030,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, anonymous: - if (IS_AD_DC) { + if (IS_DC) { /* * Make sure we only use schannel as AD DC. */ @@ -3149,7 +3149,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, *cli = NULL; - if (IS_AD_DC) { + if (IS_DC) { if (domain->secure_channel_type == SEC_CHAN_NULL) { /* * Make sure we don't even try to -- 2.43.0 From 37577a219283bf203760667f257a8a82fab8bcf4 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 18 Jan 2024 15:38:10 +0100 Subject: [PATCH 06/15] winbindd: make add_trusted_domains_dc() public BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 60ac5b03ef15de73744e0f86507849fb4b55d96f) --- source3/winbindd/winbindd_proto.h | 1 + source3/winbindd/winbindd_util.c | 4 +--- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 9b10f2c061a5..0e147b30dbdc 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -365,6 +365,7 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg, NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself, const char *logfilename); struct winbindd_domain *wb_child_domain(void); +bool add_trusted_domains_dc(void); /* The following definitions come from winbindd/winbindd_group.c */ bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr, diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index fe93528787d5..951bca6c5068 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c 
@@ -47,8 +47,6 @@ * Winbind daemon for NT domain authentication nss module. **/ -static bool add_trusted_domains_dc(void); - /* The list of trusted domains. Note that the list can be deleted and recreated using the init_domain_list() function so pointers to individual winbindd_domain structures cannot be made. Keep a copy of @@ -853,7 +851,7 @@ static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain) return true; } -static bool add_trusted_domains_dc(void) +bool add_trusted_domains_dc(void) { struct winbindd_domain *domain = NULL; struct pdb_trusted_domain **domains = NULL; -- 2.43.0 From 9174e0e87d45208f95428924d797422ff859dedf Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 18 Jan 2024 15:38:45 +0100 Subject: [PATCH 07/15] winbindd: call add_trusted_domains_dc() in smbcontrol reload-config handler This allows reloading trust info on an NT4 DC without restarting winbindd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 9d933abd9e578de74bd4c5a8bcfcf6924262a8e2) --- source3/winbindd/winbindd_dual.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 36562ab10b8d..aea0972a7e57 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -944,6 +944,7 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg, .msg_type = msg_type, .data = data, }; + bool ok; DBG_DEBUG("Got reload-config message\n"); @@ -959,6 +960,11 @@ void winbindd_msg_reload_services_parent(struct messaging_context *msg, tevent_thread_call_depth_set_callback(NULL, NULL); } + ok = add_trusted_domains_dc(); + if (!ok) { + DBG_ERR("add_trusted_domains_dc() failed\n"); + } + forall_children(winbind_msg_relay_fn, &state); } -- 2.43.0 From e92d664fee62a55e35204adaf1683e1224736e4b Mon Sep 17 00:00:00 2001 
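Review bot: The new `add_trusted_domains_dc()` call in winbindd_msg_reload_services_parent() runs on every reload-config message regardless of server role, although the commit message describes it as a reload for an NT4 DC. Its body is not in this hunk, so it may already guard on the role; if it does not, gating the call with `if (IS_DC) { ok = add_trusted_domains_dc(); ... }` would keep member servers on their previous path. Going by its name, the function only adds domains, so a trust removed from the passdb would presumably stay in winbindd's list until restart; a comment stating that limitation would help operators who revoke a trust. On failure the handler only logs and still relays to the children, which seems reasonable but deserves a short why-comment.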
From: Ralph Boehme Date: Wed, 10 Jan 2024 18:13:46 +0100 Subject: [PATCH 08/15] selftest: fix domain name of nt4_dc_smb1 environment It had the same workgroup as the nt4_dc environment: $ grep workgroup st/nt4_dc/lib/server.conf st/nt4_dc_smb1/lib/server.conf st/nt4_dc/lib/server.conf: workgroup = SAMBA-TEST st/nt4_dc_smb1/lib/server.conf: workgroup = SAMBA-TEST BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit d0cdc81aa99031b0c067c7f8cf2ec0dc99d57da5) --- selftest/target/Samba3.pm | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index b9990928f4b2..89b934864937 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -262,7 +262,7 @@ sub check_env($$) sub setup_nt4_dc { - my ($self, $path, $more_conf, $server) = @_; + my ($self, $path, $more_conf, $domain, $server) = @_; print "PROVISIONING NT4 DC..."; @@ -312,12 +312,15 @@ sub setup_nt4_dc if (defined($more_conf)) { $nt4_dc_options = $nt4_dc_options . $more_conf; } + if (!defined($domain)) { + $domain = "SAMBA-TEST"; + } if (!defined($server)) { $server = "LOCALNT4DC2"; } my $vars = $self->provision( prefix => $path, - domain => "SAMBA-TEST", + domain => $domain, server => $server, password => "localntdc2pass", extra_options => $nt4_dc_options); @@ -352,7 +355,7 @@ sub setup_nt4_dc_smb1 client min protocol = CORE server min protocol = LANMAN1 "; - return $self->setup_nt4_dc($path, $conf, "LCLNT4DC2SMB1"); + return $self->setup_nt4_dc($path, $conf, "NT4SMB1", "LCLNT4DC2SMB1"); } sub setup_nt4_dc_smb1_done -- 2.43.0 From ffa0d2b3be8a410c3e86a68c8fb353f62f625edd Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 11 Jan 2024 12:02:43 +0100 Subject: [PATCH 09/15] selftest: do early exit in setup_fl2008r2dc() if provision_fl2008r2dc() fails No change in behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 
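Review bot: `setup_nt4_dc` gains `$domain` as a new third positional parameter ahead of `$server`, so any caller that still passes a server name third would now silently provision it as the workgroup. Only `setup_nt4_dc_smb1` is updated in the visible hunks; other callers, if any, lie outside this patch and should be checked. Appending `$domain` after `$server` would have kept existing call sites valid without that audit. A short comment above the sub listing the positional arguments and their defaults (`SAMBA-TEST`, `LOCALNT4DC2`) would make the order harder to get wrong.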
Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 5420af6942307e045be1317edc323ee3ff9f379b) --- selftest/target/Samba4.pm | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index cbaacce48da1..4a6c805420fe 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -2575,22 +2575,22 @@ sub setup_fl2008r2dc my $env = $self->provision_fl2008r2dc($path); - if (defined $env) { - if (not defined($self->check_or_start($env, "standard"))) { - return undef; - } + if (!defined $env) { + return $env; + } - my $upn_array = ["$env->{REALM}.upn"]; - my $spn_array = ["$env->{REALM}.spn"]; + if (not defined($self->check_or_start($env, "standard"))) { + return undef; + } - if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) { - return undef; - } + my $upn_array = ["$env->{REALM}.upn"]; + my $spn_array = ["$env->{REALM}.spn"]; - $env = $self->setup_trust($env, $dc_vars, "forest", ""); + if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) { + return undef; } - return $env; + return $self->setup_trust($env, $dc_vars, "forest", ""); } sub setup_vampire_dc -- 2.43.0 From 0aa6e4ad3aad3ab2ceec242503de2922491de3ab Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 18 Jan 2024 16:04:34 +0100 Subject: [PATCH 10/15] selftest: rename a variable in setup_fl2008r2dc() Prepares for adding another variable with a similar name. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 9725aa932e24622566baf208586d1fe03885da9f) --- selftest/target/Samba4.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 4a6c805420fe..cfffc446323b 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm 
@@ -2571,7 +2571,7 @@ sub setup_fl2003dc sub setup_fl2008r2dc { - my ($self, $path, $dc_vars) = @_; + my ($self, $path, $ad_dc_vars) = @_; my $env = $self->provision_fl2008r2dc($path); @@ -2590,7 +2590,7 @@ sub setup_fl2008r2dc return undef; } - return $self->setup_trust($env, $dc_vars, "forest", ""); + return $self->setup_trust($env, $ad_dc_vars, "forest", ""); } sub setup_vampire_dc -- 2.43.0 From fcaae8bdc74f58d5d1497f2659f1d17a38dfa310 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 13 Jan 2024 08:48:54 +0100 Subject: [PATCH 11/15] selftest: create trust between fl2008r2dc and nt4_dc BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 645a725603ca03f27c1347b1e2ed9fea94a6319d) --- selftest/target/Samba.pm | 7 +++++ selftest/target/Samba4.pm | 57 ++++++++++++++++++++++++++++++++++++--- 2 files changed, 61 insertions(+), 3 deletions(-) diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 52fce41f96fc..b61180a246fd 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -919,6 +919,13 @@ my @exported_envvars = ( "TRUST_E_BOTH_DOMAIN", "TRUST_E_BOTH_REALM", + # stuff related to a trusted NT4 domain, + # used for one-way trust fl2008r2dc <- nt4_dc + "NT4_TRUST_SERVER", + "NT4_TRUST_SERVER_IP", + "NT4_TRUST_DOMAIN", + "NT4_TRUST_DOMSID", + # domain controller stuff "DC_SERVER", "DC_SERVER_IP", diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index cfffc446323b..b10052233de9 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -2376,7 +2376,7 @@ sub check_env($$) ad_dc_no_nss => ["dns_hub"], ad_dc_no_ntlm => ["dns_hub"], - fl2008r2dc => ["ad_dc"], + fl2008r2dc => ["ad_dc", "nt4_dc"], fl2003dc => ["ad_dc"], fl2000dc => ["ad_dc"], 
@@ -2571,7 +2571,7 @@ sub setup_fl2003dc sub setup_fl2008r2dc { - my ($self, $path, $ad_dc_vars) = @_; + my ($self, $path, $ad_dc_vars, $nt4_dc_vars) = @_; my $env = $self->provision_fl2008r2dc($path); 
@@ -2590,7 +2590,58 @@ sub setup_fl2008r2dc return undef; } - return $self->setup_trust($env, $ad_dc_vars, "forest", ""); + $env = $self->setup_trust($env, $ad_dc_vars, "forest", ""); + if (!defined $env) { + return undef; + } + + my $net = Samba::bindir_path($self, "net"); + my $smbcontrol = Samba::bindir_path($self, "smbcontrol"); + + my $trustpw = "TrUsTpW"; + $trustpw .= "$env->{SOCKET_WRAPPER_DEFAULT_IFACE}"; + $trustpw .= "$nt4_dc_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}"; + + my $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$env->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; + $cmd .= "$net rpc trust create "; + $cmd .= "otherdomainsid=$nt4_dc_vars->{SAMSID} "; + $cmd .= "otherdomain=$nt4_dc_vars->{DOMAIN} "; + $cmd .= "other_netbios_domain=$nt4_dc_vars->{DOMAIN} "; + $cmd .= "trustpw=$trustpw "; + $cmd .= "$env->{CONFIGURATION} "; + $cmd .= "-U $env->{DOMAIN}/$env->{USERNAME}\%$env->{PASSWORD} "; + + if (system($cmd) != 0) { + warn("net rpc trust create failed\n$cmd"); + return undef; + } + + $cmd = ""; + $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$nt4_dc_vars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" "; + $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$nt4_dc_vars->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; + $cmd .= "$net rpc trustdom establish $env->{DOMAIN} -U/%$trustpw $nt4_dc_vars->{CONFIGURATION}"; + + if (system($cmd) != 0) { + warn("add failed\n$cmd"); + return undef; + } + + # Reload trusts + $cmd = "$smbcontrol winbindd reload-config $nt4_dc_vars->{CONFIGURATION}"; + + if (system($cmd) != 0) { + warn("add failed\n$cmd"); + return undef; + } + + $env->{NT4_TRUST_SERVER} = $nt4_dc_vars->{SERVER}; + $env->{NT4_TRUST_SERVER_IP} = $nt4_dc_vars->{SERVER_IP}; + $env->{NT4_TRUST_DOMAIN} = $nt4_dc_vars->{DOMAIN}; + $env->{NT4_TRUST_DOMSID} = $nt4_dc_vars->{DOMSID}; + + return $env; } sub setup_vampire_dc -- 2.43.0 From 5e1cfa5bd51fd1e149e8cbefa917724ce056c270 Mon Sep 17 00:00:00 2001 
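Review bot: The `net rpc trust create` command built here passes `otherdomain=$nt4_dc_vars->{DOMAIN}`, and going by the create_trust() change in patch 03 on this page a non-NULL DNS name selects the `LSA_TRUST_TYPE_UPLEVEL` branch, so this setup may not exercise the new downlevel path. The argument parser is not visible, so please confirm, and drop `otherdomain=` if an NT4 trust is what the environment should hold. Both later failure branches print `warn("add failed\n$cmd")`, which misnames the step; `warn("net rpc trustdom establish failed\n$cmd")` and `warn("smbcontrol reload-config failed\n$cmd")` would make selftest logs readable. The create command uses `$nt4_dc_vars->{SAMSID}` while the export uses `$nt4_dc_vars->{DOMSID}`; using one key for both would remove the doubt about whether they are the same SID.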
From: Ralph Boehme Date: Wed, 10 Jan 2024 14:50:05 +0100 Subject: [PATCH 12/15] selftest: add a test for NT4 trusts BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 3a95e135472a495a90637e5dc0f9e3c8de052ff9) --- source3/script/tests/test_nt4_trust.sh | 31 ++++++++++++++++++++++++++ source3/selftest/tests.py | 4 ++++ 2 files changed, 35 insertions(+) create mode 100755 source3/script/tests/test_nt4_trust.sh diff --git a/source3/script/tests/test_nt4_trust.sh b/source3/script/tests/test_nt4_trust.sh new file mode 100755 index 000000000000..b3d6ca60dc75 --- /dev/null +++ b/source3/script/tests/test_nt4_trust.sh @@ -0,0 +1,31 @@ +#!/bin/sh + +incdir=$(dirname $0)/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +wbinfo="$BINDIR/wbinfo" +smbclient="$BINDIR/smbclient" + +test_trust_wbinfo_m() { + i=0 + # Give the server some time to list trusted domains + while [ $i -lt 10 ] ; do + $wbinfo -m | grep SAMBA-TEST && return 0 + sleep 2 + i=$((i + 1)) + done + return 1 +} + +test_trust_smbclient() { + $smbclient //$NT4_TRUST_SERVER_IP/tmp -U "$DOMAIN/$DOMAIN_USER%$DOMAIN_USER_PASSWORD" -c quit || return 1 + return 0 +} + +testit "nt4trust_wbinfo_m" test_trust_wbinfo_m || failed=$(expr $failed + 1) +testit "nt4trust_smbclient" test_trust_smbclient || failed=$(expr $failed + 1) + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index a7d0531306e2..85f54fab4b85 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
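Review bot: `test_trust_wbinfo_m` matches the literal `SAMBA-TEST` as an unanchored substring, although patch 11 exports `NT4_TRUST_DOMAIN` to this environment. With `$wbinfo -m | grep -qx "$NT4_TRUST_DOMAIN" && return 0` the test would pass only when exactly the trusted domain is listed, and would follow a rename such as the one in patch 08. `$(dirname $0)`, `$incdir` and `//$NT4_TRUST_SERVER_IP/tmp` are expanded unquoted and should be quoted. test_list_nt4_trust.sh in patch 14 repeats the same hard-coded grep and also defines an unused `smbclient` variable; whether `NT4_TRUST_DOMAIN` is exported to that environment is not visible here.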
@@ -1829,6 +1829,10 @@ plantestsuite("samba3.blackbox.force-user-unlink", [os.path.join(samba3srcdir, "script/tests/test_force_user_unlink.sh")]) +plantestsuite("samba3.blackbox.nt4_trusts", + "fl2008r2dc", + [os.path.join(samba3srcdir, "script/tests/test_nt4_trust.sh")]) + def planclusteredmembertestsuite(tname, prefix): '''Define a clustered test for the clusteredmember environment''' -- 2.43.0 From 64bd90836338a416e95df94e734b97d2c2de3217 Mon Sep 17 00:00:00 2001 
From: Ralph Boehme Date: Thu, 18 Jan 2024 19:12:34 +0100 Subject: [PATCH 13/15] s4/rpc_server: return NULL dns_name for NT4 trusts That's what Windows returns for an NT4 trust: array: struct netr_DomainTrust netbios_name : * netbios_name : 'NT4TRUST' dns_name : NULL trust_flags : 0x00000020 (32) 0: NETR_TRUST_FLAG_IN_FOREST 0: NETR_TRUST_FLAG_OUTBOUND 0: NETR_TRUST_FLAG_TREEROOT 0: NETR_TRUST_FLAG_PRIMARY 0: NETR_TRUST_FLAG_NATIVE 1: NETR_TRUST_FLAG_INBOUND 0: NETR_TRUST_FLAG_MIT_KRB5 0: NETR_TRUST_FLAG_AES parent_index : 0x00000000 (0) trust_type : LSA_TRUST_TYPE_DOWNLEVEL (1) trust_attributes : 0x00000000 (0) 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION 0: LSA_TRUST_ATTRIBUTE_PIM_TRUST 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION sid : * sid : S-1-5-21-4267984555-3675415144-1682400025 guid : 00000000-0000-0000-0000-000000000000 Even though when creating the trust the DNS name must not be NULL and the trustPartner and name attributes are set to the flatName in the trustedDomain object: dn: CN=NT4TRUST,CN=System,DC=wdom2,DC=site objectClass: top objectClass: leaf objectClass: trustedDomain cn: NT4TRUST distinguishedName: CN=NT4TRUST,CN=System,DC=wdom2,DC=site instanceType: 4 whenCreated: 20240118175040.0Z whenChanged: 20240118175040.0Z uSNCreated: 4939915 uSNChanged: 4939916 showInAdvancedViewOnly: TRUE name: NT4TRUST objectGUID: c2273b74-19ff-4f5a-b528-9e5ae21960dd securityIdentifier: S-1-5-21-4267984555-3675415144-1682400025 trustDirection: 1 trustPartner: NT4TRUST trustPosixOffset: 0 trustType: 1 trustAttributes: 0 flatName: NT4TRUST objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=wdom2,DC=site 
isCriticalSystemObject: TRUE dSCorePropagationData: 16010101000000.0Z BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 53ca19851dbfc3cab7345424c029a7c90745e24a) --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 0b07641f4093..c5ceaf1fa843 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -3982,8 +3982,6 @@ static WERROR fill_trusted_domains_array(TALLOC_CTX *mem_ctx, ldb_dn_get_linearized(dom_res[i]->dn))); } - trusts->array[n].dns_name = talloc_steal(trusts->array, ldb_msg_find_attr_as_string(dom_res[i], "trustPartner", NULL)); - trusts->array[n].trust_flags = flags; if ((trust_flags & NETR_TRUST_FLAG_IN_FOREST) && !(flags & NETR_TRUST_FLAG_TREEROOT)) { @@ -3998,6 +3996,16 @@ static WERROR fill_trusted_domains_array(TALLOC_CTX *mem_ctx, ldb_msg_find_attr_as_uint(dom_res[i], "trustAttributes", 0); + if (trusts->array[n].trust_type != LSA_TRUST_TYPE_DOWNLEVEL) { + trusts->array[n].dns_name = talloc_steal( + trusts->array, + ldb_msg_find_attr_as_string(dom_res[i], + "trustPartner", + NULL)); + } else { + trusts->array[n].dns_name = NULL; + } + if ((trusts->array[n].trust_type == LSA_TRUST_TYPE_MIT) || (trusts->array[n].trust_type == LSA_TRUST_TYPE_DCE)) { struct dom_sid zero_sid; -- 2.43.0 From 754b1bbc8ec0903abfe42784c4f518bad0ace330 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 18 Jan 2024 17:42:33 +0100 Subject: [PATCH 14/15] selftest: test listing trusted domains that includes an NT4 domain BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 
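Review bot: The new `if (trusts->array[n].trust_type != LSA_TRUST_TYPE_DOWNLEVEL)` block in fill_trusted_domains_array() has no comment, so the reason for returning a NULL `dns_name` lives only in the commit message. Something like `/* Windows returns a NULL dns_name for downlevel (NT4) trusts even though trustPartner holds the flat name; consumers must accept NULL here. */` above the block would keep a later cleanup from "fixing" it. The branch also depends on `trust_type` having been assigned earlier in the loop iteration, which happens outside the hunk; the comment could mention that ordering. Patch 15 on this page describes a winbindd crash caused by a consumer that did not expect a NULL `dns_name`, which shows why the contract should be written down at the producer.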
Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 000bbede59e4ca78427fa57b56fa251d4d779adb) --- .../samba3.blackbox.list_nt4_trusts | 1 + selftest/target/Samba3.pm | 1 + source3/script/tests/test_list_nt4_trust.sh | 25 +++++++++++++++++++ source3/selftest/tests.py | 4 +++ 4 files changed, 31 insertions(+) create mode 100644 selftest/knownfail.d/samba3.blackbox.list_nt4_trusts create mode 100755 source3/script/tests/test_list_nt4_trust.sh diff --git a/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts b/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts new file mode 100644 index 000000000000..546e087b250d --- /dev/null +++ b/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts @@ -0,0 +1 @@ +^samba3.blackbox.list_nt4_trusts.nt4trust_wbinfo_m\(ad_member_idmap_ad\) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 89b934864937..465c8e46a13c 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1415,6 +1415,7 @@ sub setup_ad_member_idmap_ad idmap config $dcvars->{TRUST_DOMAIN} : backend = ad idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 gensec_gssapi:requested_life_time = 5 + winbind scan trusted domains = yes "; my $ret = $self->provision( diff --git a/source3/script/tests/test_list_nt4_trust.sh b/source3/script/tests/test_list_nt4_trust.sh new file mode 100755 index 000000000000..03ee7fc7063a --- /dev/null +++ b/source3/script/tests/test_list_nt4_trust.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +incdir=$(dirname $0)/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +wbinfo="$BINDIR/wbinfo" +smbclient="$BINDIR/smbclient" + +test_trust_wbinfo_m() { + i=0 + # Give the server some time to list trusted domains + while [ $i -lt 10 ] ; do + $wbinfo -m --verbose | grep "SAMBA-TEST" && return 0 + sleep 2 + i=$((i + 1)) + done + return 1 +} + +testit "nt4trust_wbinfo_m" test_trust_wbinfo_m || failed=$(expr $failed + 1) + +testok $0 $failed 
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 85f54fab4b85..b5acfaccd572 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -1833,6 +1833,10 @@ plantestsuite("samba3.blackbox.nt4_trusts", "fl2008r2dc", [os.path.join(samba3srcdir, "script/tests/test_nt4_trust.sh")]) +plantestsuite("samba3.blackbox.list_nt4_trusts", + "ad_member_idmap_ad", + [os.path.join(samba3srcdir, "script/tests/test_list_nt4_trust.sh")]) + def planclusteredmembertestsuite(tname, prefix): '''Define a clustered test for the clusteredmember environment''' -- 2.43.0 From df1237c4cf1597a42851202e98a6f000323a3490 Mon Sep 17 00:00:00 2001 
From: Ralph Boehme Date: Sat, 13 Jan 2024 11:40:55 +0100 Subject: [PATCH 15/15] winbindd: fix listing trusted domains with NT trusts Commit e07f8901ec95aab8c36965000de185d99e642644 broke handling of NT4 domains which lack a DNS domain name. As the dns_name is NULL, talloc_steal(dns_name) returns NULL, which causes _wbint_ListTrustedDomains to return NT_STATUS_NO_MEMORY. To make things worse, at that point the new struct netr_DomainTrust is not yet initialized correctly and the "out->count = n + 1" already increased the array counter at the start of the loop without initializing it. Later when NDR-pushing the result in dcesrv_call_dispatch_local(), the ndr_push() can crash when accessing the uninitialized values: 2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: =============================================================== 2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD) 2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting 2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: =============================================================== 2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames: 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #0 
bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5] 92023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #11 bin/shared/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x49b) [0x7f1397be6219] 2023-12-08T14:07:42.760443+00:00 
localadmember.addom.samba.example.com log.winbindd[157227]: #12 winbindd: domain child [ADDOMAIN](winbindd_dual_ndrcmd+0x375) [0x55741e67a204] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #13 winbindd: domain child [ADDOMAIN](+0x9cf0d) [0x55741e674f0d] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #14 winbindd: domain child [ADDOMAIN](+0x9f792) [0x55741e677792] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #15 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_fd_handler+0x121) [0x7f139802f816] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #16 bin/shared/private/libtevent-samba4.so(+0x19cef) [0x7f139803bcef] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #17 bin/shared/private/libtevent-samba4.so(+0x1a3dc) [0x7f139803c3dc] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #18 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #19 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #20 winbindd: domain child [ADDOMAIN](+0xa03ca) [0x55741e6783ca] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #21 winbindd: domain child [ADDOMAIN](+0x9ba9c) [0x55741e673a9c] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #22 bin/shared/private/libtevent-samba4.so(_tevent_req_notify_callback+0xba) [0x7f139803194a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #23 bin/shared/private/libtevent-samba4.so(+0xfadb) [0x7f1398031adb] 
2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #24 bin/shared/private/libtevent-samba4.so(_tevent_req_done+0x25) [0x7f1398031b07] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #25 bin/shared/private/libtevent-samba4.so(+0xf125) [0x7f1398031125] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #26 bin/shared/private/libtevent-samba4.so(+0xe9cf) [0x7f13980309cf] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #27 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_immediate_handler+0x207) [0x7f1398030343] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #28 bin/shared/private/libtevent-samba4.so(tevent_common_loop_immediate+0x37) [0x7f13980304b5] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #29 bin/shared/private/libtevent-samba4.so(+0x1a332) [0x7f139803c332] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #30 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #31 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #32 winbindd: domain child [ADDOMAIN](main+0x1689) [0x55741e6b210a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #33 /lib64/libc.so.6(+0x27b8a) [0x7f1396864b8a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #34 /lib64/libc.so.6(__libc_start_main+0x8b) [0x7f1396864c4b] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #35 winbindd: domain child [ADDOMAIN](_start+0x25) 
[0x55741e63a045] 2023-12-08T14:07:42.760685+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: smb_panic(): calling panic action [cd /data/git/samba/scratch3 && /data/git/samba/scratch3/selftest/gdb_backtrace 157227 ./bin/winbindd] Deferring assignment of r->out.domains->array and r->out.domains->count to the end of the function ensures we don't return inconsistent state in case of an error. Also, r->out.domains is already set by the NDR layer, no need to create and assign a struct netr_DomainTrustList object. Using talloc_move() ensures we don't leave dangling pointers. Better to crash reliably on accessing NULL, then accessing some unknown memory via a wild pointer. As talloc_move() can't fail, there's no need to check the return value. And using a struct initializer ensures all members are properly initialized. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224 (cherry picked from commit 201edcb5c6138488959e54e7df88007d010f1cfb) --- .../samba3.blackbox.list_nt4_trusts | 1 - source3/winbindd/winbindd_dual_srv.c | 58 ++++++++----------- 2 files changed, 25 insertions(+), 34 deletions(-) delete mode 100644 selftest/knownfail.d/samba3.blackbox.list_nt4_trusts diff --git a/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts b/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts deleted file mode 100644 index 546e087b250d..000000000000 --- a/selftest/knownfail.d/samba3.blackbox.list_nt4_trusts +++ /dev/null @@ -1 +0,0 @@ -^samba3.blackbox.list_nt4_trusts.nt4trust_wbinfo_m\(ad_member_idmap_ad\) diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index f0fd18a8fa65..bbdaf6e58078 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c 
@@ -2055,10 +2055,11 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p,
 struct wbint_ListTrustedDomains *r)
 {
 struct winbindd_domain *domain = wb_child_domain();
- uint32_t i, n;
+ uint32_t i;
 NTSTATUS result;
 struct netr_DomainTrustList trusts;
- struct netr_DomainTrustList *out = NULL;
+ uint32_t count = 0;
+ struct netr_DomainTrust *array = NULL;
 pid_t client_pid;
 
 if (domain == NULL) {
@@ -2082,53 +2083,44 @@ NTSTATUS _wbint_ListTrustedDomains(struct pipes_struct *p, return result; } - out = talloc_zero(p->mem_ctx, struct netr_DomainTrustList); - if (out == NULL) { - return NT_STATUS_NO_MEMORY; - } - - r->out.domains = out; - for (i=0; isid == NULL) { continue; } - if (dom_sid_equal(trusts.array[i].sid, &global_sid_NULL)) { + if (dom_sid_equal(st->sid, &global_sid_NULL)) { continue; } - n = out->count; - out->array = talloc_realloc(out, out->array, - struct netr_DomainTrust, - n + 1); - if (out->array == NULL) { + array = talloc_realloc(r->out.domains, array, + struct netr_DomainTrust, + count + 1); + if (array == NULL) { return NT_STATUS_NO_MEMORY; } - out->count = n + 1; - out->array[n].netbios_name = talloc_steal( - out->array, trusts.array[i].netbios_name); - if (out->array[n].netbios_name == NULL) { - return NT_STATUS_NO_MEMORY; - } + dt = &array[count]; - out->array[n].dns_name = talloc_steal( - out->array, trusts.array[i].dns_name); - if (out->array[n].dns_name == NULL) { - return NT_STATUS_NO_MEMORY; - } + *dt = (struct netr_DomainTrust) { + .trust_flags = st->trust_flags, + .trust_type = st->trust_type, + .trust_attributes = st->trust_attributes, + .netbios_name = talloc_move(array, &st->netbios_name), + .dns_name = talloc_move(array, &st->dns_name), + }; - out->array[n].sid = dom_sid_dup(out->array, - trusts.array[i].sid); - if (out->array[n].sid == NULL) { + dt->sid = dom_sid_dup(array, st->sid); + if (dt->sid == NULL) { return NT_STATUS_NO_MEMORY; } - out->array[n].trust_flags = trusts.array[i].trust_flags; - out->array[n].trust_type = trusts.array[i].trust_type; - out->array[n].trust_attributes = trusts.array[i].trust_attributes; + count++; } + r->out.domains->array = array; + r->out.domains->count = count; return NT_STATUS_OK; } -- 2.43.0
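Review bot: The rewritten loop drops the NULL check on `netbios_name` together with the one on `dns_name`, so an entry with no NetBIOS name is now returned with a NULL pointer instead of failing the call. The commit message only motivates the NULL `dns_name` case for NT4 trusts; whether consumers of the list tolerate a NULL `netbios_name` is not visible here. If a NetBIOS name is required for every trust, a guard next to the existing sid checks would keep that invariant, `if (st->netbios_name == NULL) { continue; }`; otherwise a comment above the initializer such as `/* dns_name is NULL for NT4 trusts; talloc_move() passes NULL through */` would document the intent. The function starts outside this hunk, and the `for` header is garbled in this rendering, so the loop bound could not be checked.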