| commit | 8c846741a4514fc01513ddd3f83afc61f186806a | |
| author | Ralph Boehme <slow@samba.org> | |
| Fri, 15 Jan 2021 11:56:25 +0000 (15 12:56 +0100) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Thu, 28 Jan 2021 10:14:02 +0000 (28 10:14 +0000) | ||
| tree | 443447063f40dbb50ae28d3e83f0d4ebb98c3869 | treesnapshot (tar.gz zip) |
| parent | 7362b5b31cd75ab1f8cdd84fb0a800376d097e2c | commitdiff |
s3/auth: implement "winbind:ignore domains"
Under the following conditions a user from an ignored domain might be able to
authenticate:
- using Kerberos
- successfully previous authentication so the idmap and name caches are filled
- winbind not running (fwiw, winbindd is mandatory on a domain member)
- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
because getpwnam fails)
- lookup_name() function being modified to look into the name cache before
contacting winbindd. Currently it talks directly to winbindd and that will
check the cache.
Currently, authentication will only fail because creating the local token for
the user fails because an LSA lookupname RPC call fails (because winbindd is not
running).
All of this makes a successfull authentication unlikelly, but that is more by
accident then by design.
To ensures that if winbindd is not running and as such winbindd itself can not
enforce the restriction, also implement the ignored domains check in the auth
system as a last line of defense.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
RN: "winbind:ignore domains" doesn't prevent user login from trusted domain
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit df5fe2d835169161d3930acf1e9c750dd2bc64b6)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Thu Jan 28 10:14:02 UTC 2021 on sn-devel-184
Under the following conditions a user from an ignored domain might be able to
authenticate:
- using Kerberos
- successfully previous authentication so the idmap and name caches are filled
- winbind not running (fwiw, winbindd is mandatory on a domain member)
- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
because getpwnam fails)
- lookup_name() function being modified to look into the name cache before
contacting winbindd. Currently it talks directly to winbindd and that will
check the cache.
Currently, authentication will only fail because creating the local token for
the user fails because an LSA lookupname RPC call fails (because winbindd is not
running).
All of this makes a successfull authentication unlikelly, but that is more by
accident then by design.
To ensures that if winbindd is not running and as such winbindd itself can not
enforce the restriction, also implement the ignored domains check in the auth
system as a last line of defense.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
RN: "winbind:ignore domains" doesn't prevent user login from trusted domain
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit df5fe2d835169161d3930acf1e9c750dd2bc64b6)
Autobuild-User(v4-12-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-12-test): Thu Jan 28 10:14:02 UTC 2021 on sn-devel-184
| source3/auth/auth_util.c | diffblobblamehistory |