From 92ca4f52ae093e14d39b8853a34ffa8be6a3d492 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 5 Oct 2014 18:32:09 +1300 Subject: [PATCH] winbindd: Do not overwrite domain list with conflicting info from a trusted domain This places less trust in our primary DC or trusted domain DC and refuses to update info that is conflicting This does not currently reject the connection to the DC, but only ensures it can only update missing information or to correct the case of the domain. Andrew Bartlett Signed-off-by: Andrew Bartlett Reviewed-by: Michael Adam Autobuild-User(master): Michael Adam Autobuild-Date(master): Mon Oct 6 17:21:03 CEST 2014 on sn-devel-104 --- source3/winbindd/winbindd_cm.c | 75 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 43147cb7d96..fd414b8827e 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2276,6 +2276,18 @@ no_dssetup: domain->active_directory = True; if (lsa_info->dns.name.string) { + if (!strequal(domain->name, lsa_info->dns.name.string)) + { + DEBUG(1, ("set_dc_type_and_flags_connect: DC " + "for domain %s claimed it was a DC " + "for domain %s, refusing to " + "initialize\n", + domain->name, + lsa_info->dns.name.string)); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } talloc_free(domain->name); domain->name = talloc_strdup(domain, lsa_info->dns.name.string); @@ -2285,6 +2297,20 @@ no_dssetup: } if (lsa_info->dns.dns_domain.string) { + if (domain->alt_name != NULL && + !strequal(domain->alt_name, + lsa_info->dns.dns_domain.string)) + { + DEBUG(1, ("set_dc_type_and_flags_connect: DC " + "for domain %s (%s) claimed it was " + "a DC for domain %s, refusing to " + "initialize\n", + domain->alt_name, domain->name, + lsa_info->dns.dns_domain.string)); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } talloc_free(domain->alt_name); domain->alt_name = talloc_strdup(domain, @@ -2312,6 +2338,23 @@ no_dssetup: } if (lsa_info->dns.sid) { + if (!is_null_sid(&domain->sid) && + !dom_sid_equal(&domain->sid, + lsa_info->dns.sid)) + { + DEBUG(1, ("set_dc_type_and_flags_connect: DC " + "for domain %s (%s) claimed it was " + "a DC for domain %s, refusing to " + "initialize\n", + dom_sid_string(talloc_tos(), + &domain->sid), + domain->name, + dom_sid_string(talloc_tos(), + lsa_info->dns.sid))); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } sid_copy(&domain->sid, lsa_info->dns.sid); } } else { @@ -2333,6 +2376,20 @@ no_dssetup: if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { if (lsa_info->account_domain.name.string) { + if (!strequal(domain->name, + lsa_info->account_domain.name.string)) + { + DEBUG(1, + ("set_dc_type_and_flags_connect: " + "DC for domain %s claimed it was" + " a DC for domain %s, refusing " + "to initialize\n", domain->name, + lsa_info-> + account_domain.name.string)); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } talloc_free(domain->name); domain->name = talloc_strdup(domain, @@ -2340,6 +2397,24 @@ no_dssetup: } if (lsa_info->account_domain.sid) { + if (!is_null_sid(&domain->sid) && + !dom_sid_equal(&domain->sid, + lsa_info->account_domain.sid)) + { + DEBUG(1, + ("set_dc_type_and_flags_connect: " + "DC for domain %s (%s) claimed " + "it was a DC for domain %s, " + "refusing to initialize\n", + dom_sid_string(talloc_tos(), + &domain->sid), + domain->name, + dom_sid_string(talloc_tos(), + lsa_info->account_domain.sid))); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } sid_copy(&domain->sid, lsa_info->account_domain.sid); } } -- 2.11.4.GIT