From: Ralph Boehme Date: Fri, 15 Jan 2021 11:56:25 +0000 (+0100) Subject: s3/auth: implement "winbind:ignore domains" X-Git-Tag: tevent-0.11.0~2017 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df5fe2d835169161d3930acf1e9c750dd2bc64b6;p=thirdparty%2Fsamba.git s3/auth: implement "winbind:ignore domains" Under the following conditions a user from an ignored domain might be able to authenticate: - using Kerberos - successfully previous authentication so the idmap and name caches are filled - winbind not running (fwiw, winbindd is mandatory on a domain member) - nscd running with a cached getpwnam for the ignored user (otherwise auth fails because getpwnam fails) - lookup_name() function being modified to look into the name cache before contacting winbindd. Currently it talks directly to winbindd and that will check the cache. Currently, authentication will only fail because creating the local token for the user fails because an LSA lookupname RPC call fails (because winbindd is not running). All of this makes a successfull authentication unlikelly, but that is more by accident then by design. To ensures that if winbindd is not running and as such winbindd itself can not enforce the restriction, also implement the ignored domains check in the auth system as a last line of defense. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 RN: "winbind:ignore domains" doesn't prevent user login from trusted domain Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9427c05f573..4686b29111e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -485,6 +485,14 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } + if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + server_info->info3->base.account_name.string, + server_info->info3->base.logon_domain.string); + return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + } + if (server_info->cached_session_info != NULL) { session_info = copy_session_info(mem_ctx, server_info->cached_session_info);