From: Stefan Metzmacher Date: Mon, 15 Jan 2018 12:02:04 +0000 (+0100) Subject: winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts. X-Git-Tag: tevent-0.9.36~166 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=728fb7c593230abeb681854d924e4619d6f4cf37;p=thirdparty%2Fsamba.git winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme
---
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index bc27a39c08f..eb400f0ebf3 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -983,6 +983,60 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
 return status;
 }
 
+static enum lsa_LookupNamesLevel winbindd_lookup_level(
+ struct winbindd_domain *domain)
+{
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
+
+ if (domain->internal) {
+ level = LSA_LOOKUP_NAMES_ALL;
+ } else if (domain->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+ if (domain->domain_flags & NETR_TRUST_FLAG_IN_FOREST) {
+ /*
+ * TODO:
+ *
+ * Depending on what we want to resolve. We need to use:
+ * 1. LsapLookupXForestReferral(5)/LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY
+ * if we want to pass the request into the direction of the forest
+ * root domain. The forest root domain uses
+ * LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
+ * when passing the request to trusted forests.
+ * 2. LsapLookupGC(4)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY
+ * if we're not a GC and want to resolve a name within our own forest.
+ *
+ * As we don't support more than one domain in our own forest
+ * and always try to be a GC for now, we just set
+ * LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY.
+ */
+ level = LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY;
+ } else if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
+ /*
+ * This is LsapLookupXForestResolve(6)/LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2
+ */
+ level = LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2;
+ } else {
+ /*
+ * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
+ */
+ level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
+ }
+ } else if (domain->secure_channel_type == SEC_CHAN_DOMAIN) {
+ /*
+ * This is LsapLookupTDL(3)/LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY
+ */
+ level = LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY;
+ } else if (domain->rodc) {
+ level = LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC;
+ } else {
+ /*
+ * This is LsapLookupPDC(2)/LSA_LOOKUP_NAMES_DOMAINS_ONLY
+ */
+ level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;
+ }
+
+ return level;
+}
+
 NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 struct winbindd_domain *domain,
 uint32_t num_sids,
@@ -1013,6 +1067,8 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 use_lookupsids3 = true;
 }
 
+ level = winbindd_lookup_level(domain);
+
 /*
 * This call can take a long time
 * allow the server to time out.
@@ -1076,6 +1132,7 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 unsigned int orig_timeout = 0;
 bool use_lookupnames4 = false;
 bool retried = false;
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
 
 connect:
 status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
@@ -1089,6 +1146,8 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 use_lookupnames4 = true;
 }
 
+ level = winbindd_lookup_level(domain);
+
 /*
 * This call can take a long time
 * allow the server to time out.
@@ -1102,7 +1161,7 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 num_names,
 (const char **) names,
 domains,
- 1,
+ level,
 sids,
 types,
 use_lookupnames4,
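Review bot: winbindd_lookup_level() carries no header comment, so a reader has to reconstruct from the commit title why LSA_LOOKUP_NAMES_ALL is now reserved for `domain->internal` and every trusted domain gets a narrower level; a short comment above the function along the lines of `/* Map a domain's trust type to the LSA lookup level passed to its DC, so a lookup sent over a trust is scoped to that trust rather than LSA_LOOKUP_NAMES_ALL; only our own (internal) domains keep the unrestricted level. */` would keep that intent next to the code. The initializer `level = LSA_LOOKUP_NAMES_DOMAINS_ONLY` is dead, since every branch including the final `else` assigns `level`, so either the initializer or the trailing `else` can be dropped. The `domain->rodc` test is only reached when secure_channel_type is neither SEC_CHAN_DNS_DOMAIN nor SEC_CHAN_DOMAIN, which is presumably the intended primary-domain case but is easy to misread as covering every RODC-backed domain and deserves a one-line comment.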
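Review bot: The new local `level` in winbindd_lookup_names() is initialized to LSA_LOOKUP_NAMES_ALL, the very value the commit stops forcing, while winbindd_lookup_level() itself starts from LSA_LOOKUP_NAMES_DOMAINS_ONLY; the initializer is dead today because `level = winbindd_lookup_level(domain);` is assigned unconditionally after cm_connect_lsat(), but if a later change ever bypasses that assignment the lookup silently falls back to the widest scope. Initializing it consistently with the helper, `enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_DOMAINS_ONLY;`, keeps the default on the narrow side. The body of winbindd_lookup_names() starts and ends outside this hunk, and the matching declaration of `level` in winbindd_lookup_sids() is not part of the diff, so whether it shares the same initializer cannot be checked here.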