The branch, master has been updated via 92ca4f5 winbindd: Do not overwrite domain list with conflicting info from a trusted domain via 7b4f266 torture: Reorder torture_winbind_struct_domain_info tests from 88b2485 ctdb-build: Fix handling of public headers
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 92ca4f52ae093e14d39b8853a34ffa8be6a3d492 Author: Andrew Bartlett <abart...@samba.org> Date: Sun Oct 5 18:32:09 2014 +1300 winbindd: Do not overwrite domain list with conflicting info from a trusted domain This places less trust in our primary DC or trusted domain DC and refuses to update info that is conflicting This does not currently reject the connection to the DC, but only ensures it can only update missing information or to correct the case of the domain. Andrew Bartlett Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> Autobuild-User(master): Michael Adam <ob...@samba.org> Autobuild-Date(master): Mon Oct 6 17:21:03 CEST 2014 on sn-devel-104 commit 7b4f266ef059fbab5ed1cf50ca347fb9985f02dc Author: Andrew Bartlett <abart...@samba.org> Date: Sun Oct 5 16:00:47 2014 +1300 torture: Reorder torture_winbind_struct_domain_info tests This tries to ensure we get enough information to debug this intermittent failure. I think this may be a real failure, but it is hard to tell without more info. This patch prints out the full details of what the domain returned before doing the assertions. Andrew Bartlett Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/winbindd/winbindd_cm.c | 75 ++++++++++++++++++++++++++++++++ source4/torture/winbind/struct_based.c | 37 ++++++++-------- 2 files changed, 94 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 43147cb..fd414b8 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -2276,6 +2276,18 @@ no_dssetup: domain->active_directory = True; if (lsa_info->dns.name.string) { + if (!strequal(domain->name, lsa_info->dns.name.string)) + { + DEBUG(1, ("set_dc_type_and_flags_connect: DC " + "for domain %s claimed it was a DC " + "for domain %s, refusing to " + "initialize\n", + domain->name, + lsa_info->dns.name.string)); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } talloc_free(domain->name); domain->name = talloc_strdup(domain, lsa_info->dns.name.string); @@ -2285,6 +2297,20 @@ no_dssetup: } if (lsa_info->dns.dns_domain.string) { + if (domain->alt_name != NULL && + !strequal(domain->alt_name, + lsa_info->dns.dns_domain.string)) + { + DEBUG(1, ("set_dc_type_and_flags_connect: DC " + "for domain %s (%s) claimed it was " + "a DC for domain %s, refusing to " + "initialize\n", + domain->alt_name, domain->name, + lsa_info->dns.dns_domain.string)); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } talloc_free(domain->alt_name); domain->alt_name = talloc_strdup(domain, @@ -2312,6 +2338,23 @@ no_dssetup: } if (lsa_info->dns.sid) { + if (!is_null_sid(&domain->sid) && + !dom_sid_equal(&domain->sid, + lsa_info->dns.sid)) + { + DEBUG(1, ("set_dc_type_and_flags_connect: DC " + "for domain %s (%s) claimed it was " + "a DC for domain %s, refusing to " + "initialize\n", + dom_sid_string(talloc_tos(), + &domain->sid), + domain->name, + dom_sid_string(talloc_tos(), + lsa_info->dns.sid))); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } sid_copy(&domain->sid, lsa_info->dns.sid); } } else { 
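Review bot: The conflict checks are interleaved with the writes, so a reply that is refused part-way still leaves DC-supplied state behind. In this hunk `domain->active_directory = True;` has already run before the name comparison, and in the two following hunks a previously unset `domain->alt_name` is filled from the DC before the SID comparison can refuse it. Comparing all three fields first and assigning only once every check has passed would keep a refused DC from changing the domain entry at all. The enclosing function starts and ends outside the hunk, so whether flag assignments made earlier need the same treatment cannot be confirmed from here.

```c
	/* Compare everything the DC claims before storing any of it. */
	if ((lsa_info->dns.name.string != NULL &&
	     !strequal(domain->name, lsa_info->dns.name.string)) ||
	    (lsa_info->dns.dns_domain.string != NULL &&
	     domain->alt_name != NULL &&
	     !strequal(domain->alt_name,
		       lsa_info->dns.dns_domain.string)) ||
	    (lsa_info->dns.sid != NULL &&
	     !is_null_sid(&domain->sid) &&
	     !dom_sid_equal(&domain->sid, lsa_info->dns.sid))) {
		/* ... unchanged: DEBUG(1, ...) reporting the conflicting value ... */
		TALLOC_FREE(cli);
		TALLOC_FREE(mem_ctx);
		return;
	}

	domain->active_directory = True;
	/* ... unchanged: name, alt_name and SID assignments, without their inline checks ... */
```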
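Review bot: The `domain->alt_name != NULL` guard makes this a trust-on-first-use check, and nothing in the hunk says so: when no DNS name is recorded yet, whatever the DC returns is stored and becomes the value that later connections are compared against. The same applies to the `!is_null_sid(&domain->sid)` guards in the next hunk and in the account-domain SID hunk. A short comment above the condition would record that this is deliberate, for example `/* No alt_name known yet: accept the DC's value; only a later conflicting answer is refused. */`.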
@@ -2333,6 +2376,20 @@ no_dssetup: if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { if (lsa_info->account_domain.name.string) { + if (!strequal(domain->name, + lsa_info->account_domain.name.string)) + { + DEBUG(1, + ("set_dc_type_and_flags_connect: " + "DC for domain %s claimed it was" + " a DC for domain %s, refusing " + "to initialize\n", domain->name, + lsa_info-> + account_domain.name.string)); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } talloc_free(domain->name); domain->name = talloc_strdup(domain, @@ -2340,6 +2397,24 @@ no_dssetup: } if (lsa_info->account_domain.sid) { + if (!is_null_sid(&domain->sid) && + !dom_sid_equal(&domain->sid, + lsa_info->account_domain.sid)) + { + DEBUG(1, + ("set_dc_type_and_flags_connect: " + "DC for domain %s (%s) claimed " + "it was a DC for domain %s, " + "refusing to initialize\n", + dom_sid_string(talloc_tos(), + &domain->sid), + domain->name, + dom_sid_string(talloc_tos(), + lsa_info->account_domain.sid))); + TALLOC_FREE(cli); + TALLOC_FREE(mem_ctx); + return; + } sid_copy(&domain->sid, lsa_info->account_domain.sid); } } diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c index d47d068..ef27b05 100644 --- a/source4/torture/winbind/struct_based.c +++ b/source4/torture/winbind/struct_based.c 
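Review bot: This is the fourth copy of the same refuse path (`DEBUG(1, ...)`, `TALLOC_FREE(cli)`, `TALLOC_FREE(mem_ctx)`, `return`), with a fifth in the SID hunk that follows, and the five blocks differ only in which values the message prints. Routing them through one exit, for example `goto conflict;` to a label that does the two frees and returns, would keep the cleanup in a single place so a later change to it cannot miss one branch. The label name is only a suggestion; the function's existing cleanup code lies outside the hunk.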
@@ -428,22 +428,6 @@ static bool torture_winbind_struct_domain_info(struct torture_context *torture) DO_STRUCT_REQ_REP(WINBINDD_DOMAIN_INFO, &req, &rep); - torture_assert_str_equal(torture, - rep.data.domain_info.name, - listd[i].netbios_name, - "Netbios domain name doesn't match"); - - torture_assert_str_equal(torture, - rep.data.domain_info.alt_name, - listd[i].dns_name, - "DNS domain name doesn't match"); - - sid = dom_sid_parse_talloc(torture, rep.data.domain_info.sid); - torture_assert(torture, sid, "Failed to parse SID"); - - ok = dom_sid_equal(listd[i].sid, sid); - torture_assert(torture, ok, "SID's doesn't match"); - if (rep.data.domain_info.primary) { flagstr = talloc_strdup_append(flagstr, "PR "); } @@ -462,10 +446,27 @@ static bool torture_winbind_struct_domain_info(struct torture_context *torture) flagstr = talloc_strdup_append(flagstr, "NA "); } - torture_comment(torture, "DOMAIN '%s' => '%s' [%s]\n", + torture_comment(torture, "DOMAIN '%s' => '%s' [%s] [%s]\n", rep.data.domain_info.name, rep.data.domain_info.alt_name, - flagstr); + flagstr, + rep.data.domain_info.sid); + + sid = dom_sid_parse_talloc(torture, rep.data.domain_info.sid); + torture_assert(torture, sid, "Failed to parse SID"); + + ok = dom_sid_equal(listd[i].sid, sid); + torture_assert(torture, ok, "SID's doesn't match"); + + torture_assert_str_equal(torture, + rep.data.domain_info.name, + listd[i].netbios_name, + "Netbios domain name doesn't match"); + + torture_assert_str_equal(torture, + rep.data.domain_info.alt_name, + listd[i].dns_name, + "DNS domain name doesn't match"); } return true; -- Samba Shared Repository