The branch, v4-20-test has been updated
       via  36f514f9079 s4:dsdb: fix logic of dsdb_trust_routing_by_name()
       via  a015ffb3dea s4:scripting: fix gen_hresult.py
      from  4d043ea5e51 pam_winbind: Fix Bug 15771

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -----------------------------------------------------------------
commit 36f514f9079dca1765922415cce6fc623fe75466
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 7 14:06:43 2025 +0100

    s4:dsdb: fix logic of dsdb_trust_routing_by_name()
    
    We need to use the longest possible dnsname match.
    
    If we are the domain samba.example.com and have a trust
    to example.com, a routing request for dc.samba.example.com
    should return the tdo for samba.example.com instead
    of example.com.
    
    I reproduced the problem with the following diff:
    
    > diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
    > index 15d7692b5d64..6e9595b784c4 100644
    > --- a/selftest/target/Samba.pm
    > +++ b/selftest/target/Samba.pm
    > @@ -564,7 +564,7 @@ sub realm_to_ip_mappings
    >           'samba2000.example.com'           => 'dc5',
    >           'samba2003.example.com'           => 'dc6',
    >           'samba2008r2.example.com'         => 'dc7',
    > -         'addom.samba.example.com'         => 'addc',
    > +         'addom.samba2008r2.example.com'         => 'addc',
    >           'addom2.samba.example.com'        => 'addcsmb1',
    >           'sub.samba.example.com'           => 'localsubdc',
    >           'chgdcpassword.samba.example.com' => 'chgdcpass',
    > diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
    > index 0e4cf50235c3..6bca0cfd0c89 100755
    > --- a/selftest/target/Samba4.pm
    > +++ b/selftest/target/Samba4.pm
    > @@ -2631,7 +2631,7 @@ sub setup_fl2008r2dc
    >       return undef;
    >   }
    >
    > - $env = $self->setup_trust($env, $ad_dc_vars, "forest", "");
    > + $env = $self->setup_trust($env, $ad_dc_vars, "forest", 
"--skip-validation");
    >   if (!defined $env) {
    >       return undef;
    >   }
    > @@ -2843,7 +2843,7 @@ sub _setup_ad_dc
    >           $server = "addc";
    >   }
    >   if (!defined($dom)) {
    > -         $dom = "addom.samba.example.com";
    > +         $dom = "addom.samba2008r2.example.com";
    >   }
    >   my $env = $self->provision_ad_dc($path, $server, "ADDOMAIN",
    >                                    $dom,
    
    and running:
     make -j testenv SELFTEST_TESTENV="fl2008r2dc:local"
    
    Inside the testenv:
    bin/smbclient //addc.addom.samba2008r2.example.com/netlogon \
      -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD \
      --use-kerberos=required \
      -c 'ls'
    
    It lets the KDC of ADDOM.SAMBA2008R2.EXAMPLE.COM to
    generate a (referral) ticket for
    krbtgt/[email protected]
    instead of
    cifs/[email protected]
    
    As ADDOM.SAMBA2008R2.EXAMPLE.COM has a forest trust (without 
msDS-TrustForestTrustInfo)
    to SAMBA2008R2.EXAMPLE.COM dsdb_trust_update_best_tln() overwrote the
    best match of addom.samba2008r2.example.com with samba2008r2.example.com.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15778
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    
    Autobuild-User(master): Douglas Bagnall <[email protected]>
    Autobuild-Date(master): Wed Jan  8 04:14:47 UTC 2025 on atb-devel-224
    
    (cherry picked from commit 56947612452c32bd26f30ad6c9767830fe608d67)
    
    Autobuild-User(v4-20-test): Jule Anger <[email protected]>
    Autobuild-Date(v4-20-test): Thu Jan  9 09:56:59 UTC 2025 on atb-devel-224

commit a015ffb3dea44bbe4c77f3b626accd5dd7c273d6
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Dec 16 14:43:41 2024 +0100

    s4:scripting: fix gen_hresult.py
    
    Commit 6877e4849e81ed8f7f355fa4069f13a134e999ce reversed the
    return values of hresult_errstr() and hresult_errstr_const().
    
    hresult_errstr() should return "HRES_SEC_E_WRONG_PRINCIPAL",
    while hresult_errstr_const() should return
    "The target principal name is incorrect.".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15769
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    (cherry picked from commit 6e0e9c4efc86f5ec4566aa0220ed4a74ad5436c1)

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/common/util_trusts.c    | 26 +++++++++++++-------------
 source4/scripting/bin/gen_hresult.py |  4 ++--
 2 files changed, 15 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/common/util_trusts.c 
b/source4/dsdb/common/util_trusts.c
index 34a836a6a6f..c1797e3138e 100644
--- a/source4/dsdb/common/util_trusts.c
+++ b/source4/dsdb/common/util_trusts.c
@@ -3038,7 +3038,7 @@ static void dsdb_trust_update_best_tln(
                return;
        }
 
-       cmp = dns_cmp(*best_tln, tln);
+       cmp = dns_cmp(tln, *best_tln);
        if (cmp != DNS_CMP_FIRST_IS_CHILD) {
                return;
        }
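Review bot: The call `cmp = dns_cmp(tln, *best_tln);` has no comment saying which operand must be the child, although the operand order is exactly what this change corrects. A line above it such as `/* only replace the current best if tln is below it, i.e. a longer and more specific suffix */` would make a future swap stand out in review. The commit message reproduces the misrouted referral by hand, but the diffstat shows no test change, so nothing automated would catch a regression in which trusted domain a name is routed to. The body of dsdb_trust_update_best_tln() starts and ends outside the hunk.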
@@ -3127,10 +3127,6 @@ const struct lsa_TrustDomainInfoInfoEx 
*dsdb_trust_routing_by_name(
                                continue;
                        }
 
-                       if (!transitive) {
-                               continue;
-                       }
-
                        dsdb_trust_update_best_tln(&best_d, &best_tln, d,
                                                   d->tdo->domain_name.string);
                        continue;
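Review bot: Removing the `if (!transitive) continue;` guard before `dsdb_trust_update_best_tln()` is not explained in the commit message, which only covers the longest-match ordering. Without the guard, a trust that is not transitive can become the best suffix candidate, so names below its domain name may now be routed to it. If that is intended, a comment at this call would record the decision, for example `/* names below the domain name of a non-transitive trust are still routed to it */`. Whether `transitive` still has a reader elsewhere in the function cannot be seen from this hunk; if it does not, the variable and its assignments should be removed as well.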
@@ -3212,15 +3208,19 @@ const struct lsa_TrustDomainInfoInfoEx 
*dsdb_trust_routing_by_name(
                        }
 
                        cmp = dns_cmp(name, fti_tln);
-                       switch (cmp) {
-                       case DNS_CMP_MATCH:
-                       case DNS_CMP_FIRST_IS_CHILD:
-                               dsdb_trust_update_best_tln(&best_d, &best_tln,
-                                                          d, fti_tln);
-                               break;
-                       default:
-                               break;
+                       if (cmp == DNS_CMP_MATCH) {
+                               /*
+                                * exact match
+                                */
+                               return d->tdo;
                        }
+                       if (cmp != DNS_CMP_FIRST_IS_CHILD) {
+                               continue;
+                       }
+
+                       dsdb_trust_update_best_tln(&best_d, &best_tln,
+                                                  d, fti_tln);
+                       continue;
                }
        }
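Review bot: The new `return d->tdo;` on `DNS_CMP_MATCH` ends the search at the first exact top-level-name match, where the old switch only recorded a candidate, and the comment `exact match` does not say why stopping is safe. Something like `/* exact match: no other entry can be more specific, stop searching */` would state the reasoning. The trailing `continue;` after `dsdb_trust_update_best_tln()` is the last statement of the loop body as shown and could be dropped, unless it is kept on purpose to mirror the domain-name branch earlier in the function. The enclosing loops start outside the hunk.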
 
diff --git a/source4/scripting/bin/gen_hresult.py 
b/source4/scripting/bin/gen_hresult.py
index 3caca259436..dec0adf11be 100755
--- a/source4/scripting/bin/gen_hresult.py
+++ b/source4/scripting/bin/gen_hresult.py
@@ -101,7 +101,7 @@ def generateSourceFile(out_file, errors):
     out_file.write("   switch (HRES_ERROR_V(err_code)) {\n")
     for err in errors:
         out_file.write(f'            case 0x{err.err_code:X}:\n')
-        out_file.write(f'                result = \"{err.err_define}\";\n')
+        out_file.write(f'                result = \"{err.err_string}\";\n')
         out_file.write(f'                break;\n')
     out_file.write("   }\n")
     out_file.write("\n")
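Review bot: `err.err_string` is interpolated straight into a C string literal in `result = \"{err.err_string}\";`, so a description containing `"` or `\` would produce generated C that fails to compile or carries a different string, unless the parser outside this hunk already escapes it. Escaping at the write site keeps the generator correct whatever the input table contains: `text = err.err_string.replace('\\', '\\\\').replace('"', '\\"')`, then write `result = "{text}"`. The same applies to the `err.err_define` write in the second hunk of this file, although a define name is less likely to contain such characters. generateSourceFile starts and ends outside the hunk.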
@@ -120,7 +120,7 @@ def generateSourceFile(out_file, errors):
     out_file.write("   switch (HRES_ERROR_V(err_code)) {\n")
     for err in errors:
         out_file.write(f'            case 0x{err.err_code:X}:\n')
-        out_file.write(f'                return \"{err.err_string}\";\n')
+        out_file.write(f'                return \"{err.err_define}\";\n')
         out_file.write(f'                break;\n')
     out_file.write("   }\n")
     out_file.write("   snprintf(msg, sizeof(msg), \"HRES code 0x%08x\", 
HRES_ERROR_V(err_code));\n")
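Review bot: Nothing in this change pins which generated function returns the define name and which returns the description, and the commit message says the two were already swapped once by 6877e4849e81. A small test that calls both functions for one known code and compares the results with the two strings named in the commit message (`HRES_SEC_E_WRONG_PRINCIPAL` and `The target principal name is incorrect.`) would catch a repeat. Separately, the generated `break;` after `return` in this loop is unreachable in the emitted C, and the `f` prefix on that placeholder-free string is unnecessary.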


-- 
Samba Shared Repository
