From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Nov 2021 20:50:20 +0100
Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).
We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
---
source3/winbindd/winbindd_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 42ddbfd2f44..9d54e462c42 100644
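--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
 return NT_STATUS_INVALID_PARAMETER;
 }
 
- if (!is_allowed_domain(domain_name)) {
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
 return NT_STATUS_NO_SUCH_DOMAIN;
 }
 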
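Review bot: The added `secure_channel_type == SEC_CHAN_NULL &&` guard makes the `is_allowed_domain()` policy check depend on a caller-supplied argument, and nothing at the condition says why; the rationale exists only in the commit message. I would add a comment above the `if`, for example `/* Only domains without an explicit trust (SEC_CHAN_NULL) are filtered by is_allowed_domain(); local domains such as BUILTIN use at least SEC_CHAN_LOCAL. */`, so that a later caller does not pass a non-NULL channel type for a name that did not come from an established trust and thereby skip the "allow trusted domains = no" restriction unnoticed. The callers of add_trusted_domain() are not visible in this hunk, so how each of them derives the channel type should be confirmed there. The function body starts and ends outside the hunk.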
--
2.33.1