
List:       samba-technical
Subject:    Re: RFC Reroute samlogon for trusted child domain user if samlogon fails
From:       Noel Power <nopower () suse ! com>
Date:       2015-10-30 17:38:00
Message-ID: 5633AAF8.9090105 () suse ! com

On 30/10/15 17:33, Noel Power wrote:
> On 30/10/15 17:24, Jeremy Allison wrote:
>> On Fri, Oct 30, 2015 at 04:55:04PM +0000, Noel Power wrote:
>>> On 30/10/15 16:01, Noel Power wrote:
>>>> On 30/10/15 10:29, Noel Power wrote:
>>>>> Hi,
>>>>>
>>>>> revisiting the issue turned up in previous 'winbindd crash' thread
>>>>>
>>>>> On 22/10/15 12:03, Stefan Metzmacher wrote:
>>>>>
>>>>>> Hi Noel,
>>>>>>
>>>>> [...]
>>>>>
>>>>>> I think what we really need is a way to return to the parent and have
>>>>>> the fallback logic there,
>>>>>> the parent should then re-route to the correct domain child by clearing
>>>>>> WBFLAG_PAM_CONTACT_TRUSTDOM
>>>>>> before calling find_auth_domain().
>>>>> something like the patch attached ? is this the correct direction/approach ? 
>>>>>
>>>> let's forget about this for the moment, I need to rethink some things
>>>>
>>> ok here we go again, some little changes (to avoid calling kerberos a
>>> second time) I think there must be a better way to transfer that the
>>> netlogon pipe access failed than the current status check, be interested
>>> to hear if anyone has any ideas (but perhaps my approach is bogus anyway??)
>>>
>>> Interestingly we lose potentially interesting information with this
>>> regression, e.g. When a user account is disabled because we never get to
>>> successfully fallback to samlogon we miss the nice information it gives
>>> like NT_STATUS_ACCOUNT_DISABLED and thus on the command line e.g.
>>> ssh/pam just repeatedly prompts for the password and gives up with no
>>> info, /var/log/messages just has a cryptic
>>> NT_STATUS_CANT_ACCESS_DOMAIN_INFO error. Note: previously logon failures
>>> in this scenario would print "Your account is disabled, contact a
>>> sysadmin blah blah" after each password enter
>> Missing patch Noel ?
>>
> missing brain !!
<sigh> not my day, attached the previous version, HERE is the new one
attached

Noel

["0001-If-samlogon-for-trusted-child-domain-user-fails-atte.patch" (text/x-diff)]

From 6379cc59e058828b5b96d27eb1fcd799d55f3d92 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Thu, 22 Oct 2015 16:48:21 +0100
Subject: [PATCH] If samlogon for trusted child domain user fails attempt to
 reroute request

schannel netlogon connections from a domain child winbindd to the
domain controller when that domain is not 'our' domain are disallowed
and thus the credentials are not available. The samlogon request when this
happens cannot be serviced. This patch attempts to detect this scenario
(pam_auth returns a status of NT_STATUS_CANT_ACCESS_DOMAIN_INFO) and
retries the authentication by choosing and sending the request to a domain
child that should be able to service it.

Signed-off-by: Noel Power <noel.power@suse.com>
---
 source3/winbindd/winbindd_pam_auth.c | 54 ++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index 4f963a3..babbea6 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -23,6 +23,7 @@
 struct winbindd_pam_auth_state {
 	struct winbindd_request *request;
 	struct winbindd_response *response;
+	bool inhibit_retry;
 };
 
 static void winbindd_pam_auth_done(struct tevent_req *subreq);
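Review bot: the new `inhibit_retry` member of `struct winbindd_pam_auth_state` is added without a comment saying what it guards; a one-liner such as `/* set once a reroute has been attempted, so a second failure is not rerouted again */` would document the contract the second hunk depends on. The patch also adds no explicit initialisation of the field anywhere in its 54 inserted lines, so it is relying on the state being zeroed at creation; worth saying so in the comment so the next reader does not have to go and check.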
@@ -104,6 +105,59 @@ static void winbindd_pam_auth_done(struct tevent_req *subreq)
 		tevent_req_nterror(req, map_nt_error_from_unix(err));
 		return;
 	}
+
+	/*
+	 * if we failed (with Kerberos enabled) check if we got a potential
+	 * netlogon pipe access failure for trusted forest user
+	 */
+	if (state->response->data.auth.nt_status
+	   && !state->inhibit_retry
+	   && (state->flags & WBFLAG_PAM_KRB5)) {
+		NTSTATUS status =
+			NT_STATUS(state->response->data.auth.nt_status);
+
+		/*
+		 * status NT_STATUS_CANT_ACCESS_DOMAIN_INFO can indicate
+		 * a trust domain child couldn't access the NETLOGON pipe.
+		 * Try and reroute request to correct domain child.
+		 */
+		if (NT_STATUS_EQUAL(status,
+				    NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+			struct winbindd_domain *domain = NULL;
+			struct winbindd_request *request = state->request;
+			fstring name_domain, name_user;
+			uint32_t flags = request->flags;
+
+			if (!parse_domain_user(request->data.auth.user,
+					       name_domain, name_user)) {
+				tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+				tevent_req_post(req, winbind_event_context());
+				return;
+			}
+
+			flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
+			domain = find_auth_domain(flags, name_domain);
+
+			/* don't attempt kerberos again, it's already failed */
+			state->request->flags &= ~WBFLAG_PAM_KRB5;
+
+			if (domain) {
+				state->inhibit_retry = true;
+				subreq = wb_domain_request_send(state,
+							winbind_event_context(),
+							domain,
+							state->request);
+				if (!subreq) {
+					tevent_req_nterror(req,
+							   NT_STATUS_NO_MEMORY);
+					return;
+				}
+				tevent_req_set_callback(subreq,
+						winbindd_pam_auth_done, req);
+				return;
+			}
+		}
+	}
 	tevent_req_done(req);
 }
 
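Review bot: `state->flags` in `&& (state->flags & WBFLAG_PAM_KRB5)` does not exist: the struct in the first hunk has only `request`, `response` and `inhibit_retry`, so this will not compile as posted. The flags being tested live on the request, as the later `uint32_t flags = request->flags;` and `state->request->flags &= ~WBFLAG_PAM_KRB5;` show, so it should read `state->request->flags & WBFLAG_PAM_KRB5`. Second, the `parse_domain_user()` failure path calls `tevent_req_post()` after `tevent_req_nterror()`; this is a completion callback, not the `_send` function, and the two other error returns in the same function (`map_nt_error_from_unix(err)` above and `NT_STATUS_NO_MEMORY` below) do not post, so drop the `tevent_req_post()` for consistency. Third, `WBFLAG_PAM_CONTACT_TRUSTDOM` is cleared only on the local `flags` copy passed to `find_auth_domain()`, while `state->request->flags`, which is what `wb_domain_request_send()` actually sends to the chosen child, still carries it; say whether that is intentional or clear it there as well. Finally, `state->request->flags &= ~WBFLAG_PAM_KRB5;` runs even when `find_auth_domain()` returns NULL and no retry happens; moving it inside `if (domain)` leaves the request untouched on the no-reroute path.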
-- 
1.7.12.4


