From: Stefan Metzmacher Date: Wed, 29 Nov 2017 15:02:28 +0000 (+0100) Subject: winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration X-Git-Tag: samba-4.8.0rc1~37 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=b4e1e3019a1475cb8c1e3ab9314693d6ed130923;p=samba.git winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml new file mode 100644 index 00000000000..31afdc92b53 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml @@ -0,0 +1,29 @@ + + + + This option only takes effect when the option is set to + domain or ads. + If it is set to yes (the default), winbindd periodically tries to scan for new + trusted domains and adds them to a global list inside of winbindd. + The list can be extracted with wbinfo --trusted-domains --verbose. + This matches the behaviour of Samba 4.7 and older. + + The construction of that global list is not reliable and often + incomplete in complex trust setups. In most situations the list is + not needed any more for winbindd to operate correctly. + E.g. for plain file serving via SMB using a simple idmap setup + with autorid, tdb or ad. + However some more complex setups require the list, e.g. + if you specify idmap backends for specific domains. + Some pam_winbind setups may also require the global list. + + If you have a setup that doesn't require the global list, you should set + no. + + + +yes + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index a18407d9c07..f26545963d6 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\"); lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True"); lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 582c8756ffa..f1f453e7ef1 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -822,6 +822,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL); Globals.winbind_refresh_tickets = false; Globals.winbind_offline_logon = false; + Globals.winbind_scan_trusted_domains = true; Globals.idmap_cache_time = 86400 * 7; /* a week by default */ Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */ diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index d9700701741..53267374be0 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -1363,6 +1363,10 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx, smb_nscd_flush_user_cache(); smb_nscd_flush_group_cache(); + if (!lp_winbind_scan_trusted_domains()) { + scan_trusts = false; + } + if (!lp_allow_trusted_domains()) { scan_trusts = false; }