winbind: make sure we don't contact trusted domains via LDAP as AD DC
authorStefan Metzmacher <metze@samba.org>
Fri, 2 Feb 2018 15:55:01 +0000 (16:55 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 23 Feb 2018 11:47:25 +0000 (12:47 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/winbindd/idmap_ad.c
source3/winbindd/winbindd_ads.c

index 315a9444a19ae16f66d1cdf899c567d31504bd99..15304109a2d610864f8ed30526b793e907c63093 100644 (file)
@@ -532,6 +532,17 @@ static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
        struct idmap_ad_context *ctx = NULL;
        NTSTATUS status;
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we never try to use LDAP against
+                * a trusted domain as AD_DC.
+                *
+                * This shouldn't be called currently,
+                * but you never know what happens in future.
+                */
+               return NT_STATUS_REQUEST_NOT_ACCEPTED;
+       }
+
        if (dom->private_data != NULL) {
                *pctx = talloc_get_type_abort(dom->private_data,
                                              struct idmap_ad_context);
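Review bot: The refusal in the new `if (IS_AD_DC)` block is silent — the function returns NT_STATUS_REQUEST_NOT_ACCEPTED with no DEBUG output, so if the case the comment calls "shouldn't be called currently" ever does occur, nothing in the winbindd log points at this early return and the caller only sees a generic failure. A one-line diagnostic before the return, e.g. `DEBUG(1, ("idmap_ad_get_context: refusing LDAP connection for domain %s as AD DC\n", dom->name));` (assuming `struct idmap_domain` exposes the domain name as `dom->name`, as the rest of the idmap code appears to), would make the condition observable. The same silent early return appears in ads_idmap_cached_connection and ads_cached_connection in winbindd_ads.c, whereas the sequence_number hunk in that file does log. The comment here also spells `AD_DC` where the winbindd_ads.c comments write `AD DC`; one spelling would be better. idmap_ad_get_context's body continues beyond the hunk.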
index c330b9202c887e40bdfd2c3bae0cd1906ab5ea53..725fa4ff97776a5dccb7a6ca3425b65b109f0756 100644 (file)
@@ -159,6 +159,14 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
        struct winbindd_domain *wb_dom;
        ADS_STATUS status;
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we never try to use LDAP against
+                * a trusted domain as AD DC.
+                */
+               return ADS_ERROR_NT(NT_STATUS_REQUEST_NOT_ACCEPTED);
+       }
+
        ads_cached_connection_reuse(adsp);
        if (*adsp != NULL) {
                return ADS_SUCCESS;
@@ -231,6 +239,14 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
        ADS_STATUS status;
        char *password, *realm;
 
+       if (IS_AD_DC) {
+               /*
+                * Make sure we never try to use LDAP against
+                * a trusted domain as AD DC.
+                */
+               return NULL;
+       }
+
        DEBUG(10,("ads_cached_connection\n"));
        ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
 
@@ -1309,6 +1325,13 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32_t *seq)
                return NT_STATUS_OK;
        }
 
+       if (IS_AD_DC) {
+               DEBUG(10,("sequence: Avoid LDAP connection for domain %s\n",
+                         domain->name));
+               *seq = time(NULL);
+               return NT_STATUS_OK;
+       }
+
        *seq = DOM_SEQUENCE_NONE;
 
        ads = ads_cached_connection(domain);
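Review bot: `*seq = time(NULL);` in the sequence_number hunk stores a time_t into a uint32_t through an implicit narrowing conversion; an explicit `*seq = (uint32_t)time(NULL);` documents the truncation and keeps -Wconversion quiet. Because the value advances every second, cache entries compared against this sequence number for a trusted domain will presumably be treated as stale at each refresh, which looks deliberate here (no LDAP-backed sequence is available on an AD DC) but reads like a placeholder next to the `DOM_SEQUENCE_NONE` assignment just below. A short comment at the assignment, e.g. `/* no LDAP sequence number as AD DC; a changing value keeps cache entries refreshing */`, would spare the next reader from wondering whether DOM_SEQUENCE_NONE was meant instead. sequence_number's body starts before the hunk.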