winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644 (file)
index 0000000..31afdc9
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+    This option only takes effect when the <smbconfoption name="security"/> option is set to
+    <constant>domain</constant> or <constant>ads</constant>.
+    If it is set to yes (the default), winbindd periodically tries to scan for new
+    trusted domains and adds them to a global list inside of winbindd.
+    The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+    This matches the behaviour of Samba 4.7 and older.</para>
+
+    <para>The construction of that global list is not reliable and often
+    incomplete in complex trust setups. In most situations the list is
+    not needed any more for winbindd to operate correctly.
+    E.g. for plain file serving via SMB using a simple idmap setup
+    with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+    However some more complex setups require the list, e.g.
+    if you specify idmap backends for specific domains.
+    Some pam_winbind setups may also require the global list.</para>
+
+    <para>If you have a setup that doesn't require the global list, you should set
+    <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+    </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a18407d9c071b3513f8e2d04c2e9da1a3d1f8e3b..f26545963d664c9b7b316f1e379d2cbf9529a5a4 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
        lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+       lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
        lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
        lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
        lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 582c8756ffa874d807745e83eb32371b0a3bf478..f1f453e7ef15b5cd55cd068970421122c2af345b 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -822,6 +822,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
        Globals.winbind_refresh_tickets = false;
        Globals.winbind_offline_logon = false;
+       Globals.winbind_scan_trusted_domains = true;
 
        Globals.idmap_cache_time = 86400 * 7; /* a week by default */
        Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */

diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index d97007017412c4c37a8f79e857fa879800974cac..53267374be044ed1b0e70c838de8f730ccc6fd45 100644 (file)
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1363,6 +1363,10 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx,
        smb_nscd_flush_user_cache();
        smb_nscd_flush_group_cache();
 
+       if (!lp_winbind_scan_trusted_domains()) {
+               scan_trusts = false;
+       }
+
        if (!lp_allow_trusted_domains()) {
                scan_trusts = false;
        }