s3:winbindd: fix endless forest trust scan
authorStefan Metzmacher <metze@samba.org>
Thu, 2 Mar 2017 07:13:57 +0000 (08:13 +0100)
committerRalph Boehme <slow@samba.org>
Thu, 2 Mar 2017 16:53:14 +0000 (17:53 +0100)
Commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b effectively
disabled the enumeration of trusts in other forests.

The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
changed the way we fill domain->domain_flags for domains
in other forests.

Commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6 readded the
ability to enumerate trusts of other forests again, in order to
fix https://bugzilla.samba.org/show_bug.cgi?id=11830

Now we have the problem that multiple domains
(even outside of our forest) are considered to be
our forest root, as they have the following flags:
NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12605

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar  2 17:53:14 CET 2017 on sn-devel-144

source3/winbindd/winbindd_ads.c
source3/winbindd/winbindd_util.c

index 05ef2ecd0c6c79674c02be8b9c42e01a3e97c3d6..cde9099b14d0f89fc35bf50c2531cd69fc22269a 100644 (file)
@@ -1133,6 +1133,14 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                        }
                        TALLOC_FREE(parent);
 
+                       /*
+                        * We need to pass the modified properties
+                        * to the caller.
+                        */
+                       trust->trust_flags = d.domain_flags;
+                       trust->trust_type = d.domain_type;
+                       trust->trust_attributes = d.domain_trust_attribs;
+
                        wcache_tdc_add_domain( &d );
                        ret_count++;
                }
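Review bot: The comment on the added assignments says "modified properties" without saying where `d` was modified or why the copy-back matters, and the modification itself is above the hunk (trusted_domains' body starts and continues outside it), so a reader landing here cannot tell which fields differ from what `trust` already held. Suggest making the intent explicit, e.g. `/* d.domain_flags/domain_type/domain_trust_attribs may have been adjusted above (apparently by the parent lookup); copy them back so the caller and the tdc cache entry added below agree. */`. If only domain_flags is actually changed above, say so and drop the other two from the wording rather than implying all three can differ.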
index ffcb09d66f79bfc907b204c7a3329882b2fbd150..ab6862dc973786ef5f3127e075e0c9c6be124ea6 100644 (file)
@@ -342,6 +342,20 @@ static void trustdom_list_done(struct tevent_req *req)
        char *p;
        struct winbindd_tdc_domain trust_params = {0};
        ptrdiff_t extra_len;
+       bool within_forest = false;
+
+       /*
+        * Only when we enumerate our primary domain
+        * or our forest root domain, we should keep
+        * the NETR_TRUST_FLAG_IN_FOREST flag, in
+        * all other cases we need to clear it as the domain
+        * is not part of our forest.
+        */
+       if (state->domain->primary) {
+               within_forest = true;
+       } else if (domain_is_forest_root(state->domain)) {
+               within_forest = true;
+       }
 
        res = wb_domain_request_recv(req, state, &response, &err);
        if ((res == -1) || (response->result != WINBINDD_OK)) {
@@ -427,6 +441,14 @@ static void trustdom_list_done(struct tevent_req *req)
 
                trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
 
+               if (!within_forest) {
+                       trust_params.trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST;
+               }
+
+               if (!state->domain->primary) {
+                       trust_params.trust_flags &= ~NETR_TRUST_FLAG_PRIMARY;
+               }
+
                /*
                 * We always call add_trusted_domain() cause on an existing
                 * domain structure, it will update the SID if necessary.
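Review bot: In the first hunk `within_forest` is built from two separate branches that assign the same value, which reads as if the two cases were treated differently; a single initializer is clearer and removes the mutable local, `bool within_forest = state->domain->primary || domain_is_forest_root(state->domain);`. In the second hunk only NETR_TRUST_FLAG_IN_FOREST is masked for out-of-forest domains while NETR_TRUST_FLAG_TREEROOT is left as received; given the commit message says the bug was domains carrying both flags, this presumably relies on domain_is_forest_root requiring both, which is not visible here, so a one-line comment on the mask would help, e.g. `/* TREEROOT is deliberately kept: a foreign forest root is still a tree root, it just must not be IN_FOREST for us. */`. The flags being masked come from the remote listing, so this clearing is what keeps a remote peer from asserting membership in our forest; that is worth stating in the existing comment block rather than leaving it implied. trustdom_list_done's body continues outside both hunks.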