[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha6-831-g5cd4b7b

Steven Danneman sdanneman at samba.org
Thu Feb 12 21:55:20 GMT 2009


The branch, master has been updated
       via  5cd4b7b7c03df6e896186d985b6858a06aa40b3f (commit)
      from  feec49d5cd07a69991d1bc6dc6325ecda21a19a8 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5cd4b7b7c03df6e896186d985b6858a06aa40b3f
Author: Steven Danneman <steven.danneman at isilon.com>
Date:   Thu Feb 12 13:01:45 2009 -0800

    s3: Added new parameter "map untrusted to domain"
    
    When enabled this reverts smbd to the legacy domain remapping behavior when
    a user provides an untrusted domain
    
    This partially reverts d8c54fdd

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt             |   23 +++++++++++++++++++++--
 source3/auth/auth_util.c |   12 ++++++++----
 source3/include/proto.h  |    2 ++
 source3/param/loadparm.c |   13 +++++++++++++
 source3/passdb/passdb.c  |   18 ++++++++++++++++++
 5 files changed, 62 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 65d226c..066f718 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -10,8 +10,27 @@ system at https://bugzilla.samba.org/.
 
 Major enhancements in Samba 3.4.0 include:
 
-o
-
+Authentication Changes:
+o Changed the way smbd handles untrusted domain names given during user
+  authentication
+
+Authentication Changes
+======================
+
+Previously, when Samba was a domain member and a client was connecting using an
+untrusted domain name, such as BOGUS\user smbd would remap the untrusted
+domain to the primary domain smbd was a member of and attempt authentication
+using that DOMAIN\user name.  This differed from how a Windows member server
+would behave.  Now, smbd will replace the BOGUS name with it's SAM name.  In
+the case where smbd is acting as a PDC this will be DOMAIN\user.  In the case
+where smbd is acting as a domain member server this will be WORKSTATION\user.
+Thus, smbd will never assume that an incoming user name which is not qualified
+with the same primary domain, is part of smbd's primary domain.
+
+While this behavior matches Windows, it may break some workflows which depended
+on smbd to always pass through bogus names to the DC for verification.  A new
+parameter "map untrusted to domain" can be enabled to revert to the legacy
+behavior.
 
 ######################################################################
 Reporting bugs & Development Discussion
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f942b2e..892e5c4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -226,14 +226,18 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 	if (!is_trusted_domain(domain) &&
 	    !strequal(domain, get_global_sam_name()) )
 	{
-		domain = get_global_sam_name();
-		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] on "
+		if (lp_map_untrusted_to_domain())
+			domain = my_sam_name();
+		else
+			domain = get_global_sam_name();
+		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
 			  "workstation [%s]\n",
 			  client_domain, domain, smb_name, wksta_name));
 	}
 
-	/* we know that it is a trusted domain (and we are allowing them) or it
-	 * is our domain */
+	/* We know that the given domain is trusted (and we are allowing them),
+	 * it is our global SAM name, or for legacy behavior it is our
+	 * primary domain name */
 
 	result = make_user_info(user_info, smb_name, internal_username,
 			      client_domain, domain, wksta_name,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 2365015..7ad063e 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4067,6 +4067,7 @@ bool lp_nt_status_support(void);
 bool lp_stat_cache(void);
 int lp_max_stat_cache_size(void);
 bool lp_allow_trusted_domains(void);
+bool lp_map_untrusted_to_domain(void);
 int lp_restrict_anonymous(void);
 bool lp_lanman_auth(void);
 bool lp_ntlm_auth(void);
@@ -4435,6 +4436,7 @@ bool sid_check_is_in_our_domain(const DOM_SID *sid);
 
 /* The following definitions come from passdb/passdb.c  */
 
+const char *my_sam_name(void);
 struct samu *samu_new( TALLOC_CTX *ctx );
 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd);
 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0dfbb09..a127ec5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -345,6 +345,7 @@ struct global {
 	struct param_opt_struct *param_opt;
 	int cups_connection_timeout;
 	char *szSMBPerfcountModule;
+	bool bMapUntrustedToDomain;
 };
 
 static struct global Globals;
@@ -1776,6 +1777,15 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= enum_kerberos_method,
 		.flags		= FLAG_ADVANCED,
 	},
+	{
+		.label		= "map untrusted to domain",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.bMapUntrustedToDomain,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED | FLAG_GLOBAL,
+	},
 
 
 	{N_("Logging Options"), P_SEP, P_SEPARATOR},
@@ -5053,6 +5063,8 @@ static void init_globals(bool first_time_only)
 	Globals.bRegistryShares = False;
 
 	Globals.iminreceivefile = 0;
+
+	Globals.bMapUntrustedToDomain = false;
 }
 
 /*******************************************************************
@@ -5351,6 +5363,7 @@ FN_GLOBAL_BOOL(lp_nt_status_support, &Globals.bNTStatusSupport)
 FN_GLOBAL_BOOL(lp_stat_cache, &Globals.bStatCache)
 FN_GLOBAL_INTEGER(lp_max_stat_cache_size, &Globals.iMaxStatCacheSize)
 FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains)
+FN_GLOBAL_BOOL(lp_map_untrusted_to_domain, &Globals.bMapUntrustedToDomain)
 FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
 FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
 FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index c526a17..95e5deb 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -27,6 +27,24 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_PASSDB
 
+/******************************************************************
+ Get the default domain/netbios name to be used when
+ testing authentication.
+
+ LEGACY: this function provides the legacy domain mapping used with
+	 the lp_map_untrusted_to_domain() parameter
+******************************************************************/
+
+const char *my_sam_name(void)
+{
+       /* Standalone servers can only use the local netbios name */
+       if ( lp_server_role() == ROLE_STANDALONE )
+               return global_myname();
+
+       /* Default to the DOMAIN name when not specified */
+       return lp_workgroup();
+}
+
 /**********************************************************************
 ***********************************************************************/
 


-- 
Samba Shared Repository


More information about the samba-cvs mailing list