2.2.0 pass thru validation

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Wed May 9 16:17:11 GMT 2001


Hi Gerald,

I think we're all missing the point a bit here - when samba is in security = domain mode, it is emulating a MEMBER server in the NT domain, NOT the PDC.  So for us to change the code to do what a PDC would do seems wrong to me.
Indeed, if you login to your NT workstation with your workstation name as the domain (or are in another domain than the pdc), if you try to connect to the PDC, the pdc WILL fallback to seeing if the username is in its OWN domain with the correct password.
BUT - if you try to attach to a (for instance Advanced Server for Unix) MEMBER server in a domain other than your own in this fashion, that member server will behave precisely as Samba does; it will NOT try its own domain name after it receives the rpc replies etc. from the PDC, but instead will come up and require you to enter a domainname\username password pair that is valid.
So based on this, I would say that Samba in DOMAIN level security is behaving appropriately.

Note that in SERVER level security, where we are actually trying to log on on behalf of the client, you DO get the behavior that the pdc 'falls back' to trying in its own domain, if your login request had a different domain in it.  I think this behavior is basically the difference between using the netlogon requests as opposed to the rpc sequence that a member server uses in authenticating a client.

It would be NICE if we added this functionality (fallback) that an NT member server does not provide, but if we do, I would suggest that we make it smb.conf configurable, so that it doesn't break anything else (i.e. a client/pdc thinking it's talking to a member server, but getting 'aberrant' behavior - something else may depend on this....)

I apologize; I had to use HP-UX's AS/U as the member server (AT&T Advanced Server base, like Netlink) because I didn't have an NT server I could put into the domain as an NT member server.  But its behavior in this scenario was consistent with what Samba does in security=domain mode.

Hope this helps,
Don
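As an added illustration (not Samba code, and not anything Don or Jerry posted), here is a small Python model of the two behaviors under discussion: a member server validating only the domain\user the client sent, versus the smb.conf-style fallback switch Don proposes. The account table, the RPC stand-in and the parameter name allow_domain_fallback are constructed assumptions.

```python
"""Model of pass-through validation with an optional DOMAIN\\USER fallback.
Constructed example; it does not reproduce Samba's actual password.c logic."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for the PDC's account database: (domain, user) -> password.
# A real member server hands the credentials to the DC over RPC; nothing here
# touches a network.
PDC_ACCOUNTS = {
    ("DOMAIN", "mike"): "s3cret",
    ("DOMAIN", "gerald"): "hunter2",
}


@dataclass
class Result:
    ok: bool
    validated_as: Optional[str]
    attempts: List[str] = field(default_factory=list)


def dc_validate(domain: str, user: str, password: str) -> bool:
    """Stand-in for the RPC round trip to the PDC (constructed)."""
    return PDC_ACCOUNTS.get((domain.upper(), user.lower())) == password


def validate_passthrough(client_domain: str, user: str, password: str,
                         server_domain: str,
                         allow_domain_fallback: bool = False) -> Result:
    """Member-server behaviour: try exactly the domain\\user the client sent.
    With allow_domain_fallback=True (hypothetical smb.conf-style switch),
    retry once as SERVER_DOMAIN\\user when the client supplied a different
    domain, e.g. its own machine name."""
    candidates = [client_domain]
    # Skip the retry when the client already named our domain, so a wrong
    # password is not sent to the DC twice for the same account.
    if allow_domain_fallback and client_domain.upper() != server_domain.upper():
        candidates.append(server_domain)
    attempts: List[str] = []
    for dom in candidates:
        principal = f"{dom.upper()}\\{user}"
        attempts.append(principal)
        if dc_validate(dom, user, password):
            # Report the principal the DC actually accepted, not the one the
            # client typed, so audit logs name the real account.
            return Result(ok=True, validated_as=principal, attempts=attempts)
    return Result(ok=False, validated_as=None, attempts=attempts)
```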

-----Original Message-----
From: Gerald Carter [mailto:gcarter at valinux.com]
Sent: Wednesday, May 09, 2001 10:30 AM
To: Mike Black
Cc: samba-technical at samba.org
Subject: Re: 2.2.0 pass thru validation


On Wed, 09 May 2001 05:14:37 Mike Black wrote:
>
> When a user is logged into the domain there's no problem.
> The user is validated as DOMAIN/USER. However, when they login
> to their local machine the samba server tries
> only to verify MACH/USER on the domain controller.

This is what the client passes to it.

> Shouldn't it then fall-thru to DOMAIN/USER if MACH/USER fails?
> 
> I changed password.c to use our domain name instead of 
> the passed-in client domain name. I'm sure that it just 
> needs another call after trying MACH/USER to then try 
> DOMAIN/USER but I couldn't quite figure out which variable
> held the domain name.

I don't know.  This kind of sounds like a reasonable change.
Is this what an NT PDC does?  I seem to remember so.
What does everyone else think?


cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
