trusted domains patch n+3

Simo Sorce simo.sorce at xsec.it
Sat Sep 7 00:11:01 GMT 2002


Ok, that was clear, what I want to ask is: why should we try to log on a
user that provides bad information? Shouldn't we simply deny it with an
error? How does NT behave in such situations?

Simo.

On Sat, 2002-09-07 at 00:42, Andrew Bartlett wrote:
> Rafal Szczesniak wrote:
> > 
> > On Fri, Sep 06, 2002 at 05:01:25PM +0200, Simo Sorce wrote:
> > > On Fri, 2002-09-06 at 16:37, Rafal Szczesniak wrote:
> > > > On Fri, Sep 06, 2002 at 04:42:53PM +0200, Simo Sorce wrote:
> > > > >
> > > > > What are you trying to do there?
> > > > > Why should we replace a domain name with another???
> > > >
> > > > For instance, when lp_allow_trusted_domains() is set to false,
> > > > then the user's domain name should be replaced with our domain name.
> > > > Authentication modules will then look for the username in our domain's
> > > > SAM instead of querying trusted domains.
> > >
> > > Can you explain to me why we should not simply fail?
> > 
> > In case of ?
> 
> OK, time for an explanation:
> 
> We can receive all sorts of things in the 'domain' field from a client. 
> Mostly it's their current domain.  If we are a standalone server, or
> don't trust the domain they supplied, then we replace it with our own
> for authentication.  
> 
> Similarly if we are not using trusted domains at all - then every login
> gets changed to our local domain.  
> 
> However, some parts of the code (NTLMv2 in particular) need the original
> domain, so we keep that around.
> 
> Does that make a bit more sense?
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
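
Added illustration, not part of the original thread and not Samba code: a sketch of the domain mapping described in the quoted explanation, and of why NTLMv2 needs the client-supplied domain (per MS-NLMP, the domain string is an input to the NTLMv2 response key). The names map_domain, UserInfo and verify_ntlmv2 are hypothetical, and the hash, challenge and blob are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class UserInfo:
    username: str
    client_domain: str   # exactly as sent by the client; NTLMv2 needs it
    domain: str          # mapped domain used to pick the account database

def map_domain(username, client_domain, our_domain, allow_trusted, trusted):
    """Hypothetical helper: use our own domain unless the supplied one is trusted."""
    if allow_trusted and client_domain.upper() in trusted:
        mapped = client_domain
    else:
        mapped = our_domain
    return UserInfo(username, client_domain, mapped)

def ntlmv2_proof(nt_hash, username, domain, server_challenge, blob):
    """NTProofStr per MS-NLMP: the domain string feeds the response key."""
    identity = (username.upper() + domain).encode("utf-16-le")
    response_key = hmac.new(nt_hash, identity, hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()

def verify_ntlmv2(info, nt_hash, server_challenge, blob, proof, use_client_domain=True):
    """Recompute the proof with either the original or the mapped domain."""
    domain = info.client_domain if use_client_domain else info.domain
    expected = ntlmv2_proof(nt_hash, info.username, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)

def demo():
    # Constructed sample values, not taken from any real exchange.
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    challenge = bytes.fromhex("0123456789abcdef")
    blob = b"\x01\x01" + b"\x00" * 26
    # A client in workgroup "OFFICE" logs on to standalone server "FILESRV".
    proof = ntlmv2_proof(nt_hash, "alice", "OFFICE", challenge, blob)
    info = map_domain("alice", "OFFICE", "FILESRV", allow_trusted=False, trusted=set())
    ok_original = verify_ntlmv2(info, nt_hash, challenge, blob, proof, True)
    ok_mapped = verify_ntlmv2(info, nt_hash, challenge, blob, proof, False)
    return info.domain, ok_original, ok_mapped

if __name__ == "__main__":
    print(demo())
```

The account lookup uses the mapped domain, while the response check only succeeds when the domain string the client actually sent is used.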


More information about the samba-technical mailing list