[PATCH] ADS changes for joining accounts w/o full Administrator rights

Andrew Bartlett abartlet at samba.org
Tue Feb 11 22:16:54 GMT 2003

On Wed, 2003-02-12 at 05:55, Antti Andreimann wrote:
> Ühel kenal päeval (teisipäev, 11. veebruar 2003 13:39) kirjutas Andrew 
> Bartlett:
> > > I'm not quite convinced about this.  I'm quite willing (but see below)
> > > to apply the rest of this patch, but I'll need a good explanation of
> > > what this patch does.
> Well, It's purely because our internal needs but I think this could be useful 
> for other people as well.
> Consider the following situation:
> You have a kerberos realm that holds all the user accounts (COMPANY.COM)
> Now You have an ADS server (AD.INTERNAL) that is set up to trust that realm. 
> All users are replicated in ADS, but their passwords remain in kerberos. This 
> is the standard method of getting kerberos and AD to play nicely with each 
> other.
> Now if I configure samba to use ADS It should be configured to be part of the 
> realm AD.INTERNAL right? Therefore all users from COMPANY.COM are considered 
> as being from foreign realm and their usernames take a form like 
> "COMPANY.COM/username". This would be OK, if those users are in fact from 
> foreign realm, but in this kind of configuration where You are using kerberos 
> for authentication and AD merely acts as a bridge for Windows users, You want 
> Your Linux server to be part of the main kerberos realm (COMPANY.COM) and use 
> normal usernames (username instead of COMPANY.COM\username).
> You cannot configure samba to be part of COMPANY.COM realm because in this 
> case samba tells clients that they should obtain tickets like 
> servername$@COMPANY.COM that Your primary kerberos is likely not to grant and 
> also Windows clients will actually ignore this and ask the ticket from AD 
> kerberos anyway. So the best way in my opinion is to add a configuration 
> option that allows one to define additional realms that are considered 
> "local", that is when a user from that realm connects, the realm is not added 
> to the username. This is what my patch does. In addition to checking if 
> incoming user is from primary realm (defined in smb.conf as realm = 
> SOMETHING) it also checks if it is from one of the realms mentioned via 
> "local realms" configuration option.
> Ok, this could also be achieved by Samba to Unix user mapping table (smbusers) 
> but it will be a massive administrative overhead if You have to maintain 
> those tables on all samba servers.

I think we need to do a few things here:  
 - We should record the principal name we joined with, and only ever
send that to our clients.
 - We should look into the 'winbind use default domain' thing before 3.0
gets out of alpha, and possibly change it to 'default domain = foo'.

> > > We need patches to be against current CVS - the patch does not apply
> > > cleanly at present.
> I am really sorry about this. I do not have direct access to CVS from work. I 
> know it's bad in the long run anyway so Im working on resolving that issue 
> but until it's not resolved I'm sitting kinda in darkness.
> > I've cleaned up the patch (attached, for reference), and removed the
> > session-setup changes for now.
> Thanx a lot. I owe You one ;)
> > need two copies.  Also, you need to be careful to copy the attribution
> I gave it some thought and I decided to duplicate the code for two reasons. 
> I'm just not that familiar with samba code, maybe those issues can be 
> resolved in a snap and in this case the duplication is of course needless.
> 1. The prototype generator does not generate prototypes for functions that 
> return krb5_error so I would of had to add the decalration into ads.h or 
> wherever manually. This I think breaks the spirit of sambas' header files 
> since I hardly saw any function prototypes in headers and I was too much of a 
> wuss to change the prototype generation script, since who knows what other 
> prototypes will get generated if I add krb5_error to the list ;)

All global functions in Samba should be correctly prototyped.  You do
however need to watch out for platforms that don't run kerberos - you
should add a typedef from krb5_error to somthing harmless, or better
still look into our ADS_ERROR stuff (partly created for exactly this
kind of thing).  Returning an ADS_ERROR would probably be the best
solution here.

> 2. At least one client program (I do not remember which) was not linked 
> against libads. Maybe it should be, but since it was the first one I tried to 
> link and it failed, I backed off on trying to make kerberos_prompter global.

Well, I don't think this is sufficient reason not to do this properly. 
Duplicated code *will* break as two slightly different versions emerge. 

> > with the code.  You may also add your personal copyright, if you feel
> > that way inclined.
> I'm sorry again. I'ts entirely my fault. I did some cleanups in comments like 
> the mentioning of correct internet drafts in kpasswd code and I guess I just 
> blindly removed the last two lines of comments before kerberos_prompter, 
> without looking at the author's notice. Sorry.

Also make sure you check the copyright at the top of each file.  

> As You could see I did not add any copyright lines of my own and I do not plan 
> to, since those are only minor improvements and I can give the entire 
> copyright up to the samba project.

That is up you you,

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030212/1d97db26/attachment.bin

More information about the samba-technical mailing list