[PATCH] ADS changes for joining accounts w/o full Administrator
rights
Andrew Bartlett
abartlet at samba.org
Tue Feb 11 22:16:54 GMT 2003
On Wed, 2003-02-12 at 05:55, Antti Andreimann wrote:
> Ühel kenal päeval (teisipäev, 11. veebruar 2003 13:39) kirjutas Andrew
> Bartlett:
> > > I'm not quite convinced about this. I'm quite willing (but see below)
> > > to apply the rest of this patch, but I'll need a good explanation of
> > > what this patch does.
>
> Well, It's purely because our internal needs but I think this could be useful
> for other people as well.
> Consider the following situation:
> You have a kerberos realm that holds all the user accounts (COMPANY.COM)
> Now You have an ADS server (AD.INTERNAL) that is set up to trust that realm.
> All users are replicated in ADS, but their passwords remain in kerberos. This
> is the standard method of getting kerberos and AD to play nicely with each
> other.
> Now if I configure samba to use ADS It should be configured to be part of the
> realm AD.INTERNAL right? Therefore all users from COMPANY.COM are considered
> as being from foreign realm and their usernames take a form like
> "COMPANY.COM/username". This would be OK, if those users are in fact from
> foreign realm, but in this kind of configuration where You are using kerberos
> for authentication and AD merely acts as a bridge for Windows users, You want
> Your Linux server to be part of the main kerberos realm (COMPANY.COM) and use
> normal usernames (username instead of COMPANY.COM\username).
> You cannot configure samba to be part of COMPANY.COM realm because in this
> case samba tells clients that they should obtain tickets like
> servername$@COMPANY.COM that Your primary kerberos is likely not to grant and
> also Windows clients will actually ignore this and ask the ticket from AD
> kerberos anyway. So the best way in my opinion is to add a configuration
> option that allows one to define additional realms that are considered
> "local", that is when a user from that realm connects, the realm is not added
> to the username. This is what my patch does. In addition to checking if
> incoming user is from primary realm (defined in smb.conf as realm =
> SOMETHING) it also checks if it is from one of the realms mentioned via
> "local realms" configuration option.
> Ok, this could also be achieved by Samba to Unix user mapping table (smbusers)
> but it will be a massive administrative overhead if You have to maintain
> those tables on all samba servers.
I think we need to do a few things here:
- We should record the principal name we joined with, and only ever
send that to our clients.
- We should look into the 'winbind use default domain' thing before 3.0
gets out of alpha, and possibly change it to 'default domain = foo'.
> > > We need patches to be against current CVS - the patch does not apply
> > > cleanly at present.
>
> I am really sorry about this. I do not have direct access to CVS from work. I
> know it's bad in the long run anyway so Im working on resolving that issue
> but until it's not resolved I'm sitting kinda in darkness.
>
> > I've cleaned up the patch (attached, for reference), and removed the
> > session-setup changes for now.
>
> Thanx a lot. I owe You one ;)
>
> > need two copies. Also, you need to be careful to copy the attribution
>
> I gave it some thought and I decided to duplicate the code for two reasons.
> I'm just not that familiar with samba code, maybe those issues can be
> resolved in a snap and in this case the duplication is of course needless.
> 1. The prototype generator does not generate prototypes for functions that
> return krb5_error so I would of had to add the decalration into ads.h or
> wherever manually. This I think breaks the spirit of sambas' header files
> since I hardly saw any function prototypes in headers and I was too much of a
> wuss to change the prototype generation script, since who knows what other
> prototypes will get generated if I add krb5_error to the list ;)
All global functions in Samba should be correctly prototyped. You do
however need to watch out for platforms that don't run kerberos - you
should add a typedef from krb5_error to somthing harmless, or better
still look into our ADS_ERROR stuff (partly created for exactly this
kind of thing). Returning an ADS_ERROR would probably be the best
solution here.
> 2. At least one client program (I do not remember which) was not linked
> against libads. Maybe it should be, but since it was the first one I tried to
> link and it failed, I backed off on trying to make kerberos_prompter global.
Well, I don't think this is sufficient reason not to do this properly.
Duplicated code *will* break as two slightly different versions emerge.
> > with the code. You may also add your personal copyright, if you feel
> > that way inclined.
>
> I'm sorry again. I'ts entirely my fault. I did some cleanups in comments like
> the mentioning of correct internet drafts in kpasswd code and I guess I just
> blindly removed the last two lines of comments before kerberos_prompter,
> without looking at the author's notice. Sorry.
Also make sure you check the copyright at the top of each file.
> As You could see I did not add any copyright lines of my own and I do not plan
> to, since those are only minor improvements and I can give the entire
> copyright up to the samba project.
That is up you you,
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030212/1d97db26/attachment.bin
More information about the samba-technical
mailing list