CVS update: samba/source/auth

Andrew Bartlett abartlet at samba.org
Tue Jul 1 03:02:39 GMT 2003


On Tue, 2003-07-01 at 06:45, jerry at samba.org wrote:
> Date:	Mon Jun 30 20:45:13 2003
> Author:	jerry
> 
> Update of /data/cvs/samba/source/auth
> In directory dp.samba.org:/tmp/cvs-serv29095/auth
> 
> Modified Files:
>       Tag: SAMBA_3_0
> 	auth_domain.c auth_util.c 
> Log Message:

> * Get_Pwnam() should always fall back to the username (minus domain name)
>   even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
>   if 'user' exists in the local list of accounts (on domain members w/o
>   winbind)

Is this secure?  It certainly looks like it matches 2.2 - so it
certainly has to stay like that for the defaults, but this means there
are now 2 different access systems for the same account.  

When we get the rest of this mess sorted out, we might want to look at
some parameter to control this, and what domains to allow to map to
unqualified names.  (This would work well with 'winbind use default
domain' too, where the 'default domain' might not be the domain we
joined).

Anyway, thanks for catching this one - I'm amazed how much 3.0 has
evolved since 2.2, which has certainly changed a few too many 'expected
behaviours'.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030701/df1d3861/attachment.bin


More information about the samba-technical mailing list