svn commit: samba r11574 - in trunk/source: auth include nsswitch rpc_client rpc_server rpcclient utils

Andrew Bartlett abartlet at samba.org
Tue Nov 8 10:47:54 GMT 2005


On Tue, 2005-11-08 at 06:19 +0000, jra at samba.org wrote:
> Author: jra
> Date: 2005-11-08 06:19:36 +0000 (Tue, 08 Nov 2005)
> New Revision: 11574
> 
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11574
> 
> Log:
> Adding Andrew Bartlett's patch to make machine account
> logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
> or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
> the auth module interface to 2 (from 1). The effect of this is
> that clients can access resources as a machine account if they
> set these flags. This is the same as Windows (think of a VPN
> where the vpn client authenticates itself to a VPN server
> using machine account credentials - the vpn server checks
> that the machine password was valid by performing a machine
> account check with the PDC in the same way as it would a
> user account check.)

> I may add in a restriction (parameter)
> to allow this behaviour to be turned off (as it was previously).
> That may be on by default.

While I can't oppose adding yet another parameter to the mix, I feel we
should allow these logins, both on a member server (ie set the bit) and
on the PDC (ie honour it) by default.

On the member server, we already allow machines to login if they do so
with kerberos.  I made that change (machines are people too!) before or
shortly after the 3.0 release.  As you mention above, it is also
required to run a VPN server (this is what started this) via Samba to a
windows domain for PEAP MSCHAPv2 authentication.  

On the PDC, this likewise matches Microsoft behaviour in AD domains.
(Win2k3 is what I've been testing against).  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
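Added example (not Samba code, and not part of the original message): a
small C model of the check described above, on both sides of the exchange.
The member server builds the logon_parameters word for its NetrLogonSamLogon
request, opting in to machine-account logons via the two MSV1_0 flags; the
PDC then decides whether an account whose ACB bits mark it as a workstation
or server trust account may log on, and refuses interdomain trust accounts
outright. The MSV1_0_*, ACB_* and NT_STATUS_* values are the standard
definitions; everything else (the function names, the `struct logon_policy`
switch modelling the parameter jra said he might add, and the sample
accounts in main) is assumed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Logon parameter flags the client puts in NetrLogonSamLogon (MSV1_0_*). */
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT      0x0020u
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x0800u

/* Account control bits (ACB_*) as stored for the account in the passdb. */
#define ACB_DISABLED 0x0001u
#define ACB_NORMAL   0x0010u
#define ACB_DOMTRUST 0x0040u   /* interdomain trust account */
#define ACB_WSTRUST  0x0080u   /* workstation trust (machine) account */
#define ACB_SVRTRUST 0x0100u   /* server trust (BDC) account */

/* NTSTATUS values returned on refusal. */
#define NT_STATUS_OK                                 0x00000000u
#define NT_STATUS_ACCOUNT_DISABLED                   0xC0000072u
#define NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT  0xC0000198u
#define NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT  0xC0000199u
#define NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT       0xC000019Au

/* Hypothetical DC-side switch standing in for the parameter jra proposed.
 * true reproduces the pre-r11574 behaviour: machine accounts never log on,
 * whatever flags the client sets. */
struct logon_policy {
    bool refuse_machine_accounts;
};

/* Member-server side: build logon_parameters for the request. The two
 * MSV1_0 flags are only set when the caller explicitly wants machine
 * account logons (e.g. a VPN server doing PEAP/MSCHAPv2 for a machine). */
uint32_t build_logon_parameters(uint32_t base_flags, bool allow_machine)
{
    uint32_t params = base_flags;
    if (allow_machine) {
        params |= MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
                  MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
    }
    return params;
}

/* PDC side: may an account with these ACB bits log on, given the flags the
 * member server sent? Password validation is assumed to happen elsewhere. */
uint32_t check_trust_account_logon(const struct logon_policy *pol,
                                   uint32_t logon_parameters,
                                   uint32_t acct_ctrl)
{
    if (acct_ctrl & ACB_DISABLED)
        return NT_STATUS_ACCOUNT_DISABLED;

    /* Interdomain trust accounts are never usable for a SamLogon. */
    if (acct_ctrl & ACB_DOMTRUST)
        return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;

    if (acct_ctrl & ACB_WSTRUST) {
        if (pol->refuse_machine_accounts ||
            !(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT))
            return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
    }

    if (acct_ctrl & ACB_SVRTRUST) {
        if (pol->refuse_machine_accounts ||
            !(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT))
            return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
    }

    return NT_STATUS_OK;   /* normal users, or opted-in machine accounts */
}

int main(void)
{
    /* Constructed sample: a VPN server authenticating a workstation's
     * machine account against a PDC that honours the flags. */
    const struct logon_policy dc = { .refuse_machine_accounts = false };
    uint32_t vpn_params  = build_logon_parameters(0, true);
    uint32_t file_params = build_logon_parameters(0, false);

    printf("VPN server, machine account: 0x%08x\n",
           check_trust_account_logon(&dc, vpn_params, ACB_WSTRUST));
    printf("file server, machine account: 0x%08x\n",
           check_trust_account_logon(&dc, file_params, ACB_WSTRUST));
    printf("file server, normal user:     0x%08x\n",
           check_trust_account_logon(&dc, file_params, ACB_NORMAL));
    return 0;
}
```

The point to take from the model is that the member server has to opt in
per request and the PDC has to honour that bit: clear either side and a
machine account is refused exactly as before the change, while normal user
accounts are unaffected by the flags in all cases.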