WBFLAG_PAM_CONTACT_TRUSTDOM ???

Gerald (Jerry) Carter jerry at samba.org
Sun Sep 10 23:08:02 GMT 2006



Volker Lendecke wrote:
> On Sun, Sep 10, 2006 at 07:30:39AM -0500, Gerald (Jerry) Carter wrote:
>> You didn't answer the problem about the policy settings.
> 
> Do I understand it correctly that this is to enforce bad
> password count lockout in the winbind offline case?

No. This is to enforce things like password policy expiration
times.  The old code would apply the password expiration
policy for our domain to trusted users.

> I could imagine that this is something we can not support
> fully. If I remember correctly then samr_opendomain gives
> access denied if we connect anonymously. Do you have a sniff
> where this works if we log on to the trusted domain using
> our workstation account's kerberos ticket?

I'll go back and check tomorrow.

> Sure, rescan_trusted_domains is something "our" DC has to
> answer, so the winbind child for our domain is the correct
> one to ask.

No.  You're not listening.  The child for our domain
only has BUILTIN, LOCALMACHINE, and DOMAIN in the domain_list.
This is because the child is forked in order to answer the
initial getTrustedDomains request by the parent.  The child
needs to obtain the password policy from the trusted DC
when a user from the trusted domain logs on even if the
authentication is handled by our DC.

Here's my example:

* box is a member of AD
* AD has a two way trust with COLOR
* COLOR\gcarter logs in to the member server via ssh.
* The password policy for AD (no expire) is applied to
  COLOR\gcarter even though the password expiry in
  COLOR is set to 30 days.

> If you do the authentication the way it's currently done,
> then the following happens: Trusted and direct logins step
> on each other's netlogon credentials chain, so whenever the
> domain a user comes from changes, a full
> reqchal/auth2/schannel-bind round has to be done, which is
> not really optimal.

Sure.  I understand.  I'll go back and run the test and
if necessary fix it so that we get the policy from the
correct domain.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
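The policy mix-up Jerry describes, as an added illustration that is not code from the thread or from Samba: a deliberately simplified model in which `POLICIES` stands in for the per-domain policy a winbind child would fetch from each DC, `expired_old` applies the joined domain's policy to every user, and `expired_fixed` looks the policy up by the user's own domain. Names, dates and policies are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the policy each DC would hand back:
# our AD domain never expires passwords, COLOR expires them after 30 days.
POLICIES = {
    "AD": {"max_password_age": None},
    "COLOR": {"max_password_age": timedelta(days=30)},
}


def split_domain_user(name):
    """'COLOR\\gcarter' -> ('COLOR', 'gcarter'); domain names compare case-insensitively."""
    domain, sep, user = name.partition("\\")
    if not sep or not domain or not user:
        raise ValueError(f"expected DOMAIN\\user, got {name!r}")
    return domain.upper(), user


def password_expired(policy, pwd_last_set, now):
    """True when the domain enforces a maximum age and the password is older than it."""
    max_age = policy["max_password_age"]
    return max_age is not None and (now - pwd_last_set) > max_age


def expired_old(name, pwd_last_set, now, our_domain="AD"):
    """Old behaviour: the policy of the domain we are joined to is applied to everyone,
    so a trusted user silently inherits AD's 'no expire' setting."""
    split_domain_user(name)  # validate the name, but ignore the user's domain
    return password_expired(POLICIES[our_domain], pwd_last_set, now)


def expired_fixed(name, pwd_last_set, now):
    """Fixed behaviour: the policy comes from the domain the user actually belongs to."""
    domain, _ = split_domain_user(name)
    if domain not in POLICIES:
        raise KeyError(f"no policy for trusted domain {domain}")
    return password_expired(POLICIES[domain], pwd_last_set, now)


if __name__ == "__main__":
    now = datetime(2006, 9, 10, tzinfo=timezone.utc)
    last_set = now - timedelta(days=45)  # constructed: password set 45 days ago
    print("old :", expired_old("COLOR\\gcarter", last_set, now))    # False (wrong)
    print("fixed:", expired_fixed("COLOR\\gcarter", last_set, now))  # True
    print("fixed:", expired_fixed("AD\\jerry", last_set, now))       # False
```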