[PATCH] Fix bug #9039 'map untrusted to domain' treats WORKSTATION as bogus domain.
Jeremy Allison
jra at samba.org
Wed Feb 27 15:44:37 MST 2013
On Thu, Feb 28, 2013 at 09:38:10AM +1100, Andrew Bartlett wrote:
> On Fri, 2013-02-22 at 17:02 -0800, Jeremy Allison wrote:
> > This bug was caused as a side effect of commit
> > dc3a90cf21813526854c12db126d08ebf32f8ae5
> > which explicitly removes our global sam name
> > from the list of trusted domains (which was the
> > correct thing to do), but caused this undesirable
> > side-effect.
> >
> > Here's my assessment from the bug report:
> >
> > -------------------------------------------
> > Absolutely correct! It's a side effect of commit
> > dc3a90cf21813526854c12db126d08ebf32f8ae5 for sure.
> >
> > The only other place this is used is in:
> >
> > source3/rpc_server/netlogon/srv_netlog_nt.c where we have:
> >
> > 1666 /* If we don't know what this domain is, we need to
> > 1667 indicate that we are not authoritative. This
> > 1668 allows the client to decide if it needs to try
> > 1669 a local user. Fix by jpjanosi at us.ibm.com, #2976 */
> > 1670 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
> > 1671 && !strequal(nt_domain, get_global_sam_name())
> > 1672 && !is_trusted_domain(nt_domain) )
> > 1673 *r->out.authoritative = false; /* We are not
> > authoritative */
> >
> > Your change adds the same check. I'll get this reviewed and in master.
> > -------------------------------------------
> >
> > Can I get a second reviewer please !
>
> As I've said on IRC, I think this is the wrong layer. The main issue is
> that is_trusted_domain() is the wrong thing to do on the member server.
> We need to honour that flag as returned by the DC.
>
> The issue with is_trusted_domain() is that it has to hit up winbind for
> what it thinks is the list of trusted domains, which can be incomplete,
> as I understand it, whereas the DC knows for sure.
Yeah, but this change isn't modifying the is_trusted_domain() check.
If you want to fix that up generically in the rest of the code I'll
certainly approve and help review, but that isn't this patch.
This one is simply fixing a local check.
Jeremy
More information about the samba-technical
mailing list