[PATCH] Fix bug #9039 'map untrusted to domain' treats WORKSTATION as bogus domain.

Andrew Bartlett abartlet at samba.org
Wed Feb 27 16:01:22 MST 2013


On Wed, 2013-02-27 at 23:47 +0100, Michael Adam wrote:
> On 2013-02-28 at 09:38 +1100, Andrew Bartlett wrote:
> > On Fri, 2013-02-22 at 17:02 -0800, Jeremy Allison wrote:
> > > This bug was caused as a side effect of commit
> > > dc3a90cf21813526854c12db126d08ebf32f8ae5
> > > which explicitly removes our global sam name
> > > from the list of trusted domains (which was the
> > > correct thing to do), but caused this undesirable
> > > side-effect.
> > > 
> > > Here's my assessment from the bug report:
> > > 
> > > -------------------------------------------
> > > Absolutely correct! It's a side effect of commit
> > > dc3a90cf21813526854c12db126d08ebf32f8ae5 for sure.
> > > 
> > > The only other place this is used is in:
> > > 
> > > source3/rpc_server/netlogon/srv_netlog_nt.c where we have:
> > > 
> > >         /* If we don't know what this domain is, we need to
> > >            indicate that we are not authoritative.  This
> > >            allows the client to decide if it needs to try
> > >            a local user.  Fix by jpjanosi at us.ibm.com, #2976 */
> > >         if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
> > >              && !strequal(nt_domain, get_global_sam_name())
> > >              && !is_trusted_domain(nt_domain) )
> > >                 *r->out.authoritative = false; /* We are not authoritative */
> > > 
> > > Your change adds the same check. I'll get this reviewed and in master.
> > > -------------------------------------------
> > > 
> > > Can I get a second reviewer please!
> > 
> > As I've said on IRC, I think this is the wrong layer.  The main issue is
> > that is_trusted_domain() is the wrong thing to do on the member server.
> > We need to honour that flag as returned by the DC.
> > 
> > The issue with is_trusted_domain() is that it has to hit up winbind for
> > what it thinks is the list of trusted domains, which can be incomplete,
> > as I understand it, whereas the DC knows for sure. 
> 
> And there is also the case where winbindd is not even running...
> 
> While I agree that the right fix for a whole set of problems
> is on a different layer, I think this patch does not make the
> situation worse: Its only change is that on a member server
> the netbios host name (as domain prefix) is not mapped to the
> domain. This is correct and the change is imho OK at this level.
> A band aid but still OK. Let's fix the bigger picture later on

The other thing this hits is users logging in with a userPrincipalName.
As I understand it, the domain parts of those don't always align with
the list of 'trusted domains'.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



