[PATCH] Fix bug #9039 'map untrusted to domain' treats WORKSTATION as bogus domain.

Andrew Bartlett abartlet at samba.org
Wed Feb 27 16:15:24 MST 2013


On Fri, 2013-02-22 at 17:02 -0800, Jeremy Allison wrote:
> This bug was caused as a side effect of commit
> dc3a90cf21813526854c12db126d08ebf32f8ae5
> which explicitly removes our global sam name
> from the list of trusted domains (which was the
> correct thing to do), but caused this undesirable
> side-effect.
> 
> Here's my assessment from the bug report:
> 
> -------------------------------------------
> Absolutely correct! It's a side effect of commit
> dc3a90cf21813526854c12db126d08ebf32f8ae5 for sure.
> 
> The only other place this is used is in:
> 
> source3/rpc_server/netlogon/srv_netlog_nt.c where we have:
> 
>                 /* If we don't know what this domain is, we need to
>                    indicate that we are not authoritative.  This
>                    allows the client to decide if it needs to try
>                    a local user.  Fix by jpjanosi at us.ibm.com, #2976 */
>                 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
>                      && !strequal(nt_domain, get_global_sam_name())
>                      && !is_trusted_domain(nt_domain) )
>                         *r->out.authoritative = false; /* We are not authoritative */
> 
> Your change adds the same check. I'll get this reviewed and in master.
> -------------------------------------------

Jeremy,

So, putting aside the point about checking the trusted domains with the
DC, or trying to use our list, it is entirely reasonable that we should
NEVER ask a DC about one of our own names.  

However, both my_sam_name and get_global_sam_name() seem wrong -
shouldn't we be checking the full list of netbios aliases?  Otherwise,
don't we end up back where we were, just on an alias, rather than on the
netbios name?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
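
Added example (not part of the original message and not Samba code): a simplified model of the check suggested above, in which a client-supplied domain is compared against the server's NetBIOS name and every alias before it can be treated as an unknown domain. All names, lists and the route_client_domain() helper are hypothetical, and treating an empty domain as unknown is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Constructed sample configuration; every name here is hypothetical. */
static const char *const OWN_NETBIOS_NAME = "WORKSTATION";
static const char *const OWN_ALIASES[] = { "FILESRV", "PRINTSRV", NULL };
static const char *const TRUSTED_DOMAINS[] = { "CORP", "PARTNER", NULL };

enum domain_route {
    ROUTE_LOCAL_SAM,      /* one of our own names: never ask a DC */
    ROUTE_TRUSTED_DOMAIN, /* known domain: pass through unchanged */
    ROUTE_MAP_TO_PRIMARY  /* unknown domain: candidate for remapping */
};

/* Case-insensitive membership test over a NULL-terminated list. */
static int in_list(const char *name, const char *const *list)
{
    for (size_t i = 0; list[i] != NULL; i++) {
        if (strcasecmp(name, list[i]) == 0)
            return 1;
    }
    return 0;
}

/* Own-name check covering the primary name and every alias. */
static int is_own_name(const char *domain)
{
    return strcasecmp(domain, OWN_NETBIOS_NAME) == 0 ||
           in_list(domain, OWN_ALIASES);
}

/* Own names are tested first so they can never fall through to remapping. */
enum domain_route route_client_domain(const char *domain)
{
    if (domain == NULL || domain[0] == '\0')
        return ROUTE_MAP_TO_PRIMARY; /* assumption: empty means unknown */
    if (is_own_name(domain))
        return ROUTE_LOCAL_SAM;
    if (in_list(domain, TRUSTED_DOMAINS))
        return ROUTE_TRUSTED_DOMAIN;
    return ROUTE_MAP_TO_PRIMARY;
}

int main(void)
{
    const char *samples[] = { "WORKSTATION", "filesrv", "CORP", "BOGUS" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%s -> %d\n", samples[i], (int)route_client_domain(samples[i]));
    return 0;
}
```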
