[PATCH] Fix bug #9039 'map untrusted to domain' treats WORKSTATION as bogus domain.

Andrew Bartlett abartlet at samba.org
Wed Feb 27 16:15:24 MST 2013

On Fri, 2013-02-22 at 17:02 -0800, Jeremy Allison wrote:
> This bug was caused as a side effect of commit
> dc3a90cf21813526854c12db126d08ebf32f8ae5
> which explicitly removes our global sam name
> from the list of trusted domains (which was the
> correct thing to do), but caused this undesirable
> side-effect.
> Here's my assessment from the bug report:
> -------------------------------------------
> Absolutely correct! It's a side effect of commit
> dc3a90cf21813526854c12db126d08ebf32f8ae5 for sure.
> The only other place this is used is in:
> source3/rpc_server/netlogon/srv_netlog_nt.c where we have:
>                 /* If we don't know what this domain is, we need to
>                    indicate that we are not authoritative.  This
>                    allows the client to decide if it needs to try
>                    a local user.  Fix by jpjanosi at us.ibm.com, #2976 */
>                 if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
>                      && !strequal(nt_domain, get_global_sam_name())
>                      && !is_trusted_domain(nt_domain) )
>                         *r->out.authoritative = false; /* We are not authoritative */
> Your change adds the same check. I'll get this reviewed and in master.
> -------------------------------------------


So, putting aside the point about checking the trusted domains with the
DC, or trying to use our list, it is entirely reasonable that we should
NEVER ask a DC about one of our own names.  

However, both my_sam_name and get_global_sam_name() seem wrong -
shouldn't we be checking the full list of netbios aliases?  Otherwise,
don't we end up back where we were, just on an alias, rather than on the
netbios name?

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
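
The alias question raised in the message above, as an added example that is not Samba code and not part of the original thread: a self-contained model of the "is this one of our own names?" decision, comparing a primary-name-only check with one that also walks the alias list. All names, the sample configuration and the ASCII-only `strcasecmp` comparison are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <strings.h>

/* Constructed sample configuration; not taken from the thread. */
static const char *const PRIMARY_NAME = "FILESRV";
static const char *const ALIASES[] = { "FILES", "ARCHIVE", NULL };
static const char *const TRUSTED[] = { "CORP", NULL };

/* Case-insensitive membership test over a NULL-terminated list. */
static bool in_list(const char *name, const char *const *list)
{
    for (size_t i = 0; list[i] != NULL; i++) {
        if (strcasecmp(name, list[i]) == 0)
            return true;
    }
    return false;
}

/* Narrow check: only the primary name counts as "us". */
bool is_own_name_primary_only(const char *name)
{
    return strcasecmp(name, PRIMARY_NAME) == 0;
}

/* Wider check: the primary name or any configured alias counts as "us". */
bool is_own_name_with_aliases(const char *name)
{
    return is_own_name_primary_only(name) || in_list(name, ALIASES);
}

/*
 * True when the client-supplied domain is neither one of our own names
 * nor a trusted domain, i.e. it would be treated as an unknown domain.
 * The own-name predicate is passed in so both variants can be compared.
 */
bool treated_as_foreign(const char *domain, bool (*is_own)(const char *))
{
    return !is_own(domain) && !in_list(domain, TRUSTED);
}
```

With the narrow predicate, a logon that names the alias `FILES` is classified as an unknown domain, while the primary name is not; the wider predicate treats both as local.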
