[PATCH 1/2] s3-auth: fix force user for AD user
abartlet at samba.org
Sun Jan 5 15:37:19 MST 2014
On Tue, 2013-12-17 at 21:59 +0100, Andreas Schneider wrote:
> On Wednesday 18 December 2013 09:52:20 Andrew Bartlett wrote:
> > On Tue, 2013-12-17 at 16:20 +0100, Andreas Schneider wrote:
> > > On Saturday 14 December 2013 07:37:52 Andrew Bartlett wrote:
> > > > > Günther and I are working on it. Here is our WIP branch:
> > > > >
> > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_u
> > > > > ser
> > > >
> > > > This looks like a much better approach!
> > >
> > > Hi Andrew,
> > >
> > > here is the proposed patchset:
> > >
> > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/force_user
> > >
> > > I will run 'make test' but this should work. Could you please take another
> > > look?
> > The main issue I see is that this new (great!) codepath is called for
> > users from /etc/passwd, not just users from winbind forced in via force
> > user. See the callers in auth_unix.c and user_krb5.c.
> Yes, that's correct. We follwed all codepath and checked what is happening and
> why. In user_krb5.c it is called if the information can't be found in the PAC.
> So it can be a local user or the information could be retrieved from winbind.
> And auth_unix.c is for a unix user. I've tested that and it works if I use a
> local user for 'force user'.
> That's also why me renamed the function cause we just have a passwd struct we
> convert ...
Have you tested with a local user and plaintext passwords? We really
should have a test environment for that, and for krb5 but without
winbind (mapping to local user). I'm not at all convinced the patch is
correct for those cases, but I can be persuaded.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical