RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Thu Dec 17 09:49:33 UTC 2015


Hi,

On 27/11/15 11:02, Noel Power wrote:
> On 17/11/15 14:13, Noel Power wrote:
>> On 16/11/15 19:34, Noel Power wrote:
>>> On 16/11/15 18:47, Andrew Bartlett wrote:
[...]
>>>>> But the patch currently only deals with
>>>>> samlogon when falling back from kerberos, the old logic used to deal
>>>>> with samlogon more generically and would reroute even if kerberos was
>>>>> not involved, with that in mind I attach a second patch to handle
>>>>> non-primary domain samlogon requests in general (and return more
>>>>> processing required to the parent for those too, I would like to squash
>>>>> the 2 patches but of course I would like to see if anyone would object
>>>>> to that
>>>> How would we get in this situation if we are not doing krb5?  The only
>>>> other cases I can think of is NTLM in an AD DC trust situation, with
>>>> non-mesh trusts or on an RODC, but it would be better if we routed those
>>>> correctly upfront.
>> [...]
>>
>>>  however I am not really familiar with this stuff
>>> and can easily have missed something (or made a wrong assumption)
>> ok, I missed entirely the role that WBFLAG_PAM_CONTACT_TRUSTDOM plays
>> (despite using it in the patch) sorry for the noise
> patch is more or less the same as the previous (only a slight change in
> a comment) only deals with the krb5 samlogon fallback case, is there
> something else needed?  (I hope I've addressed the previous review
> comments sufficiently)
Any chance someone can review this, or tell me what else I need to do,
or even say if it isn't worth pursuing (but let me know at least why if
that is the case)

thanks,
Noel


