RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Tue Nov 3 13:33:39 UTC 2015


Hi Metz
On 30/10/15 17:04, Stefan Metzmacher wrote:
> Hi Noel,
>
>>> I think what we really need is a way to return to the parent and have
>>> the fallback logic there; the parent should then re-route to the correct
>>> domain child by clearing WBFLAG_PAM_CONTACT_TRUSTDOM
>>> before calling find_auth_domain().
>> Something like the patch attached? Is this the correct direction/approach?
> I think the WBFLAG_PAM_FALLBACK_AFTER_KRB5
>
>                 if (state->request->flags &
> WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
>                         DEBUG(3,("falling back to samlogon\n"));
>                         goto sam_logon;
>                 } else {
>                         goto cached_logon;
>                 }
>
> I think the goto sam_logon needs a check if the domain is the primary one;
> if not, we need to explicitly indicate to the parent that more processing
> is required.
I've modified my wip patch with that (and also now indicate that further
processing is needed a little more explicitly, as I found a more suitable
NTSTATUS to use).
>  We still need to keep the handling of
> LOGON_KRB5_FAIL_CLOCK_SKEW.
I didn't notice this, <sigh>; this makes things difficult and I need some
advice on how to proceed. The problem now is that krb5 auth happens in
the winbindd (trusted domain) child and the samlogon happens in the other
winbindd (primary) child; the samlogon needs access to the krb5 error
status from the winbind (trusted domain) child. Getting that error to the
parent is easy enough (assuming my reuse of the reject_reason response
member is ok). However, trying to transfer that error status from the
parent to the primary domain winbind child doesn't seem easily achieved
(I thought of using the extra data field in the request and introducing
some new flag to indicate to use that). However... that seems ugly and I
don't want to waste time on an unacceptable solution. Any ideas?

thanks
Noel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-If-samlogon-for-trusted-child-domain-user-fails-atte.patch
Type: application/mbox
Size: 3778 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151103/f31ca582/0001-If-samlogon-for-trusted-child-domain-user-fails-atte.mbox>