RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Fri Nov 13 15:20:29 UTC 2015


On 03/11/15 13:33, Noel Power wrote:
[...]
> I've modified my WIP patch with that (and also now indicate that further
> processing is needed a little more explicitly, as I found a more suitable
> NTSTATUS to use).
>>  We still need to keep the handling of
>> LOGON_KRB5_FAIL_CLOCK_SKEW.
> I didn't notice this, <sigh>; this makes things difficult and I need some
> advice on how to proceed. The problem now is that krb5 auth happens in
> the winbindd (trusted domain) child and the samlogon happens in the other
> winbindd (primary) child; the samlogon needs access to the krb5 error
> status from the winbindd (trusted domain) child. Getting that error to the
> parent is easy enough (assuming my reuse of the reject_reason response
> member is OK). However, trying to transfer that error status from the
> parent to the primary domain winbindd child doesn't seem easily achieved
> (I thought of using the extra data field in the request and introducing
> some new flag to indicate to use that). However... that seems ugly and I
> don't want to waste time on an unacceptable solution. Any ideas?
Well, I didn't have any extra inspiration (and there is a customer bug associated
with 3.6.x to do with this issue), so I ran with the possibly
unacceptable solution. Please find the attached patch; it seems to work
fine, but... anyway, it would be really great to get some feedback/advice etc.

Thanks a lot,
Noel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-If-samlogon-for-trusted-child-domain-user-fails-atte.patch
Type: text/x-patch
Size: 5702 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151113/db92e21b/0001-If-samlogon-for-trusted-child-domain-user-fails-atte.bin>
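As an added illustration for readers of this archive (not code from Samba, and not the attached patch, which is not reproduced on this page), here is a constructed Python model of the control flow the mail describes: the trusted-domain child tries krb5, its own samlogon fails, it hands a "further processing needed" status plus the krb5 reason up to the parent via reject_reason, and the parent reroutes the samlogon to the primary child with the krb5 status carried in the request's extra data under a new flag. The class names, the FORWARD_KRB5 flag, the MORE_PROCESSING status and the way the clock-skew reason is returned next to a successful samlogon are all assumptions of this model; the real NTSTATUS values and the real winbindd request layout are not on this page.

```python
"""Constructed model of the samlogon reroute discussed in this thread.
Illustration only, not Samba code: names, flags and the MORE_PROCESSING
status are assumptions standing in for whatever the real patch uses."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, Optional, Set, Tuple


class Status(Enum):
    OK = auto()
    KRB5_CLOCK_SKEW = auto()    # stands in for the LOGON_KRB5_FAIL_CLOCK_SKEW case
    NO_LOGON_SERVERS = auto()   # the child's own DC cannot serve the samlogon
    WRONG_PASSWORD = auto()
    MORE_PROCESSING = auto()    # hypothetical "further processing needed" marker


FORWARD_KRB5 = "forward_krb5_status"   # hypothetical request flag (assumption)

# Constructed directory: (domain, user) -> password, reachable over the trust.
DIRECTORY: Dict[Tuple[str, str], str] = {("CHILD", "alice"): "s3cret"}


@dataclass
class Request:
    user: str
    domain: str
    password: str
    flags: Set[str] = field(default_factory=set)
    extra_data: Dict[str, Status] = field(default_factory=dict)


@dataclass
class Response:
    status: Status
    # Reused to carry the krb5 failure reason to the parent, as the mail
    # proposes for the reject_reason member.
    reject_reason: Optional[Status] = None


class DomainChild:
    """One winbindd domain child: krb5 first, then samlogon against its DC."""

    def __init__(self, domain: str, krb5_result: Status, dc_reachable: bool):
        self.domain = domain
        self.krb5_result = krb5_result    # configured outcome of the krb5 attempt
        self.dc_reachable = dc_reachable

    def samlogon(self, req: Request) -> Status:
        if not self.dc_reachable:
            return Status.NO_LOGON_SERVERS
        ok = DIRECTORY.get((req.domain, req.user)) == req.password
        return Status.OK if ok else Status.WRONG_PASSWORD

    def handle(self, req: Request) -> Response:
        forwarded = FORWARD_KRB5 in req.flags
        # A rerouted request must not redo krb5: it reuses the status the
        # trusted-domain child already obtained and the parent passed along.
        krb5 = req.extra_data["krb5_status"] if forwarded else self.krb5_result
        if krb5 is Status.OK:
            return Response(Status.OK)
        sam = self.samlogon(req)
        if sam is Status.NO_LOGON_SERVERS and not forwarded:
            # Ask the parent to reroute, handing the krb5 reason up with it.
            return Response(Status.MORE_PROCESSING, reject_reason=krb5)
        if sam is Status.OK and krb5 is Status.KRB5_CLOCK_SKEW:
            # Password was right, but the skew must still reach the caller;
            # otherwise the fallback silently masks a misconfigured clock.
            return Response(Status.OK, reject_reason=Status.KRB5_CLOCK_SKEW)
        return Response(sam)


class Parent:
    """The winbindd parent: dispatches to children and performs the reroute."""

    def __init__(self, primary: DomainChild, trusted: DomainChild):
        self.primary = primary
        self.children = {primary.domain: primary, trusted.domain: trusted}

    def authenticate(self, req: Request) -> Response:
        resp = self.children[req.domain].handle(req)
        if resp.status is not Status.MORE_PROCESSING:
            return resp
        rerouted = Request(req.user, req.domain, req.password,
                           flags=req.flags | {FORWARD_KRB5},
                           extra_data={**req.extra_data,
                                       "krb5_status": resp.reject_reason})
        return self.primary.handle(rerouted)


def build_forest() -> Parent:
    primary = DomainChild("PRIMARY", krb5_result=Status.OK, dc_reachable=True)
    # Trusted child domain: krb5 fails on clock skew and its own DC cannot
    # serve the samlogon, so the parent has to reroute to the primary child.
    trusted = DomainChild("CHILD", krb5_result=Status.KRB5_CLOCK_SKEW,
                          dc_reachable=False)
    return Parent(primary, trusted)


def demo() -> Tuple[Response, Response]:
    parent = build_forest()
    good = parent.authenticate(Request("alice", "CHILD", "s3cret"))
    bad = parent.authenticate(Request("alice", "CHILD", "wrong"))
    return good, bad
```

The point the model makes explicit is the one the quoted reply raises: once the samlogon moves to a different child, the krb5 error has to travel parent -> primary child too, or the clock-skew case is lost and a wrong clock looks like a clean NTLM fallback.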
