RFC Reroute samlogon for trusted child domain user if samlogon fails

Andrew Bartlett abartlet at samba.org
Fri Nov 13 21:35:32 UTC 2015


On Fri, 2015-11-13 at 15:20 +0000, Noel Power wrote:
> On 03/11/15 13:33, Noel Power wrote:
> [...]
> > I've modified my wip patch with that (and also now indicate further
> > processing is needed a little more explicitly as I found a more
> > suitable
> > NTSTATUS to use
> > >  We still need to keep the handling of
> > > LOGON_KRB5_FAIL_CLOCK_SKEW.
> > I didn't notice this, <sigh> this makes things difficult and I need
> > some
> > advice on how to proceed. The problem now is that  krb5 auth
> > happens in
> > the winbindd(trusted domain) child and the samlogon happens in the
> > other
> > winbindd(primary) child, the samlogon needs access to the krb5
> > error
> > status from the winbind(trusted domain) child, getting that error
> > to the
> > parent is easy enough (assuming my reuse of the reject_reason
> > response
> > member is ok) However trying to transfer that error status from the
> > parent to the primary domain winbind child doesn't seem easily
> > achieved
> > ( I thought of using the extra data field in the request and
> > introducing
> > some new flag to indicate to use that ) However... that seems ugly
> > and I
> > don't want to waste time on an unacceptable solution, any ideas?
> well I didn't have any extra inspiration (and a customer bug
> associated
> with 3.6.x to do with this issue) so I ran with the possibly
> unacceptable solution. Please find the attached patch, it seems to
> work
> fine but..., anyway would be really great to get some feedback/advice
> etc.

Very interesting.  When I read this before I saw the idea of using
extra_data, but I assumed it was just on the reply, not modifying the
request.  Now I understand why you were so worried.

The main issue is that this is client-controlled data; the client could
put the same thing in there.  Assuming no better place to put this,
please ensure that the extra_data and WBFLAG_PREVIOUS_KRB5_ERROR are
unconditionally wiped at the entry-point.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
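The concern raised in the reply above, as an added illustration that is not part of this thread or of Samba's code: a request field that the winbindd parent reuses to carry internal state to a child is also writable by any client, so the client-facing entry point has to strip it unconditionally before the parent decides whether to attach it. The struct, the flag values and the NTSTATUS payload below are constructed stand-ins; only the names extra_data and WBFLAG_PREVIOUS_KRB5_ERROR come from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed flag values for this example; Samba's real values differ. */
#define WBFLAG_PAM_KRB5              0x00000001u
#define WBFLAG_PREVIOUS_KRB5_ERROR   0x80000000u   /* flag proposed in the thread, value assumed */
#define WB_INTERNAL_ONLY_FLAGS       (WBFLAG_PREVIOUS_KRB5_ERROR)

/* Simplified stand-in for a winbindd request; not Samba's real struct. */
struct wb_request {
    uint32_t flags;
    uint32_t extra_len;
    char    *extra_data;   /* heap-allocated payload owned by the request */
};

/* Client-facing entry point: unconditionally drop state that only the
 * parent is allowed to attach when relaying a request to a child.
 * Nothing here depends on what the client claims about the request. */
void wb_request_sanitize(struct wb_request *req)
{
    req->flags &= ~WB_INTERNAL_ONLY_FLAGS;
    free(req->extra_data);
    req->extra_data = NULL;
    req->extra_len = 0;
}

/* Parent side: attach the trusted-domain child's krb5 status before
 * relaying the (already sanitized) request to the primary-domain child.
 * Returns false if the payload could not be allocated. */
bool wb_request_set_previous_krb5_error(struct wb_request *req, uint32_t ntstatus)
{
    char *buf = malloc(sizeof ntstatus);
    if (buf == NULL) {
        return false;
    }
    memcpy(buf, &ntstatus, sizeof ntstatus);
    free(req->extra_data);
    req->extra_data = buf;
    req->extra_len = sizeof ntstatus;
    req->flags |= WBFLAG_PREVIOUS_KRB5_ERROR;
    return true;
}

/* Primary-domain child: consume the relayed status only when the flag is
 * set and the payload has exactly the expected size. */
bool wb_request_get_previous_krb5_error(const struct wb_request *req,
                                        uint32_t *ntstatus_out)
{
    if (!(req->flags & WBFLAG_PREVIOUS_KRB5_ERROR)) {
        return false;
    }
    if (req->extra_data == NULL || req->extra_len != sizeof *ntstatus_out) {
        return false;
    }
    memcpy(ntstatus_out, req->extra_data, sizeof *ntstatus_out);
    return true;
}

/* Demonstration: a request built the way a client could send it, with the
 * internal-only flag and a payload already filled in. Returns true when the
 * sanitizer stripped the injected state but kept the legitimate flag. */
bool demo_client_cannot_inject(void)
{
    static const char injected[] = "injected";        /* constructed client payload */
    struct wb_request req = { .flags = WBFLAG_PAM_KRB5 | WBFLAG_PREVIOUS_KRB5_ERROR };
    req.extra_data = malloc(sizeof injected);
    if (req.extra_data == NULL) {
        return false;
    }
    memcpy(req.extra_data, injected, sizeof injected);
    req.extra_len = sizeof injected;

    wb_request_sanitize(&req);

    uint32_t st = 0;
    bool leaked = wb_request_get_previous_krb5_error(&req, &st);
    bool pam_flag_kept = (req.flags & WBFLAG_PAM_KRB5) != 0;
    free(req.extra_data);
    return !leaked && pam_flag_kept;
}
```

The split matters: wb_request_sanitize runs on every request from the socket, whereas wb_request_set_previous_krb5_error is only ever called by the parent on its internal path to a child, so the flag can never arrive at the primary-domain child with a value the client chose.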