RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Mon Nov 16 15:27:11 UTC 2015


On 13/11/15 21:35, Andrew Bartlett wrote:
> On Fri, 2015-11-13 at 15:20 +0000, Noel Power wrote:
>>
[...]
>> t want to waste time on an unacceptable solution, any ideas?
>> well I didn't have any extra inspiration (and a customer bug
>> associated
>> with 3.6.x to do with this issue) so I ran with the possibly
>> unacceptable solution. Please find the attached patch, it seems to
>> work
>> fine but..., anyway would be really great to get some feedback/advice
>> etc.
> Very interesting.  When I read this before I saw the idea of using
> extra_data, but I assumed it was just on the reply, not modifying to
> request.  Now I understand why you were so worried.
>
> The main issue is that this is client-controlled data, the client could
> put the same thing in there.  Assuming no better place to put this,
> please ensure that the extra_data and WBFLAG_PREVIOUS_KRB5_ERROR is
> unconditionally wiped at the entry-point. 
Thanks a lot for the comments and advice Andrew, so ok... updated the
patch with above in mind. But the patch currently only deals with
samlogon when falling back from kerberos; the old logic used to deal
with samlogon more generically and would reroute even if kerberos was
not involved. With that in mind I attach a second patch to handle
non-primary domain samlogon requests in general (and return "more
processing required" to the parent for those too). I would like to squash
the 2 patches but of course I would like to see if anyone would object
to that.

thanks,
Noel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-If-samlogon-for-trusted-child-domain-user-fails-atte.patch
Type: text/x-patch
Size: 6437 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151116/f4a437c2/0001-If-samlogon-for-trusted-child-domain-user-fails-atte.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-indicate-more-processing-required-for-all-non-primar.patch
Type: text/x-patch
Size: 1964 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151116/f4a437c2/0002-indicate-more-processing-required-for-all-non-primar.bin>
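The review point above (a flag and an extra_data field that the daemon wants to reuse as internal state also arrive in the client-controlled request, so they must be wiped unconditionally at the entry point) is illustrated by the following added example. It is not code from the attached patches or from Samba/winbind; the struct, the constants (REQ_FLAG_INTERNAL_PREV_KRB5_ERROR, REQ_INTERNAL_FLAGS) and the function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed request layout: the client fills in flags, user, domain and
 * extra_data. The daemon wants to reuse one flag bit plus extra_data to
 * remember that a previous Kerberos attempt failed and a fallback is in
 * progress. Anything a client can set must therefore be cleared before the
 * daemon's own logic reads it. */
#define REQ_FLAG_CLIENT_EXAMPLE            0x0001u
#define REQ_FLAG_INTERNAL_PREV_KRB5_ERROR  0x8000u /* internal only */
#define REQ_INTERNAL_FLAGS (REQ_FLAG_INTERNAL_PREV_KRB5_ERROR)

struct samlogon_request {
    uint32_t flags;
    char user[64];
    char domain[64];
    char extra_data[128];
};

/* Entry point sanitizer: runs on exactly what arrived from the client, before
 * any other code inspects the request. Returns how many fields had to be
 * cleaned so that callers (or tests) can observe attempted tampering. */
int sanitize_request_at_entry(struct samlogon_request *req)
{
    int cleaned = 0;

    if (req->flags & REQ_INTERNAL_FLAGS) {
        req->flags &= ~REQ_INTERNAL_FLAGS;   /* drop internal-only bits */
        cleaned++;
    }
    if (req->extra_data[0] != '\0') {
        memset(req->extra_data, 0, sizeof(req->extra_data)); /* daemon-owned scratch */
        cleaned++;
    }
    return cleaned;
}

/* Internal reroute path: only the daemon itself sets the marker, and only
 * after sanitize_request_at_entry() has already run on this request. */
void mark_previous_krb5_failure(struct samlogon_request *req, const char *reason)
{
    req->flags |= REQ_FLAG_INTERNAL_PREV_KRB5_ERROR;
    snprintf(req->extra_data, sizeof(req->extra_data), "%s", reason);
}

bool should_reroute(const struct samlogon_request *req)
{
    return (req->flags & REQ_FLAG_INTERNAL_PREV_KRB5_ERROR) != 0;
}

/* Handler for a request as received from the client. Returns true only if
 * the reroute path would be taken on client-supplied data, which the
 * sanitizer is meant to make impossible. */
bool handle_client_request(struct samlogon_request *req)
{
    sanitize_request_at_entry(req);
    return should_reroute(req);
}

int main(void)
{
    /* Constructed request in which a client has pre-set the internal flag
     * and filled extra_data, trying to trigger the fallback directly. */
    struct samlogon_request req;
    memset(&req, 0, sizeof(req));
    req.flags = REQ_FLAG_CLIENT_EXAMPLE | REQ_FLAG_INTERNAL_PREV_KRB5_ERROR;
    snprintf(req.user, sizeof(req.user), "user1");
    snprintf(req.domain, sizeof(req.domain), "CHILD");
    snprintf(req.extra_data, sizeof(req.extra_data), "client-supplied");

    printf("reroute on client data: %s\n",
           handle_client_request(&req) ? "yes (bug)" : "no");

    /* The daemon's own fallback sets the marker after sanitizing. */
    mark_previous_krb5_failure(&req, "krb5 failed");
    printf("reroute after internal marking: %s\n",
           should_reroute(&req) ? "yes" : "no");
    return 0;
}
```

The point of the design is that the sanitizer is unconditional and sits at the single entry point, so every later consumer of the flag and extra_data can trust that whatever it sees was set by the daemon itself.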