RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Fri Nov 27 11:02:17 UTC 2015


On 17/11/15 14:13, Noel Power wrote:
> On 16/11/15 19:34, Noel Power wrote:
>> On 16/11/15 18:47, Andrew Bartlett wrote:
[...]
>>> This is looking better.  Can you please just tweak:
>>>
>>> +	/* Clear previous error flag and associated data*/
>>> +	request->flags &= ~WBFLAG_PREVIOUS_KRB5_ERROR;
>>> +	request->extra_len = 0;
>>> +	request->extra_data.data = NULL;
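Review bot: the comment above `request->flags &= ~WBFLAG_PREVIOUS_KRB5_ERROR;` should say that this flag is internal to winbind and why a stale value must not survive into the rerouted request, otherwise the reason for the reset is lost; `request->extra_data.data = NULL;` drops the pointer without releasing whatever it referenced, so confirm the buffer is owned elsewhere or free it before clearing. Minor: `data*/` needs a space before `*/`.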
>>>
>>> This hunk to explain why it is so important to do that.  Otherwise, in
>>> a few years time we will forget this little detail.  It needs to say
>>> that this in an internal flag (and rename the flag to be _INTERNAL_).
>>>
>> ok no problem, I can rework that, will send a new version tomorrow
> please see updated patch
>>>> But the patch currently only deals with
>>>> samlogon when falling back from kerberos, the old logic used to deal
>>>> with samlogon more generically and would reroute even if kerberos was
>>>> not involved, with that in mind I attach a second patch to handle
>>>> non-primary domain samlogon requests in general (and return more
>>>> processing required to the parent for those too, I would like to
>>>> squash the 2 patches but of course I would like to see if anyone would
>>>> object to that
>>> How would we get in this situation if we are not doing krb5?  The only
>>> other cases I can think of are NTLM in an AD DC trust situation, with
>>> non-mesh trusts or on an RODC, but it would be better if we routed those
>>> correctly upfront.
> [...]
>
>>  however I am not really familiar with this stuff
>> and can easily have missed something (or made a wrong assumption)
> ok, I missed entirely the role that WBFLAG_PAM_CONTACT_TRUSTDOM plays
> (despite using it in the patch), sorry for the noise
The patch is more or less the same as the previous one (only a slight change
in a comment); it only deals with the krb5 samlogon fallback case. Is there
something else needed?  (I hope I've addressed the previous review
comments sufficiently.)


thanks again

Noel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-If-samlogon-for-trusted-child-domain-user-fails-atte.patch
Type: text/x-diff
Size: 6604 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151127/1ab16379/0001-If-samlogon-for-trusted-child-domain-user-fails-atte.diff>