RFC Reroute samlogon for trusted child domain user if samlogon fails

Jeremy Allison jra at samba.org
Fri Oct 30 17:24:49 UTC 2015


On Fri, Oct 30, 2015 at 04:55:04PM +0000, Noel Power wrote:
> On 30/10/15 16:01, Noel Power wrote:
> > On 30/10/15 10:29, Noel Power wrote:
> >> Hi,
> >>
> >> revisiting the issue turned up in previous 'winbindd crash' thread
> >>
> >> On 22/10/15 12:03, Stefan Metzmacher wrote:
> >>
> >>> Hi Noel,
> >>>
> >> [...]
> >>
> >>> I think what we really need is a way to return to the parent and have
> >>> the fallback logic there,
> >>> the parent should then re-route to the correct domain child by clearing
> >>> WBFLAG_PAM_CONTACT_TRUSTDOM
> >>> before calling find_auth_domain().
> >> something like the patch attached? is this the correct direction/approach?
> >>
> > let's forget about this for the moment, I need to rethink some things
> >
> ok here we go again, some little changes (to avoid calling kerberos a
> second time) I think there must be a better way to transfer that the
> netlogon pipe access failed than the current status check, be interested
> to hear if anyone has any ideas (but perhaps my approach is bogus anyway??)
> 
> Interestingly we lose potentially interesting information with this
> regression, e.g. When a user account is disabled because we never get to
> successfully fall back to samlogon we miss the nice information it gives
> like NT_STATUS_ACCOUNT_DISABLED and thus on the command line e.g.
> ssh/pam just repeatedly prompts for the password and gives up with no
> info, /var/log/messages just has a cryptic
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO error. Note: previously logon failures
> in this scenario would print "Your account is disabled, contact a
> sysadmin blah blah" after each password enter

Missing patch, Noel?


