RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Fri Oct 30 17:33:15 UTC 2015


On 30/10/15 17:24, Jeremy Allison wrote:
> On Fri, Oct 30, 2015 at 04:55:04PM +0000, Noel Power wrote:
>> On 30/10/15 16:01, Noel Power wrote:
>>> On 30/10/15 10:29, Noel Power wrote:
>>>> Hi,
>>>>
>>>> revisiting the issue turned up in previous 'winbindd crash' thread
>>>>
>>>> On 22/10/15 12:03, Stefan Metzmacher wrote:
>>>>
>>>>> Hi Noel,
>>>>>
>>>> [...]
>>>>
>>>>> I think what we really need is a way to return to the parent and have
>>>>> the fallback logic there,
>>>>> the parent should then re-route to the correct domain child by clearing
>>>>> WBFLAG_PAM_CONTACT_TRUSTDOM
>>>>> before calling find_auth_domain().
>>>> something like the patch attached ? is this the correct direction/approach ? 
>>>>
>>> let's forget about this for the moment, I need to rethink some things
>>>
>> ok here we go again, some little changes (to avoid calling kerberos a
>> second time) I think there must be a better way to transfer that the
>> netlogon pipe access failed than the current status check, be interested
>> to hear if anyone has any ideas (but perhaps my approach is bogus anyway??)
>>
>> Interestingly we lose potentially interesting information with this
>> regression, e.g. When a user account is disabled because we never get to
>> successfully fallback to samlogon we miss the nice information it gives
>> like NT_STATUS_ACCOUNT_DISABLED and thus on the command line e.g.
>> ssh/pam just repeatedly prompts for the password and gives up with no
>> info, /var/log/messages just has a cryptic
>> NT_STATUS_CANT_ACCESS_DOMAIN_INFO error. Note: previously logon failures
>> in this scenario would print "Your account is disabled, contact a
>> sysadmin blah blah" after each password entry
> Missing patch Noel ?
>
missing brain !!

Noel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-If-samlogon-for-trusted-child-domain-user-fails-atte.patch
Type: text/x-diff
Size: 2765 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151030/8e4ed504/0001-If-samlogon-for-trusted-child-domain-user-fails-atte.diff>
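The re-route Metze describes above (parent keeps the fallback, clears WBFLAG_PAM_CONTACT_TRUSTDOM and calls find_auth_domain() again) and the status-loss Noel points out can be seen in a small model. This is an added illustration written for this archive page, not code from Samba or from the attached patch: find_auth_domain(), child_samlogon(), the flag value and the two sample domains are stand-ins that mimic the routing the thread talks about, and the disabled "CHILD\alice" account is a constructed sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the parent-winbindd re-route discussed in the thread. Not Samba
 * code: helper names mirror the ones mentioned on the list, bodies are
 * simplified stand-ins. NT_STATUS values are the documented NTSTATUS codes;
 * the flag value is assumed for the illustration. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                      0x00000000u
#define NT_STATUS_ACCOUNT_DISABLED        0xC0000072u
#define NT_STATUS_CANT_ACCESS_DOMAIN_INFO 0xC00000DAu
#define WBFLAG_PAM_CONTACT_TRUSTDOM       0x00001000u   /* assumed value */

struct winbindd_domain {
    const char *name;
    bool primary;            /* our own domain */
    bool netlogon_reachable; /* can this domain's child open the netlogon pipe? */
};

struct auth_request {
    const char *domain;      /* domain part of DOMAIN\user */
    const char *user;
    bool account_disabled;   /* constructed sample: state of the account on the DC */
    uint32_t flags;
};

#define NDOMAINS 2
static struct winbindd_domain domains[NDOMAINS] = {
    { "CORP",  true,  true  },  /* primary domain, DC reachable */
    { "CHILD", false, false },  /* trusted child domain, netlogon pipe unreachable */
};

static int samlogon_calls; /* child round trips (the "second kerberos call" Noel wants to avoid) */

/* Child's samlogon: needs the netlogon pipe of the domain it owns. */
static NTSTATUS child_samlogon(const struct winbindd_domain *d, const struct auth_request *req)
{
    samlogon_calls++;
    if (!d->netlogon_reachable) return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
    if (req->account_disabled) return NT_STATUS_ACCOUNT_DISABLED;
    return NT_STATUS_OK;
}

/* Stand-in for find_auth_domain(): with WBFLAG_PAM_CONTACT_TRUSTDOM set the
 * parent picks the child for the user's own (trusted) domain; with it
 * cleared it routes via the primary domain, whose DC forwards over the trust. */
static struct winbindd_domain *find_auth_domain(const struct auth_request *req)
{
    for (int i = 0; i < NDOMAINS; i++) {
        if (req->flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
            if (strcmp(domains[i].name, req->domain) == 0) return &domains[i];
        } else if (domains[i].primary) {
            return &domains[i];
        }
    }
    return NULL;
}

/* The regression as described: one attempt against the trusted child, and
 * its cryptic failure status is all that reaches PAM. */
NTSTATUS parent_auth_no_fallback(struct auth_request req)
{
    struct winbindd_domain *d = find_auth_domain(&req);
    return d ? child_samlogon(d, &req) : NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}

/* Proposed direction: fallback lives in the parent. Only when the trusted
 * child could not reach its netlogon pipe do we clear the flag and re-route
 * once; any other status (e.g. ACCOUNT_DISABLED) is returned as-is. */
NTSTATUS parent_auth_with_reroute(struct auth_request req)
{
    struct winbindd_domain *d = find_auth_domain(&req);
    NTSTATUS status = d ? child_samlogon(d, &req) : NT_STATUS_CANT_ACCESS_DOMAIN_INFO;

    if (status == NT_STATUS_CANT_ACCESS_DOMAIN_INFO &&
        (req.flags & WBFLAG_PAM_CONTACT_TRUSTDOM)) {
        req.flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
        d = find_auth_domain(&req);
        if (d) status = child_samlogon(d, &req);
    }
    return status;
}

/* Constructed scenario from the thread: disabled user in the trusted child. */
static const struct auth_request sample_req = { "CHILD", "alice", true, WBFLAG_PAM_CONTACT_TRUSTDOM };

NTSTATUS scenario_no_fallback(void)  { return parent_auth_no_fallback(sample_req); }
NTSTATUS scenario_with_reroute(void) { return parent_auth_with_reroute(sample_req); }

/* When the child can reach its DC there must be no second round trip. */
int scenario_reachable_child_calls(void)
{
    domains[1].netlogon_reachable = true;
    samlogon_calls = 0;
    NTSTATUS s = parent_auth_with_reroute(sample_req);
    domains[1].netlogon_reachable = false;
    return (s == NT_STATUS_ACCOUNT_DISABLED) ? samlogon_calls : -1;
}

int main(void)
{
    printf("no fallback:  0x%08x\n", scenario_no_fallback());
    printf("with reroute: 0x%08x\n", scenario_with_reroute());
    return 0;
}
```

The model keys the re-route on NT_STATUS_CANT_ACCESS_DOMAIN_INFO alone, which is the "status check" Noel is unhappy with: it works for the scenario in the thread, but any other reason the child returns that status would also trigger a second logon attempt.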

