RFC Reroute samlogon for trusted child domain user if samlogon fails

Stefan Metzmacher metze at samba.org
Fri Oct 30 17:04:45 UTC 2015


Hi Noel,

>> I think what we really need is a way to return to the parent and have
>> the fallback logic there,
>> the parent should then re-route to the correct domain child by clearing
>> WBFLAG_PAM_CONTACT_TRUSTDOM
>> before calling find_auth_domain().
> 
> something like the patch attached ? is this the correct direction/approach ? 

I think the WBFLAG_PAM_FALLBACK_AFTER_KRB5

                if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
                        DEBUG(3,("falling back to samlogon\n"));
                        goto sam_logon;
                } else {
                        goto cached_logon;
                }

I think the goto sam_logon needs a check if the domain is the primary one;
if not, we need to explicitly indicate that more processing is required
to the parent. We still need to keep the handling of
LOGON_KRB5_FAIL_CLOCK_SKEW.

metze
