Another user at realm type issue/bug

Andreas Schneider asn at samba.org
Mon Oct 3 12:31:39 UTC 2016


On Friday, 30 September 2016 07:07:38 CEST Andrew Bartlett wrote:
> On Thu, 2016-09-29 at 23:14 +0200, Andreas Schneider wrote:
> > On Thursday, 29 September 2016 12:28:20 CEST Jeremy Allison wrote:
> > > On Thu, Sep 29, 2016 at 07:22:28PM +0100, Noel Power wrote:
> > > > On 29/09/16 18:54, Jeremy Allison wrote:
> > > > > On Thu, Sep 29, 2016 at 06:10:55PM +0100, Noel Power wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > > When looking at the parse_domain_user issue with user at realm
> > > > > > > credentials I was playing around with smbtorture and noticed that the
> > > > > > > cli_credentials.username field is not set up when using -Uuser@realm
> > > > > > > with smbtorture, this seems like a bug to me, please see that
> > > > > > > attached patch
> > > > > 
> > > > > Shouldn't this just be removing the "return;" ?
> > > > > 
> > > > > > The 'goto done' and new done: label is redundant here.
> > > > 
> > > > doh! /me face palms
> > > > you are completely correct :-)
> > > > 
> > > > here's v2
> > > 
> > > Reviewed-by: Jeremy Allison <jra at samba.org>.
> > > 
> > > Can I get a second Team reviewer ?
> > 
> > RB+
> > 
> > Thanks for catching this!
> 
> What was the consumer in this case?
> 
> While very strange, this was deliberate, as it was expected that the
> callers would try and get the principal if that was set at a more
> certain level (eg SPECIFIED compared to GUESS).
> 
> The reason is that if I have a UPN of andrew.bartlett at samba.example.com
> I may have a username of abartlet in samAccountName, and so logging in
> over NTLM with andrew.bartlett wouldn't match, I would have to use
> andrew.bartlett at samba.example.com without a domain.
> 
> Naturally, see bugs around that handling server-side, but that was the
> idea, and it was hoped that very few codepaths would be asking for
> either directly, hopefully only the gensec modules and the client SMB1
> NTLM session setup code. 
> 
> This is why the patch to make the s3 session setup code take
> cli_credentials (and so pass that down to NTLMSSP and krb5) is so
> important. 
> 
> I hope this clarifies things, and reminds me that I should write a good
> python testsuite to encode these expectations. 

As this parses a string obtained from the command line with -U we should set 
username here! If you do not want to do that you should not use that function 
and call the function to set username directly! On the command line there is 
only one option to set the username/principal and that is -U!


Best regards,


	-- andreas



More information about the samba-technical mailing list