Another user at realm type issue/bug

Stefan Metzmacher metze at samba.org
Wed Oct 5 06:47:18 UTC 2016


On 03.10.2016 at 19:42, Jeremy Allison wrote:
> On Mon, Oct 03, 2016 at 10:30:28AM -0700, Jeremy Allison wrote:
>> On Mon, Oct 03, 2016 at 02:31:39PM +0200, Andreas Schneider wrote:
>>> On Friday, 30 September 2016 07:07:38 CEST Andrew Bartlett wrote:
>>>> What was the consumer in this case?
>>>>
>>>> While very strange, this was deliberate, as it was expected that the
>>>> callers would try and get the principal if that was set at a more
>>>> certain level (eg SPECIFIED compared to GUESS).
>>>>
>>>> The reason is that if I have a UPN of andrew.bartlett at samba.example.com
>>>>  I may have a username of abartlet in samAccountName, and so logging in
>>>> over NTLM with andrew.bartlett wouldn't match, I would have to use
>>>> andrew.bartlett at samba.example.com without a domain.
>>>>
>>>> Naturally, see bugs around that handling server-side, but that was the
>>>> idea, and it was hoped that very few codepaths would be asking for
>>>> either directly, hopefully only the gensec modules and the client SMB1
>>>> NTLM session setup code. 
>>>>
>>>> This is why the patch to make the s3 session setup code take
>>>> cli_credentials (and so pass that down to NTLMSSP and krb5) is so
>>>> important. 
>>>>
>>>> I hope this clarifies things, and reminds me that I should write a good
>>>> python testsuite to encode these expectations. 
>>>
>>> As this parses a string obtained from the command line with -U we should set 
>>> username here! If you do not want to do that you should not use that function 
>>> and call the function to set username directly! On the commandline there is 
>>> only one option to set the username/principal and that is -U!
>>
>> Yep, I have to agree. This is being called with CRED_SPECIFIED
>> from the command line means "shut up and do as I say here". The
>> patch is correct IMHO to fix the command line handling.
> 
> So if it doesn't break anything in current make test
> I plan to push. If we need a test around differing
> samAccountName and UPN behavior we should add that
> and a separate function to use it IMHO. The pre-patch
> behavior is too strange to remain for general command
> line processing.

Please hold on on this.

I'm also looking at this currently and I think the topic is much
more complex.

metze
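To make the precedence rule the thread is arguing about concrete, here is a small Python model added for this page; it is not Samba's cli_credentials code, and the class, the `Obtained` levels beyond GUESS/SPECIFIED, and the assumption that every field keeps its own "obtained" level are hypothetical. The `set_username_for_upn` switch contrasts the pre-patch behaviour (a `user@realm` string only sets the principal) with the proposed one (it also sets the username).

```python
from enum import IntEnum


class Obtained(IntEnum):
    # Certainty levels, lowest to highest. GUESS and SPECIFIED come from the
    # thread; UNINITIALISED is an assumed floor for fields never set.
    UNINITIALISED = 0
    GUESS = 1
    SPECIFIED = 2


class Credentials:
    """Hypothetical credentials cache: a field is only overwritten by a value
    obtained at the same or a higher certainty level than the current one."""

    def __init__(self):
        self.username = None
        self.domain = None
        self.principal = None
        self._level = {}  # field name -> Obtained level of the stored value

    def set(self, field, value, obtained):
        if obtained >= self._level.get(field, Obtained.UNINITIALISED):
            setattr(self, field, value)
            self._level[field] = obtained
            return True
        return False  # a less certain value never clobbers a more certain one

    def parse_string(self, text, obtained, set_username_for_upn):
        """Parse a -U style string: 'user', 'DOMAIN\\user' or 'user@realm'."""
        if "@" in text:
            # A UPN: stored as the principal; pre-patch the username is left
            # at whatever lower-certainty guess was already there.
            self.set("principal", text, obtained)
            if set_username_for_upn:
                self.set("username", text, obtained)
            return
        if "\\" in text:
            domain, user = text.split("\\", 1)
            self.set("domain", domain, obtained)
        else:
            user = text
        self.set("username", user, obtained)


def parse_dash_u(text, set_username_for_upn, username_guess="abartlet"):
    """Simulate -U handling on top of a username guessed from the environment."""
    creds = Credentials()
    creds.set("username", username_guess, Obtained.GUESS)  # e.g. from $USER
    creds.parse_string(text, Obtained.SPECIFIED, set_username_for_upn)
    return creds.username, creds.domain, creds.principal
```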
