RFC/WIP: NTLMSSP passthrough + user at realm credentials

Jeremy Allison jra at samba.org
Thu Oct 20 19:00:42 UTC 2016


On Thu, Oct 20, 2016 at 03:07:11PM +0300, Uri Simchoni wrote:
> Hi,
> 
> The attached patch seems to fix
> https://bugzilla.samba.org/show_bug.cgi?id=12375 - authenticating
> clients by a member server using user at realm credentials.
> 
> In essence, the client passes an empty domain and upn at realm as user, and
> those need to be passed untouched to the netlogon server.
> 
> The patch seems to make it work, but I feel I don't have the big
> picture, and would like to receive comments on:
> - Whether there are any flags to be looked at instead of the heuristic
> that the domain is empty and user contains '@'

We don't use any flags when dealing with the name, all existing
code uses heuristics on the name string.

> - If heuristic - do we already have functions to parse and classify a
> user name

Nope. All cases currently just do a strchr(name, '@').
The only special case taken care of I can see is checking
if lp_winbind_separator() != '@' (it would obviously
break in this case). Maybe a common utility function doing
the parsing might help.

> - Interaction with user mapping

Why are you avoiding the map_username() in the upn case?

I think map_username() should just get access to the 'raw'
passed in DOMAIN\username (even if it's a \upn at realm name)
to allow the admin to explicitly map to a local user.

Other than that this looks really good to me. Do we
currently have a test for this? If not, then I think we
do need tests for this before it goes in.

If you have good ideas on what tests we need I'm happy
to work on them with you.

Jeremy.

> - ... anything else.
> 
> I'll also do some more digging into the relevant [MS-xxx] docs.

> Thanks,
> Uri.

> From 1ba8904d2eadaac9ec98c671800929d986d5f041 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 20 Oct 2016 14:54:13 +0300
> Subject: [PATCH] s3-winbindd: allow []\[upn at realm] AUTH_CRAP
> 
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
>  source3/auth/auth_util.c                  | 19 ++++++++++++++-----
>  source3/winbindd/winbindd_pam_auth_crap.c | 15 +++++++++------
>  2 files changed, 23 insertions(+), 11 deletions(-)
> 
> diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> index 5473fa2..25ceb47 100644
> --- a/source3/auth/auth_util.c
> +++ b/source3/auth/auth_util.c
> @@ -105,10 +105,20 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
>  {
>  	const char *domain;
>  	NTSTATUS result;
> -	bool was_mapped;
> +	bool was_mapped = false;
>  	char *internal_username = NULL;
> +	bool upn_form = false;
>  
> -	was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
> +	if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
> +		upn_form = true;
> +	}
> +
> +	if (upn_form) {
> +		internal_username = talloc_strdup(talloc_tos(), smb_name);
> +	} else {
> +		was_mapped =
> +		    map_username(talloc_tos(), smb_name, &internal_username);
> +	}
>  	if (!internal_username) {
>  		return NT_STATUS_NO_MEMORY;
>  	}
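Review bot: the new test "if (client_domain[0] == '\0' && strchr(smb_name, '@'))" does not consult lp_winbind_separator(), so with the separator configured as '@' a DOMAIN@user name would be classified as upn_form and bypass the username map; the identical strchr() test is repeated in winbindd_pam_auth_crap.c, so a single shared helper that encodes the rule (and the separator caveat) would keep both callers in step. A second point in the same hunk: when upn_form is true, map_username() is skipped altogether, so an admin's "username map" entry can no longer catch a user@realm login; consider passing the raw name through map_username() first and only falling back to the talloc_strdup() when no mapping applies.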
> @@ -126,10 +136,9 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
>  	 * non-domain member box will also map to WORKSTATION\user.
>  	 * This also deals with the client passing in a "" domain */
>  
> -	if (!is_trusted_domain(domain) &&
> +	if (!upn_form && !is_trusted_domain(domain) &&
>  	    !strequal(domain, my_sam_name()) &&
> -	    !strequal(domain, get_global_sam_name()))
> -	{
> +	    !strequal(domain, get_global_sam_name())) {
>  		if (lp_map_untrusted_to_domain())
>  			domain = my_sam_name();
>  		else
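Review bot: the comment immediately above this block still says "This also deals with the client passing in a "" domain", but with the added "!upn_form &&" guard an empty domain is now left untouched whenever the user name contains '@', so the comment is stale for that case; reword it to say that the untrusted-domain mapping is deliberately skipped for UPN-form names so the empty domain reaches the netlogon server unchanged.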
> diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
> index ffbc322..9bc9424 100644
> --- a/source3/winbindd/winbindd_pam_auth_crap.c
> +++ b/source3/winbindd/winbindd_pam_auth_crap.c
> @@ -37,6 +37,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
>  	struct tevent_req *req, *subreq;
>  	struct winbindd_pam_auth_crap_state *state;
>  	struct winbindd_domain *domain;
> +	const char *auth_domain = NULL;
>  
>  	req = tevent_req_create(mem_ctx, &state,
>  				struct winbindd_pam_auth_crap_state);
> @@ -77,14 +78,16 @@ struct tevent_req *winbindd_pam_auth_crap_send(
>  		return tevent_req_post(req, ev);
>  	}
>  
> -	if ((request->data.auth_crap.domain[0] == '\0')
> -	    && lp_winbind_use_default_domain()) {
> -		fstrcpy(request->data.auth_crap.domain,
> -			lp_workgroup());
> +	auth_domain = request->data.auth_crap.domain;
> +	if (auth_domain[0] == '\0') {
> +		if (strchr(request->data.auth_crap.user, '@')) {
> +			auth_domain = lp_workgroup();
> +		} else if (lp_winbind_use_default_domain()) {
> +			fstrcpy(request->data.auth_crap.domain, lp_workgroup());
> +		}
>  	}
>  
> -	domain = find_auth_domain(
> -		request->flags, request->data.auth_crap.domain);
> +	domain = find_auth_domain(request->flags, auth_domain);
>  	if (domain == NULL) {
>  		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
>  		return tevent_req_post(req, ev);
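Review bot: the two branches inside "if (auth_domain[0] == '\0')" are asymmetric in a way that reads as accidental: the '@' branch only points the local auth_domain at lp_workgroup() (so find_auth_domain() is consulted with the workgroup while request->data.auth_crap.domain stays empty), whereas the else-if branch rewrites request->data.auth_crap.domain in place. The cover note explains that the empty domain is meant to reach the netlogon server untouched, but nothing in the code says so; add a comment at the '@' branch stating that the request domain is intentionally left empty. It is also worth noting in that comment that the '@' branch no longer honours lp_winbind_use_default_domain(), since the old code applied it to every empty domain.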
> -- 
> 2.9.3
> 
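As an added illustration (not part of the patch and not Samba's code) of the "common utility function doing the parsing" mentioned above, here is a stand-alone C classifier for the (domain, user) pair an AUTH_CRAP request carries. Everything in it is assumed: the names parse_client_name and classify_name, the enum and struct, the fixed buffer sizes, and the winbind_sep argument standing in for lp_winbind_separator(). It applies the patch's rule (empty domain plus '@' in the user means UPN form) but refuses that reading when the separator is itself '@', which is the case Jeremy flags as breaking, and falls back to winbind's own DOMAIN<sep>user split instead. The sample names in the comments are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed, not Samba's: which form a client-supplied name turned out to be in. */
enum name_form {
	NAME_FORM_PLAIN,	/* bare "user", no domain information at all */
	NAME_FORM_DOMAIN_USER,	/* DOMAIN and user known separately */
	NAME_FORM_UPN		/* "user@realm", to be passed to the DC untouched */
};

/* Assumed fixed buffer sizes; a real helper in Samba would talloc these. */
struct parsed_name {
	enum name_form form;
	char domain[64];
	char user[256];
	char realm[256];
};

/* Bounded copy of the first len bytes of src; false if it would not fit. */
static bool copy_n(char *dst, size_t dstsize, const char *src, size_t len)
{
	if (len >= dstsize) {
		return false;
	}
	memcpy(dst, src, len);
	dst[len] = '\0';
	return true;
}

/*
 * Classify (client_domain, client_user): empty domain plus '@' in the user
 * means UPN form, except when the winbind separator (winbind_sep stands in
 * for lp_winbind_separator()) is itself '@', because "DOMAIN@user" and
 * "user@realm" then look the same. Returns 0 on success, -1 on a malformed name.
 */
int parse_client_name(const char *client_domain, const char *client_user,
		      char winbind_sep, struct parsed_name *out)
{
	const char *at, *sep;
	bool ok;

	if (client_user == NULL || out == NULL) {
		return -1;
	}
	if (client_domain == NULL) {
		client_domain = "";
	}
	memset(out, 0, sizeof(*out));

	if (client_domain[0] != '\0') {
		/* Explicit domain supplied, e.g. ("SAMBA", "alice"): nothing to split. */
		out->form = NAME_FORM_DOMAIN_USER;
		ok = copy_n(out->domain, sizeof(out->domain), client_domain,
			    strlen(client_domain)) &&
		     copy_n(out->user, sizeof(out->user), client_user,
			    strlen(client_user));
		return ok ? 0 : -1;
	}

	at = strchr(client_user, '@');
	if (at != NULL && winbind_sep != '@') {
		/* user@realm, e.g. ("", "alice@EXAMPLE.COM"); both halves must be
		 * non-empty. The realm is all that follows the first '@'. */
		if (at == client_user || at[1] == '\0') {
			return -1;
		}
		out->form = NAME_FORM_UPN;
		ok = copy_n(out->user, sizeof(out->user), client_user,
			    (size_t)(at - client_user)) &&
		     copy_n(out->realm, sizeof(out->realm), at + 1, strlen(at + 1));
		return ok ? 0 : -1;
	}

	sep = (winbind_sep != '\0') ? strchr(client_user, winbind_sep) : NULL;
	if (sep != NULL) {
		/* DOMAIN<sep>user packed into the user field (winbind's convention). */
		if (sep == client_user || sep[1] == '\0') {
			return -1;
		}
		out->form = NAME_FORM_DOMAIN_USER;
		ok = copy_n(out->domain, sizeof(out->domain), client_user,
			    (size_t)(sep - client_user)) &&
		     copy_n(out->user, sizeof(out->user), sep + 1, strlen(sep + 1));
		return ok ? 0 : -1;
	}

	/* Bare user name: the caller decides whether a default domain applies. */
	out->form = NAME_FORM_PLAIN;
	ok = copy_n(out->user, sizeof(out->user), client_user, strlen(client_user));
	return ok ? 0 : -1;
}

/* Convenience for callers that only need the form: returns it, or -1. */
int classify_name(const char *client_domain, const char *client_user, char winbind_sep)
{
	struct parsed_name p;
	if (parse_client_name(client_domain, client_user, winbind_sep, &p) != 0) {
		return -1;
	}
	return (int)p.form;
}
```

A caller in the auth path would run the raw name through the username map before or after this classification, as discussed above, and would only leave the request domain empty when the result is NAME_FORM_UPN; rejecting "@realm" and "user@" up front keeps a malformed name from reaching the netlogon server as a supposed UPN.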
