RFC/WIP: NTLMSSP passthrough + user at realm credentials
Jeremy Allison
jra at samba.org
Thu Oct 20 19:00:42 UTC 2016
On Thu, Oct 20, 2016 at 03:07:11PM +0300, Uri Simchoni wrote:
> Hi,
>
> The attached patch seems to fix
> https://bugzilla.samba.org/show_bug.cgi?id=12375 - authenticating
> clients by a member server using user at realm credentials.
>
> In essence, the client passes an empty domain and upn at realm as user, and
> those need to be passed untouched to the netlogon server.
>
> The patch seems to make it work, but I feel I don't have the big
> picture, and would like to receive comments on:
> - Whether there are any flags to be looked at instead of the heuristic
> that the domain is empty and user contains '@'
We don't use any flags when dealing with the name, all existing
code uses heuristics on the name string.
> - If heuristic - do we already have functions to parse and classify a
> user name
Nope. All cases currently just do a strchr(name, '@').
The only special case taken care of I can see is checking
if lp_winbind_separator() != '@' (it would obviously
break in this case). Maybe a common utility function doing
the parsing might help.
> - Interaction with user mapping
Why are you avoiding the map_username() in the upn case ?
I think map_username() should just get access to the 'raw'
passed in DOMAIN\username (even if it's a \upn at realm name)
to allow the admin to explicitly map to a local user.
Other than that this looks really good to me. Do we
currently have a test for this ? If not, then I think we
do need tests for this before it goes in.
If you have good ideas on what tests we need I'm happy
to work on them with you.
Jeremy.
> - ... anything else.
>
> I'll also do some more digging into the relevant [MS-xxx] docs.
> Thanks,
> Uri.
> From 1ba8904d2eadaac9ec98c671800929d986d5f041 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <uri at samba.org>
> Date: Thu, 20 Oct 2016 14:54:13 +0300
> Subject: [PATCH] s3-winbindd: allow []\[upn at realm] AUTH_CRAP
>
> Signed-off-by: Uri Simchoni <uri at samba.org>
> ---
> source3/auth/auth_util.c | 19 ++++++++++++++-----
> source3/winbindd/winbindd_pam_auth_crap.c | 15 +++++++++------
> 2 files changed, 23 insertions(+), 11 deletions(-)
>
> diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
> index 5473fa2..25ceb47 100644
> --- a/source3/auth/auth_util.c
> +++ b/source3/auth/auth_util.c
> @@ -105,10 +105,20 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
> {
> const char *domain;
> NTSTATUS result;
> - bool was_mapped;
> + bool was_mapped = false;
> char *internal_username = NULL;
> + bool upn_form = false;
>
> - was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
> + if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
> + upn_form = true;
> + }
> +
> + if (upn_form) {
> + internal_username = talloc_strdup(talloc_tos(), smb_name);
> + } else {
> + was_mapped =
> + map_username(talloc_tos(), smb_name, &internal_username);
> + }
> if (!internal_username) {
> return NT_STATUS_NO_MEMORY;
> }
> @@ -126,10 +136,9 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
> * non-domain member box will also map to WORKSTATION\user.
> * This also deals with the client passing in a "" domain */
>
> - if (!is_trusted_domain(domain) &&
> + if (!upn_form && !is_trusted_domain(domain) &&
> !strequal(domain, my_sam_name()) &&
> - !strequal(domain, get_global_sam_name()))
> - {
> + !strequal(domain, get_global_sam_name())) {
> if (lp_map_untrusted_to_domain())
> domain = my_sam_name();
> else
> diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
> index ffbc322..9bc9424 100644
> --- a/source3/winbindd/winbindd_pam_auth_crap.c
> +++ b/source3/winbindd/winbindd_pam_auth_crap.c
> @@ -37,6 +37,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
> struct tevent_req *req, *subreq;
> struct winbindd_pam_auth_crap_state *state;
> struct winbindd_domain *domain;
> + const char *auth_domain = NULL;
>
> req = tevent_req_create(mem_ctx, &state,
> struct winbindd_pam_auth_crap_state);
> @@ -77,14 +78,16 @@ struct tevent_req *winbindd_pam_auth_crap_send(
> return tevent_req_post(req, ev);
> }
>
> - if ((request->data.auth_crap.domain[0] == '\0')
> - && lp_winbind_use_default_domain()) {
> - fstrcpy(request->data.auth_crap.domain,
> - lp_workgroup());
> + auth_domain = request->data.auth_crap.domain;
> + if (auth_domain[0] == '\0') {
> + if (strchr(request->data.auth_crap.user, '@')) {
> + auth_domain = lp_workgroup();
> + } else if (lp_winbind_use_default_domain()) {
> + fstrcpy(request->data.auth_crap.domain, lp_workgroup());
> + }
> }
>
> - domain = find_auth_domain(
> - request->flags, request->data.auth_crap.domain);
> + domain = find_auth_domain(request->flags, auth_domain);
> if (domain == NULL) {
> tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
> return tevent_req_post(req, ev);
> --
> 2.9.3
>
More information about the samba-technical
mailing list