[PATCHES] smbd: support NTLM pass-through with \user at realm credentials
Andrew Bartlett
abartlet at samba.org
Mon Oct 24 21:49:42 UTC 2016
On Sun, 2016-10-23 at 10:10 +0300, Uri Simchoni wrote:
> Hi,
>
> Following previous comments, attached pls find a proposed patch set.
>
> - user mapping indeed should not be affected
> - the winbindd fix covers a wider set of cases, hopefully it doesn't
> break anything (passes make test)
> - although similar fixes to client side are underway, smbtorture (s4
> client lib) already supports generating such credentials, so the test
> is
> simple. The bug lists an existing smbtorture command that passes
> against
> Windows with user at realm credentials.
This looks correct, pushing this out to our primary DC is the right
answer. For extra bonus points, it would be great to see a test for
NTLM login against some of the accounts we test in the krb5.kdc test
with. These have a UPN that is not related to the actual realm. See
the testallowed and testdenied user in particular.
This will be nice and tricky to sort out when we get proper trusted
domain support, we will need routing logic like we have in the KDC
code.
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list