[PATCHES] smbd: support NTLM pass-through with \user@realm credentials

Andrew Bartlett abartlet at samba.org
Tue Oct 25 10:20:41 UTC 2016


On Tue, 2016-10-25 at 08:51 +0300, Uri Simchoni wrote:
> On 10/25/2016 12:49 AM, Andrew Bartlett wrote:
> > 
> > On Sun, 2016-10-23 at 10:10 +0300, Uri Simchoni wrote:
> > > 
> > > Hi,
> > > 
> > > Following previous comments, attached pls find a proposed patch
> > > set.
> > > 
> > > - user mapping indeed should not be affected
> > > - the winbindd fix covers a wider set of cases, hopefully it doesn't
> > >   break anything (passes make test)
> > > - although similar fixes to client side are underway, smbtorture (s4
> > >   client lib) already supports generating such credentials, so the
> > >   test is simple. The bug lists an existing smbtorture command that
> > >   passes against Windows with user@realm credentials.
> > 
> > This looks correct, pushing this out to our primary DC is the right
> > answer.  For extra bonus points, it would be great to see a test for
> > NTLM login against some of the accounts we test in the krb5.kdc test
> > with.  These have a UPN that is not related to the actual realm.  See
> > the testallowed and testdenied user in particular.
> > 
> Hopefully I'll get around to it soon. It's also interesting to verify
> that after successful auth, smbd treats the user as
> DOMAIN\samaccountname, irrespective of the original credentials (I
> verified this to be true manually)

Indeed.  It is easy to do against LDAP (ask for the tokenGroups on
rootDSE).  Does SMB have a good whoami yet?  Last time I recall us
doing something for this it was a horrible hack via LSA lookups (there
is some smbtorture code somewhere), or else the creation of a file. 

> > 
> > This will be nice and tricky to sort out when we get proper trusted
> > domain support, we will need routing logic like we have in the KDC
> > code. 
> > 
> Do you mean that the member server needs to sort this out? In Kerberos
> at least, the DC does this by returning a TGT to the "next" KDC.

No, I mean when Samba, as an AD DC (which wasn't clear), gets trusted
domain support, then something will need to do NTLM routing based on
more than just the DOMAIN\ prefix.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
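To make the routing and identity points in the thread concrete, here is an added Python sketch (not Samba code and not from the patch set): it splits the three credential forms into the NTLM domain/user fields, decides where a member server's winbindd forwards them, and uses a constructed stand-in for the DC's account database (FAKE_DC, with a UPN suffix unrelated to the realm, like the testallowed user mentioned above) to show that the resulting identity is always DOMAIN\sAMAccountName whatever form the client used.

```python
from dataclasses import dataclass

# Constructed stand-in for the DC's account database (not real Samba data).
# UPN and sAMAccountName both resolve to one account, and the UPN suffix
# deliberately does not match the realm, as with testallowed/testdenied.
FAKE_DC = {
    "realm": "SAMBA.EXAMPLE",
    "netbios": "SAMBA",
    "accounts": {
        "testallowed": {"upn": "testallowed@upn.example"},
        "alice": {"upn": "alice@samba.example"},
    },
}

@dataclass(frozen=True)
class NtlmName:
    domain: str   # NTLM DomainName field ("" when the client sent none)
    user: str     # NTLM UserName field; may be a whole UPN

def parse_logon_name(name: str) -> NtlmName:
    """Split a credential string the way a client fills the NTLM fields.

    DOMAIN\\user -> domain="DOMAIN", user="user"
    \\user@realm -> domain="",       user="user@realm"  (UPN kept whole)
    user@realm   -> domain="",       user="user@realm"
    """
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return NtlmName(domain, user)
    return NtlmName("", name)

def route(n: NtlmName, local_netbios: str) -> str:
    """Where a member server should send the NTLM challenge/response.

    A UPN suffix is not a usable realm hint (it may be unrelated to any
    domain), so anything without a foreign domain prefix goes to our DC,
    which resolves the UPN itself. Foreign prefixes need trust routing.
    """
    if n.domain and n.domain.upper() != local_netbios.upper():
        return f"trusted:{n.domain.upper()}"
    return "primary-dc"

def resolve_on_dc(n: NtlmName, dc=FAKE_DC) -> str:
    """What the (simulated) DC answers: always DOMAIN\\sAMAccountName."""
    for sam, attrs in dc["accounts"].items():
        if n.user.lower() in (sam.lower(), attrs["upn"].lower()):
            return f"{dc['netbios']}\\{sam}"
    raise LookupError(n.user)
```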
