Another user at realm type issue/bug

Andrew Bartlett abartlet at samba.org
Fri Sep 30 14:07:38 UTC 2016


On Thu, 2016-09-29 at 23:14 +0200, Andreas Schneider wrote:
> On Thursday, 29 September 2016 12:28:20 CEST Jeremy Allison wrote:
> > 
> > On Thu, Sep 29, 2016 at 07:22:28PM +0100, Noel Power wrote:
> > > 
> > > On 29/09/16 18:54, Jeremy Allison wrote:
> > > > 
> > > > On Thu, Sep 29, 2016 at 06:10:55PM +0100, Noel Power wrote:
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > When looking at the parse_domain_user issue with user@realm
> > > > > credentials I was playing around with smbtorture and noticed that
> > > > > the cli_credentials.username field is not setup when using
> > > > > -Uuser@realm with smbtorture, this seems like a bug to me, please
> > > > > see that attached patch
> > > > 
> > > > Shouldn't this just be removing the "return;" ?
> > > > 
> > > > The 'goto done' and new done: label is redundant here.
> > > 
> > > doh! /me face palms
> > > you are completely correct :-)
> > > 
> > > here's v2
> > 
> > Reviewed-by: Jeremy Allison <jra at samba.org>.
> > 
> > Can I get a second Team reviewer ?
> 
> RB+
> 
> Thanks for catching this!

What was the consumer in this case?

While very strange, this was deliberate, as it was expected that the
callers would try and get the principal if that was set at a more
certain level (eg SPECIFIED compared to GUESS).

The reason is that if I have a UPN of andrew.bartlett@samba.example.com
I may have a username of abartlet in samAccountName, and so logging in
over NTLM with andrew.bartlett wouldn't match, I would have to use
andrew.bartlett@samba.example.com without a domain.

Naturally, see bugs around that handling server-side, but that was the
idea, and it was hoped that very few codepaths would be asking for
either directly, hopefully only the gensec modules and the client SMB1
NTLM session setup code. 

This is why the patch to make the s3 session setup code take
cli_credentials (and so pass that down to NTLMSSP and krb5) is so
important. 

I hope this clarifies things, and reminds me that I should write a good
python testsuite to encode these expectations. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
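
A simplified model of the behaviour described in the message above, added here as an example and not part of the original message or of Samba's code. The struct, enum and function names are hypothetical and the sample values are constructed; it shows a user@realm value setting only the principal, and a consumer preferring the principal when it was obtained at a more certain level than the username.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; every name here is hypothetical, not Samba's API. */
enum obtained { OBT_UNSET = 0, OBT_GUESS, OBT_SPECIFIED };

struct creds {
    char username[64];
    enum obtained username_obtained;
    char principal[128];
    enum obtained principal_obtained;
};

/* Start from a guessed username (e.g. taken from the environment). */
static void creds_guess(struct creds *c, const char *env_user)
{
    memset(c, 0, sizeof(*c));
    snprintf(c->username, sizeof(c->username), "%s", env_user);
    c->username_obtained = OBT_GUESS;
}

/* Parse a -U value. For user@realm only the principal is set: the part
 * before '@' is a UPN prefix and need not equal the samAccountName. */
static void creds_parse(struct creds *c, const char *arg)
{
    if (strchr(arg, '@') != NULL) {
        snprintf(c->principal, sizeof(c->principal), "%s", arg);
        c->principal_obtained = OBT_SPECIFIED;
        return; /* username keeps its earlier value and level */
    }
    snprintf(c->username, sizeof(c->username), "%s", arg);
    c->username_obtained = OBT_SPECIFIED;
}

/* Name a consumer should present for NTLM: the full principal (sent with
 * no domain) when it is known more certainly than the username. */
static const char *creds_ntlm_user(const struct creds *c)
{
    if (c->principal_obtained > c->username_obtained)
        return c->principal;
    return c->username;
}

int main(void)
{
    struct creds c;
    creds_guess(&c, "localuser"); /* constructed sample values */
    creds_parse(&c, "andrew.bartlett@samba.example.com");
    printf("%s\n", creds_ntlm_user(&c));
    return 0;
}
```

A consumer that reads `username` directly in the first case would get the guessed value rather than anything the user typed, which is the situation the thread is discussing.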



