[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Sat Apr 8 20:21:41 UTC 2017

On Fri, 2017-04-07 at 17:08 +0200, Stefan Metzmacher wrote:
> Am 23.03.2017 um 17:51 schrieb Stefan Metzmacher via samba-technical:
> > Hi,
> > 
> > > > To make progress, could we skip this part until we get a test
> > > > to cover
> > > > the different values, and keep this patch set to just the "no
> > > > behaviour
> > > > change"?
> > > 
> > > Ok, here's part one for https://bugzilla.samba.org/show_bug.cgi?i
> > > d=2976
> > 
> > Here's part 2 that also fixes
> > https://bugzilla.samba.org/show_bug.cgi?id=12709
> > https://bugzilla.samba.org/show_bug.cgi?id=12710
> Version 3 of the patches is attached and can be found in
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/
> master3-auth-1
> I've added some tests to show the key problem, the silent mapping
> from
> users of trusted domain to local users for NTLM authentication.
> Please review and push.

These look good.  Garming has been working to add more tests for the
RODC case (you have no doubt seen the patches he has been working on),
and I'll confirm with him on Monday that they don't show up any issues
there and give you a formal review and push.

It would be nice if we had trusted domains also tested (even in
knownfail) with the samlogon test, or that python thing I never got

Regardless, this has been a massive and tedious effort, and so I say
thank you very much for your hard work!

> > And the fixes for (with the manpage change still TODO)
> > https://bugzilla.samba.org/show_bug.cgi?id=8630
> Version 3 of the patches is attached (but still WIP) and can be found
> in
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/
> master3-auth-2

Thanks.  For the manpage, try:

By default, and with <smbconfoption name="map untrusted to
domain">auto</smbconfoption> smbd will defer the mapping decision to
the Comain Controller (DC) of the domain it is a member of, if it is
not a DC.  If the DC indicates that the domain portion is unknown, then
a local authentication is performed.  Standalone servers always ignore
the domain.  This is basically the same as the behavior implemented in

With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
if a client connects to smbd using an untrusted domain name, such as
     BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
(forcing local authentication) before
     attempting to authenticate that user.  While this appears similar
to the default behaviour of <smbconfoption name="map untrusted to
domain">auto</smbconfoption>, the difference is that smbd do not
contact any DC first in this case, and so must intuit if the domain is
trusted or not locally. 
With <smbconfoption name="map untrusted to
domain">yes</smbconfoption>, smbd provides the
     legacy behavior matching that of versions of Samba pre 3.4: if
smbd was acting as a domain
     member server, the BOGUS domain name would instead be replaced by
     primary domain which smbd was a member of.  In this case
     would be deferred off to a DC using the credentials DOMAIN\user.  
+    <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    was the default up to Samba 4.6.
+    </para>
+    <para>
     When smbd is acting as a standalone server, this parameter has no
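Review bot: the "auto" paragraph carries three typos worth fixing before this lands: "Comain Controller (DC)" should read "Domain Controller (DC)", "it's SAM name" should be "its SAM name", and "smbd do not contact any DC" should be "smbd does not contact any DC". The sentence "This is basically the same as the behavior implemented in" also stops without naming what it refers to, and in the "yes" paragraph "In this case would be deferred off to a DC" is missing its subject (presumably "authentication"). Suggest also dropping the stray comma after the closing tag in the added line "<smbconfoption name="map untrusted to domain">no</smbconfoption>, was the default up to Samba 4.6."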

Finally, can you think of a situation which will change when you
change the default in 'docs-xml: change the default for "map untrusted
to domain" to "auto"'?  Would UPNs behave differently?


Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba