[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Stefan Metzmacher metze at samba.org
Mon Apr 10 07:08:20 UTC 2017

Hi Andrew,

> Thanks.  For the manpage, try:
> By default, and with <smbconfoption name="map untrusted to
> domain">auto</smbconfoption> smbd will defer the mapping decision to
> the Domain Controller (DC) of the domain it is a member of, if it is
> not a DC.  If the DC indicates that the domain portion is unknown, then
> a local authentication is performed.  Standalone servers always ignore
> the domain.  This is basically the same as the behavior implemented in
> Windows.
> With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
> if a client connects to smbd using an untrusted domain name, such as
>      BOGUS\user, smbd replaces the BOGUS domain with its SAM name
> (forcing local authentication) before
>      attempting to authenticate that user.  While this appears similar
> to the default behaviour of <smbconfoption name="map untrusted to
auto">
> domain">auto</smbconfoption>, the difference is that smbd does not
> contact any DC first in this case, and so must intuit if the domain is
> trusted or not locally.
>      </para>
>      <para>
> With <smbconfoption name="map untrusted to
> domain">yes</smbconfoption>, smbd provides the
>      legacy behavior matching that of versions of Samba pre 3.4: if
> smbd was acting as a domain
>      member server, the BOGUS domain name would instead be replaced by
> the
>      primary domain which smbd was a member of.  In this case
> authentication
>      would be deferred off to a DC using the credentials DOMAIN\user.  
>      </para>
>      <para>
> +    <smbconfoption name="map untrusted to domain">no</smbconfoption>,
> +    was the default up to Samba 4.6.
> +    </para>
> +
> +    <para>
>      When smbd is acting as a standalone server, this parameter has no
>      effect.
>      </para>
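Review bot: the added sentence carries a stray comma after the closing tag ("...</smbconfoption>, was the default up to Samba 4.6."); drop it so the line reads "<smbconfoption name="map untrusted to domain">no</smbconfoption> was the default up to Samba 4.6." It would also help to say in the same paragraph that the default is now auto, so the reader does not have to infer it from the "By default, and with ... auto" wording further up.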
> Finally, can you think of a situation that which will change when you
> change the default in 'docs-xml: change the default for "map untrusted
> to domain" to "auto"'?  Would UPNs behave differently?

It makes a big difference for one-way trusts, see

If you have the following situation:

childa.foresta.example.com <-> foresta.example.com <- one-way
forest-trust -> forestb.example.com

forestb trusts foresta and we're a member of the domain forestb (MEMBERB).

When we get an authentication for CHILDA\userchilda, it would
get mapped to MEMBERB\userchilda, because winbindd on MEMBERB doesn't have
CHILDA in the list of trusted domains, it doesn't have permissions to list
the domains in foresta.

The key is that we skip is_trusted_domain() and just blindly pass the
authentication for CHILDA\userchilda to winbindd and winbindd just
uses its default route (the primary domain on a member server) to forward
it to a DC (e.g. DC-A1) of the domain FORESTB. DC-A1 is able to establish
a netlogon schannel connection to a DC of FORESTA and call
netr_GetForestTrustInformation(). So DC-A1 knows the correct route to CHILDA.

I'll try to add a one-way trust test to autobuild.
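To make the three settings discussed in this thread concrete, here is a small model of the mapping decision, written for this page as an illustration; it is not Samba's own code. It follows the manpage text quoted above (standalone servers ignore the domain; "no" replaces an untrusted domain with the local SAM name; "yes" replaces it with the primary domain; "auto" skips the local is_trusted_domain() check and lets a DC of the primary domain decide) and replays the CHILDA / FORESTA / FORESTB one-way-trust scenario from the reply. The Server and Decision types, the dc_of_forestb() stand-in for the DC's answer, and the domain names are constructed for the example.

```python
"""Toy model of smbd's "map untrusted to domain" decision (no / yes / auto).

Constructed illustration, not Samba's code: it mirrors the manpage text quoted
in the thread and the CHILDA/FORESTA/FORESTB example from the reply.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class Server:
    role: str                        # "standalone" or "member"
    sam_name: str                    # local SAM name, e.g. "MEMBERB"
    primary_domain: str              # domain we are a member of, e.g. "FORESTB"
    trusted_domains: FrozenSet[str]  # domains winbindd can enumerate locally
    map_untrusted: str               # "no", "yes" or "auto"


@dataclass(frozen=True)
class Decision:
    domain: str   # domain part actually used for the logon
    user: str
    route: str    # "local" (our own SAM) or "dc" (forwarded via winbindd)


def is_trusted_domain(server: Server, domain: str) -> bool:
    """Local trust check: only the primary domain and what winbindd enumerated."""
    d = domain.upper()
    return d == server.primary_domain.upper() or d in {t.upper() for t in server.trusted_domains}


def map_logon(server: Server, domain: str, user: str,
              dc_knows_domain: Callable[[str], bool]) -> Decision:
    """Decide where DOMAIN\\user is authenticated.

    dc_knows_domain simulates the answer of a DC of the primary domain, which
    (unlike the member) can resolve forest-trust routes; it is only consulted
    in "auto" mode.
    """
    # Standalone servers always ignore the domain part.
    if server.role == "standalone":
        return Decision(server.sam_name, user, "local")

    mode = server.map_untrusted.lower()
    if mode == "auto":
        # Hand the name through unchanged; the DC decides whether it is known.
        if dc_knows_domain(domain):
            return Decision(domain, user, "dc")
        return Decision(server.sam_name, user, "local")

    if is_trusted_domain(server, domain):
        # Trusted by local knowledge: forward as-is in both remaining modes.
        return Decision(domain, user, "dc")

    if mode == "no":
        # Untrusted locally: replace with our SAM name and authenticate locally.
        return Decision(server.sam_name, user, "local")
    if mode == "yes":
        # Pre-3.4 legacy: replace with the primary domain and defer to its DC.
        return Decision(server.primary_domain, user, "dc")
    raise ValueError(f"unknown 'map untrusted to domain' value: {server.map_untrusted!r}")


# Constructed scenario from the reply: MEMBERB is a member of FORESTB, FORESTB
# trusts FORESTA one-way, and winbindd on MEMBERB cannot enumerate CHILDA.
def memberb(mode: str) -> Server:
    return Server("member", "MEMBERB", "FORESTB", frozenset({"FORESTA"}), mode)


def dc_of_forestb(domain: str) -> bool:
    # Stand-in for a FORESTB DC that learned the route to CHILDA via
    # netr_GetForestTrustInformation() against a FORESTA DC.
    return domain.upper() in {"FORESTB", "FORESTA", "CHILDA"}


if __name__ == "__main__":
    for mode in ("no", "yes", "auto"):
        print(mode, map_logon(memberb(mode), "CHILDA", "userchilda", dc_of_forestb))
```

Running it shows the difference the reply describes: with "no", CHILDA\userchilda is rewritten to MEMBERB\userchilda and authenticated locally; with "yes" it becomes FORESTB\userchilda; with "auto" the name passes through untouched and the FORESTB DC routes it to CHILDA. A domain the DC does not know (BOGUS) still falls back to local authentication in "auto" mode.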

