Authentication on a DC

Volker Lendecke vl at
Mon Feb 27 11:05:24 UTC 2017


Right now I'm trying to correctly return NT_STATUS_NO_SUCH_USER with
authoritative=0 from our DC implementation(s) in the case when our
netlogon server does not know the domain name. I'm hitting wall after
wall with autobuild, so I would like to lay out what I think is a flaw
in our authentication approach.

On a DC, we have two cases which I believe are to be handled

* Acting as a DC

* Giving access to a local resource

When giving access to a local resource, we need to fall back to
essentially sam_ignoredomain when the user comes in with a completely
unknown domain name. We should not do this as a netlogon server, we
should return the NO_SUCH_USER/authoritative=0. This case is
essentially handled through NT_STATUS_NOT_IMPLEMENTED internally.

The design flaw is I believe that we force all authentication through
a single set of auth methods, not looking at the use case.

Forcing everything through this single interface makes things like
"USER_INFO_LOCAL_SAM_ONLY" necessary in the first place. If
winbindd_pam had the liberty to just create an auth context with just
"sam", this flag would not be required.



More information about the samba-technical mailing list