Authentication on a DC

Andrew Bartlett abartlet at
Mon Feb 27 18:55:48 UTC 2017

On Mon, 2017-02-27 at 12:05 +0100, Volker Lendecke wrote:
> Hi!
> Right now I'm trying to correctly return NT_STATUS_NO_SUCH_USER with
> authoritative=0 from our DC implementation(s) in the case when our
> netlogon server does not know the domain name. I'm hitting wall after
> wall with autobuild, so I would like to lay out what I think is a
> flaw
> in our authentication approach.
> On a DC, we have two cases which I believe are to be handled
> differently:
> * Acting as a DC
> * Giving access to a local resource
> When giving access to a local resource, we need to fall back to
> essentially sam_ignoredomain when the user comes in with a completely
> unknown domain name. We should not do this as a netlogon server, we
> should return the NO_SUCH_USER/authoritative=0. This case is
> essentially handled through NT_STATUS_NOT_IMPLEMENTED internally.
> The design flaw is I believe that we force all authentication through
> a single set of auth methods, not looking at the use case.
> Forcing everything through this single interface makes things like
> "USER_INFO_LOCAL_SAM_ONLY" necessary in the first place. If
> winbindd_pam had the liberty to just create an auth context with just
> "sam", this flag would not be required.
> Comments?

Thanks for trying to untangle this!  We have left this detail incorrect
for too long, likewise making it harder to keep our Samba clients

I'll look at this for you today.  

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list