Authentication on a DC

Andrew Bartlett abartlet at samba.org
Mon Feb 27 18:55:48 UTC 2017


On Mon, 2017-02-27 at 12:05 +0100, Volker Lendecke wrote:
> Hi!
> 
> Right now I'm trying to correctly return NT_STATUS_NO_SUCH_USER with
> authoritative=0 from our DC implementation(s) in the case when our
> netlogon server does not know the domain name. I'm hitting wall after
> wall with autobuild, so I would like to lay out what I think is a flaw
> in our authentication approach.
> 
> On a DC, we have two cases which I believe are to be handled
> differently:
> 
> * Acting as a DC
> 
> * Giving access to a local resource
> 
> When giving access to a local resource, we need to fall back to
> essentially sam_ignoredomain when the user comes in with a completely
> unknown domain name. We should not do this as a netlogon server, we
> should return the NO_SUCH_USER/authoritative=0. This case is
> essentially handled through NT_STATUS_NOT_IMPLEMENTED internally.
> 
> The design flaw is I believe that we force all authentication through
> a single set of auth methods, not looking at the use case.
> 
> Forcing everything through this single interface makes things like
> "USER_INFO_LOCAL_SAM_ONLY" necessary in the first place. If
> winbindd_pam had the liberty to just create an auth context with just
> "sam", this flag would not be required.
> 
> Comments?

Thanks for trying to untangle this!  We have left this detail incorrect
for too long, likewise making it harder to keep our Samba clients
correct.

I'll look at this for you today.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
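The split Volker describes, as a stand-alone model added to this archive page (it is not Samba's code and uses none of Samba's APIs): two auth contexts, one for the netlogon-server case and one for local-resource access, each built from its own method list. A method answers NT_STATUS_NOT_IMPLEMENTED to mean "not mine, try the next", and when no method claims the request the context returns NT_STATUS_NO_SUCH_USER with authoritative=0. The function and type names (auth_check, auth_method_fn, netlogon_ctx, local_ctx), the sample domain EXAMPLE and the two users are assumptions made for the example; the status values are the NT status codes of the same name.

```c
/*
 * Added model of per-use-case auth contexts. Hypothetical code, not Samba's;
 * only the C standard library is used.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values match the NT status codes of the same name. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK              0x00000000u
#define NT_STATUS_NOT_IMPLEMENTED 0xC0000002u
#define NT_STATUS_NO_SUCH_USER    0xC0000064u
#define NT_STATUS_WRONG_PASSWORD  0xC000006Au

/* Constructed sample SAM: this DC is authoritative for domain EXAMPLE only. */
#define OUR_DOMAIN "EXAMPLE"
static const struct { const char *name; const char *password; } sam_users[] = {
    { "alice", "correct horse" },
    { "bob",   "battery staple" },
};

struct auth_result {
    NTSTATUS status;
    int authoritative;   /* 0: this DC did not handle it, caller may try elsewhere */
};

/* A method returns NT_STATUS_NOT_IMPLEMENTED to hand the request to the next one. */
typedef NTSTATUS (*auth_method_fn)(const char *domain, const char *user,
                                   const char *password);

static NTSTATUS lookup_user(const char *user, const char *password)
{
    for (size_t i = 0; i < sizeof(sam_users) / sizeof(sam_users[0]); i++) {
        if (strcmp(sam_users[i].name, user) != 0)
            continue;
        /* Plaintext compare only for the model; real code compares hashes. */
        return strcmp(sam_users[i].password, password) == 0
                   ? NT_STATUS_OK : NT_STATUS_WRONG_PASSWORD;
    }
    return NT_STATUS_NO_SUCH_USER;
}

/* "sam": answers only for our own domain (exact-case match in this model). */
static NTSTATUS method_sam(const char *domain, const char *user, const char *password)
{
    if (strcmp(domain, OUR_DOMAIN) != 0)
        return NT_STATUS_NOT_IMPLEMENTED;
    return lookup_user(user, password);
}

/* "sam_ignoredomain": local-resource fallback, matches on user name only. */
static NTSTATUS method_sam_ignoredomain(const char *domain, const char *user,
                                        const char *password)
{
    (void)domain;
    return lookup_user(user, password);
}

struct auth_context { const auth_method_fn *methods; size_t count; };

/* Netlogon server: "sam" only. Local resource: "sam" then the fallback. */
static const auth_method_fn netlogon_methods[] = { method_sam };
static const auth_method_fn local_methods[]    = { method_sam, method_sam_ignoredomain };
const struct auth_context netlogon_ctx = { netlogon_methods, 1 };
const struct auth_context local_ctx    = { local_methods, 2 };

struct auth_result auth_check(const struct auth_context *ctx, const char *domain,
                              const char *user, const char *password)
{
    for (size_t i = 0; i < ctx->count; i++) {
        NTSTATUS st = ctx->methods[i](domain, user, password);
        if (st == NT_STATUS_NOT_IMPLEMENTED)
            continue;
        /* A method that recognised the domain answers authoritatively. */
        struct auth_result r = { st, 1 };
        return r;
    }
    /* Nobody claimed the request: NO_SUCH_USER, authoritative=0. */
    struct auth_result r = { NT_STATUS_NO_SUCH_USER, 0 };
    return r;
}

int main(void)
{
    const char *doms[] = { OUR_DOMAIN, "OTHERDOM" };
    for (int d = 0; d < 2; d++) {
        struct auth_result n = auth_check(&netlogon_ctx, doms[d], "alice", "correct horse");
        struct auth_result l = auth_check(&local_ctx,    doms[d], "alice", "correct horse");
        printf("%-9s netlogon: 0x%08X auth=%d   local: 0x%08X auth=%d\n",
               doms[d], n.status, n.authoritative, l.status, l.authoritative);
    }
    return 0;
}
```

With the same unknown domain, the netlogon context yields NO_SUCH_USER/authoritative=0 while the local context authenticates alice through the fallback; a wrong password or unknown user in the DC's own domain is answered authoritatively by both, because "sam" recognised the domain and the fallback is never consulted.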
