[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Stefan Metzmacher metze at samba.org
Sun Jun 11 21:06:40 UTC 2017


Am 10.04.2017 um 09:08 schrieb Stefan Metzmacher via samba-technical:
> Hi Andrew,
> 
>> Thanks.  For the manpage, try:
>>
>> By default, and with <smbconfoption name="map untrusted to
>> domain">auto</smbconfoption> smbd will defer the mapping decision to
>> the Domain Controller (DC) of the domain it is a member of, if it is
>> not a DC.  If the DC indicates that the domain portion is unknown, then
>> a local authentication is performed.  Standalone servers always ignore
>> the domain.  This is basically the same as the behavior implemented in
>> Windows.
>>
>> With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
>> if a client connects to smbd using an untrusted domain name, such as
>>      BOGUS\user, smbd replaces the BOGUS domain with its SAM name
>> (forcing local authentication) before
>>      attempting to authenticate that user.  While this appears similar
>> to the default behaviour of <smbconfoption name="map untrusted to
>> domain">auto</smbconfoption>, the difference is that smbd does not
>> contact any DC first in this case, and so must intuit if the domain is
>> trusted or not locally. 
>>      </para>
>>  
>>      <para>
>> With <smbconfoption name="map untrusted to
>> domain">yes</smbconfoption>, smbd provides the
>>      legacy behavior matching that of versions of Samba pre 3.4: if
>> smbd was acting as a domain
>>      member server, the BOGUS domain name would instead be replaced by
>> the
>>      primary domain which smbd was a member of.  In this case
>> authentication
>>      would be deferred off to a DC using the credentials DOMAIN\user.  
>>      </para>
>>  
>>      <para>
>> +    <smbconfoption name="map untrusted to domain">no</smbconfoption>,
>> +    was the default up to Samba 4.6.
>> +    </para>
>> +
>> +    <para>
>>      When smbd is acting as a standalone server, this parameter has no
>>      effect.
>>      </para>
>>  
>>
>> Finally, can you think of a situation that which will change when you
>> change the default in 'docs-xml: change the default for "map untrusted
>> to domain" to "auto"'?  Would UPNs behave differently?
> 
> It makes a big difference for one-way trusts, see
> https://bugzilla.samba.org/show_bug.cgi?id=8630
> 
> If you have the following situation:
> 
> childa.foresta.example.com <-> foresta.example.com <- one-way
> forest-trust -> forestb.example.com
> 
> forestb trusts foresta and we're a member of the domain forestb (MEMBERB).
> 
> When we get an authentication for CHILDA\userchilda, it would
> get mapped to MEMBERB\userchilda, because winbindd on MEMBERB doesn't have
> CHILDA in the list of trusted domains, it doesn't have permissions to list
> the domains in foresta.
> 
> The key is that we skip is_trusted_domain() and just blindly pass the
> authentication for CHILDA\userchilda to winbindd and winbindd just
> uses its default route (the primary domain on a member server) to forward
> it to a DC (e.g. DC-A1) of the domain FORESTB. DC-A1 is able to establish
> a netlogon schannel connection to a DC of FORESTA and call
> netr_GetForestTrustInformation(). So DC-A1 knows the correct route to CHILDA.
> 
> I'll try to add a one-way trust test to autobuild.

After trying to add a test, I realized that we can't support such a setup
with our current ADDC capabilities yet :-(

However, I have some patches for selftest to add a one-way trust. It's
not yet used, but it will make it easier to add tests once I've added
support for NTLM trusts.

The two attached patchsets are in private autobuilds currently.

metze
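The three settings of "map untrusted to domain" and the one-way trust routing discussed above, as an added model for this thread (example code, not Samba's own and not part of the mail): the member's winbindd, a DC of the primary domain and the local SAM are reduced to small functions, every place where is_trusted_domain() would contact winbindd is recorded, and the non-authoritative NO_SUCH_USER convention from the subject line decides whether a later backend may still try. The topology (MEMBERB as a member of FORESTB, CHILDA reachable only via the one-way trust to FORESTA), the account database and the status strings are constructed for the example.

```python
"""Model of smbd's "map untrusted to domain" decision on a domain member.

Added illustration for the thread above; not Samba's code.  The topology,
accounts and status strings are constructed from the bug 8630 scenario:
we are MEMBERB, a member of FORESTB, and FORESTB has a one-way trust to
FORESTA whose child domain CHILDA is invisible to our own winbindd.
"""

MY_SAM_NAME = "MEMBERB"       # my_sam_name(): our NetBIOS name
PRIMARY_DOMAIN = "FORESTB"    # get_global_sam_name() on a member: the workgroup

# Domains winbindd on the member can list: its own domain plus what the
# primary DC reports.  CHILDA is absent because MEMBERB may not enumerate
# the domains of FORESTA across the one-way trust.
MEMBER_TRUSTED_DOMAINS = {"FORESTB", "FORESTA"}

# A DC of FORESTB fetches FORESTA's forest trust information over netlogon
# schannel, so it can route CHILDA even though the member cannot.
DC_KNOWN_DOMAINS = {"FORESTB", "FORESTA", "CHILDA"}

LOCAL_SAM = {"localuser": "local-pw"}                 # constructed passdb
DOMAIN_ACCOUNTS = {                                   # constructed AD accounts
    ("FORESTB", "bob"): "bob-pw",
    ("CHILDA", "userchilda"): "childa-pw",
}

TRUST_QUERIES = []   # every is_trusted_domain() call, i.e. a winbindd round trip


def is_trusted_domain(domain):
    """Stand-in for is_trusted_domain(): asks winbindd on the member."""
    TRUST_QUERIES.append(domain.upper())
    return domain.upper() in MEMBER_TRUSTED_DOMAINS


def map_untrusted_domain(domain, setting):
    """Mirror make_user_info_map(): the cheap string comparisons come first
    so winbindd is contacted only for names that are neither our SAM nor our
    primary domain; only then does the option decide what to do."""
    d = domain.upper()
    if d in (MY_SAM_NAME, PRIMARY_DOMAIN) or is_trusted_domain(d):
        return d
    if setting == "yes":   # pre-3.4 behaviour: substitute the primary domain
        return PRIMARY_DOMAIN
    if setting == "no":    # default up to 4.6: force local authentication
        return MY_SAM_NAME
    return d               # auto: hand the client's domain through unchanged


def local_sam_backend(domain, user, password):
    """Return (status, authoritative); authoritative only for our own SAM."""
    if domain != MY_SAM_NAME:
        return "NT_STATUS_NOT_IMPLEMENTED", False
    if user not in LOCAL_SAM:
        return "NT_STATUS_NO_SUCH_USER", True
    ok = LOCAL_SAM[user] == password
    return ("NT_STATUS_OK" if ok else "NT_STATUS_WRONG_PASSWORD"), True


def winbindd_backend(domain, user, password):
    """Forward to a DC of the primary domain, which routes by its own trust
    knowledge.  A domain the DC cannot place yields NO_SUCH_USER with
    authoritative=False, so the chain may still try another backend."""
    if domain not in DC_KNOWN_DOMAINS:
        return "NT_STATUS_NO_SUCH_USER", False
    expected = DOMAIN_ACCOUNTS.get((domain, user))
    if expected is None:
        return "NT_STATUS_NO_SUCH_USER", True
    ok = expected == password
    return ("NT_STATUS_OK" if ok else "NT_STATUS_WRONG_PASSWORD"), True


def authenticate(client_domain, user, password, setting="auto"):
    """Run the member's backend chain; return (status, deciding backend, domain used)."""
    domain = map_untrusted_domain(client_domain, setting)
    for name, backend in (("local", local_sam_backend), ("winbindd", winbindd_backend)):
        status, authoritative = backend(domain, user, password)
        if authoritative:
            return status, name, domain
    # Nobody was authoritative: the DC reported the domain portion as unknown,
    # so (as the manpage text above puts it) a local authentication is performed.
    status, _ = local_sam_backend(MY_SAM_NAME, user, password)
    return status, "local-fallback", MY_SAM_NAME


if __name__ == "__main__":
    for setting in ("no", "yes", "auto"):
        print(setting, authenticate("CHILDA", "userchilda", "childa-pw", setting))
        print(setting, authenticate("BOGUS", "localuser", "local-pw", setting))
```

Running it shows the three outcomes the mail describes: with "no" CHILDA\userchilda is rewritten to MEMBERB\userchilda and fails in the local SAM, with "yes" it is rewritten to FORESTB\userchilda and the DC reports no such user, and only with "auto" does the untouched name reach the FORESTB DC, which knows the route to CHILDA. The BOGUS\localuser case shows the other half of "auto": the DC declines non-authoritatively and the local SAM still gets its turn.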
-------------- next part --------------
From df5724afd95b7e16b9b7a7c4a75b849d708e9137 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 9 Jun 2017 14:52:59 +0200
Subject: [PATCH 1/8] python/samba/tests: don't use hardcoded names in
 *pam_winbind* tests

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 python/samba/tests/pam_winbind.py      | 15 +++++++++++----
 python/samba/tests/test_pam_winbind.sh |  8 ++++++++
 selftest/tests.py                      |  3 ++-
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
index 21ea2fb..1054e86 100644
--- a/python/samba/tests/pam_winbind.py
+++ b/python/samba/tests/pam_winbind.py
@@ -18,22 +18,29 @@
 
 import samba.tests
 import pypamtest
+import os
 
 class SimplePamTests(samba.tests.TestCase):
     def test_authenticate(self):
-        alice_password = "Secret007"
+        domain = os.environ["DOMAIN"]
+        username = os.environ["USERNAME"]
+        password = os.environ["PASSWORD"]
+        unix_username = "%s/%s" % (domain, username)
         expected_rc = 0 # PAM_SUCCESS
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest("SAMBADOMAIN/alice", "samba", [tc], [alice_password])
+        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
 
         self.assertTrue(res != None)
 
     def test_authenticate_error(self):
-        alice_password = "WrongPassword"
+        domain = os.environ["DOMAIN"]
+        username = os.environ["USERNAME"]
+        password = "WrongPassword"
+        unix_username = "%s/%s" % (domain, username)
         expected_rc = 7 # PAM_AUTH_ERR
 
         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
-        res = pypamtest.run_pamtest("SAMBADOMAIN/alice", "samba", [tc], [alice_password])
+        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
 
         self.assertTrue(res != None)
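Review bot: the three `os.environ[...]` lookups and the `"%s/%s"` join are duplicated in both tests; move them into a `setUp()` so a missing variable fails once with one clear KeyError, and so the winbind separator is hardcoded in one place rather than two (`"/"` only works because the ad_member env sets `winbind separator = /`, and the Perl side of this series even comments that this is a bad idea). While touching these lines, `self.assertTrue(res != None)` reads better as `self.assertIsNotNone(res)`.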
diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh
index bf59296..fdd2870 100755
--- a/python/samba/tests/test_pam_winbind.sh
+++ b/python/samba/tests/test_pam_winbind.sh
@@ -4,6 +4,14 @@ PYTHON="$1"
 PAM_WRAPPER_SO_PATH="$2"
 shift 2
 
+DOMAIN="$1"
+export DOMAIN
+USERNAME="$2"
+export USERNAME
+PASSWORD="$3"
+export PASSWORD
+shift 3
+
 PAM_WRAPPER_PATH="$BINDIR/default/lib/pam_wrapper"
 
 pam_winbind="$BINDIR/shared/pam_winbind.so"
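Review bot: `shift 3` runs without checking that three more positional arguments were actually supplied; with fewer, the shift fails and the Python test then dies on a KeyError far from the cause. Add a usage check such as `[ $# -ge 3 ] || { echo "usage: $0 PYTHON PAM_WRAPPER_SO DOMAIN USERNAME PASSWORD ..." >&2; exit 1; }` before the `shift`. Note also that the password now travels through this script's argv and is visible in `ps` on the build host; acceptable for selftest, but worth a comment so nobody copies the pattern into production tooling.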
diff --git a/selftest/tests.py b/selftest/tests.py
index 5367fe3..9033dd9 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -140,7 +140,8 @@ planpythontestsuite("none", "samba.tests.glue", py3_compatible=True)
 
 if with_pam:
     plantestsuite("samba.tests.pam_winbind", "ad_member",
-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), valgrindify(python), pam_wrapper_so_path])
+                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                   valgrindify(python), pam_wrapper_so_path, "$DOMAIN", "alice", "Secret007"])
 
 if with_cmocka:
     plantestsuite("samba.unittests.krb5samba", "none",
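Review bot: `"alice"` and `"Secret007"` remain hardcoded here while the domain is already taken from `$DOMAIN`; since 2/8 replaces them with `$DC_USERNAME`/`$DC_PASSWORD` a commit later, squash the two so there is no bisect point where the domain and the credentials come from different sources.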
-- 
1.9.1


From 5db092984865093ee43ddd0fe93151d52e6c9773 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 9 Jun 2017 15:15:15 +0200
Subject: [PATCH 2/8] selftest: use "$DC_USERNAME" and "$DC_PASSWORD" for the
 pam_winbind test

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/tests.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/selftest/tests.py b/selftest/tests.py
index 9033dd9..50927ae 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -141,7 +141,8 @@ planpythontestsuite("none", "samba.tests.glue", py3_compatible=True)
 if with_pam:
     plantestsuite("samba.tests.pam_winbind", "ad_member",
                   [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
-                   valgrindify(python), pam_wrapper_so_path, "$DOMAIN", "alice", "Secret007"])
+                   valgrindify(python), pam_wrapper_so_path,
+                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
 
 if with_cmocka:
     plantestsuite("samba.unittests.krb5samba", "none",
-- 
1.9.1


From 8dac65846aac0579176291ee9da3117ca80d2263 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 9 Jun 2017 15:45:25 +0200
Subject: [PATCH 3/8] selftest: test pam_winbind with a local user on ad_member

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/tests.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/selftest/tests.py b/selftest/tests.py
index 50927ae..175b56c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -139,7 +139,11 @@ plantestsuite(
 planpythontestsuite("none", "samba.tests.glue", py3_compatible=True)
 
 if with_pam:
-    plantestsuite("samba.tests.pam_winbind", "ad_member",
+    plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
+                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                   valgrindify(python), pam_wrapper_so_path,
+                   "$SERVER", "$USERNAME", "$PASSWORD"])
+    plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
                   [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
                    valgrindify(python), pam_wrapper_so_path,
                    "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
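Review bot: the "(local)" case passes `$SERVER` as the domain, so pam_winbind is asked for `LOCALADMEMBER/<user>`, which is exactly the local-SAM-on-a-member path that the `map untrusted to domain` changes route differently; say so in the commit message so a future failure here is read as an auth-routing regression rather than a PAM problem. The two `plantestsuite` calls differ only in three strings; a loop over `(("local", "$SERVER", "$USERNAME", "$PASSWORD"), ("domain", "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"))` would keep them in step.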
-- 
1.9.1


From 307d128ba65c063022c9f0fc502022349c8185d1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 9 Jun 2017 14:53:40 +0200
Subject: [PATCH 4/8] selftest: don't use hardcoded domain names in
 Samba3::setup_admember()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba3.pm | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 0914aff..32d10b5 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -385,26 +385,26 @@ sub setup_admember($$$$)
 	my $share_dir="$prefix_abs/share";
 	push(@dirs, $share_dir);
 
-	my $substitution_path = "$share_dir/D_SAMBADOMAIN";
+	my $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}";
 	push(@dirs, $substitution_path);
 
-	$substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice";
+	$substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/U_alice";
 	push(@dirs, $substitution_path);
 
-	$substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
+	$substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/U_alice/G_domain users";
 	push(@dirs, $substitution_path);
 
 	# Using '/' as the winbind separator is a bad idea ...
-	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
+	$substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}";
 	push(@dirs, $substitution_path);
 
-	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
+	$substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice";
 	push(@dirs, $substitution_path);
 
-	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
+	$substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice/g_$dcvars->{DOMAIN}";
 	push(@dirs, $substitution_path);
 
-	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
+	$substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice/g_$dcvars->{DOMAIN}/domain users";
 	push(@dirs, $substitution_path);
 
 	my $member_options = "
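Review bot: only the domain is parameterised; `alice` and `domain users` stay literal in every path. If the aim is to stop depending on names from the ad_dc provision, the user needs the same treatment (and 2/8 switches the pam test from `alice` to `$DC_USERNAME`, so check which test still relies on these `U_alice` directories before leaving them hardcoded).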
-- 
1.9.1


From 98bebee39942e180e8173e4d917126bad23326cf Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Thu, 6 Apr 2017 08:50:06 +0200
Subject: [PATCH 5/8] selftest: Use the ad_dc with smbfs for ad_member env

Signed-off-by: Andreas Schneider <asn at samba.org>
---
 selftest/target/Samba4.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 316ef83..6d36d3e 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2084,10 +2084,10 @@ sub setup_env($$$)
 	} elsif ($envname eq "chgdcpass") {
 		return $self->setup_chgdcpass("$path/chgdcpass", $self->{vars}->{chgdcpass});
 	} elsif ($envname eq "ad_member") {
-		if (not defined($self->{vars}->{ad_dc_ntvfs})) {
-			$self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+		if (not defined($self->{vars}->{ad_dc})) {
+			$self->setup_ad_dc("$path/ad_dc");
 		}
-		return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc_ntvfs}, 29);
+		return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc}, 29);
 	} elsif ($envname eq "ad_dc") {
 		return $self->setup_ad_dc("$path/ad_dc");
 	} elsif ($envname eq "ad_dc_no_nss") {
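Review bot: the subject says "with smbfs", but the hunk swaps the DC that ad_member joins from `ad_dc_ntvfs` to `ad_dc` (the env whose file server is s3fs). Name the env in the subject and give the reason, because every ad_member test now runs against a different DC and any knownfail entries written against the ntvfs-backed DC should be re-checked.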
-- 
1.9.1


From a5e7f0ae53a8445f5e171040f670d8fa3e772c6c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 10 Jun 2017 12:29:47 +0200
Subject: [PATCH 6/8] selftest: pass the workgroup name to Samba3::provision()

Not all environments should use the samba workgroup name.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba3.pm | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 32d10b5..3fc2c1a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -231,7 +231,7 @@ sub setup_nt4_dc($$)
 	fss: sequence timeout = 1
 ";
 
-	my $vars = $self->provision($path,
+	my $vars = $self->provision($path, "SAMBA-TEST",
 				    "LOCALNT4DC2",
 				    "localntdc2pass",
 				    $nt4_dc_options);
@@ -279,7 +279,7 @@ sub setup_nt4_dc_schannel($$)
 	server schannel = yes
 ";
 
-	my $vars = $self->provision($path,
+	my $vars = $self->provision($path, "NT4SCHANNEL",
 				    "LOCALNT4DC9",
 				    "localntdc9pass",
 				    $pdc_options);
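Review bot: this hunk and the ones below do more than thread the old `"SAMBA-TEST"` value through: nt4_dc_schannel becomes `NT4SCHANNEL`, ktest becomes `KTEST` and the standalone servers become `WORKGROUP`, yet the commit message only says "Not all environments should use the samba workgroup name". List the new names and why each was chosen, and confirm that tests which hardcode `SAMBA-TEST` for these envs (instead of using `$DOMAIN`) were grepped for.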
@@ -318,7 +318,7 @@ sub setup_nt4_member($$$)
 	dbwrap_tdb_mutexes:* = yes
 	${require_mutexes}
 ";
-	my $ret = $self->provision($prefix,
+	my $ret = $self->provision($prefix, $nt4_dc_vars->{DOMAIN},
 				   "LOCALNT4MEMBER3",
 				   "localnt4member3pass",
 				   $member_options);
@@ -424,7 +424,7 @@ sub setup_admember($$$$)
 
 ";
 
-	my $ret = $self->provision($prefix,
+	my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
 				   "LOCALADMEMBER",
 				   "loCalMemberPass",
 				   $member_options,
@@ -519,7 +519,7 @@ sub setup_admember_rfc2307($$$$)
         idmap config $dcvars->{DOMAIN} : bind_path_group = ou=idmap,dc=samba,dc=example,dc=com
 ";
 
-	my $ret = $self->provision($prefix,
+	my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
 				   "RFC2307MEMBER",
 				   "loCalMemberPass",
 				   $member_options,
@@ -712,7 +712,7 @@ sub setup_simpleserver($$)
 	smb encrypt = desired
 ";
 
-	my $vars = $self->provision($path,
+	my $vars = $self->provision($path, "WORKGROUP",
 				    "LOCALSHARE4",
 				    "local4pass",
 				    $simpleserver_options);
@@ -822,7 +822,7 @@ sub setup_fileserver($$)
 	acl_xattr:ignore system acls = yes
 ";
 
-	my $vars = $self->provision($path,
+	my $vars = $self->provision($path, "WORKGROUP",
 				    "FILESERVER",
 				    "fileserver",
 				    $fileserver_options,
@@ -909,7 +909,7 @@ sub setup_ktest($$$)
 	client max protocol = SMB3
 ";
 
-	my $ret = $self->provision($prefix,
+	my $ret = $self->provision($prefix, "KTEST",
 				   "LOCALKTEST6",
 				   "localktest6pass",
 				   $ktest_options);
@@ -999,7 +999,7 @@ map to guest = bad user
 ntlm auth = yes
 ";
 
-	my $vars = $self->provision($path,
+	my $vars = $self->provision($path, "WORKGROUP",
 				    "maptoguest",
 				    "maptoguestpass",
 				    $options);
@@ -1262,9 +1262,9 @@ sub createuser($$$$)
 	}
 }
 
-sub provision($$$$$$$$)
+sub provision($$$$$$$$$)
 {
-	my ($self, $prefix, $server, $password, $extra_options, $dc_server_ip, $dc_server_ipv6, $no_delete_prefix) = @_;
+	my ($self, $prefix, $domain, $server, $password, $extra_options, $dc_server_ip, $dc_server_ipv6, $no_delete_prefix) = @_;
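Review bot: `provision()` gains a positional `$domain` as its second argument, which shifts every later parameter; since the diffstat touches only Samba3.pm, confirm there are no other callers in Samba4.pm or the test scripts still using the old arity. The `($$$$$$$$$)` prototype will not catch one: Perl ignores prototypes on method calls such as `$self->provision(...)`, and the callers in this very diff already pass varying numbers of arguments.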
 
 	##
 	## setup the various environment variables we need
@@ -1274,7 +1274,6 @@ sub provision($$$$$$$$)
 	my %ret = ();
 	my $server_ip = "127.0.0.$swiface";
 	my $server_ipv6 = sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
-	my $domain = "SAMBA-TEST";
 
 	my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `PATH=/usr/ucb:$ENV{PATH} whoami`);
 	chomp $unix_name;
-- 
1.9.1


From 58afb7527965dfc6a720b1d0e008d15b3bf68bf5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 9 Jun 2017 14:23:49 +0200
Subject: [PATCH 7/8] selftest: add a one-way trust between SAMBA2000 and
 ADDOMAIN

---
 selftest/knownfail        | 19 +++++++++++++++++++
 selftest/target/Samba4.pm | 17 +++++++++++++----
 source4/selftest/tests.py |  4 ++++
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index c6047c8..867a19e 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -335,3 +335,22 @@
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
 ^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
+#
+# There's only a one-way trust between SAMBA2000 and ADDOMAIN,
+# were ADDOMAIN trusts SAMBA2000.
+^samba4.blackbox.kinit_trust.*Test.login.with.user.kerberos.ccache.*\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.*Test.login.with.kerberos.ccache\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.*check.time.with.kerberos.ccache\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.*Test.login.with.user.kerberos.lowercase.realm\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.*Test.login.with.user.kerberos.lowercase.realm.2\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.*wbinfo.ping.dc\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.*wbinfo.change.outgoing.trust.pw\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.*wbinfo.check.outgoing.trust.pw\(fl2000dc:local\)
+^samba4.blackbox.trust_ntlm.Test07.*with.ADDOMAIN.*Administrator%locDCpass1\(fl2000dc:local\)
+^samba4.blackbox.trust_ntlm.Test08.*with.ADDOM.SAMBA.EXAMPLE.COM.*Administrator%locDCpass1\(fl2000dc:local\)
+^samba4.blackbox.trust_ntlm.Test09.*with.Administrator at ADDOMAIN%locDCpass1\(fl2000dc:local\)
+^samba4.blackbox.trust_ntlm.Test10.*with.Administrator at ADDOM.SAMBA.EXAMPLE.COM%locDCpass1\(fl2000dc:local\)
+^samba4.blackbox.trust_utils.*validate.trust.default.both\(fl2000dc:local\)
+^samba4.blackbox.trust_utils.*validate.trust.default.local\(fl2000dc:local\)
+^samba4.blackbox.trust_utils.*validate.trust.reverse.both\(fl2000dc:local\)
+^samba4.blackbox.trust_utils.*namespaces.own.default\(fl2000dc:local\)
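Review bot: "were ADDOMAIN trusts SAMBA2000" should read "where ADDOMAIN trusts SAMBA2000". This patch also lacks the Signed-off-by line the rest of the series carries. Since nearly every subtest of the three suites added for fl2000dc lands in knownfail, state in the comment which direction is expected to fail, so the entries can be removed deliberately when one-way support arrives rather than lingering.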
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 6d36d3e..54df0cb 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1466,6 +1466,7 @@ sub provision_fl2000dc($$)
 	print "PROVISIONING DC WITH FOREST LEVEL 2000...\n";
 	my $extra_conf_options = "
 	spnego:simulate_w2k=yes
+	ntlmssp_client:force_old_spnego=yes
 	ntlmssp_server:force_old_spnego=yes
 ";
 	my $ret = $self->provision($prefix,
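Review bot: `ntlmssp_client:force_old_spnego=yes` is added without explanation; the commit message should say why the client side of SAMBA2000 (which with this patch also acts as the netlogon/LSA client towards ADDOMAIN for the trust) needs the old SPNEGO form, and whether the trust fails to come up without it or it is only there to keep the W2K simulation consistent.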
@@ -2030,10 +2031,16 @@ sub setup_env($$$)
 	if ($envname eq "ad_dc_ntvfs") {
 		return $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
 	} elsif ($envname eq "fl2000dc") {
-		return $self->setup_fl2000dc("$path/fl2000dc");
+		if (not defined($self->{vars}->{ad_dc})) {
+			$self->setup_ad_dc("$path/ad_dc");
+		}
+		return $self->setup_fl2000dc("$path/fl2000dc", $self->{vars}->{ad_dc});
 	} elsif ($envname eq "vampire_2000_dc") {
+		if (not defined($self->{vars}->{ad_dc})) {
+			$self->setup_ad_dc("$path/ad_dc");
+		}
 		if (not defined($self->{vars}->{fl2000dc})) {
-			$self->setup_fl2000dc("$path/fl2000dc");
+			$self->setup_fl2000dc("$path/fl2000dc", $self->{vars}->{ad_dc});
 		}
 		return $self->setup_vampire_dc("$path/vampire_2000_dc", $self->{vars}->{fl2000dc}, "2000");
 	} elsif ($envname eq "fl2003dc") {
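Review bot: the return value of `setup_ad_dc()` is ignored in both branches; if it fails, `$self->{vars}->{ad_dc}` stays undef and `setup_fl2000dc()` is handed an undef `$dc_vars`, which then fails later inside `setup_trust` with a far less helpful error. Check the result and `return undef` here. The three-line "set up ad_dc if not defined" block now recurs throughout `setup_env`; a small helper would remove the repetition.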
@@ -2193,9 +2200,9 @@ sub setup_chgdcpass($$)
 	return $env;
 }
 
-sub setup_fl2000dc($$)
+sub setup_fl2000dc($$$)
 {
-	my ($self, $path) = @_;
+	my ($self, $path, $dc_vars) = @_;
 
 	my $env = $self->provision_fl2000dc($path);
 	if (defined $env) {
@@ -2203,6 +2210,8 @@ sub setup_fl2000dc($$)
 		        return undef;
 		}
 
+		$env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys --direction=incoming");
+
 		$self->{vars}->{fl2000dc} = $env;
 	}
 
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7c601c3..ce916c6 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -396,6 +396,7 @@ if have_heimdal_support:
     plantestsuite("samba4.blackbox.kinit(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient4, configuration])
     plantestsuite("samba4.blackbox.kinit_trust(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest", "aes256-cts-hmac-sha1-96"])
     plantestsuite("samba4.blackbox.kinit_trust(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"])
+    plantestsuite("samba4.blackbox.kinit_trust(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"])
     plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
     plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
 else:
@@ -404,16 +405,19 @@ else:
     plantestsuite("samba4.blackbox.kinit(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration])
     plantestsuite("samba4.blackbox.kinit_trust(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_trusts_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest"])
     plantestsuite("samba4.blackbox.kinit_trust(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
+    plantestsuite("samba4.blackbox.kinit_trust(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_trusts_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
     plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_mit.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
     plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
 
 plantestsuite("samba4.blackbox.trust_ntlm", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'forest', 'auto', 'NT_STATUS_NO_TRUST_LSA_SECRET'])
 plantestsuite("samba4.blackbox.trust_ntlm", "fl2003dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_NO_TRUST_LSA_SECRET'])
+plantestsuite("samba4.blackbox.trust_ntlm", "fl2000dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_NO_TRUST_LSA_SECRET'])
 plantestsuite("samba4.blackbox.trust_ntlm", "ad_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])
 plantestsuite("samba4.blackbox.trust_ntlm", "nt4_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$DOMAIN', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])
 
 plantestsuite("samba4.blackbox.trust_utils(fl2008r2dc:local)", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "forest"])
 plantestsuite("samba4.blackbox.trust_utils(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
+plantestsuite("samba4.blackbox.trust_utils(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_trust_utils.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external"])
 plantestsuite("samba4.blackbox.ktpass(ad_dc_ntvfs)", "ad_dc_ntvfs", [os.path.join(bbdir, "test_ktpass.sh"), '$PREFIX/ad_dc_ntvfs'])
 plantestsuite("samba4.blackbox.password_settings(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_password_settings.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
 plantestsuite("samba4.blackbox.cifsdd(ad_dc_ntvfs)", "ad_dc_ntvfs", [os.path.join(samba4srcdir, "client/tests/test_cifsdd.sh"), '$SERVER', '$USERNAME', '$PASSWORD', "$DOMAIN"])
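Review bot: the fl2000dc lines are copies of the fl2003dc ones, with the same `external` trust type and the same expected `NT_STATUS_NO_TRUST_LSA_SECRET`; given the knownfail additions, the commit message should say what the one-way variant verifies today (which subtests are expected to pass), otherwise these three suites add runtime for almost no signal until NTLM one-way support exists.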
-- 
1.9.1


From 4acc2bb4abea9e1617c8529380dddd43d5e60782 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Mon, 20 Mar 2017 11:39:41 +0100
Subject: [PATCH 8/8] selftest: Export TRUST information in the ad_member
 target environment

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/selftest.pl      | 33 +++++++++++++++++++++++++++++++++
 selftest/target/Samba3.pm | 34 ++++++++++++++++++++++++++++++++--
 selftest/target/Samba4.pm | 16 +++++++++++++++-
 3 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index f05fc5c..3084b85 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -794,6 +794,39 @@ my @exported_envvars = (
 	"TRUST_DOMAIN",
 	"TRUST_REALM",
 
+	# stuff related to a trusted domain, on a trust_member
+	# the domain behind a forest trust (two-way)
+	"TRUST_F_BOTH_SERVER",
+	"TRUST_F_BOTH_SERVER_IP",
+	"TRUST_F_BOTH_SERVER_IPV6",
+	"TRUST_F_BOTH_NETBIOSNAME",
+	"TRUST_F_BOTH_USERNAME",
+	"TRUST_F_BOTH_PASSWORD",
+	"TRUST_F_BOTH_DOMAIN",
+	"TRUST_F_BOTH_REALM",
+
+	# stuff related to a trusted domain, on a trust_member
+	# the domain behind an external trust (two-way)
+	"TRUST_E_BOTH_SERVER",
+	"TRUST_E_BOTH_SERVER_IP",
+	"TRUST_E_BOTH_SERVER_IPV6",
+	"TRUST_E_BOTH_NETBIOSNAME",
+	"TRUST_E_BOTH_USERNAME",
+	"TRUST_E_BOTH_PASSWORD",
+	"TRUST_E_BOTH_DOMAIN",
+	"TRUST_E_BOTH_REALM",
+
+	# stuff related to a trusted domain, on a trust_member
+	# the domain behind an external trust (one-way outgoing)
+	"TRUST_E_BOTH_SERVER",
+	"TRUST_E_BOTH_SERVER_IP",
+	"TRUST_E_BOTH_SERVER_IPV6",
+	"TRUST_E_BOTH_NETBIOSNAME",
+	"TRUST_E_BOTH_USERNAME",
+	"TRUST_E_BOTH_PASSWORD",
+	"TRUST_E_BOTH_DOMAIN",
+	"TRUST_E_BOTH_REALM",
+
 	# domain controller stuff
 	"DC_SERVER",
 	"DC_SERVER_IP",
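Review bot: the third block, commented "one-way outgoing", repeats the `TRUST_E_BOTH_*` names instead of `TRUST_E_OUT_*`, so the `TRUST_E_OUT_*` values set in Samba3.pm below are never exported and the eight `TRUST_E_BOTH_*` names are listed twice. Replace the block with `"TRUST_E_OUT_SERVER"` through `"TRUST_E_OUT_REALM"`.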
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 3fc2c1a..72d212f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -366,9 +366,9 @@ sub setup_nt4_member($$$)
 	return $ret;
 }
 
-sub setup_admember($$$$)
+sub setup_admember($$$$$$)
 {
-	my ($self, $prefix, $dcvars) = @_;
+	my ($self, $prefix, $dcvars, $trustvars_f, $trustvars_e, $trustvars_o) = @_;
 
 	my $prefix_abs = abs_path($prefix);
 	my @dirs = ();
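Review bot: the prototype is `($$$$$$)`, six scalars, but the Samba4.pm caller now passes seven (`$target3`, the path, three vars hashes and the trailing `29`); Perl ignores prototypes on method calls anyway, so either drop it or keep it accurate, and note that the trailing `29` is still not captured by the `my (...) = @_` list. A comment spelling out what the `_f`, `_e` and `_o` suffixes mean (forest two-way, external two-way, external one-way) would help.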
@@ -486,6 +486,36 @@ sub setup_admember($$$$)
 	$ret->{DC_USERNAME} = $dcvars->{USERNAME};
 	$ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
 
+	# forest trust
+	$ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
+	$ret->{TRUST_F_BOTH_SERVER_IP} = $trustvars_f->{SERVER_IP};
+	$ret->{TRUST_F_BOTH_SERVER_IPV6} = $trustvars_f->{SERVER_IPV6};
+	$ret->{TRUST_F_BOTH_NETBIOSNAME} = $trustvars_f->{NETBIOSNAME};
+	$ret->{TRUST_F_BOTH_USERNAME} = $trustvars_f->{USERNAME};
+	$ret->{TRUST_F_BOTH_PASSWORD} = $trustvars_f->{PASSWORD};
+	$ret->{TRUST_F_BOTH_DOMAIN} = $trustvars_f->{DOMAIN};
+	$ret->{TRUST_F_BOTH_REALM} = $trustvars_f->{REALM};
+
+	# external trust
+	$ret->{TRUST_E_BOTH_SERVER} = $trustvars_e->{SERVER};
+	$ret->{TRUST_E_BOTH_SERVER_IP} = $trustvars_e->{SERVER_IP};
+	$ret->{TRUST_E_BOTH_SERVER_IPV6} = $trustvars_e->{SERVER_IPV6};
+	$ret->{TRUST_E_BOTH_NETBIOSNAME} = $trustvars_e->{NETBIOSNAME};
+	$ret->{TRUST_E_BOTH_USERNAME} = $trustvars_e->{USERNAME};
+	$ret->{TRUST_E_BOTH_PASSWORD} = $trustvars_e->{PASSWORD};
+	$ret->{TRUST_E_BOTH_DOMAIN} = $trustvars_e->{DOMAIN};
+	$ret->{TRUST_E_BOTH_REALM} = $trustvars_e->{REALM};
+
+	# external trust, one-way outgoing
+	$ret->{TRUST_E_OUT_SERVER} = $trustvars_o->{SERVER};
+	$ret->{TRUST_E_OUT_SERVER_IP} = $trustvars_o->{SERVER_IP};
+	$ret->{TRUST_E_OUT_SERVER_IPV6} = $trustvars_o->{SERVER_IPV6};
+	$ret->{TRUST_E_OUT_NETBIOSNAME} = $trustvars_o->{NETBIOSNAME};
+	$ret->{TRUST_E_OUT_USERNAME} = $trustvars_o->{USERNAME};
+	$ret->{TRUST_E_OUT_PASSWORD} = $trustvars_o->{PASSWORD};
+	$ret->{TRUST_E_OUT_DOMAIN} = $trustvars_o->{DOMAIN};
+	$ret->{TRUST_E_OUT_REALM} = $trustvars_o->{REALM};
+
 	# Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env
 	$ret->{target} = $self;
 
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 54df0cb..21d6047 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -2094,7 +2094,21 @@ sub setup_env($$$)
 		if (not defined($self->{vars}->{ad_dc})) {
 			$self->setup_ad_dc("$path/ad_dc");
 		}
-		return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc}, 29);
+		if (not defined($self->{vars}->{fl2008r2dc})) {
+			$self->setup_fl2008r2dc("$path/fl2008r2dc", $self->{vars}->{ad_dc});
+		}
+		if (not defined($self->{vars}->{fl2003dc})) {
+			$self->setup_fl2003dc("$path/fl2003dc", $self->{vars}->{ad_dc});
+		}
+		if (not defined($self->{vars}->{fl2000dc})) {
+			$self->setup_fl2000dc("$path/fl2000dc", $self->{vars}->{ad_dc});
+		}
+		return $target3->setup_admember("$path/ad_member",
+						$self->{vars}->{ad_dc},
+						$self->{vars}->{fl2008r2dc},
+						$self->{vars}->{fl2003dc},
+						$self->{vars}->{fl2000dc},
+						29);
 	} elsif ($envname eq "ad_dc") {
 		return $self->setup_ad_dc("$path/ad_dc");
 	} elsif ($envname eq "ad_dc_no_nss") {
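Review bot: the results of `setup_fl2008r2dc()`, `setup_fl2003dc()` and `setup_fl2000dc()` are not checked before their vars are passed on, so a failure in any of them silently hands undef hashes to `setup_admember()`. More importantly, ad_member now depends on four DCs being up, a large change in startup time and failure surface that a commit titled "Export TRUST information" does not mention; say so, and consider whether tests needing only ad_member plus ad_dc should keep a lighter env.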
-- 
1.9.1

-------------- next part --------------
From b140e8e545e776e5b45e94a5cf6d0a901e9c9043 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 16 Mar 2017 15:09:26 +0100
Subject: [PATCH 1/6] auth3: call is_trusted_domain() as the last condition
 make_user_info_map()

We should avoid contacting winbind if we already know the domain is our
local sam or our primary domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ffd60e0..ec597e8 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -134,9 +134,11 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	 * non-domain member box will also map to WORKSTATION\user.
 	 * This also deals with the client passing in a "" domain */
 
-	if (!upn_form && !is_trusted_domain(domain) &&
+	if (!upn_form &&
 	    !strequal(domain, my_sam_name()) &&
-	    !strequal(domain, get_global_sam_name())) {
+	    !strequal(domain, get_global_sam_name()) &&
+	    !is_trusted_domain(domain))
+	{
 		if (lp_map_untrusted_to_domain())
 			domain = my_sam_name();
 		else
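Review bot: moving `is_trusted_domain(domain)` to the end is a pure short-circuit reorder (all four conditions are side-effect-free tests), so behaviour is unchanged while the winbind round-trip is skipped for the local SAM name and the primary domain; the `{` on its own line after a multi-line condition matches Samba's coding style. Consider a one-line comment that the ordering is deliberate, otherwise a later "cleanup" can silently reintroduce the winbind call on every local logon.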
-- 
1.9.1


From bf12dcf89137daabd5491df07a82c942c2784d22 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:08:20 +0100
Subject: [PATCH 2/6] auth3: prepare the logic for "map untrusted to domain =
 auto"

This implements the same behavior as Windows:
we should pass the domain and account names given
by the client directly to the auth backends;
they can decide if they are able to process the
authentication or pass it to the next backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ec597e8..1021f2a 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -111,6 +111,7 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	bool was_mapped;
 	char *internal_username = NULL;
 	bool upn_form = false;
+	int map_untrusted = lp_map_untrusted_to_domain();
 
 	if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
 		upn_form = true;
@@ -134,15 +135,16 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	 * non-domain member box will also map to WORKSTATION\user.
 	 * This also deals with the client passing in a "" domain */
 
-	if (!upn_form &&
+	if (map_untrusted != Auto && !upn_form &&
 	    !strequal(domain, my_sam_name()) &&
 	    !strequal(domain, get_global_sam_name()) &&
 	    !is_trusted_domain(domain))
 	{
-		if (lp_map_untrusted_to_domain())
+		if (map_untrusted) {
 			domain = my_sam_name();
-		else
+		} else {
 			domain = get_global_sam_name();
+		}
 		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
 			  "workstation [%s]\n",
 			  client_domain, domain, smb_name, workstation_name));
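Review bot: with `map_untrusted == Auto` the whole block is skipped and `domain` reaches the auth backends untouched, which is the intended pass-through, but the comment above the condition (`non-domain member box will also map to WORKSTATION\user`) now describes only the `yes`/`no` modes and should say that `auto` performs no mapping here. Note also that `Auto` only becomes reachable once the parameter type is switched to `enum_bool_auto` in patch 4; until then the generated accessor returns a bool, so `map_untrusted != Auto` is always true and this patch is behaviour-neutral, which keeps the series bisectable.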
-- 
1.9.1


From 727425fc80df1f345e5546aa030b171695ff8f2c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 10 Jun 2017 13:30:44 +0200
Subject: [PATCH 3/6] docs-xml: improve documentation of "map untrusted to
 domain"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 .../smbdotconf/security/mapuntrustedtodomain.xml   | 25 +++++++++-------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index 496e7c2..a02948a 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -5,27 +5,22 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-    If a client connects to smbd using an untrusted domain name, such as
-    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name before
+    By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    if a client connects to smbd using an untrusted domain name, such as
+    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
+    (forcing local authentication) before
     attempting to authenticate that user.  In the case where smbd is acting as
-    a PDC this will be DOMAIN\user.  In the case where smbd is acting as a
+    a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
     domain member server or a standalone server this will be WORKSTATION\user.
     </para>
 
     <para>
-    In previous versions of Samba (pre 3.4), if smbd was acting as a domain
-    member server, the BOGUS domain name would instead be replaced by the
-    primary domain which smbd was a member of.  In this case authentication
-    would be deferred off to a DC using the credentials DOMAIN\user.
+    With <smbconfoption name="map untrusted to domain">yes</smbconfoption>,
+    smbd provides the legacy behavior matching that of versions of Samba pre 3.4:
+    the BOGUS domain name would always be replaced by the
+    primary domain before attempting to authenticate that user.
+    This will be DOMAIN\user in all server roles except active directory domain controller.
     </para>
-
-    <para>
-    When this parameter is set to <constant>yes</constant> smbd provides the
-    legacy behavior of mapping untrusted domain names to the primary domain.
-    When smbd is not acting as a domain member server, this parameter has no
-    effect.
-    </para>
-
 </description>
 
 <value type="default">no</value>
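Review bot: two wording fixes in the added lines: `it's SAM name` should be `its SAM name` (the typo is carried over from the removed line rather than corrected), and `a NT4 PDC/BDC` should read `an NT4 PDC/BDC`. The removed closing paragraph said the parameter has no effect unless smbd is a domain member, whereas the new `yes` text says the mapping yields DOMAIN\user in every role except AD DC; please confirm that a standalone server with `yes` really does map to DOMAIN\user, since that contradicts the statement just dropped.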
-- 
1.9.1


From 530e687eae81bba3a5a35f9d2a970b4d1c65b97b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:11:26 +0100
Subject: [PATCH 4/6] docs-xml: document "map untrusted to domain = auto"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 .../smbdotconf/security/mapuntrustedtodomain.xml   | 23 +++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index a02948a..095ce6e 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -1,10 +1,21 @@
 <samba:parameter name="map untrusted to domain"
                  context="G"
-                 type="boolean"
+                 type="enum"
+                 enumlist="enum_bool_auto"
                  deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
+    With <smbconfoption name="map untrusted to domain">auto</smbconfoption>
+    smbd will defer the decision whether the domain name provided by the
+    client is a valid domain name to the Domain Controller (DC) of
+    the domain it is a member of, if it is not a DC.  If the DC indicates
+    that the domain portion is unknown, then a local authentication is performed.
+    Standalone servers always ignore the domain.  This is basically the same as
+    the behavior implemented in Windows.
+    </para>
+
+    <para>
     By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
     if a client connects to smbd using an untrusted domain name, such as
     BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
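Review bot: switching `type` from `boolean` to `enum` with `enumlist="enum_bool_auto"` changes the return type of the generated `lp_map_untrusted_to_domain()` accessor, which is what patch 2's `int map_untrusted` and its `!= Auto` comparison rely on; existing `yes`/`no` settings keep parsing, so the change is compatible for users. In the new paragraph, "if it is not a DC" is attached ambiguously; consider "When smbd is a domain member (and not itself a DC), it defers the decision ... to a DC of its domain."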
@@ -12,6 +23,11 @@
     attempting to authenticate that user.  In the case where smbd is acting as
     a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
     domain member server or a standalone server this will be WORKSTATION\user.
+    While this appears similar to the behaviour of
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption>,
+    the difference is that smbd will use a cached (maybe incomplete) list
+    of trusted domains in order to classify a domain as "untrusted"
+    before contacting any DC first.
     </para>
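Review bot: "before contacting any DC first" is redundant ("before" and "first"); "without contacting any DC" states the point more plainly. Good that the text names the actual difference, the cached trusted-domain list consulted by `is_trusted_domain()` versus asking the DC, since an incomplete cache is exactly the failure mode that motivates `auto`.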
 
     <para>
@@ -21,6 +37,11 @@
     primary domain before attempting to authenticate that user.
     This will be DOMAIN\user in all server roles except active directory domain controller.
     </para>
+
+    <para>
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
+    with Samba 4.7.0.
+    </para>
 </description>
 
 <value type="default">no</value>
-- 
1.9.1


From 0dd775db376aca1b894677f6b82208ab87cc59cb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:11:26 +0100
Subject: [PATCH 5/6] docs-xml: change the default for "map untrusted to
 domain" to "auto"

This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/mapuntrustedtodomain.xml | 15 +++++++++++----
 lib/param/loadparm.c                                  |  2 ++
 source3/param/loadparm.c                              |  2 +-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index 095ce6e..f782a51 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -6,7 +6,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-    With <smbconfoption name="map untrusted to domain">auto</smbconfoption>
+    By default, and with <smbconfoption name="map untrusted to domain">auto</smbconfoption>
     smbd will defer the decision whether the domain name provided by the
     client is a valid domain name to the Domain Controller (DC) of
     the domain it is a member of, if it is not a DC.  If the DC indicates
@@ -16,7 +16,7 @@
     </para>
 
     <para>
-    By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
     if a client connects to smbd using an untrusted domain name, such as
     BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
     (forcing local authentication) before
@@ -39,10 +39,17 @@
     </para>
 
     <para>
+    <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    was the default up to Samba 4.6.
+    </para>
+
+    <para>
     <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
-    with Samba 4.7.0.
+    and become the default with Samba 4.7.0. As the option is marked as
+    <constant>deprecated</constant> it will be removed in a future release, while the behavior of
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption> will be kept.
     </para>
 </description>
 
-<value type="default">no</value>
+<value type="default">auto</value>
 </samba:parameter>
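Review bot: "and become the default" should read "and became the default", and the comma after `<smbconfoption name="map untrusted to domain">no</smbconfoption>,` in the new paragraph separates subject from verb and should go. This hunk also rewrites the "auto was added with Samba 4.7.0" paragraph that patch 4 introduces; squashing the two docs patches (or putting the final wording into patch 4) would avoid churn within the series. Since the option is announced as deprecated with `auto` behaviour kept, state what happens to explicit `yes`/`no` settings once the parameter is removed, so admins know which configs to clean up.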
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 860f3e2..9f32d7b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2835,6 +2835,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
 
+	lpcfg_do_global_parameter(lp_ctx, "map untrusted to domain", "auto");
+
 	lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
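Review bot: the s4 loadparm sets the default via the string `"auto"` while the s3 `init_globals()` hunk below assigns the `Auto` constant directly; both resolve to the same enum value, but the two default tables now have to be kept in sync by hand, so a short comment in each pointing at the other would help the next person who changes one of them.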
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 91ecba8..297a7e9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -859,7 +859,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.min_receivefile_size = 0;
 
-	Globals.map_untrusted_to_domain = false;
+	Globals.map_untrusted_to_domain = Auto;
 	Globals.multicast_dns_register = true;
 
 	Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
-- 
1.9.1


From b2877356927c4d485b7d238deb5af88ddc2024e0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Apr 2017 11:22:25 +0200
Subject: [PATCH 6/6] WHATSNEW: change the default for "map untrusted to
 domain" to "auto"

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8548e16..624193d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -102,7 +102,9 @@ smb.conf changes
   --------------                -----------             -------
   auth event notification       New parameter           no
   auth methods                  Deprecated
-  map untrusted to domain       Deprecated
+  map untrusted to domain       New value/              auto
+                                Default changed/
+                                Deprecated
   strict sync                   Default changed         yes
 
 Removal of lpcfg_register_defaults_hook()
-- 
1.9.1
