[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Stefan Metzmacher metze at samba.org
Thu Jun 15 21:33:14 UTC 2017


Am 11.06.2017 um 23:06 schrieb Stefan Metzmacher via samba-technical:
> Am 10.04.2017 um 09:08 schrieb Stefan Metzmacher via samba-technical:
>> Hi Andrew,
>>
>>> Thanks.  For the manpage, try:
>>>
>>> By default, and with <smbconfoption name="map untrusted to
>>> domain">auto</smbconfoption> smbd will defer the mapping decision to
>>> the Domain Controller (DC) of the domain it is a member of, if it is
>>> not a DC.  If the DC indicates that the domain portion is unknown, then
>>> a local authentication is performed.  Standalone servers always ignore
>>> the domain.  This is basically the same as the behavior implemented in
>>> Windows.
>>>
>>> With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
>>> if a client connects to smbd using an untrusted domain name, such as
>>>      BOGUS\user, smbd replaces the BOGUS domain with its SAM name
>>> (forcing local authentication) before
>>>      attempting to authenticate that user.  While this appears similar
>>> to the default behaviour of <smbconfoption name="map untrusted to
>>> domain">auto</smbconfoption>, the difference is that smbd does not
>>> contact any DC first in this case, and so must intuit locally whether the
>>> domain is trusted or not.
>>>      </para>
>>>  
>>>      <para>
>>> With <smbconfoption name="map untrusted to
>>> domain">yes</smbconfoption>, smbd provides the
>>>      legacy behavior matching that of versions of Samba pre 3.4: if
>>> smbd was acting as a domain
>>>      member server, the BOGUS domain name would instead be replaced by
>>> the
>>>      primary domain which smbd was a member of.  In this case
>>> authentication
>>>      would be deferred off to a DC using the credentials DOMAIN\user.  
>>>      </para>
>>>  
>>>      <para>
>>> +    <smbconfoption name="map untrusted to domain">no</smbconfoption>,
>>> +    was the default up to Samba 4.6.
>>> +    </para>
>>> +
>>> +    <para>
>>>      When smbd is acting as a standalone server, this parameter has no
>>>      effect.
>>>      </para>
>>>  
>>>
>>> Finally, can you think of a situation that which will change when you
>>> change the default in 'docs-xml: change the default for "map untrusted
>>> to domain" to "auto"'?  Would UPNs behave differently?
>>
>> It makes a big difference for one-way trusts, see
>> https://bugzilla.samba.org/show_bug.cgi?id=8630
>>
>> If you have the following situation:
>>
>> childa.foresta.example.com <-> foresta.example.com <- one-way
>> forest-trust -> forestb.example.com
>>
>> forestb trusts foresta and we're a member of the domain forestb (MEMBERB).
>>
>> When we get an authentication for CHILDA\userchilda, it would
>> get mapped to MEMBERB\userchilda, because winbindd on MEMBERB doesn't have
>> CHILDA in the list of trusted domains; it doesn't have permission to list
>> the domains in foresta.
>>
>> The key is that we skip is_trusted_domain() and just blindly pass the
>> authentication for CHILDA\userchilda to winbindd, and winbindd just
>> uses its default route (the primary domain on a member server) to forward
>> it to a DC (e.g. DC-A1) of the domain FORESTB. DC-A1 is able to establish
>> a netlogon schannel connection to a DC of FORESTA and call
>> netr_GetForestTrustInformation(). So DC-A1 knows the correct route to CHILDA.
>>
>> I'll try to add a one-way trust test to autobuild.
> 
> After trying to add a test I realized that we can't support such a setup
> with our current ADDC capabilities yet:-(
> 
> However, I have some patches for selftest to add a one-way trust; it's
> not yet used, but it will make it easier to add tests once
> I've added support for NTLM trusts.
> 
> The two attached patchsets are in private autobuilds currently.

Some selftest patches are already in master, the rest needs more
work.

As the selftests are not directly attached to the
bug8630-v4.patches.txt changes, are there any objections against
the patches in bug8630-v4.patches.txt? Sadly it's not possible
to have regression tests for the problem yet, but it still
passes all existing tests and fixes a long outstanding real world problem...

I've attached the current state on top of master...

Please review and push:-)

Thanks!
metze
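To make the one-way-trust case described above concrete, the following is an added model of the "map untrusted to domain" decision for the three settings. It is not Samba's make_user_info_map() code; it only mirrors the condition order the patches describe (local string compares first, the cached trusted-domain list last, no rewriting under "auto" or for UPN logons). The server names (MEMBERB joined to FORESTB, FORESTA visible, CHILDA missing from winbindd's cache) are a constructed scenario taken from the mail, and the enum values follow Samba's convention that Auto is 2.

```c
/*
 * Added model of smbd's "map untrusted to domain" decision, written for this
 * thread as an illustration; it is not Samba's make_user_info_map() code.
 * Constructed scenario: a member server MEMBERB joined to FORESTB, whose
 * winbindd can enumerate FORESTA but not the child domain CHILDA behind the
 * one-way forest trust.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Samba's bool-or-auto enum: "no" == 0, "yes" == 1, Auto == 2. */
enum map_untrusted { MAP_NO = 0, MAP_YES = 1, MAP_AUTO = 2 };

struct member_server {
	const char *workstation;     /* local SAM name of a member server */
	const char *primary_domain;  /* the domain the server is joined to */
	const char **trusted_cache;  /* NULL-terminated list winbindd could enumerate */
};

/* Stand-in for is_trusted_domain(): consults only the cached list. */
static bool cached_trusted(const struct member_server *s, const char *domain)
{
	for (const char **p = s->trusted_cache; *p != NULL; p++) {
		if (strcasecmp(*p, domain) == 0) {
			return true;
		}
	}
	return false;
}

/*
 * Returns the domain the auth backends will see for client_domain\user.
 * Under "auto" (and for UPN logons) the client-supplied domain is passed
 * through untouched, so winbindd and the DC make the trust decision.
 */
const char *map_client_domain(const struct member_server *s,
			      enum map_untrusted setting,
			      const char *client_domain, bool upn_form)
{
	if (setting == MAP_AUTO || upn_form) {
		return client_domain;
	}
	if (strcasecmp(client_domain, s->primary_domain) == 0 ||
	    strcasecmp(client_domain, s->workstation) == 0 ||
	    cached_trusted(s, client_domain)) {
		return client_domain;            /* known locally, keep it */
	}
	/* classified "untrusted" by the cache: yes -> DOMAIN\user, no -> WORKSTATION\user */
	return setting == MAP_YES ? s->primary_domain : s->workstation;
}

/* Constructed cache: FORESTA is visible, CHILDA is not. */
static const char *memberb_cache[] = { "FORESTA", NULL };
const struct member_server memberb = {
	.workstation = "MEMBERB",
	.primary_domain = "FORESTB",
	.trusted_cache = memberb_cache,
};

int main(void)
{
	static const enum map_untrusted settings[] = { MAP_NO, MAP_YES, MAP_AUTO };
	static const char *names[] = { "no", "yes", "auto" };
	size_t i;

	for (i = 0; i < 3; i++) {
		printf("map untrusted to domain = %-4s  CHILDA\\userchilda -> %s\\userchilda\n",
		       names[i],
		       map_client_domain(&memberb, settings[i], "CHILDA", false));
	}
	return 0;
}
```

Running it shows the misrouting the thread describes: with "no" the CHILDA logon is turned into a local MEMBERB\userchilda attempt and with "yes" into FORESTB\userchilda, both of which cannot succeed for a CHILDA account; only "auto" leaves CHILDA\userchilda intact for the FORESTB DC, which can resolve the route via the forest trust information.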

-------------- next part --------------
From 5f0cff55264a12cda3819f19dfb8dc359c81f323 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 16 Mar 2017 15:09:26 +0100
Subject: [PATCH 1/6] auth3: call is_trusted_domain() as the last condition
 in make_user_info_map()

We should avoid contacting winbind if we already know the domain is our
local sam or our primary domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ffd60e0..ec597e8 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -134,9 +134,11 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	 * non-domain member box will also map to WORKSTATION\user.
 	 * This also deals with the client passing in a "" domain */
 
-	if (!upn_form && !is_trusted_domain(domain) &&
+	if (!upn_form &&
 	    !strequal(domain, my_sam_name()) &&
-	    !strequal(domain, get_global_sam_name())) {
+	    !strequal(domain, get_global_sam_name()) &&
+	    !is_trusted_domain(domain))
+	{
 		if (lp_map_untrusted_to_domain())
 			domain = my_sam_name();
 		else
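Review bot: evaluating is_trusted_domain() last is the right short-circuit order, since the two strequal() checks against my_sam_name() and get_global_sam_name() are local string compares while is_trusted_domain() can involve a winbindd round trip; because all four conditions are ANDed this changes only the cost, not the outcome. The single-statement `if (lp_map_untrusted_to_domain())` / `else` in the trailing context still has no braces; worth adding them while this block is being touched.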
-- 
1.9.1


From 952b2426536b3cc7f8fbff1d4d700dfb7e91f733 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:08:20 +0100
Subject: [PATCH 2/6] auth3: prepare the logic for "map untrusted to domain =
 auto"

This implements the same behavior as Windows: we should pass
the domain and account names given by the client directly to
the auth backends; they can decide whether they are able to
process the authentication or pass it to the next backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ec597e8..1021f2a 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -111,6 +111,7 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	bool was_mapped;
 	char *internal_username = NULL;
 	bool upn_form = false;
+	int map_untrusted = lp_map_untrusted_to_domain();
 
 	if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
 		upn_form = true;
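Review bot: `map_untrusted` is declared `int` and is later compared with `Auto`, but at this point in the series the parameter is still declared `type="boolean"` in docs-xml, so the generated lp_map_untrusted_to_domain() yields only true/false and the `Auto` branch is inert until the later docs-xml patch switches the type to `enum`. That keeps every intermediate commit behaving as before, which is good for bisecting, but the commit message should say that "auto" has no effect until the type change lands.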
@@ -134,15 +135,16 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	 * non-domain member box will also map to WORKSTATION\user.
 	 * This also deals with the client passing in a "" domain */
 
-	if (!upn_form &&
+	if (map_untrusted != Auto && !upn_form &&
 	    !strequal(domain, my_sam_name()) &&
 	    !strequal(domain, get_global_sam_name()) &&
 	    !is_trusted_domain(domain))
 	{
-		if (lp_map_untrusted_to_domain())
+		if (map_untrusted) {
 			domain = my_sam_name();
-		else
+		} else {
 			domain = get_global_sam_name();
+		}
 		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
 			  "workstation [%s]\n",
 			  client_domain, domain, smb_name, workstation_name));
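Review bot: with `map_untrusted == Auto` the whole mapping block is skipped and the client-supplied domain reaches the auth backends unchanged, which matches the commit message, but nothing is logged on that path; a DEBUG(5, ...) line saying the domain was passed through for the backends and DC to decide would help an administrator diagnosing why a BOGUS\user logon now ends up at winbindd instead of the local SAM. Adding braces to the if/else is a welcome style fix.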
-- 
1.9.1


From 8b49d6798a06103050914af86bfc09821793044f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 10 Jun 2017 13:30:44 +0200
Subject: [PATCH 3/6] docs-xml: improve documentation of "map untrusted to
 domain"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 .../smbdotconf/security/mapuntrustedtodomain.xml   | 25 +++++++++-------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index 496e7c2..a02948a 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -5,27 +5,22 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-    If a client connects to smbd using an untrusted domain name, such as
-    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name before
+    By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    if a client connects to smbd using an untrusted domain name, such as
+    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
+    (forcing local authentication) before
     attempting to authenticate that user.  In the case where smbd is acting as
-    a PDC this will be DOMAIN\user.  In the case where smbd is acting as a
+    a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
     domain member server or a standalone server this will be WORKSTATION\user.
     </para>
 
     <para>
-    In previous versions of Samba (pre 3.4), if smbd was acting as a domain
-    member server, the BOGUS domain name would instead be replaced by the
-    primary domain which smbd was a member of.  In this case authentication
-    would be deferred off to a DC using the credentials DOMAIN\user.
+    With <smbconfoption name="map untrusted to domain">yes</smbconfoption>,
+    smbd provides the legacy behavior matching that of versions of Samba pre 3.4:
+    the BOGUS domain name would always be replaced by the
+    primary domain before attempting to authenticate that user.
+    This will be DOMAIN\user in all server roles except active directory domain controller.
     </para>
-
-    <para>
-    When this parameter is set to <constant>yes</constant> smbd provides the
-    legacy behavior of mapping untrusted domain names to the primary domain.
-    When smbd is not acting as a domain member server, this parameter has no
-    effect.
-    </para>
-
 </description>
 
 <value type="default">no</value>
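Review bot: two wording nits in the added lines: `it's SAM name` should be `its SAM name`, and `a NT4 PDC/BDC` should be `an NT4 PDC/BDC`. The rewritten second paragraph says the BOGUS domain "would always be replaced by the primary domain" for `yes` but drops the consequence the deleted text spelled out ("authentication would be deferred off to a DC using the credentials DOMAIN\user"); keeping that sentence makes clear to the reader that `yes` sends the logon to a DC while `no` forces a local one.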
-- 
1.9.1


From 5f3bdd65ec6791a12fd0bac962089929db41b6a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:11:26 +0100
Subject: [PATCH 4/6] docs-xml: document "map untrusted to domain = auto"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 .../smbdotconf/security/mapuntrustedtodomain.xml   | 23 +++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index a02948a..095ce6e 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -1,10 +1,21 @@
 <samba:parameter name="map untrusted to domain"
                  context="G"
-                 type="boolean"
+                 type="enum"
+                 enumlist="enum_bool_auto"
                  deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
+    With <smbconfoption name="map untrusted to domain">auto</smbconfoption>
+    smbd will defer the decision whether the domain name provided by the
+    client is a valid domain name to the Domain Controller (DC) of
+    the domain it is a member of, if it is not a DC.  If the DC indicates
+    that the domain portion is unknown, then a local authentication is performed.
+    Standalone servers always ignore the domain.  This is basically the same as
+    the behavior implemented in Windows.
+    </para>
+
+    <para>
     By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
     if a client connects to smbd using an untrusted domain name, such as
     BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
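Review bot: changing `type` from boolean to enum with `enumlist="enum_bool_auto"` changes the generated accessor and Globals field from bool to int, so every existing caller of lp_map_untrusted_to_domain() needs checking that it does not treat the value as a plain truth value, because `auto` would then read as `yes`; the explicit comparison against `Auto` in the auth3 patch of this series is the right pattern. In the new paragraph, "whether the domain name provided by the client is a valid domain name" would be clearer as "is a known (trusted) domain name", since validity is not what the DC decides.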
@@ -12,6 +23,11 @@
     attempting to authenticate that user.  In the case where smbd is acting as
     a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
     domain member server or a standalone server this will be WORKSTATION\user.
+    While this appears similar to the behaviour of
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption>,
+    the difference is that smbd will use a cached (maybe incomplete) list
+    of trusted domains in order to classify a domain as "untrusted"
+    before contacting any DC first.
     </para>
 
     <para>
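Review bot: the added sentence is the key one for administrators: under `no` the classification relies on a cached and possibly incomplete trusted-domain list, so a domain winbindd could not enumerate (a child domain behind a one-way forest trust, as the thread describes) is misclassified as untrusted and the logon is silently turned into a local one. Suggest saying "misclassified" explicitly and dropping the redundant "first" in "before contacting any DC first".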
@@ -21,6 +37,11 @@
     primary domain before attempting to authenticate that user.
     This will be DOMAIN\user in all server roles except active directory domain controller.
     </para>
+
+    <para>
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
+    with Samba 4.7.0.
+    </para>
 </description>
 
 <value type="default">no</value>
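Review bot: the version note is useful, but since the parameter carries `deprecated="1"` the paragraph should also say what happens to explicitly configured values when the option is removed; otherwise an administrator cannot tell whether pinning `no` or `yes` is a supported long-term choice.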
-- 
1.9.1


From eacb8d79245bf6fc39c5d421f797dd7ae6c6039d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 12:11:26 +0100
Subject: [PATCH 5/6] docs-xml: change the default for "map untrusted to
 domain" to "auto"

This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/mapuntrustedtodomain.xml | 15 +++++++++++----
 lib/param/loadparm.c                                  |  2 ++
 source3/param/loadparm.c                              |  2 +-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
index 095ce6e..f782a51 100644
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
@@ -6,7 +6,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>
-    With <smbconfoption name="map untrusted to domain">auto</smbconfoption>
+    By default, and with <smbconfoption name="map untrusted to domain">auto</smbconfoption>
     smbd will defer the decision whether the domain name provided by the
     client is a valid domain name to the Domain Controller (DC) of
     the domain it is a member of, if it is not a DC.  If the DC indicates
@@ -16,7 +16,7 @@
     </para>
 
     <para>
-    By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
     if a client connects to smbd using an untrusted domain name, such as
     BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
     (forcing local authentication) before
@@ -39,10 +39,17 @@
     </para>
 
     <para>
+    <smbconfoption name="map untrusted to domain">no</smbconfoption>,
+    was the default up to Samba 4.6.
+    </para>
+
+    <para>
     <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
-    with Samba 4.7.0.
+    and become the default with Samba 4.7.0. As the option is marked as
+    <constant>deprecated</constant> it will be removed in a future release, while the behavior of
+    <smbconfoption name="map untrusted to domain">auto</smbconfoption> will be kept.
     </para>
 </description>
 
-<value type="default">no</value>
+<value type="default">auto</value>
 </samba:parameter>
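Review bot: grammar in the added text: "and become the default" should be "and became the default", and the comma after `<smbconfoption name="map untrusted to domain">no</smbconfoption>,` is stray. The sentence promising that the `auto` behaviour "will be kept" after removal is exactly what an upgrading administrator needs; consider also stating that an explicit `yes` or `no` will then be ignored, so pinned configurations get reviewed before upgrade.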
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 860f3e2..9f32d7b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2835,6 +2835,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
 
+	lpcfg_do_global_parameter(lp_ctx, "map untrusted to domain", "auto");
+
 	lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
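Review bot: setting the lib/param default to "auto" alongside the source3 Globals change keeps the two loadparm implementations in agreement; since nothing in this series shows a lib/param consumer of the value, a short comment that the line mirrors the source3 default would stop someone later removing it as dead configuration.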
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 91ecba8..297a7e9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -859,7 +859,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.min_receivefile_size = 0;
 
-	Globals.map_untrusted_to_domain = false;
+	Globals.map_untrusted_to_domain = Auto;
 	Globals.multicast_dns_register = true;
 
 	Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
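Review bot: assigning `Auto` to `Globals.map_untrusted_to_domain` is only correct once the field is generated as an int from the enum declaration; with the old `type="boolean"` the assignment would silently collapse to true, i.e. behave as `yes`. The docs-xml type change sits in an earlier patch of this series so the order is right, but the two must not be cherry-picked separately; the commit message should say so.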
-- 
1.9.1


From ae6627e23fe2564134ad761ca608aa30f554988c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Apr 2017 11:22:25 +0200
Subject: [PATCH 6/6] WHATSNEW: change the default for "map untrusted to
 domain" to "auto"

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1a36e88..8b646f9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -102,7 +102,9 @@ smb.conf changes
   --------------                -----------             -------
   auth event notification       New parameter           no
   auth methods                  Deprecated
-  map untrusted to domain       Deprecated
+  map untrusted to domain       New value/              auto
+                                Default changed/
+                                Deprecated
   profile acls                  Deprecated
   strict sync                   Default changed         yes
 
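Review bot: the table row records the mechanics (new value, default changed, deprecated), but readers upgrading will want one sentence on what `auto` does differently from the previous default `no`: untrusted domain names are no longer rewritten to the local SAM name but handed to winbindd and the DC, which changes which logons succeed for one-way-trust setups. A short paragraph near the table would carry that.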
-- 
1.9.1
