[PATCH] Ask local netlogon pipe on an AD DC

Volker Lendecke vl at samba.org
Thu Mar 2 05:20:25 UTC 2017


On Thu, Mar 02, 2017 at 12:13:58PM +1300, Andrew Bartlett wrote:
> The issue is that we use the same call for the 'implement auth_winbind'
> and the 'back ntlm_auth' cases.  As you know, the needs for these two
> are very different - we don't want winbindd re-checking passwords
> already checked against the sam in smbd, but we do want ntlm_auth to
> work for local accounts (and?) on a DC.

I believe all this is really making it more complicated than it really
is. The only complicated thing is the crypto behind NTLM. The rest
is just plumbing. We must walk a list of authorities and ask them one
by one, not duplicating queries.

First we need to ask guest, then we need to look at the local sam.
This can become complicated in the dsdb case due to different upn
suffixes and so on.

If local sam says "not for me", we need to ask the domain(s) we trust.
On a member, that's "our" dc. On a classic DC, that's normal
auth_winbind; on an AD DC, we don't have the code yet.  This will need
the domain routing table.

If we get a "Dunno" from there too, then we need to fork the use
cases: netlogond needs to return this to the client, local sesssetup
(or altercontext for that matter) needs to ask the local sam again
with "hey, sam_ignoredomain".

Does that mean we look at the local sam twice? Yes, in the local
sesssetup case. But with completely different intentions. Once with
the raw client domain/username combo, once with a "ignore the domain
piece".

What I am trying to do with the patch is to reduce the number of places
that call "make_auth_context_x" in its different flavors and to make this
routing of the auth request more obvious.

Volker
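The routing Volker lays out above (guest, then the local sam with the raw domain/username, then the trusted domains, then a fork between the netlogon and local session-setup cases) can be written down as a plain list walk. The block below is an added illustration, not code from this thread or from Samba: `auth_result`, `route_auth`, the `check_*` functions, `USE_CASE_*`, the `LOCAL_DOMAIN` / `local_sam` / `trusted_dc` tables and the accounts in them are all hypothetical stand-ins for Samba's auth_context and auth methods, and the accounts are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the routing described in the mail; not Samba code.
 * Every name here is a hypothetical stand-in for Samba's real auth plumbing. */

typedef enum {
    AUTH_OK,          /* credentials accepted by a responsible authority */
    AUTH_NOT_FOR_ME,  /* "dunno": this authority is not responsible, ask the next one */
    AUTH_FAILED       /* a responsible authority rejected the password: stop walking */
} auth_result;

typedef enum { USE_CASE_NETLOGON, USE_CASE_LOCAL_SESSSETUP } auth_use_case;

typedef struct {
    const char *domain;
    const char *user;
    const char *password;
} account;

typedef account auth_request;  /* same shape: the raw domain/user/password the client sent */

/* Constructed sample data: one local account and one account in a trusted domain. */
#define LOCAL_DOMAIN "FILESERVER"
static const account local_sam[]  = { { LOCAL_DOMAIN, "alice", "wonderland" } };
static const account trusted_dc[] = { { "CORP", "bob", "builder" } };

/* Look a name up in one authority's table. ignore_domain models sam_ignoredomain:
 * match on the username alone, whatever domain the client supplied. */
static auth_result lookup(const account *tbl, size_t n, const auth_request *r, bool ignore_domain)
{
    for (size_t i = 0; i < n; i++) {
        if (!ignore_domain && strcmp(tbl[i].domain, r->domain) != 0) continue;
        if (strcmp(tbl[i].user, r->user) != 0) continue;
        return strcmp(tbl[i].password, r->password) == 0 ? AUTH_OK : AUTH_FAILED;
    }
    return AUTH_NOT_FOR_ME;  /* unknown here: let the next authority have a look */
}

static auth_result check_guest(const auth_request *r)
{
    return r->user[0] == '\0' ? AUTH_OK : AUTH_NOT_FOR_ME;
}

static auth_result check_local_sam(const auth_request *r, bool ignore_domain)
{
    return lookup(local_sam, sizeof local_sam / sizeof local_sam[0], r, ignore_domain);
}

/* Stand-in for "our" DC / auth_winbind / the domain routing table. */
static auth_result check_trusted_domains(const auth_request *r)
{
    return lookup(trusted_dc, sizeof trusted_dc / sizeof trusted_dc[0], r, false);
}

/* Walk the authorities in order; the first one that does not say "dunno" decides. */
auth_result route_auth(const auth_request *r, auth_use_case uc)
{
    auth_result res;

    if ((res = check_guest(r)) != AUTH_NOT_FOR_ME) return res;
    if ((res = check_local_sam(r, false)) != AUTH_NOT_FOR_ME) return res;
    if ((res = check_trusted_domains(r)) != AUTH_NOT_FOR_ME) return res;

    /* Nobody claimed the request. netlogon hands the "dunno" back to the
     * client; a local session setup asks the local sam once more, this time
     * ignoring the domain piece. If the domain already was ours, the first
     * pass has looked at exactly that sam entry, so the second look would
     * only duplicate the query and is skipped. */
    if (uc == USE_CASE_NETLOGON) return AUTH_NOT_FOR_ME;
    if (strcmp(r->domain, LOCAL_DOMAIN) == 0) return AUTH_NOT_FOR_ME;
    return check_local_sam(r, true);
}

int main(void)
{
    /* A local user logging in with a domain nobody is responsible for. */
    const auth_request stray = { "WORKGROUP", "alice", "wonderland" };
    printf("netlogon:  %d\n", route_auth(&stray, USE_CASE_NETLOGON));        /* 1 = AUTH_NOT_FOR_ME */
    printf("sesssetup: %d\n", route_auth(&stray, USE_CASE_LOCAL_SESSSETUP)); /* 0 = AUTH_OK */
    return 0;
}
```

The point the example makes concrete is the fork: the same "WORKGROUP\alice" request is a "dunno" for the netlogon server but succeeds for a local session setup, because only the latter is allowed the second, domain-ignoring look at the local sam. A wrong password from a responsible authority ends the walk with AUTH_FAILED rather than falling through to later authorities.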
