[PATCH] Ask local netlogon pipe on an AD DC

Volker Lendecke vl at samba.org
Thu Mar 2 08:47:19 UTC 2017


On Thu, Mar 02, 2017 at 06:20:25AM +0100, Volker Lendecke wrote:
> On Thu, Mar 02, 2017 at 12:13:58PM +1300, Andrew Bartlett wrote:
> > The issue is that we use the same call for the 'implement auth_winbind'
> > and the 'back ntlm_auth' cases.  As you know, the needs for these two
> > are very different - we don't want winbindd re-checking passwords
> > already checked against the sam in smbd, but we do want ntlm_auth to
> > work for local accounts (and?) on a DC.
> 
> I believe all this is really making it more complicated than it really
> is. The only complicated thing is the crypto behind NTLM. The rest
> is just plumbing. We must walk a list of authorities and ask them one
> by one, not duplicating queries.
> 
> First we need to ask guest, then we need to look at the local sam.
> This can become complicated in the dsdb case due to different upn
> suffixes and so on.
> 
> If local sam says "not for me", we need to ask the domain(s) we trust.
> On a member, that's "our" dc. On a classic DC, that's normal
> auth_winbind, on an AD DC, we don't have the code yet.  This will need
> the domain routing table.
> 
> If we get a "Dunno" from there too, then we need to fork the use
> cases: netlogond needs to return this to the client, local sesssetup
> (or altercontext for that matter) needs to ask the local sam again
> with "hey, sam_ignoredomain".
> 
> Does that mean we look at the local sam twice? Yes, in the local
> sesssetup case. But with completely different intentions. Once with
> the raw client domain/username combo, once with an "ignore the domain
> piece".
> 
> What I am trying to do with the patch is reducing the number of places
> that call "make_auth_context_x" in its different flavors and make this
> routing of the auth request more obvious.

Starting a design: On an AD DC, netlogond should be the only one
looking at dsdb for ntlm. Really the only one. If it does not know
about the domain, it asks winbind to do all the remote routing. That
might be the irpc call to winbind.

Sesssetup, ldapbind, altercontext, ntlm_auth and friends go to winbind
with the pipe protocol. This also asks netlogond over ncacn_unix. If
netlogond comes back to winbind for remote routing, that's no
real problem, this is over irpc that does not look locally. As an
optimization we could add a flag to the winbind->netlogond call saying
"Hey, I'm winbind, I will route on NOT_IMPLEMENTED myself". But that's
an optimization.

Volker
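The routing described in the quoted reply (guest, then the local sam, then the trusted domains, then a fork on "Dunno" between the netlogon path and the local sesssetup path) as a small runnable model. This is an added illustration, not Samba code: the class names, the plaintext password stand-in for the NTLM exchange, and the sample users and domains are all constructed for the example, and the real implementation talks to winbind and netlogond over IPC rather than calling Python functions.

```python
"""Model of the auth routing chain from the quoted reply.

Each authority is asked once, in order, and the first definite answer
wins.  Only the local session-setup path asks the local sam a second
time, with the client-supplied domain ignored, which is a different
question rather than a duplicate query.  All names here are constructed
for the illustration; they are not Samba's own APIs.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    OK = "NT_STATUS_OK"
    LOGON_FAILURE = "NT_STATUS_LOGON_FAILURE"
    NO_SUCH_USER = "NT_STATUS_NO_SUCH_USER"   # the "not for me" / "Dunno" answer


@dataclass
class AuthRequest:
    domain: str
    user: str
    password: str                 # constructed: stands in for the NTLM response
    ignore_domain: bool = False   # the "sam_ignoredomain" intention


@dataclass
class LocalSam:
    """Stands in for the local passdb/dsdb authority."""
    names: set    # domain names it answers for: NetBIOS name plus UPN suffixes
    users: dict   # user -> password, constructed sample data

    def check(self, req, log):
        log.append(("local_sam", req.ignore_domain))
        if not req.ignore_domain and req.domain.upper() not in self.names:
            return Status.NO_SUCH_USER
        pw = self.users.get(req.user.lower())
        if pw is None:
            return Status.NO_SUCH_USER
        return Status.OK if pw == req.password else Status.LOGON_FAILURE


@dataclass
class TrustRouter:
    """Stands in for winbind and its domain routing table."""
    trusted: dict   # domain -> {user: password}, constructed sample data

    def check(self, req, log):
        log.append(("winbind", req.ignore_domain))
        users = self.trusted.get(req.domain.upper())
        if users is None:
            return Status.NO_SUCH_USER
        pw = users.get(req.user.lower())
        if pw is None:
            return Status.NO_SUCH_USER
        return Status.OK if pw == req.password else Status.LOGON_FAILURE


def guest(req, log):
    """Guest is asked first; it only claims an empty user and password."""
    log.append(("guest", req.ignore_domain))
    if req.user == "" and req.password == "":
        return Status.OK
    return Status.NO_SUCH_USER


def walk(authorities, req, log):
    """Ask each authority once, in order; the first definite answer wins."""
    for check in authorities:
        status = check(req, log)
        if status is not Status.NO_SUCH_USER:
            return status
    return Status.NO_SUCH_USER


def netlogond_auth(sam, router, req):
    """Netlogon path: a "Dunno" from the whole chain goes back to the client."""
    log = []
    status = walk([guest, sam.check, router.check], req, log)
    return status, log


def sesssetup_auth(sam, router, req):
    """Local session-setup path: on "Dunno", ask the local sam a second time,
    now with the domain part ignored."""
    log = []
    status = walk([guest, sam.check, router.check], req, log)
    if status is Status.NO_SUCH_USER:
        retry = AuthRequest(req.domain, req.user, req.password, ignore_domain=True)
        status = sam.check(retry, log)
    return status, log


# Constructed sample data: one local domain with a UPN suffix, one trusted domain.
SAM = LocalSam(names={"EXAMPLE", "EXAMPLE.COM"}, users={"alice": "s3cret"})
ROUTER = TrustRouter(trusted={"TRUSTED": {"bob": "hunter2"}})


if __name__ == "__main__":
    for path in (netlogond_auth, sesssetup_auth):
        status, log = path(SAM, ROUTER, AuthRequest("WORKGROUP", "alice", "s3cret"))
        print(path.__name__, status.value, log)
```

Running it with a request for WORKGROUP\alice shows the difference between the two callers: the netlogon path returns NO_SUCH_USER after asking guest, the local sam and winbind once each, while the session-setup path goes back to the local sam with ignore_domain set and succeeds. A wrong password for a local user is answered by the local sam alone; winbind is never consulted.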


