[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Stefan Metzmacher metze at samba.org
Fri Mar 10 15:31:34 UTC 2017


Hi,

> We have two entry points into winbind. One for ntlm_auth/smbd, and one
> for netlogond. ntlm_auth/smbd right now go through the pipe, but this
> is not set in stone, the main point is that netlogond has a special
> entry into winbind, the irpc interface.
> 
> The flow would be:
> 
> ntlm_auth goes to winbind through the pipe. As part of the pipe
> handler we ask netlogond over NCACN_UNIX.

Volker, I think you should use 'NCALRPC' instead of NCACN_UNIX_STREAM
in your patchset :-)

> Essentially what we need is a way for winbind to tell netlogond that
> it should not ask winbind over irpc in the unknown domain / uncached
> pwd case but return NO_SUCH_USER/!authoritative. How we do that is
> mechanics. Different socket name for ncacn_unix, different schannel
> type, metze even mentioned that a new, private dcerpc interface idl
> would be possible. A new rpc interface could also enable passing more
> information to netlogon for logging purposes. Client IP address for
> example comes to mind.

I think it would be better to use custom calls in both directions,
from winbindd to the netlogon server and the other direction.

BTW: what's the error message from an RODC for an existing user
without cached password if no RWDC is reachable?

>> The other case we have to support, which is more difficult, is that
>> when we are an RODC or even a full DC, we should present wrong password
>> to the PDC emulator.  On the RODC this allows the bad password count to
>> be updated (otherwise it can't be stored anywhere), and on an RW DC it
>> is intended to give the user a second chance to authenticate with their
>> new password before replication catches up.
> 
> Every logon failure against a DC via netlogon triggers a callback to
> the PDC emulator done by the DC? Wow, I did not know that. Need to
> think about it.

Andrew, are you referring to the netr_LogonSendToSam() calls shown in
[MS-ADOD]?

3.2.5 Example 5: Change a User Account's Password Against a Non-PDC DC
https://msdn.microsoft.com/en-us/library/hh872148.aspx

and

3.2.6 Example 6: Update the User's lastLogOnTimeStamp Against an RODC
When the User Binds to an LDAP Server
https://msdn.microsoft.com/en-us/library/hh872036.aspx

I guess logonCount, badPwdCount and badPasswordTime are still maintained
on the RODC itself as these attributes are marked with
FLAG_ATTR_NOT_REPLICATED.

It would be interesting to see what a non-pdc emulator will do with
failing LogonSamLogon calls and if there's a difference between
interactive and network logons.

metze
