[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Sun Mar 12 20:59:29 UTC 2017


On Fri, 2017-03-10 at 16:31 +0100, Stefan Metzmacher wrote:
> Hi,

> > Essentially what we need is a way for winbind to tell netlogond that
> > it should not ask winbind over irpc in the unknown domain / uncached
> > pwd case but return NO_SUCH_USER/!authoritative. How we do that is
> > mechanics. Different socket name for ncacn_unix, different schannel
> > type, metze even mentioned that a new, private dcerpc interface idl
> > would be possible. A new rpc interface could also enable passing more
> > information to netlogon for logging purposes. Client IP address for
> > example comes to mind.
> 
> I think it would be better to use custom calls in both directions,
> from winbindd to the netlogon server and the other direction.
> 
> BTW: what's the error message from an RODC for an existing user
> without cached password if no RWDC is reachable?

I don't know, but Douglas did a pile of work building RODC tests last
year.  Sadly we didn't get them to a point where they could be part of
make test (particularly because of difficulty making the RWDC
unreachable on demand), but it is on our 'soon' agenda to work on.

> > > The other case we have to support, which is more difficult, is that
> > > when we are an RODC or even a full DC, we should present wrong
> > > password to the PDC emulator.  On the RODC this allows the bad
> > > password count to be updated (otherwise it can't be stored
> > > anywhere), and on an RW DC it is intended to give the user a second
> > > chance to authenticate with their new password before replication
> > > catches up.
> > 
> > Every logon failure against a DC via netlogon triggers a callback to
> > the PDC emulator done by the DC? Wow, I did not know that. Need to
> > think about it.
> 
> Andrew, are you referring to the netr_LogonSendToSam() calls shown in
> [MS-ADOD] ?
> 
> 3.2.5 Example 5: Change a User Account's Password Against a Non-PDC DC
> https://msdn.microsoft.com/en-us/library/hh872148.aspx
> 
> and
> 
> 3.2.6 Example 6: Update the User's lastLogOnTimeStamp Against an RODC
> When the User Binds to an LDAP Server
> https://msdn.microsoft.com/en-us/library/hh872036.aspx
> 
> I guess logonCount, badPwdCount and badPasswordTime are still
> maintained on the RODC itself as these attributes are marked with
> FLAG_ATTR_NOT_REPLICATED.
> 
> It would be interesting to see what a non-pdc emulator will do with
> failing LogonSamLogon calls and if there's a difference between
> interactive and network logons.

I've not looked up the docs for the mechanics, but I have seen it
clearly in traces that a wrong password is forwarded to the DC.
LogonSendToSam certainly looks like a very interesting and important
call to support.

Thanks,

Andrew Bartlett
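The behaviour the thread argues about (an unknown domain or an uncached password must come back as NO_SUCH_USER with authoritative=false so the caller can fall through to another backend, while a wrong password on an RODC is counted locally and forwarded to the PDC emulator so a just-changed password still gets a second chance) can be modelled in a few dozen lines. The following is a constructed illustration written for this page; it is not Samba code, not the patch under discussion, and not winbindd's real backend loop. The status strings, the `DomainController`/`Account` classes, the in-memory directory and the rule that an RODC whose RWDC is unreachable answers non-authoritatively are all assumptions made for the model (the thread itself leaves that last case open).

```python
"""Constructed model of authoritative vs. non-authoritative logon replies.

Not Samba code. Everything here (status names, classes, the sample directory,
and what an RODC does when its RWDC is unreachable) is invented for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_NO_SUCH_USER = "NT_STATUS_NO_SUCH_USER"
NT_STATUS_WRONG_PASSWORD = "NT_STATUS_WRONG_PASSWORD"


@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0  # like badPwdCount: kept per DC, never replicated


@dataclass
class DomainController:
    domain: str
    accounts: dict                                # user -> Account (local replica)
    cached: set                                   # users whose secret this DC holds
    pdc: Optional["DomainController"] = None      # upstream PDC emulator / RWDC
    reachable: bool = True

    def logon(self, domain: str, user: str, password: str) -> Tuple[str, bool]:
        """Return (status, authoritative)."""
        if domain != self.domain:
            # Not our domain: fail, but leave the caller free to try another backend.
            return NT_STATUS_NO_SUCH_USER, False
        acct = self.accounts.get(user)
        if acct is None:
            return NT_STATUS_NO_SUCH_USER, True
        if user not in self.cached:
            # RODC without the user's secret: only the RWDC can decide.
            # Assumption for this model: an unreachable RWDC is answered
            # non-authoritatively rather than with a hard failure.
            if self.pdc is None or not self.pdc.reachable:
                return NT_STATUS_NO_SUCH_USER, False
            return self.pdc.logon(domain, user, password)
        if password == acct.password:
            return NT_STATUS_OK, True
        # Wrong password: count it here (badPwdCount is not replicated) and
        # forward the attempt so the PDC emulator can keep its own count and
        # accept a password that is newer than our replica.
        acct.bad_pwd_count += 1
        if self.pdc is not None and self.pdc.reachable:
            status, _ = self.pdc.logon(domain, user, password)
            if status == NT_STATUS_OK:
                return NT_STATUS_OK, True  # second chance with the new password
        return NT_STATUS_WRONG_PASSWORD, True


def try_backends(backends, domain: str, user: str, password: str) -> str:
    """Caller-side rule: stop on success or on any authoritative answer,
    fall through to the next backend only on a non-authoritative failure."""
    status = NT_STATUS_NO_SUCH_USER
    for dc in backends:
        status, authoritative = dc.logon(domain, user, password)
        if status == NT_STATUS_OK or authoritative:
            return status
    return status


def build_demo():
    """Constructed directory: the PDC already knows alice's new password,
    the RODC still holds her old one and has no secret for bob at all."""
    pdc = DomainController("EXAMPLE",
                           {"alice": Account("new-pw"), "bob": Account("bob-pw")},
                           cached={"alice", "bob"})
    rodc = DomainController("EXAMPLE",
                            {"alice": Account("old-pw"), "bob": Account("?")},
                            cached={"alice"}, pdc=pdc)
    other = DomainController("OTHERDOM", {"carol": Account("c")}, cached={"carol"})
    return pdc, rodc, other


if __name__ == "__main__":
    pdc, rodc, other = build_demo()
    print(rodc.logon("OTHERDOM", "carol", "c"))        # non-authoritative miss
    print(rodc.logon("EXAMPLE", "alice", "new-pw"))    # forwarded, second chance
    print(try_backends([rodc, other], "OTHERDOM", "carol", "c"))
```

The point the model makes explicit is the contract between the two sides: a backend that answers `NT_STATUS_NO_SUCH_USER` with `authoritative=True` for a foreign domain would silently stop the caller's fallback loop, which is exactly the class of bug the patch title refers to.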