[PATCH] Correctly handle !authoritative in the rpc-based auth backends
Andrew Bartlett
abartlet at samba.org
Thu Mar 16 03:06:22 UTC 2017
On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via samba-technical wrote:
> > On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> > >
> > > What return values do you propose?
> >
> > NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely I
> > think.
> >
> > If we do the same with NO_SUCH_USER then the confusing mappings outside
> > the auth subsystem go away, and we can probably dispense with the flag
> > you so dislike (as then I think the different auth module lists would
> > work).
> >
> > That is, break out of the auth module loop based on *authoritative, not
> > NT_STATUS_NOT_IMPLEMENTED.
> >
> > That way we have no need for flag based changes to return values, and
> > callers like ntlm and ntlmssp can just ignore it, while netlogon can
> > honour it.
> >
> > I hope this helps,
>
> Just been following from the sidelines so I'm sure Volker can comment
> with *authoritative=1 :-), but that looks like a workable plan to excise
> USER_INFO_LOCAL_SAM_ONLY.
>
> Thanks Andrew !
I just wanted to write down, while I still remember them, my guidance
on how we can get this to a conclusion:
- make changes in sync between the two auth subsystems (the current
patch set removes the offensive flag, but only in auth3)
- not attempt a change to inter-process communication in the same
patch set (eg move to "sam" and "samba4:sam" if specifying auth module
lists in winbindd)
- clearly distinguish between the 'smbd as client' and
'ntlm_auth/wbinfo as client' cases in winbindd.
- use *authoritative as the indicator.
- have tests (both for the specific change desired, and for the other
areas touched like rodc)
- be bisectable
I realise this remains a large task, but we need changes here done
carefully and clearly tested. Sadly given the issues I found during my
review, that this patch set passed autobuild only showed the deficiency
of our current tests.
Thanks,
Andrew Bartlett
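
The loop rule discussed in this message (stop on *authoritative rather than on NT_STATUS_NOT_IMPLEMENTED), as an added example that is not part of the thread and is not Samba code. The status enum, the module signature, the module names, the accounts and the "default to authoritative before each module" behaviour are all assumptions made for this sketch.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins for NTSTATUS values and a hypothetical module
 * signature: a status plus "is this answer final?". Not Samba's code. */
typedef enum { ST_OK, ST_WRONG_PASSWORD, ST_NO_SUCH_USER } status_t;
typedef status_t (*auth_fn)(const char *user, const char *pw, bool *authoritative);

/* Local SAM model: owns "alice" only (constructed sample account). */
static status_t sam_module(const char *u, const char *p, bool *authoritative)
{
    if (strcmp(u, "alice") == 0)
        return strcmp(p, "s3cret") == 0 ? ST_OK : ST_WRONG_PASSWORD;
    *authoritative = false;   /* not a local account: later modules may try */
    return ST_NO_SUCH_USER;
}

/* RPC-style backend model: owns "bob", relays a remote answer for others. */
static status_t rpc_module(const char *u, const char *p, bool *authoritative)
{
    if (strcmp(u, "bob") == 0)
        return strcmp(p, "hunter2") == 0 ? ST_OK : ST_WRONG_PASSWORD;
    *authoritative = false;   /* remote answered for an account it does not own */
    return strcmp(u, "carol") == 0 ? ST_WRONG_PASSWORD : ST_NO_SUCH_USER;
}

static const auth_fn chain[] = { sam_module, rpc_module };

/* Module loop: stop at the first authoritative answer, whatever its status. */
static status_t run_chain(const auth_fn *mods, size_t n, const char *user,
                          const char *pw, bool *authoritative)
{
    status_t st = ST_NO_SUCH_USER;
    *authoritative = false;       /* empty chain: nobody owns the user */
    for (size_t i = 0; i < n; i++) {
        *authoritative = true;    /* assumed default; a module clears it */
        st = mods[i](user, pw, authoritative);
        if (*authoritative)
            break;
    }
    return st;
}

int main(void)
{
    bool a;  /* alice with a bad password: the SAM answer is final */
    return (run_chain(chain, 2, "alice", "bad", &a) == ST_WRONG_PASSWORD && a) ? 0 : 1;
}
```

A caller that ignores the flag looks only at the returned status; a caller that honours it passes both values back, so a non-authoritative WRONG_PASSWORD stays distinguishable from a final one.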