[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Thu Mar 16 03:06:22 UTC 2017


On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via samba-technical wrote:
> > On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> > > 
> > > What return values do you propose?
> > 
> > NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely I
> > think.
> > 
> > If we do the same with NO_SUCH_USER then the confusing mappings outside
> > the auth subsystem go away, and we can probably dispense with the flag
> > you so dislike (as then I think the different auth module lists would
> > work).
> > 
> > That is, break out of the auth module loop based on *authoritative, not
> > NT_STATUS_NOT_IMPLEMENTED.
> > 
> > That way we have no need for flag based changes to return values, and
> > callers like ntlm and ntlmssp can just ignore it, while netlogon can
> > honour it.
> > 
> > I hope this helps,
> 
> Just been following from the sidelines so I'm sure Volker can comment
> with *authoritative=1 :-), but that looks like a workable plan to excise
> USER_INFO_LOCAL_SAM_ONLY.
> 
> Thanks Andrew !

I just wanted to write down, while I still remember them, my guidance
on how we can get this to a conclusion:

 - make changes in sync between the two auth subsystems (the current
   patch set removes the offensive flag, but only in auth3)
 - not attempt a change to inter-process communication in the same
   patch set (e.g. move to "sam" and "samba4:sam" if specifying auth
   module lists in winbindd)
 - clearly distinguish between the 'smbd as client' and
   'ntlm_auth/wbinfo as client' cases in winbindd
 - use *authoritative as the indicator
 - have tests (both for the specific change desired, and for the other
   areas touched like rodc)
 - be bisectable

I realise this remains a large task, but we need changes here done
carefully and clearly tested.  Sadly, given the issues I found during my
review, that this patch set passed autobuild only showed the deficiency
of our current tests.

Thanks,

Andrew Bartlett
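
[Added example, not part of the original message and not Samba code: a simplified C model of the proposal quoted above, where the auth module loop stops on *authoritative rather than on a special status code. The NTSTATUS numeric values are the standard ones; the typedef, the module signature, the module names, the accounts and the passwords are hypothetical and constructed for illustration.]

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t NTSTATUS;               /* model type; code values are the standard ones */
#define NT_STATUS_OK             0x00000000u
#define NT_STATUS_NO_SUCH_USER   0xC0000064u
#define NT_STATUS_WRONG_PASSWORD 0xC000006Au

/* Hypothetical module signature: return a status and set *authoritative. */
typedef NTSTATUS (*auth_fn)(const char *user, const char *pw, bool *authoritative);
int second_module_calls = 0;             /* shows whether the loop fell through */

/* Constructed module body: one known account, authoritative only for it. */
static NTSTATUS check_one(const char *known, const char *secret,
                          const char *user, const char *pw, bool *authoritative)
{
    *authoritative = (strcmp(user, known) == 0);
    if (!*authoritative) return NT_STATUS_NO_SUCH_USER;
    return strcmp(pw, secret) == 0 ? NT_STATUS_OK : NT_STATUS_WRONG_PASSWORD;
}
static NTSTATUS first_module(const char *u, const char *p, bool *a)
{ return check_one("alice", "constructed-pw-1", u, p, a); }
static NTSTATUS second_module(const char *u, const char *p, bool *a)
{ second_module_calls++; return check_one("bob", "constructed-pw-2", u, p, a); }

/* The loop: the first authoritative answer ends it, whatever the status is. */
NTSTATUS run_auth_chain(const char *user, const char *pw, bool *authoritative)
{
    static const auth_fn chain[] = { first_module, second_module };
    NTSTATUS status = NT_STATUS_NO_SUCH_USER;
    *authoritative = false;
    for (size_t i = 0; i < sizeof(chain) / sizeof(chain[0]); i++) {
        status = chain[i](user, pw, authoritative);
        if (*authoritative) break;       /* a definite failure must not fall through */
    }
    return status;
}

int main(void)
{
    bool a;
    NTSTATUS s = run_auth_chain("alice", "wrong", &a);
    printf("alice/wrong: 0x%08X auth=%d fell_through=%d\n", (unsigned)s, a, second_module_calls);
    s = run_auth_chain("carol", "x", &a);
    printf("carol: 0x%08X auth=%d\n", (unsigned)s, a);
    return 0;
}
```

[In this model a caller that ignores the flag treats both failures as final, while a caller that honours it can tell the non-authoritative NO_SUCH_USER for "carol" apart from the authoritative WRONG_PASSWORD for "alice".]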