[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Volker Lendecke vl at samba.org
Thu Mar 16 06:44:29 UTC 2017


On Thu, Mar 16, 2017 at 04:06:22PM +1300, Andrew Bartlett via samba-technical wrote:
> I just wanted to write down, while I still remember them, my guidance
> on how we can get this to a conclusion:
> 
>  - make changes in sync between the two auth subsystems (the current
> patch set removes the offensive flag, but only in auth3)
>  - not attempt a change to inter-process communication in the same
> patch set (eg move to "sam" and "samba4:sam" if specifying auth module
> lists in winbindd)
>  - clearly distinguish between the 'smbd as client' and
> 'ntlm_auth/wbinfo as client' cases in winbindd.
>  - use *authoritative as the indicator. 
>  - have tests (both for the specific change desired, and for the other
> areas touched like rodc)
>  - be bisectable
> 
> I realise this remains a large task, but we need changes here done
> carefully and clearly tested.  Sadly given the issues I found during my
> review, that this patch set passed autobuild only showed the deficiency
> of our current tests. 

The one I really care about from a personal perspective is the patch
to remove "map untrusted to domain". winbind must be changed to not
enumerate trusted domains. Everything else was just necessary to push
this one through autobuild. The main blocker is bug 2976 in the AD DC.

So if you could provide a quick fix for this bug from more than a
decade ago that re-surfaced with the release of the AD DC, I will keep
my fingers off source4/auth and let this be handled better by your
team at Catalyst.

Thanks,

Volker


