[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Thu Mar 16 08:00:59 UTC 2017


On Thu, 2017-03-16 at 08:51 +0100, Stefan Metzmacher wrote:
> Am 16.03.2017 um 07:52 schrieb Andrew Bartlett via samba-technical:
> > On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
> > > The one I really care about from a personal perspective is the
> > > patch
> > > to remove "map untrusted to domain".
> > 
> > Understood.  
> > 
> > However as it hasn't been marked deprecated yet, we can't just drop
> > it.
> 
> The point here is that we do the mapping in the wrong location,
> we can keep the option "map untrusted to domain" by implementing a fallback
> *after* we get 'authoritative=0' from the dc.
> 
> But we definitely need to remove the completely broken
> design of doing the mapping based on our by design incomplete
> knowledge of possible trusted domains, before asking the backends.
> 
> Basically we would need something like:
> "anonymous sam_strict winbind winbind_untrusted_to_domain
> sam_ignoredomain"
> 
> While winbind_untrusted_to_domain will be a noop
> for the default "map untrusted to domain = no".

Thanks for expressing it so well.  I was wondering the same thing, and
I'm glad there is a way to make progress here.

However, does 'map untrusted to domain' even work with NTLMv2, as
ntv2_owf_gen() takes the username and domain?  It would seem to me that
you need the parameter implemented on the DC, not the member server! 
(And then this patch set). 

Indeed, for compatibility we probably need to permit that, using this
parameter, given the 'accept all domains' behaviour of the AD DC, before
we tighten this up.

The challenge continues...

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
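Added illustration of the NTLMv2 point raised above (this is example code written for this page, not Samba code and not part of the thread): the domain string the client sends is an input to the NTLMv2 key (MS-NLMP 3.3.2, the function Samba calls ntv2_owf_gen()), so a member server that rewrites an unknown domain to its own before forwarding the logon produces a response the DC cannot verify. Only the party holding the NT hash can try another domain string. User, password, domain names, challenges and the minimal client-challenge blob are all constructed for the example; MD4 is implemented in pure Python because OpenSSL 3 often hides it from hashlib.

```python
"""Why "map untrusted to domain" cannot be done on a member server for
NTLMv2: the domain name is hashed into the key (example, not Samba code)."""
import hashlib
import hmac
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (enough to compute NT hashes offline)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 (MS-NLMP 3.3.1): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt_owf: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)).
    The domain string is part of the keyed input; changing it changes the key."""
    return hmac.new(nt_owf, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_temp(client_challenge: bytes, timestamp: int = 0) -> bytes:
    """Constructed minimal NTLMv2_CLIENT_CHALLENGE blob: RespType, HiRespType,
    reserved bytes, timestamp, client nonce, reserved, empty AV_PAIR list."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + b"\x00\x00\x00\x00")


def ntlmv2_response(nt_owf: bytes, user: str, domain: str,
                    server_challenge: bytes, temp: bytes) -> bytes:
    """Client side: NTProofStr || temp, keyed with the domain the client uses."""
    key = ntowf_v2(nt_owf, user, domain)
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest() + temp


def dc_verify(nt_owf: bytes, user: str, domain: str,
              server_challenge: bytes, nt_response: bytes) -> bool:
    """DC side: recompute NTProofStr from the stored NT hash and the
    user/domain it was told, compare in constant time."""
    proof, temp = nt_response[:16], nt_response[16:]
    key = ntowf_v2(nt_owf, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demonstrate() -> dict:
    """Constructed scenario: the account lives in SAMDOM, but the client sent
    an unknown domain name (the case "map untrusted to domain" exists for)."""
    stored_nt_hash = nt_hash("Passw0rd!")          # what the DC holds
    user, sent_domain, mapped_domain = "alice", "LAPTOP-X", "SAMDOM"
    server_challenge = bytes.fromhex("0123456789abcdef")
    temp = build_temp(bytes.fromhex("aaaaaaaaaaaaaaaa"))
    resp = ntlmv2_response(stored_nt_hash, user, sent_domain, server_challenge, temp)
    return {
        # Forwarded unchanged: the DC verifies with the domain the client used.
        "as_sent": dc_verify(stored_nt_hash, user, sent_domain, server_challenge, resp),
        # Member server rewrote the domain before forwarding: the key differs.
        "after_member_remap": dc_verify(stored_nt_hash, user, mapped_domain, server_challenge, resp),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The member server never holds the NT hash, only the response, so it has nothing to recompute with; a fallback that retries another domain string can only live where the hash is, which is why the parameter (and the 'authoritative=0' fallback discussed in the thread) belongs on the DC side of the exchange.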
