[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Stefan Metzmacher metze at samba.org
Thu Mar 16 08:19:45 UTC 2017


On 16.03.2017 at 09:00, Andrew Bartlett wrote:
> On Thu, 2017-03-16 at 08:51 +0100, Stefan Metzmacher wrote:
>> On 16.03.2017 at 07:52, Andrew Bartlett via samba-technical wrote:
>>> On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
>>>> The one I really care about from a personal perspective is the
>>>> patch
>>>> to remove "map untrusted to domain".
>>>
>>> Understood.  
>>>
>>> However as it hasn't been marked deprecated yet, we can't just drop
>>> it.
>>
>> The point here is that we do the mapping in the wrong location,
>> we can keep the option "map untrusted to domain" by implementing a fallback
>> *after* we get 'authoritative=0' from the dc.
>>
>> But we definitely need to remove the completely broken
>> design of doing the mapping based on our by design incomplete
>> knowledge of possible trusted domains, before asking the backends.
>>
>> Basically we would need something like:
>> "anonymous sam_strict winbind winbind_untrusted_to_domain
>> sam_ignoredomain"
>>
>> While winbind_untrusted_to_domain will be a noop
>> for the default "map untrusted to domain = no".
> 
> Thanks for expressing it so well.  I was wondering the same thing, and
> I'm glad there is a way to make progress here.
> 
> However, does 'map untrusted to domain' even work with NTLMv2, as
> ntv2_owf_gen() takes the username and domain?  It would seem to me that
> you need the parameter implemented on the DC, not the member server! 
> (And then this patch set). 

I don't think it will work with ntlmv2, but I haven't tested it.
It would just mean that it's very unlikely that a lot of admins
are using this option at all.

> Indeed, for compatibility we probably need to permit that using this
> parameter that given the 'accept all domains' behaviour of the AD DC
> before we tighten this up.

I don't understand the above statement, you want to implement
'map untrusted to domain' on the AD DC itself?
I'm strongly against that, there's really no need for it.

metze
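A toy model of the chain metze sketches above ("anonymous sam_strict winbind winbind_untrusted_to_domain sam_ignoredomain"), added here as an illustration and not Samba's own code: each backend answers with an authoritative flag, the first authoritative answer ends the walk, and the untrusted-to-domain mapping is only attempted after the DC has returned authoritative=0. Host, workgroup and account names are constructed.

```python
from dataclasses import dataclass

# Constructed sample data: member server HOST in workgroup CORP.
HOST = "HOST"
WORKGROUP = "CORP"
LOCAL_SAM = {"bob": "bobpw"}                 # accounts in the local SAM
DC_ACCOUNTS = {"CORP": {"alice": "s3cret"}}  # domains the DC is authoritative for

@dataclass
class Result:
    ok: bool
    authoritative: bool
    backend: str

def anonymous(user, domain, pw, opts):
    return Result(user == "", user == "", "anonymous")

def sam_strict(user, domain, pw, opts):
    # Local SAM, but only authoritative for our own host name.
    if domain.upper() != HOST:
        return Result(False, False, "sam_strict")
    return Result(LOCAL_SAM.get(user) == pw, True, "sam_strict")

def winbind(user, domain, pw, opts):
    # Ask the DC. An unknown/untrusted domain comes back as authoritative=0.
    accounts = DC_ACCOUNTS.get(domain.upper())
    if accounts is None:
        return Result(False, False, "winbind")
    return Result(accounts.get(user) == pw, True, "winbind")

def winbind_untrusted_to_domain(user, domain, pw, opts):
    # The proposed fallback: runs only after the DC said authoritative=0,
    # and is a noop for the default "map untrusted to domain = no".
    if not opts["map_untrusted_to_domain"]:
        return Result(False, False, "winbind_untrusted_to_domain")
    r = winbind(user, WORKGROUP, pw, opts)
    return Result(r.ok, r.authoritative, "winbind_untrusted_to_domain")

def sam_ignoredomain(user, domain, pw, opts):
    # Last resort: local SAM regardless of the supplied domain, always authoritative.
    return Result(LOCAL_SAM.get(user) == pw, True, "sam_ignoredomain")

CHAIN = [anonymous, sam_strict, winbind, winbind_untrusted_to_domain, sam_ignoredomain]

def authenticate(user, domain, pw, map_untrusted_to_domain=False):
    """Walk the chain; the first authoritative answer wins, the rest fall through."""
    opts = {"map_untrusted_to_domain": map_untrusted_to_domain}
    for backend in CHAIN:
        r = backend(user, domain, pw, opts)
        if r.authoritative:
            return r
    return Result(False, True, "none")
```

Note that a user of a domain the DC does know (bob@CORP) is rejected authoritatively by winbind and never reaches the local SAM; only an untrusted domain falls through.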
