[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Thu Mar 16 22:01:51 UTC 2017


On Thu, 2017-03-16 at 09:40 +0100, Volker Lendecke wrote:
> On Thu, Mar 16, 2017 at 09:19:45AM +0100, Stefan Metzmacher wrote:
> > I don't understand the above statement, you want to implement
> > 'map untrusted to domain' on the AD DC itself?
> > I'm strongly against that, there's really no need for it.
> 
> That's the current behaviour of the AD DC. People depend on it.

I don't know if people depend on it, but the change from
sam_ignoredomain -> sam should be made more deliberately and I think
using this option, marked deprecated, for a release would be a
reasonable way to phase this out.

We did similar things with the "lsa over netlogon" that we likewise
hope is never needed.

I know this all feels very disheartening, but I'm actually quite
confident we are honing in on a solution.  It will still require work -
probably a good solid week or two to nail it all down with the right
tests, but this isn't months away.  

I hope some other work currently in train by myself and the infamous
"team at Catalyst" may provide some of the infrastructure needed for
that.  Specifically I'm hoping to make it trivial to call SamLogon from
Python, and probably also the auth4 subsystem. 

Thanks,

Andrew Bartlett



