[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Sun Mar 19 23:19:22 UTC 2017


On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical wrote:
> On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> > On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via
> > samba-technical wrote:
> > > On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> > > > 
> > > > What return values do you propose?
> > > 
> > > NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely
> > > I think.
> > > 
> > > If we do the same with NO_SUCH_USER then the confusing mappings
> > > outside the auth subsystem go away, and we can probably dispense
> > > with the flag you so dislike (as then I think the different auth
> > > module lists would work).
> > > 
> > > That is, break out of the auth module loop based on
> > > *authoritative, not NT_STATUS_NOT_IMPLEMENTED.
> > > 
> > > That way we have no need for flag based changes to return values,
> > > and callers like ntlm and ntlmssp can just ignore it, while
> > > netlogon can honour it.
> > > 
> > > I hope this helps,
> > 
> > Just been following from the sidelines so I'm sure Volker can
> > comment with *authoritative=1 :-), but that looks like a workable
> > plan to excise USER_INFO_LOCAL_SAM_ONLY.
> > 
> > Thanks Andrew !
> 
> I just wanted to write down, while I still remember them, my guidance
> on how we can get this to a conclusion:
> 
>  - make changes in sync between the two auth subsystems (the current
>    patch set removes the offensive flag, but only in auth3)
>  - not attempt a change to inter-process communication in the same
>    patch set (eg move to "sam" and "samba4:sam" if specifying auth
>    module lists in winbindd)
>  - clearly distinguish between the 'smbd as client' and
>    'ntlm_auth/wbinfo as client' cases in winbindd.
>  - use *authoritative as the indicator.
>  - have tests (both for the specific change desired, and for the
>    other areas touched like rodc)
>  - be bisectable

We also need to keep netlogon in the AD DC talking to winbindd, not
just for the future trusted domains case, but for the RODC.  Remember
that domain members (PCs) need to talk to NETLOGON on the RODC which
may forward the passwords to a RW DC.  

I plan to write some tests for this part as we work to lock in this
support, as clearly it isn't covered right now.

Andrew Bartlett
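The loop shape the thread argues for, as an added illustration that is not Samba's code and not from any of the participants: each auth module returns an NTSTATUS together with an *authoritative flag, the loop stops at the first authoritative answer rather than at NT_STATUS_NOT_IMPLEMENTED, an NTLMSSP-style caller ignores the flag, and a NETLOGON-style caller passes it through. The module names, the account tables, the local domain name "MYHOST" and the trusted domain "EXAMPLE" are all constructed for the example; only the NTSTATUS numeric values are the standard ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the NTSTATUS codes named in the thread (standard values). */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK             0x00000000u
#define NT_STATUS_NO_SUCH_USER   0xC0000064u
#define NT_STATUS_WRONG_PASSWORD 0xC000006Au

#define LOCAL_DOMAIN "MYHOST"   /* assumed name of the local SAM domain */

struct user_info {
    const char *domain;
    const char *username;
    const char *password;
};

/* Hypothetical module contract: return a status and say whether this module
 * is authoritative for the account namespace the request names. */
typedef NTSTATUS (*auth_check_fn)(const struct user_info *u, bool *authoritative);

struct auth_module {
    const char *name;
    auth_check_fn check;
};

/* Constructed sample accounts standing in for the local SAM and a DC. */
struct account { const char *domain; const char *user; const char *password; };
static const struct account local_sam[]     = { { LOCAL_DOMAIN, "alice", "s3cret" } };
static const struct account trusted_users[] = { { "EXAMPLE",    "bob",   "hunter2" } };

static NTSTATUS lookup(const struct account *tbl, size_t n, const struct user_info *u)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tbl[i].domain, u->domain) == 0 && strcmp(tbl[i].user, u->username) == 0)
            return strcmp(tbl[i].password, u->password) == 0 ? NT_STATUS_OK
                                                              : NT_STATUS_WRONG_PASSWORD;
    }
    return NT_STATUS_NO_SUCH_USER;
}

/* Local SAM module: authoritative only for LOCAL_DOMAIN. For any other domain it
 * returns NT_STATUS_WRONG_PASSWORD with *authoritative = false, as proposed. */
static NTSTATUS sam_check(const struct user_info *u, bool *authoritative)
{
    if (strcmp(u->domain, LOCAL_DOMAIN) != 0) {
        *authoritative = false;
        return NT_STATUS_WRONG_PASSWORD;
    }
    *authoritative = true;
    return lookup(local_sam, sizeof local_sam / sizeof local_sam[0], u);
}

/* Stand-in for the module that forwards to winbindd/a DC: authoritative for the
 * trusted domain it knows, NT_STATUS_NO_SUCH_USER non-authoritatively otherwise. */
static NTSTATUS winbind_check(const struct user_info *u, bool *authoritative)
{
    if (strcmp(u->domain, "EXAMPLE") != 0) {
        *authoritative = false;
        return NT_STATUS_NO_SUCH_USER;
    }
    *authoritative = true;
    return lookup(trusted_users, sizeof trusted_users / sizeof trusted_users[0], u);
}

static const struct auth_module modules[] = {
    { "sam",     sam_check },
    { "winbind", winbind_check },
};

/* The auth module loop: break on the first authoritative answer; if no module
 * was authoritative, hand back the last status with *authoritative = false. */
NTSTATUS auth_check_password(const struct user_info *u, bool *authoritative)
{
    NTSTATUS status = NT_STATUS_NO_SUCH_USER;
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++) {
        *authoritative = false;
        status = modules[i].check(u, authoritative);
        if (*authoritative)
            return status;
    }
    *authoritative = false;
    return status;
}

/* NTLMSSP-style caller: only the status matters, the flag is ignored. */
NTSTATUS ntlmssp_check(const struct user_info *u)
{
    bool ignored;
    return auth_check_password(u, &ignored);
}

/* NETLOGON-style caller (think RODC forwarding): the flag must reach the
 * client so it knows whether to retry against another DC. */
struct netlogon_result { NTSTATUS status; bool authoritative; };

struct netlogon_result netlogon_sam_logon(const struct user_info *u)
{
    struct netlogon_result r;
    r.status = auth_check_password(u, &r.authoritative);
    return r;
}
```

With this shape, a wrong password for a local account stops the loop with an authoritative NT_STATUS_WRONG_PASSWORD, while a request for an unknown domain falls all the way through and comes back non-authoritative, which is exactly what a NETLOGON caller needs to report and what an NTLMSSP caller can safely ignore.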