[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Stefan Metzmacher metze at samba.org
Mon Mar 20 09:54:59 UTC 2017


Am 20.03.2017 um 00:19 schrieb Andrew Bartlett via samba-technical:
> On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical
> wrote:
>> On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
>>> On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via
>>> samba-technical wrote:
>>>> On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
>>>>>
>>>>> What return values do you propose?
>>>>
>>>> NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely
>>>> I think.
>>>>
>>>> If we do the same with NO_SUCH_USER then the confusing mappings
>>>> outside the auth subsystem go away, and we can probably dispense
>>>> with the flag you so dislike (as then I think the different auth
>>>> module lists would work).
>>>>
>>>> That is, break out of the auth module loop based on *authoritative,
>>>> not NT_STATUS_NOT_IMPLEMENTED.
>>>>
>>>> That way we have no need for flag-based changes to return values,
>>>> and callers like ntlm and ntlmssp can just ignore it, while netlogon
>>>> can honour it.
>>>>
>>>> I hope this helps,
>>>
>>> Just been following from the sidelines so I'm sure Volker can
>>> comment with *authoritative=1 :-), but that looks like a workable
>>> plan to excise USER_INFO_LOCAL_SAM_ONLY.
>>>
>>> Thanks Andrew !
>>
>> I just wanted to write down, while I still remember them, my guidance
>> on how we can get this to a conclusion:
>>
>>  - make changes in sync between the two auth subsystems (the current
>>    patch set removes the offensive flag, but only in auth3)
>>  - not attempt a change to inter-process communication in the same
>>    patch set (eg move to "sam" and "samba4:sam" if specifying auth
>>    module lists in winbindd)
>>  - clearly distinguish between the 'smbd as client' and
>>    'ntlm_auth/wbinfo as client' cases in winbindd.
>>  - use *authoritative as the indicator.
>>  - have tests (both for the specific change desired, and for the
>>    other areas touched like rodc)
>>  - be bisectable
> 
> We also need to keep netlogon in the AD DC talking to winbindd, not
> just for the future trusted domains case, but for the RODC.  Remember
> that domain members (PCs) need to talk to NETLOGON on the RODC which
> may forward the passwords to a RW DC.  
> 
> I plan to write some tests for this part as we work to lock in this
> support, as clearly it isn't covered right now.

I'm currently looking into this and I might have something that should
do the job without changing too much within the next days.

If you send me the additional tests I can include them,
but calling an async irpc as a fallback in the netlogon server
should also handle the RODC case.

I think what we need is a test env that is a member in a domain
that has trusts to others. Maybe the 'ad_member' env could require
the fl2008r2dc to also be available in addition to ad_dc.

metze
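The contract the thread converges on (each auth module reports whether its verdict is authoritative; the module loop stops on an authoritative answer rather than on a sentinel such as NT_STATUS_NOT_IMPLEMENTED; NTLMSSP-style callers ignore the flag while a netlogon-style caller honours it and forwards non-authoritative failures, as an RODC would) is sketched below as an added, self-contained C example. This is not Samba code and not metze's patch: the two modules, the sample accounts "alice" and "bob", the domain names, the NTSTATUS enum and the netlogon result codes are all constructed for illustration, and the status names are reused only as labels for the cases discussed above.

```c
/*
 * Added illustration of the "*authoritative" loop-termination rule
 * discussed in the thread. NOT Samba code: modules, accounts, domains
 * and status values are constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes, named after the ones mentioned in the thread. */
typedef enum {
    NT_STATUS_OK = 0,
    NT_STATUS_WRONG_PASSWORD,
    NT_STATUS_NO_SUCH_USER,
} ntstatus_t;

/* An auth module checks one credential and says whether its verdict is
 * final (*authoritative = true) or merely "not my account, ask elsewhere". */
typedef ntstatus_t (*auth_check_fn)(const char *domain, const char *user,
                                    const char *password, bool *authoritative);

/* Constructed "local SAM": knows exactly one account, LOCALBOX\alice. */
static ntstatus_t sam_check(const char *domain, const char *user,
                            const char *password, bool *authoritative)
{
    if (strcmp(domain, "LOCALBOX") != 0 || strcmp(user, "alice") != 0) {
        *authoritative = false;          /* not ours: let others decide */
        return NT_STATUS_NO_SUCH_USER;
    }
    *authoritative = true;               /* ours: this verdict is final */
    return strcmp(password, "alice-pw") == 0 ? NT_STATUS_OK
                                             : NT_STATUS_WRONG_PASSWORD;
}

/* Constructed "winbind" module: answers for one trusted domain, TRUSTED. */
static ntstatus_t winbind_check(const char *domain, const char *user,
                                const char *password, bool *authoritative)
{
    if (strcmp(domain, "TRUSTED") != 0) {
        *authoritative = false;
        return NT_STATUS_NO_SUCH_USER;
    }
    *authoritative = true;
    return (strcmp(user, "bob") == 0 && strcmp(password, "bob-pw") == 0)
               ? NT_STATUS_OK : NT_STATUS_WRONG_PASSWORD;
}

/* The module loop: stop on the first authoritative verdict. If no module
 * claims the account, return the last status with *authoritative = false. */
static ntstatus_t auth_check_password(const char *domain, const char *user,
                                      const char *password, bool *authoritative)
{
    static const auth_check_fn modules[] = { sam_check, winbind_check };
    ntstatus_t status = NT_STATUS_NO_SUCH_USER;

    for (size_t i = 0; i < sizeof(modules) / sizeof(modules[0]); i++) {
        status = modules[i](domain, user, password, authoritative);
        if (*authoritative) {
            return status;
        }
    }
    *authoritative = false;
    return status;
}

/* Caller 1 (ntlmssp-style): ignores the flag, any non-OK status is a failure. */
static bool ntlmssp_logon(const char *domain, const char *user, const char *password)
{
    bool authoritative;
    return auth_check_password(domain, user, password, &authoritative) == NT_STATUS_OK;
}

/* Caller 2 (netlogon-style): honours the flag. A non-authoritative failure
 * is not a denial; it means "forward to a DC that can answer". */
typedef enum { LOGON_OK, LOGON_DENIED, LOGON_FORWARD } netlogon_result_t;

static netlogon_result_t netlogon_logon(const char *domain, const char *user,
                                        const char *password)
{
    bool authoritative;
    ntstatus_t status = auth_check_password(domain, user, password, &authoritative);
    if (status == NT_STATUS_OK) return LOGON_OK;
    return authoritative ? LOGON_DENIED : LOGON_FORWARD;
}

int main(void)
{
    printf("LOCALBOX\\alice wrong pw -> netlogon %d (1 = denied)\n",
           netlogon_logon("LOCALBOX", "alice", "wrong"));
    printf("OTHERDOM\\carol           -> netlogon %d (2 = forward)\n",
           netlogon_logon("OTHERDOM", "carol", "x"));
    printf("OTHERDOM\\carol           -> ntlmssp %d (0 = fail)\n",
           ntlmssp_logon("OTHERDOM", "carol", "x"));
    return 0;
}
```

The point of the example is the last two calls: the same non-authoritative NT_STATUS_NO_SUCH_USER is a plain failure for the NTLMSSP caller but a forwarding decision for the netlogon caller, without any flag on the request or any remapping of status codes outside the auth loop.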
