[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andreas Schneider asn at samba.org
Mon Mar 20 10:40:56 UTC 2017


On Monday, 20 March 2017 10:54:59 CET Stefan Metzmacher via samba-technical 
wrote:
> Am 20.03.2017 um 00:19 schrieb Andrew Bartlett via samba-technical:
> > On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical
> > 
> > wrote:
> >> On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> >>> On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via
> >>> samba-technical wrote:
> >>>> On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> >>>>> What return values do you propose?
> >>>> 
> >>>> NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely
> >>>> I think.
> >>>> 
> >>>> If we do the same with NO_SUCH_USER then the confusing mappings
> >>>> outside the auth subsystem go away, and we can probably dispense
> >>>> with the flag you so dislike (as then I think the different auth
> >>>> module lists would work).
> >>>> 
> >>>> That is, break out of the auth module loop based on
> >>>> *authoritative, not NT_STATUS_NOT_IMPLEMENTED.
> >>>> 
> >>>> That way we have no need for flag based changes to return values,
> >>>> and callers like ntlm and ntlmssp can just ignore it, while
> >>>> netlogon can honour it.
> >>>> 
> >>>> I hope this helps,
> >>> 
> >>> Just been following from the sidelines so I'm sure Volker can
> >>> comment with *authoritative=1 :-), but that looks like a workable
> >>> plan to excise USER_INFO_LOCAL_SAM_ONLY.
> >>> 
> >>> Thanks Andrew !
> >> 
> >> I just wanted to write down, while I still remember them, my guidance
> >> on how we can get this to a conclusion:
> >>  - make changes in sync between the two auth subsystems (the current
> >>    patch set removes the offensive flag, but only in auth3)
> >>  - not attempt a change to inter-process communication in the same
> >>    patch set (eg move to "sam" and "samba4:sam" if specifying auth
> >>    module lists in winbindd)
> >>  - clearly distinguish between the 'smbd as client' and
> >>    'ntlm_auth/wbinfo as client' cases in winbindd.
> >>  - use *authoritative as the indicator.
> >>  - have tests (both for the specific change desired, and for the
> >>    other areas touched like rodc)
> >>  - be bisectable
> > 
> > We also need to keep netlogon in the AD DC talking to winbindd, not
> > just for the future trusted domains case, but for the RODC.  Remember
> > that domain members (PCs) need to talk to NETLOGON on the RODC which
> > may forward the passwords to a RW DC.
> > 
> > I plan to write some tests for this part as we work to lock in this
> > support, as clearly it isn't covered right now.
> 
> I'm currently looking into this and I might have something that should
> do the job without changing too much within the next days.
> 
> If you send me the additional tests I can include them,
> but calling an async irpc as a fallback in the netlogon server
> should also handle the RODC case.
> 
> I think what we need is a test env that is a member in a domain
> that has trusts to others. Maybe the 'ad_member' env could require
> the fl2008r2dc to also be available in addition to ad_dc.

I've already done this, because we need some wbinfo -a and wbinfo -k tests with 
trusted domains so we do not regress in future.


	Andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-selftest-Add-a-trust_member-target-environment.patch
Type: text/x-patch
Size: 4580 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170320/3921ef2a/0001-selftest-Add-a-trust_member-target-environment.bin>
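The loop-on-*authoritative design Andrew describes in the quoted thread (each auth module reports a status plus an authoritative flag; the loop stops at the first authoritative verdict rather than on a particular status code; NTLM-style callers drop the flag and a NETLOGON-style caller passes it through), written out as an added C example. This is not Samba's code: the two backends, the status constants, the account names and the domains LOCALDOM/TRUSTDOM are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Status codes defined locally for this example; the numeric values follow
 * the NTSTATUS convention but nothing below depends on them. */
typedef uint32_t ntstatus_t;
#define ST_OK             0x00000000u
#define ST_WRONG_PASSWORD 0xC000006Au
#define ST_NO_SUCH_USER   0xC0000064u

struct auth_request {
    const char *domain;
    const char *user;
    const char *password;
};

/* Each backend returns a status and says whether that status is its final
 * word (*authoritative = 1) or merely "not mine, ask the next one" (0). */
typedef ntstatus_t (*auth_check_fn)(const struct auth_request *req,
                                    uint8_t *authoritative);

struct auth_module {
    const char *name;
    auth_check_fn check;
};

/* Hypothetical "sam" backend: answers only for the local domain, where the
 * single constructed account is alice/secret. */
static ntstatus_t sam_check(const struct auth_request *req, uint8_t *authoritative)
{
    if (strcmp(req->domain, "LOCALDOM") != 0) {
        *authoritative = 0;          /* foreign domain: no verdict from us */
        return ST_NO_SUCH_USER;
    }
    *authoritative = 1;              /* our domain: whatever we say is final */
    if (strcmp(req->user, "alice") != 0)
        return ST_NO_SUCH_USER;
    return strcmp(req->password, "secret") == 0 ? ST_OK : ST_WRONG_PASSWORD;
}

/* Hypothetical "winbind" backend: stands in for forwarding to a trusted
 * domain's DC; it knows TRUSTDOM only, with the constructed account bob/hunter2. */
static ntstatus_t winbind_check(const struct auth_request *req, uint8_t *authoritative)
{
    if (strcmp(req->domain, "TRUSTDOM") != 0) {
        *authoritative = 0;
        return ST_NO_SUCH_USER;
    }
    *authoritative = 1;
    if (strcmp(req->user, "bob") != 0)
        return ST_NO_SUCH_USER;
    return strcmp(req->password, "hunter2") == 0 ? ST_OK : ST_WRONG_PASSWORD;
}

static const struct auth_module modules[] = {
    { "sam",     sam_check     },
    { "winbind", winbind_check },
};
#define N_MODULES (sizeof(modules) / sizeof(modules[0]))

struct auth_result {
    ntstatus_t status;
    uint8_t authoritative;  /* 1 if some module gave a final verdict */
    size_t consulted;       /* how many modules were asked before stopping */
};

/* The module loop. It breaks on the authoritative flag, never on a specific
 * status, so no flag-dependent remapping of return values is needed. If every
 * module declines, the last status is returned with authoritative = 0. */
struct auth_result auth_check_password(const char *domain, const char *user,
                                      const char *password)
{
    struct auth_request req = { domain, user, password };
    struct auth_result res = { ST_NO_SUCH_USER, 0, 0 };
    for (size_t i = 0; i < N_MODULES; i++) {
        res.status = modules[i].check(&req, &res.authoritative);
        res.consulted++;
        if (res.authoritative)
            break;
    }
    return res;
}

/* An NTLM/NTLMSSP-style caller needs only the status and ignores the flag. */
ntstatus_t ntlm_style_check(const char *domain, const char *user, const char *password)
{
    return auth_check_password(domain, user, password).status;
}

/* A NETLOGON-style caller keeps the flag in its reply, so a client such as a
 * domain member talking to an RODC can tell "wrong password" from
 * "nobody here could decide" and act accordingly. */
struct netlogon_reply {
    ntstatus_t status;
    uint8_t authoritative;
};

struct netlogon_reply netlogon_style_check(const char *domain, const char *user,
                                           const char *password)
{
    struct auth_result r = auth_check_password(domain, user, password);
    struct netlogon_reply reply = { r.status, r.authoritative };
    return reply;
}
```

The `consulted` counter shows the property the thread is after: a local-domain request never reaches the second module, while a request for an unknown domain walks the whole list and comes back with `authoritative == 0`, which is the only signal the caller needs in order to decide whether the answer is final.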