[PATCH] Correctly handle !authoritative in the rpc-based auth backends
Andrew Bartlett
abartlet at samba.org
Mon Mar 20 20:05:59 UTC 2017
On Mon, 2017-03-20 at 10:54 +0100, Stefan Metzmacher wrote:
> Am 20.03.2017 um 00:19 schrieb Andrew Bartlett via samba-technical:
> > On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical wrote:
> > > On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> > > > On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via samba-technical wrote:
> > > > > On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> > > > > >
> > > > > > What return values do you propose?
> > > > >
> > > > > NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely, I think.
> > > > >
> > > > > If we do the same with NO_SUCH_USER then the confusing mappings outside
> > > > > the auth subsystem go away, and we can probably dispense with the flag
> > > > > you so dislike (as then I think the different auth module lists would
> > > > > work).
> > > > >
> > > > > That is, break out of the auth module loop based on *authoritative,
> > > > > not NT_STATUS_NOT_IMPLEMENTED.
> > > > >
> > > > > That way we have no need for flag based changes to return values, and
> > > > > callers like ntlm and ntlmssp can just ignore it, while netlogon can
> > > > > honour it.
> > > > >
> > > > > I hope this helps,
> > > >
> > > > Just been following from the sidelines so I'm sure Volker can comment
> > > > with *authoritative=1 :-), but that looks like a workable plan to
> > > > excise USER_INFO_LOCAL_SAM_ONLY.
> > > >
> > > > Thanks Andrew !
> > >
> > > I just wanted to write down, while I still remember them, my guidance
> > > on how we can get this to a conclusion:
> > >
> > > - make changes in sync between the two auth subsystems (the current
> > >   patch set removes the offensive flag, but only in auth3)
> > > - not attempt a change to inter-process communication in the same
> > >   patch set (eg move to "sam" and "samba4:sam" if specifying auth module
> > >   lists in winbindd)
> > > - clearly distinguish between the 'smbd as client' and
> > >   'ntlm_auth/wbinfo as client' cases in winbindd.
> > > - use *authoritative as the indicator.
> > > - have tests (both for the specific change desired, and for the other
> > >   areas touched like rodc)
> > > - be bisectable
> >
> > We also need to keep netlogon in the AD DC talking to winbindd, not
> > just for the future trusted domains case, but for the RODC. Remember
> > that domain members (PCs) need to talk to NETLOGON on the RODC which
> > may forward the passwords to a RW DC.
> >
> > I plan to write some tests for this part as we work to lock in this
> > support, as clearly it isn't covered right now.
>
> I'm currently looking into this and I might have something that should
> do the job without changing too much within the next days.
>
> If you send me the additional tests I can include them,
> but calling an async irpc as a fallback in the netlogon server
> should also handle the RODC case.
I'll likewise be able to get you some tests in the next few days. Just
trying hard to swat away the auth-logging branch which has kind of
exploded. It should be under control and up for review soon!
> I think what we need is a test env that is a member in a domain
> that has trusts to others. Maybe the 'ad_member' env could require
> the fl2008r2dc to also be available in addition to ad_dc.
That sounds reasonable.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
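The auth module loop Andrew proposes in the quoted part of this thread (stop on *authoritative rather than on NT_STATUS_NOT_IMPLEMENTED, and hand a non-authoritative result back to the caller) as an added illustration written for this page; it is not Samba code. The "sam" and "winbind" modules, their user tables, the winbind_calls counter and the NTSTATUS stand-ins are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the NTSTATUS codes named in the thread. */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK             0x00000000u
#define NT_STATUS_NO_SUCH_USER   0xC0000064u
#define NT_STATUS_WRONG_PASSWORD 0xC000006Au
/* Hypothetical module: returns a status and says whether the verdict is final. */
typedef NTSTATUS (*auth_check_fn)(const char *, const char *, bool *auth);
int winbind_calls; /* lets a test confirm winbind was skipped */
/* "sam": the local SAM knows only alice. An unknown user yields a
 * non-authoritative NO_SUCH_USER so a later module may still claim it. */
static NTSTATUS sam_check(const char *user, const char *pw, bool *auth)
{
	if (strcmp(user, "alice") != 0) {
		*auth = false;
		return NT_STATUS_NO_SUCH_USER;
	}
	*auth = true; /* the account is ours: this verdict is final */
	return strcmp(pw, "secret") == 0 ? NT_STATUS_OK : NT_STATUS_WRONG_PASSWORD;
}
/* "winbind": stands in for the domain path and knows only bob. */
static NTSTATUS winbind_check(const char *user, const char *pw, bool *auth)
{
	winbind_calls++;
	if (strcmp(user, "bob") != 0) {
		*auth = false;
		return NT_STATUS_NO_SUCH_USER;
	}
	*auth = true;
	return strcmp(pw, "hunter2") == 0 ? NT_STATUS_OK : NT_STATUS_WRONG_PASSWORD;
}

static const auth_check_fn auth_modules[] = { sam_check, winbind_check };
/* Walk the list and break on *authoritative, not on a magic status. A result
 * nobody owned comes back with *authoritative=false so netlogon can act on it
 * (the RODC forwarding case) while ntlm_auth-style callers may ignore the flag. */
NTSTATUS auth_check_password(const char *user, const char *pw, bool *authoritative)
{
	NTSTATUS status = NT_STATUS_NO_SUCH_USER;
	*authoritative = false;
	for (size_t i = 0; i < sizeof(auth_modules) / sizeof(auth_modules[0]); i++) {
		status = auth_modules[i](user, pw, authoritative);
		if (*authoritative) {
			break;
		}
	}
	return status;
}
```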