[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Mon Mar 20 20:05:59 UTC 2017


On Mon, 2017-03-20 at 10:54 +0100, Stefan Metzmacher wrote:
> Am 20.03.2017 um 00:19 schrieb Andrew Bartlett via samba-technical:
> > On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical wrote:
> > > On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> > > > On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via samba-technical wrote:
> > > > > On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> > > > > > 
> > > > > > What return values do you propose?
> > > > > 
> > > > > NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely
> > > > > I think.
> > > > > 
> > > > > If we do the same with NO_SUCH_USER then the confusing mappings
> > > > > outside the auth subsystem go away, and we can probably dispense
> > > > > with the flag you so dislike (as then I think the different auth
> > > > > module lists would work).
> > > > > 
> > > > > That is, break out of the auth module loop based on *authoritative,
> > > > > not NT_STATUS_NOT_IMPLEMENTED.
> > > > > 
> > > > > That way we have no need for flag based changes to return values,
> > > > > and callers like ntlm and ntlmssp can just ignore it, while
> > > > > netlogon can honour it.
> > > > > 
> > > > > I hope this helps,
> > > > 
> > > > Just been following from the sidelines so I'm sure Volker can
> > > > comment with *authoritative=1 :-), but that looks like a workable
> > > > plan to excise USER_INFO_LOCAL_SAM_ONLY.
> > > > 
> > > > Thanks Andrew !
> > > 
> > > I just wanted to write down, while I still remember them, my guidance
> > > on how we can get this to a conclusion:
> > > 
> > >  - make changes in sync between the two auth subsystems (the current
> > >    patch set removes the offensive flag, but only in auth3)
> > >  - not attempt a change to inter-process communication in the same
> > >    patch set (eg move to "sam" and "samba4:sam" if specifying auth
> > >    module lists in winbindd)
> > >  - clearly distinguish between the 'smbd as client' and
> > >    'ntlm_auth/wbinfo as client' cases in winbindd.
> > >  - use *authoritative as the indicator.
> > >  - have tests (both for the specific change desired, and for the
> > >    other areas touched like rodc)
> > >  - be bisectable
> > 
> > We also need to keep netlogon in the AD DC talking to winbindd, not
> > just for the future trusted domains case, but for the RODC.  Remember
> > that domain members (PCs) need to talk to NETLOGON on the RODC which
> > may forward the passwords to a RW DC.
> > 
> > I plan to write some tests for this part as we work to lock in this
> > support, as clearly it isn't covered right now.
> 
> I'm currently looking into this and I might have something that should
> do the job without changing too much within the next days.
> 
> If you send me the additional tests I can include them,
> but calling an async irpc as a fallback in the netlogon server
> should also handle the RODC case.

I'll likewise be able to get you some tests in the next few days.  Just
trying hard to swat away the auth-logging branch which has kind of
exploded.  It should be under control and up for review soon!

> I think what we need is a test env that is a member in a domain
> that has trusts to others. Maybe the 'ad_member' env could require
> the fl2008r2dc to also be available in addition to ad_dc.

That sounds reasonable.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
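The auth module loop described in the quoted discussion (leave the loop on the first authoritative answer rather than on NT_STATUS_NOT_IMPLEMENTED, and let an rpc-based backend answer WRONG_PASSWORD with *authoritative=0 when it cannot decide), written out as an added C example. This is not Samba's code and not code from anyone in this thread: the status enum, the two backends, the user names and passwords are constructed, and `check_password`, `try_login` and `trusted_dc_reachable` are hypothetical names chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the NTSTATUS codes named in the thread;
 * the numeric values are arbitrary, not Samba's. */
typedef enum {
	ST_OK,
	ST_WRONG_PASSWORD,
	ST_NO_SUCH_USER,
} auth_status;

struct auth_request {
	const char *user;
	const char *password;
};

/* Every backend reports a status AND whether that status is authoritative.
 * authoritative=1: "this account is mine, stop here, whatever the status".
 * authoritative=0: "I cannot decide for this account, ask the next one". */
typedef auth_status (*auth_fn)(const struct auth_request *req,
			       bool *authoritative);

/* Constructed local SAM backend: only knows "alice"/"secret". */
static auth_status local_sam(const struct auth_request *req, bool *authoritative)
{
	if (strcmp(req->user, "alice") != 0) {
		*authoritative = false;	/* not ours, keep looping */
		return ST_NO_SUCH_USER;
	}
	*authoritative = true;		/* ours: even a wrong password is final */
	return strcmp(req->password, "secret") == 0 ? ST_OK : ST_WRONG_PASSWORD;
}

/* Constructed stand-in for an rpc/winbindd backend for a trusted domain.
 * When its DC is unreachable it answers WRONG_PASSWORD with
 * authoritative=0, the convention proposed in the thread. */
static bool trusted_dc_reachable = true;	/* hypothetical toggle */

static auth_status rpc_backend(const struct auth_request *req, bool *authoritative)
{
	if (!trusted_dc_reachable) {
		*authoritative = false;
		return ST_WRONG_PASSWORD;
	}
	if (strcmp(req->user, "bob") != 0) {
		*authoritative = false;
		return ST_NO_SUCH_USER;
	}
	*authoritative = true;
	return strcmp(req->password, "hunter2") == 0 ? ST_OK : ST_WRONG_PASSWORD;
}

/* The module loop: leaves on the first authoritative answer, not on any
 * particular status code. If no backend was authoritative the combined
 * answer is non-authoritative too, so a caller such as netlogon on an
 * RODC can forward the request to a RW DC, while ntlm/ntlmssp callers
 * can ignore the flag and use the status as-is. */
static auth_status check_password(const auth_fn *chain, size_t n,
				  const struct auth_request *req,
				  bool *authoritative)
{
	auth_status last = ST_NO_SUCH_USER;
	size_t i;

	for (i = 0; i < n; i++) {
		bool this_auth = false;
		last = chain[i](req, &this_auth);
		if (this_auth) {
			*authoritative = true;
			return last;
		}
	}
	*authoritative = false;
	return last;
}

/* Convenience wrapper over the constructed two-backend chain. */
static auth_status try_login(const char *user, const char *password,
			     bool *authoritative)
{
	const auth_fn chain[] = { local_sam, rpc_backend };
	struct auth_request req = { user, password };
	return check_password(chain, 2, &req, authoritative);
}

int main(void)
{
	bool authoritative;
	auth_status st = try_login("alice", "bad", &authoritative);
	printf("alice/bad: status=%d authoritative=%d\n", st, authoritative);

	trusted_dc_reachable = false;	/* simulate the trusted DC being down */
	st = try_login("bob", "hunter2", &authoritative);
	printf("bob, trusted DC down: status=%d authoritative=%d\n",
	       st, authoritative);
	return 0;
}
```

The point the loop makes is that "alice"/"bad" stops at the local SAM with an authoritative WRONG_PASSWORD, whereas "bob" while the trusted DC is down also yields WRONG_PASSWORD but non-authoritatively, so the caller can tell the two apart without a status-code remapping or a LOCAL_SAM_ONLY style flag.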