[PATCH] Correctly handle !authoritative in the rpc-based auth backends
Stefan Metzmacher
metze at samba.org
Wed Mar 22 08:19:05 UTC 2017
Hi Andrew,

>>>>> On Mon, Mar 20, 2017 at 10:54:59AM +0100, Stefan Metzmacher wrote:
>>>>>> I'm currently looking into this and I might have something that should
>>>>>> do the job without changing too much within the next days.
>>>>>
>>>>> Can you share your ideas?
>>>>
>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth
>>>
>>> Ok,
>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok
>>> contains the first preparation step that should not really change
>>> the logic.
>>
>> The following patchset also passed autobuild and should not change the
>> logic.
>
> Can you help me understand how this patch doesn't change the logic?
>
> auth3: Don't try other auth modules on any error
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=987e5ab63106f2d427fe11ad780962f2f1e317bf

If you look at the current make_auth_context_subsystem(), then
the behavior change is more theoretical. The most complex
combination of modules is "guest sam winbind:*".
And check_guest_security(), auth_samstrict_auth() and
check_winbind_security() seem to verify user_info->mapped.*, so
we'll never process the same authentication in more than one module.
Except maybe a problem from make_server_info_guest(), but at that
point we've already verified that the username was empty and no
password was provided and in that case any further module will
always generate result != NT_STATUS_OK.

> Otherwise it looks OK.

Is it ok to push it with your review, now?
So that we have it out of our way?

> I've been promising to write SamLogon tests all
> week, I'm going to write those next which will give me a little more
> confidence in changes to this area.
>
> We really need more tests here, ideally on SamLogon, even if they start
> with running wbinfo -a and smbclient with more combinations.

I'll try to add some basic tests in the following patches, which will
change the behavior.

> I've also looked at the master3-auth branch and I don't have any
> concerns.

Thanks!
metze
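
The reasoning in the reply above, as a simplified model added here (it is not Samba code and not part of the original message): when every module declines requests it does not own, "fall through on failure" and "stop on the first non-declined result" give the same outcome, and they diverge once a later module overlaps. The status names, the per-module rules, the `m_any` module and the sample requests are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not Samba code: status names and module rules are assumptions. */
typedef enum { ST_OK, ST_DECLINED, ST_FAILED } status_t;
struct req { const char *user, *domain; bool pw_ok; };
typedef status_t (*auth_fn)(const struct req *);
static status_t check_pw(const struct req *r) { return r->pw_ok ? ST_OK : ST_FAILED; }
static bool is_local(const struct req *r) { return strcmp(r->domain, "LOCAL") == 0; }

/* Each module declines requests it does not own, so ownership is disjoint. */
static status_t m_guest(const struct req *r) { return r->user[0] ? ST_DECLINED : ST_OK; }
static status_t m_sam(const struct req *r) { return (r->user[0] && is_local(r)) ? check_pw(r) : ST_DECLINED; }
static status_t m_winbind(const struct req *r) { return (r->user[0] && !is_local(r)) ? check_pw(r) : ST_DECLINED; }
/* Hypothetical module that accepts every request, overlapping with the others. */
static status_t m_any(const struct req *r) { (void)r; return ST_OK; }
static const auth_fn disjoint[] = { m_guest, m_sam, m_winbind };
static const auth_fn overlapping[] = { m_guest, m_sam, m_any };

/* stop_on_error == false: a failure falls through to later modules.
 * stop_on_error == true: the first module that does not decline decides. */
status_t run_chain(const auth_fn *chain, size_t n, const struct req *r, bool stop_on_error) {
    status_t result = ST_DECLINED;
    for (size_t i = 0; i < n; i++) {
        status_t s = chain[i](r);
        if (s == ST_DECLINED) continue;
        result = s;
        if (s == ST_OK || stop_on_error) break;
    }
    return result;
}
/* Constructed sample requests: guest, local user, other-domain user. */
static const struct req samples[] = {
    { "", "", false }, { "alice", "LOCAL", true }, { "alice", "LOCAL", false },
    { "bob", "CORP", true }, { "bob", "CORP", false },
};

/* Number of sample requests on which the two loop policies disagree. */
int count_divergent(const auth_fn *chain, size_t n) {
    int diff = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        diff += run_chain(chain, n, &samples[i], false) != run_chain(chain, n, &samples[i], true);
    return diff;
}
int divergent_disjoint(void) { return count_divergent(disjoint, 3); }
int divergent_overlapping(void) { return count_divergent(overlapping, 3); }
int main(void) { return divergent_disjoint(); }
```

In the overlapping chain the one divergent request is the local user with a wrong password: with fall-through it is accepted by the later module, with stop-on-error it is rejected.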