[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Andrew Bartlett abartlet at samba.org
Wed Mar 22 13:56:39 UTC 2017 

On Wed, 2017-03-22 at 10:56 +0100, Stefan Metzmacher via samba-
technical wrote:
> Am 22.03.2017 um 09:19 schrieb Stefan Metzmacher via samba-technical:
> > Hi Andrew,
> > 
> > > > > > > On Mon, Mar 20, 2017 at 10:54:59AM +0100, Stefan
> > > > > > > Metzmacher
> > > > > > > wrote:
> > > > > > > > I'm currently looking into this and I might have
> > > > > > > > something
> > > > > > > > that should
> > > > > > > > do the job without changing too much within the next
> > > > > > > > days.
> > > > > > > 
> > > > > > > Can you share your ideas?
> > > > > > 
> > > > > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=r
> > > > > > efs/he
> > > > > > ads/master3-auth
> > > > > 
> > > > > Ok,
> > > > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=ref
> > > > > s/head
> > > > > s/master3-auth-ok
> > > > > contains the first preparation step that should not really
> > > > > change
> > > > > the logic.
> > > > 
> > > > The following patchset also passed autobuild and should not
> > > > change
> > > > the
> > > > logic.
> > > 
> > > Can you help me understand how this patch doesn't change the
> > > logic?
> > > 
> > > auth3: Don't try other auth modules on any error
> > > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=987e5
> > > ab6310
> > > 6f2d427fe11ad780962f2f1e317bf
> > 
> > If you look at the current make_auth_context_subsystem(), then
> > the behavior change is more theoretical. The most complex
> > combination of modules is "guest sam winbind:*".
> > And check_guest_security(), auth_samstrict_auth() and
> > check_winbind_security()
> > seem to verify user_info->mapped.*, so we'll never process the
> > same authentication in more than one module. Except maybe
> > a problem from make_server_info_guest(), but at that point we've
> > already verified that the username was empty and no password was
> > provided and in that case any further module will always generate
> > result != NT_STATUS_OK.
> > 
> > > Otherwise it looks OK.
> > 
> > Is it ok to push it with your review, now?
> > So that we have it out of our way?
> 
> I guess we should add "BUG: https://bugzilla.samba.org/show_bug.cgi?i
> d=2976"
> to at least some of the commits.

Thanks.  I'm going to add what tests I can tomorrow, and then review
and push it, thanks to your clarification above.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list