[PATCH] Correctly handle !authoritative in the rpc-based auth backends
Jeremy Allison
jra at samba.org
Thu Mar 23 01:46:14 UTC 2017
On Wed, Mar 22, 2017 at 05:00:47PM +0100, Stefan Metzmacher via samba-technical wrote:
>
> The attached patches for bugs
> https://bugzilla.samba.org/show_bug.cgi?id=8630
> (support for 'map untrusted to domain = auto')
> and
> https://bugzilla.samba.org/show_bug.cgi?id=2976
> are attached (required in the given order)
>
> The unrelated idl patches can be pushed before...
>
> I'm currently running autobuilds for the patches related to
> each bug, 1st just 8630, then 8630+2976 and so on...
>
> I'll post the patches for
> https://bugzilla.samba.org/show_bug.cgi?id=12709
> (The auth4 stack maps any client provided domain to the local domain
> before calling the backends)
> and
> https://bugzilla.samba.org/show_bug.cgi?id=12710
> (The netlogon server should not allow LogonSamLogon for anonymous)
> in the next mail.
>
> The patches attached here are also in
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok
>
> Please just review, I'll push then.
unrelated idl patches - Reviewed-by: Jeremy Allison <jra at samba.org>
Typos in the below:
> From fa3c00bf92a7efae6d76a4595fd64b5398d3f8d2 Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Wed, 22 Mar 2017 12:11:26 +0100
> Subject: [PATCH 8/8] docs-xml: document "map untrusted to domain = auto"
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
> .../smbdotconf/security/mapuntrustedtodomain.xml | 23 ++++++++++++++++++++--
> 1 file changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
> index 496e7c2..f745e9a 100644
> --- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
> +++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
> @@ -1,6 +1,7 @@
> <samba:parameter name="map untrusted to domain"
> context="G"
> - type="boolean"
> + type="enum"
> + enumlist="enum_bool_auto"
> deprecated="1"
> xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
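Review bot: `deprecated="1"` stays on the `<samba:parameter>` element while the same hunk widens the type from `boolean` to `enum` with `enumlist="enum_bool_auto"`, so the parameter is marked deprecated at the same moment it gains a new value. If the deprecation is meant to continue, the description should say so alongside the new `auto` text; if it only applied to the boolean form, the attribute should be dropped in this patch.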
> @@ -20,13 +21,31 @@
> </para>
>
> <para>
> - When this parameter is set to <constant>yes</constant> smbd provides the
> + The above describes the situation with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
> + witch was the default up to Samba 4.6.
^^^^^
which
> + </para>
> +
> + <para>
> + When this parameter is set to <smbconfoption name="map untrusted to domain">yes</smbconfoption> smbd provides the
> legacy behavior of mapping untrusted domain names to the primary domain.
> When smbd is not acting as a domain member server, this parameter has no
> effect.
> </para>
>
> + <para>
> + When this parameter is set to <smbconfoption name="map untrusted to domain">auto</smbconfoption> smbd will
> + deferr the mapping decision to the stack of auth method backends.
^^^^^^
defer
> + Each auth method is able to say I'm not authoritative and the
> + next backend will be used. This is basically the behavior
^^^^^^^^^
the same as
> + implemented in Windows.
> + </para>
> +
> + <para>
> + <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
> + for Samba 4.7, and might be backport to some 4.6 release.
^^^^^^^^
backported
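Review bot: The last added paragraph puts a prediction into the smb.conf documentation: "might be backport to some 4.6 release" gives an administrator nothing to act on, and it makes "was the default up to Samba 4.6" in the first added paragraph ambiguous about whether 4.6 itself is included. Suggest stating only the release in which `auto` is actually available, and naming the new default explicitly if the rest of the hunk does not already do so. The `auto` paragraph also explains that a backend can say it is not authoritative so that the next one is used, but not what the result is when every backend in the stack declines; one sentence covering that case would make the behaviour predictable from the documentation alone.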
Cheers,
Jeremy.