[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Jeremy Allison jra at samba.org
Thu Mar 23 01:46:14 UTC 2017


On Wed, Mar 22, 2017 at 05:00:47PM +0100, Stefan Metzmacher via samba-technical wrote:
> 
> The attached patches for bugs
> https://bugzilla.samba.org/show_bug.cgi?id=8630
> (support for 'map untrusted to domain = auto')
> and
> https://bugzilla.samba.org/show_bug.cgi?id=2976
> are attached (required in the given order)
> 
> The unrelated idl patches can be pushed before...
> 
> I'm currently running autobuilds for the patches related to
> each bug, 1st just 8630, then 8630+2976 and so on...
> 
> I'll post the patches for
> https://bugzilla.samba.org/show_bug.cgi?id=12709
> (The auth4 stack maps any client provided domain to the local domain
> before calling the backends)
> and
> https://bugzilla.samba.org/show_bug.cgi?id=12710
> (The netlogon server should not allow LogonSamLogon for anonymous)
> in the next mail.
> 
> The patches attached here are also in
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok
> 
> Please just review, I'll push then.

unrelated idl patches - Reviewed-by: Jeremy Allison <jra at samba.org>

Typos in the below:

> From fa3c00bf92a7efae6d76a4595fd64b5398d3f8d2 Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Wed, 22 Mar 2017 12:11:26 +0100
> Subject: [PATCH 8/8] docs-xml: document "map untrusted to domain = auto"
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
> 
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> ---
>  .../smbdotconf/security/mapuntrustedtodomain.xml   | 23 ++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
> index 496e7c2..f745e9a 100644
> --- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
> +++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
> @@ -1,6 +1,7 @@
>  <samba:parameter name="map untrusted to domain"
>                   context="G"
> -                 type="boolean"
> +                 type="enum"
> +                 enumlist="enum_bool_auto"
>                   deprecated="1"
>                   xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
>  <description>
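
Review bot: deprecated="1" stays on the parameter while the type changes from boolean to enum with enumlist="enum_bool_auto", so the option gains a new value while still being flagged as deprecated. If auto is meant to be a supported setting, either drop the deprecated attribute in this hunk or say in the description which values are deprecated, so the generated documentation does not mark the whole option as deprecated without explanation.
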
> @@ -20,13 +21,31 @@
>      </para>
>  
>      <para>
> -    When this parameter is set to <constant>yes</constant> smbd provides the
> +    The above describes the situation with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
> +    witch was the default up to Samba 4.6.

       ^^^^^
       which

> +    </para>
> +
> +    <para>
> +    When this parameter is set to <smbconfoption name="map untrusted to domain">yes</smbconfoption> smbd provides the
>      legacy behavior of mapping untrusted domain names to the primary domain.
>      When smbd is not acting as a domain member server, this parameter has no
>      effect.
>      </para>
>  
> +    <para>
> +    When this parameter is set to <smbconfoption name="map untrusted to domain">auto</smbconfoption> smbd will
> +    deferr the mapping decision to the stack of auth method backends.

       ^^^^^^
       defer

> +    Each auth method is able to say I'm not authoritative and the
> +    next backend will be used. This is basically the behavior

                                          ^^^^^^^^^
                                          the same as
> +    implemented in Windows.
> +    </para>
> +
> +    <para>
> +    <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
> +    for Samba 4.7, and might be backport to some 4.6 release.

                                   ^^^^^^^^
                                   backported
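
Review bot: the first added paragraph says no "was the default up to Samba 4.6", but none of the visible added lines says which value is the default from 4.7 on. Since this option decides which auth backend is treated as authoritative for a client-supplied domain name, state the new default explicitly next to that sentence. The closing clause "might be backport to some 4.6 release" is also speculative for user documentation; name the exact release once the backport lands, or drop the clause.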

Cheers,

	Jeremy.


