[PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

Uri Simchoni uri@samba.org
Tue Nov 21 18:10:09 UTC 2017


On 11/21/2017 01:36 PM, Samuel Cabrero via samba-technical wrote:
> After commit 8e88b56e the winbind parent process does not set
> auth_crap.domain to the winbind default domain anymore when the domain was not
> specified in the request, causing the request to fail with
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
> 
> This commit restores the behavior in the winbind child. If 'winbind use
> default domain = yes' and no domain is specified in the request, it will
> use the default domain. It also allows the domain to be specified in
> auth_crap.user as 'DOMAIN\user'.
> 
> To test this I have added a new environment where 'winbind use default
> domain' is set to true.
> 
> Comments and reviews appreciated!
> 

I'm "guilty" for commit 8e88b56e so I have some comments.

This patch set won't survive autobuild - "samba3.unix.whoami ntlm
user@realm(ad_member)" fails. The reason is that it breaks
authenticating to an SMB server using \upn@realm (empty domain, and the
user component is upn@realm).

The point of commit 8e88b56e was that in NTLMv2, the domain is part of
the cryptographic material, and you are not allowed to change it
whimsically. An empty domain given to winbindd means that on the wire
the domain was empty, and if you change that, the v2-hash you get can't
possibly match the provided hash.

With NTLM(v1) the domain can be changed, and I suppose I was unaware of
the possible breakage with ntlm_auth (IIRC, smbd has not regressed due
to this change, at least not if "map untrusted to domain" is kept at its
default of "no").

I think also that the expected behavior should be documented in the bug
report / commit message - if I understand correctly, the expected
behavior is that \user is mapped to DOMAIN\user - well, that's inconsistent
with smbd, where \user is mapped to WORKSTATION\user unless "map
untrusted to domain" is true.

Finally, another possible option for fixing this is in ntlm_auth. That
keeps Winbindd simple. Just a thought.

Thanks,
Uri.