[PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

Samuel Cabrero scabrero@suse.de
Wed Nov 29 17:02:38 UTC 2017

Uri, thanks for your comments. I should have run all tests before.

Following your suggestion, this patch fixes it in ntlm_auth. If an
empty domain is given (eg: --domain="" or --username="\user") but
"winbind use default domain = yes", then the winbind domain is used.

I have also added tests reusing the s4member_dflt_domain environment.


On Tue, 2017-11-21 at 20:10 +0200, Uri Simchoni via samba-technical
> On 11/21/2017 01:36 PM, Samuel Cabrero via samba-technical wrote:
> > After commit 8e88b56e the winbind parent process does not set anymore
> > auth_crap.domain to the winbind default domain when the domain was not
> > specified in the request, causing the request to fail with
> > 
> > This commit restores the behavior in the winbind child. If 'winbind use
> > default domain = yes' and no domain is specified in the request, it will
> > use the default domain. It also allows the domain to be specified in
> > auth_crap.user as 'DOMAIN\user'.
> > 
> > To test this I have added a new environment where 'winbind use
> > default
> > domain' is set to true.
> > 
> > Comments and reviews appreciated!
> > 
> I'm "guilty" for commit 8e88b56e so I have some comments.
> This patch set won't survive autobuild - "samba3.unix.whoami ntlm
> user@realm(ad_member)" fails. The reason is that it breaks
> authenticating to SMB server using \upn@realm. (empty domain and user
> component is upn@realm).
> The point of commit 8e88b56e was that in NTLMv2, the domain is part of
> the cryptographic material, and you are not allowed to change it
> whimsically. An empty domain given to winbindd means that on the wire
> the domain was empty, and if you change that, the v2-hash you get can't
> possibly match the provided hash.
> With NTLM(v1) the domain can be changed, and I suppose I was unaware of
> the possible breakage with ntlm_auth (IIRC, smbd has not regressed due
> to this change, at least not if "map untrusted to domain" is kept at its
> default of "no").
> I think also that the expected behavior should be documented in the bug
> report / commit message - If I understand correctly, the expected
> behavior is that \user mapped to DOMAIN\user - well that's inconsistent
> with smbd, where \user is mapped to WORKSTATION\user, unless "map
> untrusted to domain" is true.
> Finally, another possible option for fixing this is in ntlm_auth. That
> keeps Winbindd simple. Just a thought.
> Thanks,
> Uri.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ntlm_auth-Honour-winbind-use-default-domain-when-emp.patch
Type: text/x-patch
Size: 1487 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20171129/eaa1686e/0001-ntlm_auth-Honour-winbind-use-default-domain-when-emp.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-selftest-Add-tests-for-ntlm_auth-with-empty-domain.patch
Type: text/x-patch
Size: 11897 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20171129/eaa1686e/0002-selftest-Add-tests-for-ntlm_auth-with-empty-domain.bin>
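Uri's point that the NTLMv2 domain "is part of the cryptographic material" is the reason the fix moves to ntlm_auth (which sends the domain) rather than winbindd (which verifies it). The example below, added here and not taken from the patches or from Samba's source, walks through the MS-NLMP 3.3.2 computation: NTOWFv2 is an HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain), and NTProofStr is an HMAC-MD5 keyed with that value over the server challenge and the client blob. A verifier that substitutes a default domain for the empty one the client used derives a different key and the proof cannot match. The NT hash, challenges and timestamp are constructed placeholders, not values from the page.

```python
import hashlib
import hmac
import struct

# Constructed NT hash standing in for MD4(UTF-16LE(password)); in a real
# deployment the DC holds it. Fixed here so the example runs offline.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPER(user) + domain). The user is upper-cased, the domain is
    used as-is, and both are bound into the key for everything that follows."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, msg, hashlib.md5).digest()


def build_temp(timestamp: int, client_challenge: bytes) -> bytes:
    """Minimal NTLMv2 client blob ('temp'): RespType/HiRespType, 6 reserved
    bytes, FILETIME, 8-byte client challenge, 4 reserved bytes, an AV_PAIR
    list holding only MsvAvEOL, and 4 trailing reserved bytes."""
    if len(client_challenge) != 8:
        raise ValueError("client challenge must be 8 bytes")
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4
            + b"\x00\x00\x00\x00"      # MsvAvEOL: AvId=0, AvLen=0
            + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, timestamp, client_challenge):
    """Client side: NtChallengeResponse = NTProofStr || temp, with
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    temp = build_temp(timestamp, client_challenge)
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(nt_hash, user, domain, server_challenge, response) -> bool:
    """Verifier side: recompute NTProofStr with the user/domain it believes
    the client used and compare in constant time. Any domain other than the
    one the client hashed yields a different key and a mismatch."""
    proof, temp = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    """Client authenticates with an empty domain, as ntlm_auth --domain=""
    would. Returns (verified with domain as sent, verified after substituting
    a default domain)."""
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed
    client_challenge = bytes.fromhex("fedcba9876543210")   # constructed
    timestamp = 131560000000000000                          # constructed FILETIME
    resp = ntlmv2_response(NT_HASH, "user", "", server_challenge,
                           timestamp, client_challenge)
    as_sent = verify_ntlmv2(NT_HASH, "user", "", server_challenge, resp)
    substituted = verify_ntlmv2(NT_HASH, "user", "SAMBADOM", server_challenge, resp)
    return as_sent, substituted


if __name__ == "__main__":
    print(demo())  # (True, False)
```

This is why the empty-domain handling belongs in the client that builds the response: if ntlm_auth fills in the winbind default domain before computing (or asking winbindd to compute) the proof, client and verifier agree on the key material; if winbindd rewrites an empty domain after the fact, they do not. NTLMv1 is outside this example because its response keys DES with the NT hash alone, which is the property Uri relies on when he says the v1 domain can be changed.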
