[PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

Uri Simchoni uri at samba.org
Tue Aug 7 20:36:50 UTC 2018

On 08/07/2018 07:15 PM, Aurélien Aptel wrote:
> (Sorry if duplicate email, resending with different address)
> Looks good to me, what do you think Uri?
> Reviewed-by: Aurelien Aptel <aaptel at suse.com>


If I understand correctly, even before the patch, doing "ntlm_auth
--username=foo" would authenticate as DOMAIN\foo, irrespective of
"winbind use default domain". The patch covers "ntlm_auth
--username=\foo" and "ntlm_auth --domain=''", in the case where "winbind
use default domain" is true.

If that's correct, then I don't think the patch "honours" winbind use
default domain, because in the cases that the patch changes, the domain
is explicitly set to be empty, whereas only in the first case the domain
is not specified (and there we don't consult use-default-domain....).

Even the comment before the patch says "if opt_domain is "" then send no
domain" which means that at one time or another it was intentional.

I realize *something* got broken for *someone* and you try to fix it. I
read the bug report, about Wine running ntlm_auth, but it's not clear
which parameters it uses.

Can you correct me if I'm wrong about what this patch does, or, if I'm
right, explain why the user of ntlm_auth would explicitly specify "\user"
(and not just "user"), or specify "--domain=" (and not just omit the
domain parameter), and then expect this to represent the default domain?

Also, if this is indeed the expected behavior of ntlm_auth, then it
should be documented because at least to me it looks surprising.

Regarding the tests, wouldn't buf.startswith("AF ") be more readable
than buf.count("AF ",0, 3) == 1 ?

