RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Mon Nov 9 16:48:43 UTC 2015


On 03/11/15 13:33, Noel Power wrote:
>>  We still need to keep the handling of
>> LOGON_KRB5_FAIL_CLOCK_SKEW.
> I didn't notice this, <sigh> this makes things difficult and I need some
> advice on how to proceed. The problem now is that krb5 auth happens in
> the winbindd(trusted domain) child and the samlogon happens in the other
> winbindd(primary) child, the samlogon needs access to the krb5 error
> status from the winbind(trusted domain) child, getting that error to the
> parent is easy enough (assuming my reuse of the reject_reason response
> member is ok). However, trying to transfer that error status from the
> parent to the primary domain winbind child doesn't seem easily achieved
> (I thought of using the extra data field in the request and introducing
> some new flag to indicate to use that). However... that seems ugly and I
> don't want to waste time on an unacceptable solution, any ideas?
>
Any suggestion or idea? Anyone?


Noel


