RFC Reroute samlogon for trusted child domain user if samlogon fails

Noel Power nopower at suse.com
Fri Oct 30 16:55:04 UTC 2015


On 30/10/15 16:01, Noel Power wrote:
> On 30/10/15 10:29, Noel Power wrote:
>> Hi,
>>
>> revisiting the issue turned up in previous 'winbindd crash' thread
>>
>> On 22/10/15 12:03, Stefan Metzmacher wrote:
>>
>>> Hi Noel,
>>>
>> [...]
>>
>>> I think what we really need is a way to return to the parent and have
>>> the fallback logic there,
>>> the parent should then re-route to the correct domain child by clearing
>>> WBFLAG_PAM_CONTACT_TRUSTDOM
>>> before calling find_auth_domain().
>> Something like the patch attached? Is this the correct direction/approach?
>>
> Let's forget about this for the moment, I need to rethink some things.
>
OK, here we go again, with some little changes (to avoid calling Kerberos a
second time). I think there must be a better way to transfer that the
netlogon pipe access failed than the current status check; I'd be interested
to hear if anyone has any ideas (but perhaps my approach is bogus anyway??).

Interestingly, we lose potentially interesting information with this
regression, e.g. when a user account is disabled: because we never get to
successfully fall back to samlogon, we miss the nice information it gives
like NT_STATUS_ACCOUNT_DISABLED, and thus on the command line e.g.
ssh/pam just repeatedly prompts for the password and gives up with no
info, and /var/log/messages just has a cryptic
NT_STATUS_CANT_ACCESS_DOMAIN_INFO error. Note: previously, logon failures
in this scenario would print "Your account is disabled, contact a
sysadmin blah blah" after each password entry.

Noel
