Authentication on a DC
Volker Lendecke
vl at samba.org
Mon Feb 27 11:05:24 UTC 2017
Hi!
Right now I'm trying to correctly return NT_STATUS_NO_SUCH_USER with
authoritative=0 from our DC implementation(s) in the case when our
netlogon server does not know the domain name. I'm hitting wall after
wall with autobuild, so I would like to lay out what I think is a flaw
in our authentication approach.
On a DC, we have two cases which I believe are to be handled
differently:
* Acting as a DC
* Giving access to a local resource
When giving access to a local resource, we need to fall back to
essentially sam_ignoredomain when the user comes in with a completely
unknown domain name. We should not do this as a netlogon server, we
should return the NO_SUCH_USER/authoritative=0. This case is
essentially handled through NT_STATUS_NOT_IMPLEMENTED internally.
The design flaw is, I believe, that we force all authentication through
a single set of auth methods, not looking at the use case.
Forcing everything through this single interface makes things like
"USER_INFO_LOCAL_SAM_ONLY" necessary in the first place. If
winbindd_pam had the liberty to just create an auth context with just
"sam", this flag would not be required.
Comments?
Volker
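As an added illustration of the two-use-case split argued for above (editor's example, not Samba code and not Volker's; all names, the status enum and the constructed SAM contents are hypothetical), the following C sketch gives each use case its own dispatch path: the "sam" provider answers only for its own domain, a netlogon-style caller turns an unknown domain into NO_SUCH_USER with authoritative=0, and a local-resource caller falls back to a domain-ignoring lookup. Neither path needs a flag like USER_INFO_LOCAL_SAM_ONLY, because the caller picks the method set instead of tunnelling a hint through a shared one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical status values, named after the NT_STATUS codes in the post. */
typedef enum {
	ST_OK,
	ST_NO_SUCH_USER,
	ST_WRONG_PASSWORD,
	ST_NOT_IMPLEMENTED	/* internal only: "not my domain, ask elsewhere" */
} nt_status;

struct auth_result {
	nt_status status;
	bool authoritative;	/* false: the caller may try another provider */
};

/* The two use cases the post distinguishes. */
enum auth_use_case {
	AUTH_USE_NETLOGON,	/* acting as a DC for a netlogon client */
	AUTH_USE_LOCAL_RESOURCE	/* granting access to a local share etc. */
};

/* Constructed local SAM: domain name, users and passwords are made up. */
static const char *our_domain = "EXAMPLE";

struct sam_entry { const char *user; const char *password; };
static const struct sam_entry local_sam[] = {
	{ "alice", "correct horse" },
	{ "bob",   "battery staple" },
};

static const struct sam_entry *sam_lookup(const char *user)
{
	size_t i;
	for (i = 0; i < sizeof(local_sam) / sizeof(local_sam[0]); i++) {
		if (strcasecmp(local_sam[i].user, user) == 0)
			return &local_sam[i];
	}
	return NULL;
}

/* Domain names our SAM answers for: our own name, "" or ".". */
static bool domain_is_ours(const char *domain)
{
	return domain == NULL || domain[0] == '\0' ||
	       strcmp(domain, ".") == 0 ||
	       strcasecmp(domain, our_domain) == 0;
}

/* Authoritative either way: the user is, or is not, in our SAM. */
static struct auth_result check_entry(const char *user, const char *password)
{
	const struct sam_entry *e = sam_lookup(user);
	if (e == NULL)
		return (struct auth_result){ ST_NO_SUCH_USER, true };
	if (strcmp(e->password, password) != 0)
		return (struct auth_result){ ST_WRONG_PASSWORD, true };
	return (struct auth_result){ ST_OK, true };
}

/* "sam": answers only for our own domain, otherwise NOT_IMPLEMENTED. */
static struct auth_result method_sam(const char *domain, const char *user,
				     const char *password)
{
	if (!domain_is_ours(domain))
		return (struct auth_result){ ST_NOT_IMPLEMENTED, false };
	return check_entry(user, password);
}

/* "sam_ignoredomain": looks the user up whatever domain was supplied. */
static struct auth_result method_sam_ignoredomain(const char *user,
						  const char *password)
{
	return check_entry(user, password);
}

/* Per-use-case dispatch instead of one shared method list for everything. */
struct auth_result authenticate(enum auth_use_case uc, const char *domain,
				const char *user, const char *password)
{
	struct auth_result r = method_sam(domain, user, password);

	if (r.status != ST_NOT_IMPLEMENTED)
		return r;	/* our domain: the SAM's verdict stands */

	if (uc == AUTH_USE_NETLOGON) {
		/* Unknown domain as a DC: not ours, let the client ask elsewhere. */
		return (struct auth_result){ ST_NO_SUCH_USER, false };
	}
	/* Local resource: fall back to the local SAM, ignoring the domain. */
	return method_sam_ignoredomain(user, password);
}

int main(void)
{
	struct auth_result a = authenticate(AUTH_USE_NETLOGON, "OTHERDOM", "alice", "correct horse");
	struct auth_result b = authenticate(AUTH_USE_LOCAL_RESOURCE, "OTHERDOM", "alice", "correct horse");
	printf("netlogon: status=%d authoritative=%d\n", a.status, a.authoritative);
	printf("local:    status=%d authoritative=%d\n", b.status, b.authoritative);
	return 0;
}
```

The same credentials with an unknown domain yield NO_SUCH_USER/authoritative=0 through the netlogon path but a successful local-SAM login through the local-resource path; with our own domain both paths give the SAM's authoritative answer.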