The Samba-Bugzilla – Attachment 4582 Details for Bug 6650: Samba 3.4 member in samba (3.4) domain fails to authenticate users
Description: Patch for master and v3-4-test.
Filename: 0001-s3-fix-bug-6650-authentication-at-member-servers.patch
MIME Type: text/plain
Creator: Michael Adam
Created: 2009-08-21 07:44:55 UTC
Size: 2.54 KB
Type: patch
>From efd8ca2c53a931135038d95622b38ff72fd04b89 Mon Sep 17 00:00:00 2001 
>From: Michael Adam <obnox@samba.org>
>Date: Fri, 21 Aug 2009 13:59:16 +0200
>Subject: [PATCH] s3: fix bug #6650, authentication at member servers when winbindd is not running
>
>Authentication of domain users on the member server fails when winbindd
>is not running. This is because the is_trusted_domain() check behaves
>differently when winbindd is running and when it isn't:
>Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also
>give a result for our own domain, this succeeds for the member
>server's own domain when winbindd is running. When winbindd is not
>running, is_trusted_domain() checks (and possibly updates) the trustdom
>cache, and this does the lsa_EnumTrustDom() rpc call to the DC which
>does not return its own domain.
>
>In case of winbindd not running, before 3.4, the domain part was _silently_
>mapped to the workgroup in auth_util.c:make_user_info_map(),
>which effectively did nothing in the member case.
>
>But then the parameter "map untrusted to domain" was introduced
>and the mapping was made to the workstation name instead of
>the workgroup name by default unless "map untrusted to domain = yes".
>(Commits
> d8c54fddda2dba3cbc5fc13e93431b152813892e,
> 5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and
> fbca26923915a70031f561b198cfe2cc0d9c3aa6)
>This was ok as long as winbindd was running, but with winbindd not running,
>these changes actually uncovered the above logic bug in the check.
>
>So the correct check is to treat the workgroup as trusted / or known
>in the member case. This is most easily achieved by not comparing the
>domain name against get_global_sam_name() which is the host name unless
>for a DC but against my_sam_name() which is the workgroup for a DC and for
>a member, too. (These names are not very intuitive...)
>
>I admit that this is a very long commit message for a one-liner, but this has
>needed some tracking down, and I think the change deserves some justification.
> >Michael >--- > source3/auth/auth_util.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index d53da78..1d25e22 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -221,7 +221,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, > * This also deals with the client passing in a "" domain */ > > if (!is_trusted_domain(domain) && >- !strequal(domain, get_global_sam_name()) ) >+ !strequal(domain, my_sam_name())) > { > if (lp_map_untrusted_to_domain()) > domain = my_sam_name(); >-- >1.6.0.4 >
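Review bot: the replaced comparison in the `if` drops a case on member servers that the commit message does not mention: get_global_sam_name() is the host name there (as the message itself notes), so a logon that names the local host as its domain no longer satisfies `!strequal(domain, my_sam_name())`, and with "map untrusted to domain = yes" the `domain = my_sam_name();` branch will now rewrite it to the workgroup. If that is intended, state it in the message; otherwise keep both comparisons, e.g. `!strequal(domain, my_sam_name()) && !strequal(domain, get_global_sam_name())`. On a DC both functions return the workgroup, so the hunk changes nothing there, which is also worth saying. The dropped space before `)` on the `+` line is a welcome style cleanup.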
Flags: vl: review+