Bug 12709 - The auth4 stack maps any client provided domain to the local domain before calling the backends
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
Duplicates: 11833 12811
Depends on: 12731
Blocks: 2976
Reported: 2017-03-22 09:52 UTC by Stefan Metzmacher
Modified: 2017-06-29 06:45 UTC
Description Stefan Metzmacher 2017-03-22 09:52:14 UTC
Currently we always map any incoming domain to our own domain
in map_user_info_cracknames(), so that the winbind module is never
used at all, e.g. we're a DC of W4EDOM-L4.BASE with a forest trust to W2012R2-L4.BASE:
    
      [2017/03/22 10:09:54.268472,  3, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
        auth_check_password_send: Checking password for unmapped user [W2012R2-L4]\[administrator]@[UB1404-163]
      [2017/03/22 10:09:54.268496,  5, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
        map_user_info_cracknames: Mapping user [W2012R2-L4]\[administrator] from workstation [UB1404-163]
        auth_check_password_send: mapped user is: [W4EDOM-L4]\[administrator]@[UB1404-163]
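A log check for the behaviour described in this report, added here as an example (it is not part of the original bug or of Samba's code): it pairs each "unmapped user" line with the next "mapped user is" line from the same pid and reports logons where a trusted domain's name was replaced. The function name, the `trusted_domains` parameter and the pid 4725 sample lines are assumptions made for the example.

```python
import re

# Patterns follow the log lines quoted in the report above.
HEADER = re.compile(r"^\s*\[(\d{4}/\d\d/\d\d [\d:.]+),\s*\d+, pid=(\d+)")
NAME = r"\[([^\]]*)\]\\\[([^\]]*)\]"
UNMAPPED = re.compile(r"Checking password for unmapped user " + NAME)
MAPPED = re.compile(r"mapped user is: " + NAME)


def find_domain_rewrites(lines, trusted_domains):
    """Return logons whose client-supplied trusted domain was replaced.
    trusted_domains: NetBIOS names supplied by the operator (assumption).
    """
    trusted = {d.upper() for d in trusted_domains}
    pending = {}  # pid -> (timestamp, domain, user) awaiting its mapped line
    stamp = pid = None
    findings = []
    for line in lines:
        h = HEADER.match(line)
        if h:
            stamp, pid = h.groups()
            continue
        m = UNMAPPED.search(line)
        if m:
            pending[pid] = (stamp, m.group(1), m.group(2))
            continue
        m = MAPPED.search(line)
        if m and pid in pending:
            when, dom_in, user = pending.pop(pid)
            dom_out = m.group(1)
            # Only a trusted domain being renamed is reported; other mappings are ignored.
            if dom_in.upper() in trusted and dom_out.upper() != dom_in.upper():
                findings.append((when, pid, user, dom_in, dom_out))
    return findings


# Constructed sample: pid 4724 lines are from the report, pid 4725 lines are made up.
SAMPLE = r"""[2017/03/22 10:09:54.268472,  3, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [W2012R2-L4]\[administrator]@[UB1404-163]
[2017/03/22 10:09:54.268496,  5, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
  map_user_info_cracknames: Mapping user [W2012R2-L4]\[administrator] from workstation [UB1404-163]
  auth_check_password_send: mapped user is: [W4EDOM-L4]\[administrator]@[UB1404-163]
[2017/03/22 10:10:01.000000,  3, pid=4725, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [W4EDOM-L4]\[alice]@[UB1404-163]
  auth_check_password_send: mapped user is: [W4EDOM-L4]\[alice]@[UB1404-163]
""".splitlines()

if __name__ == "__main__":
    print(find_domain_rewrites(SAMPLE, ["W2012R2-L4"]))
```

The messages it matches appear at the debug levels shown in the quoted headers (3 and 5), so the DC's log level has to be at least that high for the check to see them.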
Comment 1 Stefan Metzmacher 2017-06-07 08:42:54 UTC
*** Bug 12811 has been marked as a duplicate of this bug. ***
Comment 2 Andrew Bartlett 2017-06-27 18:55:08 UTC
Is this fixed by 236b24dfd29f1343c6de9a1e8c8baf3d2991244e in master for 4.7?
Comment 3 Stefan Metzmacher 2017-06-27 21:53:14 UTC
(In reply to Andrew Bartlett from comment #2)

Yes, together with the sam_failtrusts module.
Comment 4 Andrew Bartlett 2017-06-28 10:00:53 UTC
*** Bug 11833 has been marked as a duplicate of this bug. ***