Bug 12709 - The auth4 stack maps any client provided domain to the local domain before calling the backends
The auth4 stack maps any client provided domain to the local domain before ca...
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.6.0
All All
: P5 normal
: ---
Assigned To: Stefan Metzmacher
Samba QA Contact
:
: 11833 12811 (view as bug list)
Depends on: 12731
Blocks: 2976
  Show dependency treegraph
 
Reported: 2017-03-22 09:52 UTC by Stefan Metzmacher
Modified: 2017-06-29 06:45 UTC (History)
5 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2017-03-22 09:52:14 UTC
Currently we always map any incoming domain to our own domain
in map_user_info_cracknames(), so that the winbind module is never
used at all, e.g. we're DC of W4EDOM-L4.BASE with a forest trust to W2012R2-L4.BASE:
    
      [2017/03/22 10:09:54.268472,  3, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
        auth_check_password_send: Checking password for unmapped user [W2012R2-L4]\[administrator]@[UB1404-163]
      [2017/03/22 10:09:54.268496,  5, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
        map_user_info_cracknames: Mapping user [W2012R2-L4]\[administrator] from workstation [UB1404-163]
        auth_check_password_send: mapped user is: [W4EDOM-L4]\[administrator]@[UB1404-163]
Comment 1 Stefan Metzmacher 2017-06-07 08:42:54 UTC
*** Bug 12811 has been marked as a duplicate of this bug. ***
Comment 2 Andrew Bartlett 2017-06-27 18:55:08 UTC
Is this fixed by 236b24dfd29f1343c6de9a1e8c8baf3d2991244e in master for 4.7?
Comment 3 Stefan Metzmacher 2017-06-27 21:53:14 UTC
(In reply to Andrew Bartlett from comment #2)

Yes, together with the sam_failtrusts module.
Comment 4 Andrew Bartlett 2017-06-28 10:00:53 UTC
*** Bug 11833 has been marked as a duplicate of this bug. ***