Bug 13206 - Unable to authenticate with an empty string domain ''
Summary: Unable to authenticate with an empty string domain ''
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.7.4
Hardware: All All
: P5 regression (vote)
Target Milestone: 4.7
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-01-08 03:42 UTC by Garming Sam
Modified: 2020-01-23 14:58 UTC (History)
6 users (show)

See Also:

patch for master (910 bytes, patch)
2018-01-08 03:42 UTC, Garming Sam
no flags Details
trace of windows (23.58 KB, application/vnd.tcpdump.pcap)
2018-01-08 21:13 UTC, Garming Sam
no flags Details
patch for master (with tests) (7.76 KB, patch)
2018-01-08 21:22 UTC, Garming Sam
no flags Details
Patch for 4.8 cherry-picked from master (11.56 KB, patch)
2018-02-27 10:30 UTC, Ralph Böhme
metze: review+
Patches for v4-7-test (11.50 KB, patch)
2018-03-20 06:41 UTC, Stefan Metzmacher
metze: review? (slow)
metze: review? (abartlet)
asn: review+
metze: review? (garming)
Patches for v4-6-test (5.71 KB, patch)
2018-03-20 06:42 UTC, Stefan Metzmacher
metze: review? (slow)
metze: review? (abartlet)
asn: review+
metze: review? (garming)

Note You need to log in before you can comment on or make changes to this bug.
Description Garming Sam 2018-01-08 03:42:12 UTC
There appears to be a regression with being able to authenticate with an empty string domain since 4.7 (introduced with modified UPN handling). This was noticed when running the Microsoft test-suites which did not appear to supply a domain when required.
Comment 1 Garming Sam 2018-01-08 03:42:52 UTC
Created attachment 13895 [details]
patch for master
Comment 2 Garming Sam 2018-01-08 03:43:56 UTC
Currently working on tidying up some tests, I've verified that these tests pass on v4-6-test but not master without the patch.
Comment 3 Andrew Bartlett 2018-01-08 03:46:11 UTC
Comment on attachment 13895 [details]
patch for master

The change looks good once the tests are included.  I'll review those on the list when they land.
Comment 4 Stefan Metzmacher 2018-01-08 09:23:54 UTC
(In reply to Andrew Bartlett from comment #3)

I'd really like to see tests and captures against windows before this hits master...
Comment 5 Andrew Bartlett 2018-01-08 09:29:10 UTC
Yes, Garming tested this against windows, the test that was run will be with the change that is included. 

The original use case was actually that the Microsoft Protocol Test Suites require this for the auto-configuration!
Comment 6 Garming Sam 2018-01-08 21:13:55 UTC
Created attachment 13896 [details]
trace of windows
Comment 7 Garming Sam 2018-01-08 21:15:05 UTC
You can see in frame 44, that no domain is specified.
Comment 8 Garming Sam 2018-01-08 21:16:24 UTC
The trace was generated by the bind.py test (__main__.BindTests.test_user_account_bind_no_domain) against Windows 2012 R2.
Comment 9 Garming Sam 2018-01-08 21:22:38 UTC
Created attachment 13897 [details]
patch for master (with tests)

Sending to the list also...
Comment 10 Stefan Metzmacher 2018-01-08 21:26:03 UTC
(In reply to Garming Sam from comment #8)

In order to judge if the patch is correct, you need to use NTLMSSP against
a member server.

Are you really seeing authentication errors against Samba?
I guess "sam_ignoredomain" backend is supposed to catch that case,
but "sam" needs to be strict as that's also used in the netlogon server,
while the fallback to "sam_ignoredomain" is only called for NTLMSSP
(and legacy SMB1 authentication).
Comment 11 Garming Sam 2018-01-08 21:44:23 UTC
test: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx
time: 2018-01-08 21:36:44.088516Z
successful: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx
time: 2018-01-08 21:36:44.088681Z
time: 2018-01-08 21:36:44.088831Z
test: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonExMSCHAPv2
time: 2018-01-08 21:36:44.248944Z
successful: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonExMSCHAPv2
time: 2018-01-08 21:36:44.249050Z
time: 2018-01-08 21:36:44.249131Z
test: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonExNTLM
time: 2018-01-08 21:36:44.408952Z
successful: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonExNTLM
time: 2018-01-08 21:36:44.409092Z
time: 2018-01-08 21:36:44.409207Z
test: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain
time: 2018-01-08 21:36:44.559329Z
successful: samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain

I've now run my NETLOGON test against my Windows DC and it seems to pass as well.
Comment 12 Andrew Bartlett 2018-01-08 21:54:55 UTC
(In reply to Stefan Metzmacher from comment #10)
I would note that this patch restores the 4.6 behaviour, avoiding a real-world regression.  

Given we have test results against Windows showing that the netlogon server needed to honour this, I think the patch is reasonable.
Comment 13 Stefan Metzmacher 2018-02-21 00:13:38 UTC
I'll get back to this soon...
Comment 14 Ralph Böhme 2018-02-27 10:30:30 UTC
Created attachment 13995 [details]
Patch for 4.8 cherry-picked from master
Comment 15 Stefan Metzmacher 2018-02-27 15:36:24 UTC
Pushed to autobuild-v4-8-test. But needs backport to older versions.
Comment 16 Stefan Metzmacher 2018-02-28 16:16:01 UTC
(In reply to Stefan Metzmacher from comment #15)

Pushed to v4-8-test.
Comment 17 Stefan Metzmacher 2018-03-20 06:41:30 UTC
Created attachment 14060 [details]
Patches for v4-7-test
Comment 18 Stefan Metzmacher 2018-03-20 06:42:06 UTC
Created attachment 14061 [details]
Patches for v4-6-test
Comment 19 Andreas Schneider 2018-03-20 12:27:26 UTC
Karolin, please add the patches for 4.6 and 4.7 too. Thanks!
Comment 20 Stefan Metzmacher 2018-03-20 16:14:10 UTC
Pushed to autobuild-v4-{6,7}-test
Comment 21 Stefan Metzmacher 2018-03-21 05:57:55 UTC
(In reply to Stefan Metzmacher from comment #20)

Pushed to v4-{6,7}-test.
Comment 22 Björn Jacke 2020-01-23 14:58:45 UTC
source3 for the winbind member server case has a similar issue, opened bug 14247 for that.