13879 – Simple bind doesn't work against an RODC (with non-preloaded users)

Bug 13879 - Simple bind doesn't work against an RODC (with non-preloaded users)

Summary: Simple bind doesn't work against an RODC (with non-preloaded users)

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.10.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	13377 14641 15001 15003
	Show dependency tree / graph

Reported:	2019-04-01 23:13 UTC by Garming Sam
Modified:	2022-05-03 00:11 UTC (History)
CC List:	4 users (show)

See Also:	14641 13377

Attachments
Test that fails currently (6.29 KB, patch) 2019-04-02 01:08 UTC, Garming Sam	no flags	Details
Patches for v4-16-test (58.25 KB, patch) 2022-03-10 12:23 UTC, Stefan Metzmacher	metze: review? (abartlet) jsutton: review+	Details
Patches for v4-15-test (58.28 KB, patch) 2022-03-10 12:23 UTC, Stefan Metzmacher	metze: review? (abartlet) jsutton: review+	Details
Patches for v4-14-test (58.28 KB, patch) 2022-03-10 12:24 UTC, Stefan Metzmacher	metze: review? (abartlet) jsutton: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Garming Sam 2019-04-01 23:13:17 UTC

It's unclear whether or not this has been broken for a long time or not, but in Samba 4.10, this doesn't work.

source3/winbindd/winbindd_irpc.c - wb_irpc_SamLogon

Returns NT_STATUS_REQUEST_NOT_ACCEPTED for non-UPN bind DNs (due to a missing target domain).

There appears to be crude handling of UPNs in wb_irpc_SamLogon which allows these to be forwarded onto winbind, however, there are some minor issues in winbind which prevent the authentication from succeeding (still).

How to correct the non-UPN DN bind isn't exactly clear currently. Somewhere in the stack, the name needs to be re-cracked, or the mapped name needs to be plumbed through (possibly with a flag).

Comment 1 Garming Sam 2019-04-02 01:08:05 UTC

Created attachment 15032 [details]
Test that fails currently

Here is a quick attempt at a test, note that this uses the standard user DN (there probably needs to be a test using the UPN). I'm not sure that this test actually works properly (and will work once simple binds are fixed), but at least it shows that this fails.

Comment 2 Samba QA Contact 2022-03-10 04:25:37 UTC

This bug was referenced in samba master:

a30a7626254c863f95b98c97ea46ff54b98078ad
90754591a7e4d5a3af70c01425930f4ec063c516
5a3214c99048a88b0a9f509e3b5b38326529b02c
03ba5af3d9eaeb5f0c7c1a1a61ef2ac454eb8392
751ce671a4af32bc1c56433a5a1c8161377856c5
0b1fbc9d56e2a25e3f1527ee5bc54880bdc65fc6
3625d1381592f7af8ec14715c6c2dfa4d9f02676
2ad44686229ba02f98de5769c26a3dfeaf5ada2b
62fb6c1dc8527db6cf0f08d4d06e8813707f767a
5c04c01354944fc3a64bb109bf3e9bf89086cc6f
31db704882bbcd569c2abb764ac1d3691ee0a267
a6fb598d9dcbfe21ef285b5f30fabcb88a259c93
9a4ac8ab2e2c8ee48f6bf5a6ecf7988c435ba1c6
859c7817350553259eb09c889bc40afebb60064a
99efe5f4e9ce426b28cef94d858849707ce15739
ca6948642bc2ff821ec4ca8ab24902b1ba9e8397
52787b9c1e9370133ff4481c62c2e7b9393c2439
c7b8c71b2b71bb9d95c33d403c4204376f443852
a12683bd1206df4d4d87a3842d92e34a69e172b7
c56cb12f347b7582290ce1d4dfe3959d69050bd9
e1d2c59d360fb4e72dafe788b5d9dbb0572bf811
8dfdbe095a4c8a7bedd29341656a7c3164517713
427125d182252d8aee3dd906ee34a909cdbb8ef3
24b580cae23860a0fe6c9d3a285d60564057043d
40f2070d3b2b1b13cc08f7844bfe4945e9f0cd86

Comment 3 Stefan Metzmacher 2022-03-10 12:23:18 UTC

Created attachment 17198 [details]
Patches for v4-16-test

Comment 4 Stefan Metzmacher 2022-03-10 12:23:51 UTC

Created attachment 17199 [details]
Patches for v4-15-test

Comment 5 Stefan Metzmacher 2022-03-10 12:24:17 UTC

Created attachment 17200 [details]
Patches for v4-14-test

Comment 6 Stefan Metzmacher 2022-03-15 20:31:56 UTC

jsutton please don't forget to re-assign the bug to Jule (janger@samba.org)
once you grant the review+. It's needed to get things pushed to the
release branches.

Comment 7 Jule Anger 2022-03-16 13:42:29 UTC

Pushed to autobuild-v4-{16,15,14}-test.

Comment 8 Samba QA Contact 2022-03-16 14:55:11 UTC

This bug was referenced in samba v4-16-test:

528ed90d03ab74f45f5c6d790e468445767b259e
43c4dc75e21051e41dc2ed8dc8e2c42857aa6591
ff7ffbdf612dbf1a1e177b57deb2bcabf4152d23
c35de738dad02b847aab18220228dcab6e45fab0
4b245891416d421bd6c0899d6098af16d1648d05
54bb3569e5d66bc5a8d62174c811bd21221cb364
d92b46a4c04f2e2b30e60069404d0f4d31c2491e
64b2075c119e0cfa401082993f692bd48a343090
fcec3b21d9a9cf77567dcdfb993a430785236ede
80f35f7ab6a992d8b93c1e12b061039ee64d117b
9898afd747f790521cacca91e64bb9e9838b8817
6841fdef65bbe62260f9eb200d00742e3aef1a8f
27a8698ced542308c5e72648e1a65dfb41ce1943
7b31dcbd70464a5a110452b70079ff230748114d
20be02ecfded1de4e765fba78f0b7d9a5f2e6837
b353567acf0a6b813b79cb782d9888b69b14180f
03996701fb5421916eba5616be2cf3fa2041b450
e691165b4de1466a11fe8288c1601ced31b9f1ff
a219a81ff89912cbd55050e9e1fa78731f66e3bc
c46c341016d82566d97829d67b40a0e7bed25f36
cd29a661e0f552b0d29c87fae7a9be8703c3a9db
1e617128adbb8eadf8e66473260b28a07894db30
f4e3909545013dafccba1e7ac22e3a78209b77ea
7bb17ee5134fa8cbcc2278da142defa4834bd2b3
bf8f8c592b0395562a7bd296505c24ec09f65e4b

Comment 9 Samba QA Contact 2022-03-16 15:55:36 UTC

This bug was referenced in samba v4-14-test:

5ca483720320fa8662ab3aca375c48b9e1347859
657c7c9a34bd8a848ac2d41cb2541c51e5716563
6e43d4ca919698c2153262294961fef944312dd8
845d3674286b410070d215a73f75af4e758935af
275f57f3796d7e74a2a9b69de51be53b89814f06
50954766056e974f0ca4eb244e8c76e8c731a223
2472d44f9c93ab03bc0919bebc61b6874348001e
1a0d92a9bef54a725266caec944f7882101a5a89
c331fc104e75d303e42ef88097bf88851941f4d2
e7a0e1db90d1accd7b3602e5d0a088de74bd329d
dd91493ed62fd2118f7a896e51251d3b3ea6493d
1ead3a4d0dd7d5b2c65b93c0501c3da9267e08dd
9d4b98aa568ae7b7bc0a481587922eb869161740
1d8369c9232f9350fef001ed8f1138a903fdde8f
7ef4c442c6356e9670ae4f8253b129e4acc54725
e0222e2fd8b9c84dd74356a5273741f57ea6ed42
9981c6731d017f24991df9448687ed1bea709234
8bdf62eb2d3180b900e77992845d13f50689488a
311a4cc141acaae8a10084f56e23efa352518ff3
57401a170aaa097e42c6e310e7ed76d9ae5a0b60
9b631f4efebd45b921a7d0461fe2b548698003aa
8fa656cdeed16e24803ecae840397f94412821c2
f4179deb2736ece953c5fa9d29358f3cb4d01d1c
65498505cbfab81471e77fd1eedad4c7374be32d
2a9a5185553ba7b4abc6e65680f881ee936842a1

Comment 10 Samba QA Contact 2022-03-17 10:55:49 UTC

This bug was referenced in samba v4-15-test:

2bbb9a4298c19ccbf0fbd6ca4e984f1cd329f04e
84f7b94852a7719df716ca5285e4da29d793d1a0
92da29a1136eb8c97db2bf97e927e539edd7b8cc
7b63119267a92f8ac752325b95f90b75ffa6db1f
72698f73949536f2e44d0165ffa44f2dd38c9ddc
ec84a7acfcc92cf5e722bac7113e7a071f934ff4
0da8b2b368321d57368424374bd9c8d0536900ac
af30bd71cd33512fd78e686a9864d8fb3189c60c
e69264845334eb51773afdac4841ad7d9fca6b04
02824c7942db4b93bd0e1a525361ad00b13eca1c
2d425bb116a93ed219f01ee0203b58867748ae8b
db17de0b611e4d5de824fe3790c81f17805ec23c
240785f4e4fe10788790be169f8e591cf2d777b7
dffebcba823c13b1cf29ac2d6209223e248f278c
c6bb5e6277667e3993ac73b21afa76bb5b24e4d5
63a6fb82a77940d47ce2a2862c5b2245c8f16af3
070af6f1fa07e528e5ada8a0f13cdaf6a5858890
a304052c4fcc8f5f59e923e4032dd30fa139ca86
249b023f2b89f02443106585b16ecd56922b3411
8cd57a22283033efd70d67fc6593b4dbc205b9d5
2e41cbc8bec5707ac54fb6f43bdab54ae69e6317
2c15a949f5da95eae73a478f17edf124de81ecfe
5e81cde9faeb2dda7b2ee807611365c830fb1adf
54fd8eb1aac02cbd30c65b1617025dd1b7cf425e
1f1d6d4e745b99fea2986e4ee65006be5f77ec09

Comment 11 Jule Anger 2022-03-17 11:02:42 UTC

Closing out bug report.

Thanks!

Comment 12 Samba QA Contact 2022-03-21 12:17:22 UTC

This bug was referenced in samba v4-16-stable (Release samba-4.16.0):

528ed90d03ab74f45f5c6d790e468445767b259e
43c4dc75e21051e41dc2ed8dc8e2c42857aa6591
ff7ffbdf612dbf1a1e177b57deb2bcabf4152d23
c35de738dad02b847aab18220228dcab6e45fab0
4b245891416d421bd6c0899d6098af16d1648d05
54bb3569e5d66bc5a8d62174c811bd21221cb364
d92b46a4c04f2e2b30e60069404d0f4d31c2491e
64b2075c119e0cfa401082993f692bd48a343090
fcec3b21d9a9cf77567dcdfb993a430785236ede
80f35f7ab6a992d8b93c1e12b061039ee64d117b
9898afd747f790521cacca91e64bb9e9838b8817
6841fdef65bbe62260f9eb200d00742e3aef1a8f
27a8698ced542308c5e72648e1a65dfb41ce1943
7b31dcbd70464a5a110452b70079ff230748114d
20be02ecfded1de4e765fba78f0b7d9a5f2e6837
b353567acf0a6b813b79cb782d9888b69b14180f
03996701fb5421916eba5616be2cf3fa2041b450
e691165b4de1466a11fe8288c1601ced31b9f1ff
a219a81ff89912cbd55050e9e1fa78731f66e3bc
c46c341016d82566d97829d67b40a0e7bed25f36
cd29a661e0f552b0d29c87fae7a9be8703c3a9db
1e617128adbb8eadf8e66473260b28a07894db30
f4e3909545013dafccba1e7ac22e3a78209b77ea
7bb17ee5134fa8cbcc2278da142defa4834bd2b3
bf8f8c592b0395562a7bd296505c24ec09f65e4b

Comment 13 Samba QA Contact 2022-04-04 12:51:48 UTC

This bug was referenced in samba v4-14-stable (Release samba-4.14.13):

5ca483720320fa8662ab3aca375c48b9e1347859
657c7c9a34bd8a848ac2d41cb2541c51e5716563
6e43d4ca919698c2153262294961fef944312dd8
845d3674286b410070d215a73f75af4e758935af
275f57f3796d7e74a2a9b69de51be53b89814f06
50954766056e974f0ca4eb244e8c76e8c731a223
2472d44f9c93ab03bc0919bebc61b6874348001e
1a0d92a9bef54a725266caec944f7882101a5a89
c331fc104e75d303e42ef88097bf88851941f4d2
e7a0e1db90d1accd7b3602e5d0a088de74bd329d
dd91493ed62fd2118f7a896e51251d3b3ea6493d
1ead3a4d0dd7d5b2c65b93c0501c3da9267e08dd
9d4b98aa568ae7b7bc0a481587922eb869161740
1d8369c9232f9350fef001ed8f1138a903fdde8f
7ef4c442c6356e9670ae4f8253b129e4acc54725
e0222e2fd8b9c84dd74356a5273741f57ea6ed42
9981c6731d017f24991df9448687ed1bea709234
8bdf62eb2d3180b900e77992845d13f50689488a
311a4cc141acaae8a10084f56e23efa352518ff3
57401a170aaa097e42c6e310e7ed76d9ae5a0b60
9b631f4efebd45b921a7d0461fe2b548698003aa
8fa656cdeed16e24803ecae840397f94412821c2
f4179deb2736ece953c5fa9d29358f3cb4d01d1c
65498505cbfab81471e77fd1eedad4c7374be32d
2a9a5185553ba7b4abc6e65680f881ee936842a1

Comment 14 Samba QA Contact 2022-04-26 14:43:53 UTC

This bug was referenced in samba v4-15-stable (Release samba-4.15.7):

2bbb9a4298c19ccbf0fbd6ca4e984f1cd329f04e
84f7b94852a7719df716ca5285e4da29d793d1a0
92da29a1136eb8c97db2bf97e927e539edd7b8cc
7b63119267a92f8ac752325b95f90b75ffa6db1f
72698f73949536f2e44d0165ffa44f2dd38c9ddc
ec84a7acfcc92cf5e722bac7113e7a071f934ff4
0da8b2b368321d57368424374bd9c8d0536900ac
af30bd71cd33512fd78e686a9864d8fb3189c60c
e69264845334eb51773afdac4841ad7d9fca6b04
02824c7942db4b93bd0e1a525361ad00b13eca1c
2d425bb116a93ed219f01ee0203b58867748ae8b
db17de0b611e4d5de824fe3790c81f17805ec23c
240785f4e4fe10788790be169f8e591cf2d777b7
dffebcba823c13b1cf29ac2d6209223e248f278c
c6bb5e6277667e3993ac73b21afa76bb5b24e4d5
63a6fb82a77940d47ce2a2862c5b2245c8f16af3
070af6f1fa07e528e5ada8a0f13cdaf6a5858890
a304052c4fcc8f5f59e923e4032dd30fa139ca86
249b023f2b89f02443106585b16ecd56922b3411
8cd57a22283033efd70d67fc6593b4dbc205b9d5
2e41cbc8bec5707ac54fb6f43bdab54ae69e6317
2c15a949f5da95eae73a478f17edf124de81ecfe
5e81cde9faeb2dda7b2ee807611365c830fb1adf
54fd8eb1aac02cbd30c65b1617025dd1b7cf425e
1f1d6d4e745b99fea2986e4ee65006be5f77ec09

Comment 15 Samba QA Contact 2022-05-03 00:11:05 UTC

This bug was referenced in samba master:

e93d73b618797565dec66b31de961dc062264bd2