Bug 13879 - Simple bind doesn't work against an RODC (with non-preloaded users)
Summary: Simple bind doesn't work against an RODC (with non-preloaded users)
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks: 13377
  Show dependency treegraph
Reported: 2019-04-01 23:13 UTC by Garming Sam
Modified: 2021-02-16 21:01 UTC (History)
1 user (show)

See Also:

Test that fails currently (6.29 KB, patch)
2019-04-02 01:08 UTC, Garming Sam
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Garming Sam 2019-04-01 23:13:17 UTC
It's unclear whether or not this has been broken for a long time or not, but in Samba 4.10, this doesn't work.

source3/winbindd/winbindd_irpc.c - wb_irpc_SamLogon

Returns NT_STATUS_REQUEST_NOT_ACCEPTED for non-UPN bind DNs (due to a missing target domain).

There appears to be crude handling of UPNs in wb_irpc_SamLogon which allows these to be forwarded onto winbind, however, there are some minor issues in winbind which prevent the authentication from succeeding (still).

How to correct the non-UPN DN bind isn't exactly clear currently. Somewhere in the stack, the name needs to be re-cracked, or the mapped name needs to be plumbed through (possibly with a flag).
Comment 1 Garming Sam 2019-04-02 01:08:05 UTC
Created attachment 15032 [details]
Test that fails currently

Here is a quick attempt at a test, note that this uses the standard user DN (there probably needs to be a test using the UPN). I'm not sure that this test actually works properly (and will work once simple binds are fixed), but at least it shows that this fails.