Bug 3807 - check_domain_match() doesn't check alt_name of domain
Summary: check_domain_match() doesn't check alt_name of domain
Status: RESOLVED LATER
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.21c
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-26 07:07 UTC by Buck Huppmann
Modified: 2007-04-15 08:00 UTC (History)

See Also:


Attachments
patch that does what i want (1.30 KB, patch)
2006-07-14 17:27 UTC, Buck Huppmann

Description Buck Huppmann 2006-05-26 07:07:53 UTC
personally significant discrepancy in samba 3.0.21c acting as a ``member
server'' in a Windows 2003 domain versus (at least) Windows 2003 SP1: if
samba isn't set to ``allow trusted domains'' then check_domain_match()
will fail to validate NTLM logons that specify the fully-qualified domain
of the user account, as indicated below. (all names [hopefully non-misleadingly]
changed to keep with tradition)

don't know if anybody else cares, but, again, i have my reasons for wishing
samba was a little more like Windows on just this one point

thanks

--buck, maryland, u.s.a.

linux% smbclient //windows/ipc\$ -c exit -W example
Password:
Domain=[EXAMPLE] OS=[Windows Server 2003 3790 Service Pack 1]
Server=[Windows Server 2003 5.2]

linux% smbclient //windows/ipc\$ -c exit -W example.com
Password:
Domain=[EXAMPLE] OS=[Windows Server 2003 3790 Service Pack 1]
Server=[Windows Server 2003 5.2]

linux% smbclient //localhost/ipc\$ -c exit -W example
Password:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.0.21c]

linux% smbclient //localhost/ipc\$ -c exit -W example.com
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

linux% sudo grep -A`sudo wc -l /var/log/samba/log.linux | awk '{print $1}'` check_domain_match /var/log/samba/log.linux
[2006/05/26 07:11:21, 1] auth/auth.c:check_domain_match
  check_domain_match: Attempt to connect as user myaccount from domain EXAMPLE.COM denied.
Comment 1 Buck Huppmann 2006-05-26 07:13:23 UTC
should have proofed it before submitting it

actually, the stuff about ``allow trusted domains'' was conjectural based
solely on looking at the code. i have no experience with changing that setting,
but thought the speculation might help illuminate why this is happening with
my config and maybe, by contrast, why it hasn't been noticed by anybody else,
but it could be just a red herring
Comment 2 Buck Huppmann 2006-07-14 17:27:49 UTC
Created attachment 2038 [details]
patch that does what i want

no guarantee of efficiency, leak-free-ness, won't-eat-your-homework-ness, etc.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-04-14 17:41:18 UTC
Buck, connecting as EXAMPLE.COM\user and EXAMPLE\user are not the same thing.
The proper fix is to support the UPN (user@example.com). So I'm going to
reject this patch and look at a proper fix in the future.
Comment 4 Buck Huppmann 2007-04-15 08:00:41 UTC
could you elaborate, purely for my benefit, on why they're not the same thing?
if the one is an alt_name for the other, then why shouldn't samba treat them
equivalently, at least for purposes of the check_domain_match()/
lp_allow_trusted_domains()==False checking?

anyway, i have my patch that works for me, so i'm not personally concerned about
this, except for curiosity's sake; if you could take a second to satisfy that,
i'd be appreciative. (on top of the usual appreciation for you guys' continued
work on samba)
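To make the disagreement in this thread concrete, here is an added C illustration (not Samba's code and not the attached patch) of the check the description and comment 3 are about. It models a member server whose NetBIOS domain is EXAMPLE and whose DNS realm (alt_name) is EXAMPLE.COM with trusted domains not allowed, shows the behaviour the report observed (only the NetBIOS name passes), the equivalence the reporter asked for (the realm of the server's own domain passes too), and the UPN direction comment 3 points at (user@example.com carries the realm in its suffix). The struct, function names and the `member_server` configuration are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for the smb.conf settings involved. */
struct domain_cfg {
    const char *workgroup;             /* NetBIOS domain name, e.g. EXAMPLE */
    const char *realm;                 /* DNS name of the same domain (its alt_name) */
    bool        allow_trusted_domains; /* the "allow trusted domains" setting */
};

/* Constructed configuration matching the report: member server in EXAMPLE,
 * realm EXAMPLE.COM, trusted domains not allowed. */
const struct domain_cfg member_server = { "EXAMPLE", "EXAMPLE.COM", false };

/* Domain names are case-insensitive, so compare them that way. */
static bool name_eq(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcasecmp(a, b) == 0;
}

/* Behaviour the report describes: with trusted domains not allowed, only the
 * NetBIOS workgroup name is accepted, so a logon naming EXAMPLE.COM is denied. */
bool check_domain_match_netbios_only(const char *user, const char *domain,
                                     const struct domain_cfg *cfg)
{
    if (cfg->allow_trusted_domains) {
        return true;   /* any domain may be presented; the DC decides */
    }
    if (name_eq(domain, cfg->workgroup)) {
        return true;
    }
    fprintf(stderr, "check_domain_match: Attempt to connect as user %s "
                    "from domain %s denied.\n", user, domain);
    return false;
}

/* Behaviour the reporter asked for: the realm (alt_name) of the server's own
 * domain is treated as equivalent to its NetBIOS name. Any other domain is
 * still denied, so the restriction on trusted domains is unchanged. */
bool check_domain_match_with_alt_name(const char *user, const char *domain,
                                      const struct domain_cfg *cfg)
{
    if (cfg->allow_trusted_domains || name_eq(domain, cfg->workgroup)
        || name_eq(domain, cfg->realm)) {
        return true;
    }
    fprintf(stderr, "check_domain_match: Attempt to connect as user %s "
                    "from domain %s denied.\n", user, domain);
    return false;
}

/* The direction comment 3 points at: a UPN such as myaccount@example.com
 * carries the realm in its suffix. Split on '@' and compare the suffix with
 * the realm; a name with no '@', or an empty part, is not a UPN. */
bool upn_matches_realm(const char *upn, const struct domain_cfg *cfg)
{
    const char *at = strchr(upn, '@');
    if (at == NULL || at == upn || at[1] == '\0') {
        return false;
    }
    return name_eq(at + 1, cfg->realm);
}

int main(void)
{
    /* The same three domain spellings a client might present. */
    const char *domains[] = { "EXAMPLE", "EXAMPLE.COM", "OTHER" };
    for (size_t i = 0; i < sizeof domains / sizeof domains[0]; i++) {
        printf("%-12s netbios-only=%d with-alt-name=%d\n", domains[i],
               check_domain_match_netbios_only("myaccount", domains[i], &member_server),
               check_domain_match_with_alt_name("myaccount", domains[i], &member_server));
    }
    printf("UPN myaccount@example.com matches realm: %d\n",
           upn_matches_realm("myaccount@example.com", &member_server));
    return 0;
}
```

The point of keeping the two check functions side by side is that the alt_name variant widens the match only to the server's own domain under its second name; a third domain is denied by both, which is the property "allow trusted domains = no" exists to guarantee.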