Bug 9762 - winbind on AD domain member refuses requests from untrusted domains
Summary: winbind on AD domain member refuses requests from untrusted domains
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.1.12
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2013-04-03 15:56 UTC by Deyan Stoykov
Modified: 2019-07-31 10:50 UTC
Description Deyan Stoykov 2013-04-03 15:56:43 UTC
Winbind doesn't authenticate requests that prepend a non-existent domain to the username when the machine is joined to an AD domain. Users that are logged in locally or into another domain with the same username and password are not identified by ntlm_auth unless they specifically enter their usernames as AD_DOMAIN\USERNAME. This breaks transparent NTLM authentication in Squid and Apache.

* "map untrusted to domain" doesn't make a difference - it only affects smbd.
* "security = domain" or "security = ads" against an AD domain doesn't make a difference.
* "security = domain" against a Samba 3 domain works.

Steps to reproduce:

1. Set up a minimal AD domain member configuration.

[global]
        workgroup = UNI-RUSE
        realm = UNI-RUSE.BG
        security = ADS
        wins server = 172.16.0.6, 172.16.0.10
        template homedir = /dev/null
        template shell = /sbin/nologin
        idmap config * : range = 1000000-1999999
        idmap config * : backend = tdb

2. net ads join

3. /etc/init.d/winbind start

Expected result:

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Actual result:

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication failed
Could not authenticate user fgdgdgd\dstoykov with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user fgdgdgd\dstoykov with challenge/response
# wbinfo -i fgdgdgd\\dstoykov
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user fgdgdgd\dstoykov

# wbinfo -a uni-ruse\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
# wbinfo -i uni-ruse\\dstoykov
UNI-RUSE\dstoykov:*:1000000:1000000::/dev/null:/sbin/nologin

Result with security=domain, AD domain:

/* Same as above */

Result with security=domain, Samba 3.6 domain controller:

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
# wbinfo -i fgdgdgd\\dstoykov
UCCD\dstoykov:*:1000000:1000000::/dev/null:/sbin/nologin
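The report notes that "map untrusted to domain" only affects smbd, so a front-end that hands DOMAIN\user names to winbind gets NT_STATUS_NO_SUCH_USER for any prefix winbind does not know. The script below is an added example (not Samba code and not from the reporter) that does that mapping in front of winbind: a name whose domain prefix is neither the joined workgroup nor a trusted domain is rewritten to OWN_DOMAIN\user. It assumes the caller supplies the known-domain list, for instance collected once from `wbinfo --own-domain` and `wbinfo -m` on a working member server; the names used in the walk-through are the constructed ones from the report.

```shell
#!/bin/sh
# Added example, not part of Samba or of the bug report: emulate smbd's
# "map untrusted to domain" for names that are about to be passed to
# wbinfo/ntlm_auth. Assumption: KNOWN DOMAINS is supplied by the caller
# (e.g. output of `wbinfo --own-domain` plus `wbinfo -m`).

# map_untrusted_domain "KNOWN DOMAINS" OWN_DOMAIN NAME
#   KNOWN DOMAINS: space-separated NetBIOS names (own domain plus trusted ones)
#   NAME:          DOMAIN\user or a bare user name
#   Prints the normalised DOMAIN\user, comparing domain names case-insensitively.
map_untrusted_domain() {
    known=$1; own=$2; name=$3
    case $name in
        *\\*) dom=${name%%\\*}; user=${name#*\\} ;;   # split at first backslash
        *)    dom=$own;         user=$name ;;         # no prefix: assume own domain
    esac
    dom_up=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    for k in $known; do
        k_up=$(printf '%s' "$k" | tr '[:lower:]' '[:upper:]')
        if [ "$k_up" = "$dom_up" ]; then
            # Known (own or trusted) domain: keep it, upper-cased as winbind prints it
            printf '%s\\%s' "$k_up" "$user"
            return 0
        fi
    done
    # Untrusted prefix (e.g. "fgdgdgd"): map to the joined domain, as smbd would
    printf '%s\\%s' "$own" "$user"
}

# Walk-through with the names from the report; runs without winbind present.
for n in 'fgdgdgd\dstoykov' 'uni-ruse\dstoykov' 'uccd\dstoykov' 'dstoykov'; do
    printf '%s -> %s\n' "$n" "$(map_untrusted_domain 'UNI-RUSE UCCD' UNI-RUSE "$n")"
done
```

Rewriting an unknown prefix to the joined domain is a policy decision, because credentials meant for an unrelated domain are then tried against your own; apply it only in the front-ends (such as the Squid or Apache helper) where that behaviour is actually wanted.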
Comment 1 Deyan Stoykov 2015-07-07 08:42:06 UTC
Changed version, as the issue still exists in 4.1.
Comment 2 Stefan Metzmacher 2019-07-31 10:50:43 UTC
I don't think that happens with current releases.

Please reopen if it's not fixed.