
[PATCH] Correctly handle !authoritative in the rpc-based auth backends

Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Samba - samba-technical mailing list
On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
> The one I really care about from a personal perspective is the patch
> to remove "map untrusted to domain".

Understood.  

However as it hasn't been marked deprecated yet, we can't just drop it.

Perhaps you can start with a deprecation patch?

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Thu, Mar 16, 2017 at 07:52:34PM +1300, Andrew Bartlett wrote:
> On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
> > The one I really care about from a personal perspective is the patch
> > to remove "map untrusted to domain".
>
> Understood.  
>
> However as it hasn't been marked deprecated yet, we can't just drop it.
>
> Perhaps you can start with a deprecation patch?

How long is our official deprecation period for parameters? Two major
releases? Three?

Volker


Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Thu, 2017-03-16 at 07:56 +0100, Volker Lendecke wrote:

> On Thu, Mar 16, 2017 at 07:52:34PM +1300, Andrew Bartlett wrote:
> > On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
> > > The one I really care about from a personal perspective is the
> > > patch to remove "map untrusted to domain".
> >
> > Understood.  
> >
> > However as it hasn't been marked deprecated yet, we can't just drop
> > it.
> >
> > Perhaps you can start with a deprecation patch?
>
> How long is our official deprecation period for parameters? Two major
> releases? Three?

A notice of one release period as far as I understand it.

That is, we have deprecated parameters for 4.6 (like the new lsa over
netlogon parameter) that we can drop in 4.7 in September.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Am 16.03.2017 um 07:52 schrieb Andrew Bartlett via samba-technical:
> On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
>> The one I really care about from a personal perspective is the patch
>> to remove "map untrusted to domain".
>
> Understood.  
>
> However as it hasn't been marked deprecated yet, we can't just drop it.

The point here is that we do the mapping in the wrong location,
we can keep the option "map untrusted to domain" by implementing a fallback
*after* we get 'authoritative=0' from the dc.

But we definitely need to remove the completely broken
design of doing the mapping based on our by design incomplete
knowledge of possible trusted domains, before asking the backends.

Basically we would need something like:
"anonymous sam_strict winbind winbind_untrusted_to_domain sam_ignoredomain"

While winbind_untrusted_to_domain will be a noop
for the default "map untrusted to domain = no".

metze



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Am 16.03.2017 um 08:51 schrieb Stefan Metzmacher:

> Am 16.03.2017 um 07:52 schrieb Andrew Bartlett via samba-technical:
>> On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
>>> The one I really care about from a personal perspective is the patch
>>> to remove "map untrusted to domain".
>>
>> Understood.  
>>
>> However as it hasn't been marked deprecated yet, we can't just drop it.
>
> The point here is that we do the mapping in the wrong location,
> we can keep the option "map untrusted to domain" by implementing a fallback
> *after* we get 'authoritative=0' from the dc.
>
> But we definitely need to remove the completely broken
> design of doing the mapping based on our by design incomplete
> knowledge of possible trusted domains, before asking the backends.
>
> Basically we would need something like:
> "anonymous sam_strict winbind winbind_untrusted_to_domain sam_ignoredomain"
>
> While winbind_untrusted_to_domain will be a noop
> for the default "map untrusted to domain = no".
It's is_trusted_domain() that need to go!

metze



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Thu, 2017-03-16 at 08:51 +0100, Stefan Metzmacher wrote:

> Am 16.03.2017 um 07:52 schrieb Andrew Bartlett via samba-technical:
> > On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
> > > The one I really care about from a personal perspective is the
> > > patch to remove "map untrusted to domain".
> >
> > Understood.  
> >
> > However as it hasn't been marked deprecated yet, we can't just drop
> > it.
>
> The point here is that we do the mapping in the wrong location,
> we can keep the option "map untrusted to domain" by implementing a fallback
> *after* we get 'authoritative=0' from the dc.
>
> But we definitely need to remove the completely broken
> design of doing the mapping based on our by design incomplete
> knowledge of possible trusted domains, before asking the backends.
>
> Basically we would need something like:
> "anonymous sam_strict winbind winbind_untrusted_to_domain
> sam_ignoredomain"
>
> While winbind_untrusted_to_domain will be a noop
> for the default "map untrusted to domain = no".

Thanks for expressing it so well.  I was wondering the same thing, and
I'm glad there is a way to make progress here.

However, does 'map untrusted to domain' even work with NTLMv2, as
ntv2_owf_gen() takes the username and domain?  It would seem to me that
you need the parameter implemented on the DC, not the member server!
(And then this patch set).

Indeed, for compatibility we probably need to permit that using this
parameter, given the 'accept all domains' behaviour of the AD DC,
before we tighten this up.

The challenge continues...

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Am 16.03.2017 um 09:00 schrieb Andrew Bartlett:

> On Thu, 2017-03-16 at 08:51 +0100, Stefan Metzmacher wrote:
>> Am 16.03.2017 um 07:52 schrieb Andrew Bartlett via samba-technical:
>>> On Thu, 2017-03-16 at 07:44 +0100, Volker Lendecke wrote:
>>>> The one I really care about from a personal perspective is the
>>>> patch to remove "map untrusted to domain".
>>>
>>> Understood.  
>>>
>>> However as it hasn't been marked deprecated yet, we can't just drop
>>> it.
>>
>> The point here is that we do the mapping in the wrong location,
>> we can keep the option "map untrusted to domain" by implementing a fallback
>> *after* we get 'authoritative=0' from the dc.
>>
>> But we definitely need to remove the completely broken
>> design of doing the mapping based on our by design incomplete
>> knowledge of possible trusted domains, before asking the backends.
>>
>> Basically we would need something like:
>> "anonymous sam_strict winbind winbind_untrusted_to_domain
>> sam_ignoredomain"
>>
>> While winbind_untrusted_to_domain will be a noop
>> for the default "map untrusted to domain = no".
>
> Thanks for expressing it so well.  I was wondering the same thing, and
> I'm glad there is a way to make progress here.
>
> However, does 'map untrusted to domain' even work with NTLMv2, as
> ntv2_owf_gen() takes the username and domain?  It would seem to me that
> you need the parameter implemented on the DC, not the member server!
> (And then this patch set).
I don't think it will work with ntlmv2, but I haven't tested it.
It would just mean that it's very unlikely that a lot of admins
are using this option at all.

> Indeed, for compatibility we probably need to permit that using this
> parameter, given the 'accept all domains' behaviour of the AD DC,
> before we tighten this up.

I don't understand the above statement, you want to implement
'map untrusted to domain' on the AD DC itself?
I'm strongly against that, there's really no need for it.

metze



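Andrew's question above (whether 'map untrusted to domain' can work with NTLMv2 at all, given that ntv2_owf_gen() takes the user name and the domain) and metze's untested "I don't think it will" can be checked directly. What follows is an added example and not Samba's code: a minimal NTLMv2 computation written from MS-NLMP in Python, with a pure-Python MD4 for the NT hash because OpenSSL 3 builds often have md4 disabled. The user, domain, password, server challenge, client nonce and timestamp are values constructed for the demo. Because the domain string is an input to the NTOWFv2 key, a verifier that substitutes a different domain from the one the client used derives a different key and the proof no longer matches.

```python
"""NTLMv2 ties the response to user AND domain (added example; not Samba's code)."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    bitlen = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, round constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i in range(16):
                a = _rotl((a + f(b, c, d) + words[order[i]] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates old d
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password; this is what the DC stores."""
    return md4(password.encode("utf-16-le"))


def ntv2_owf_gen(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5(NT hash, UPPER(user) || domain).
    The user name is upper-cased; the domain is used as the client supplied it."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(nb_domain: str) -> bytes:
    """Minimal target info: MsvAvNbDomainName (0x0002) followed by MsvAvEOL."""
    name = nb_domain.encode("utf-16-le")
    return struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)


def make_blob(timestamp: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): RespType, HiRespType, reserved,
    timestamp, client nonce, reserved, AV pairs, reserved."""
    return struct.pack("<BB6xQ8s4x", 1, 1, timestamp, client_nonce) + target_info + b"\x00" * 4


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NTProofStr || blob, keyed by the user/domain the client logs on as."""
    key = ntv2_owf_gen(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(nthash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """DC side: recompute the proof with the user and domain *it* believes apply."""
    proof, blob = response[:16], response[16:]
    key = ntv2_owf_gen(nthash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# Constructed demo values (not captured traffic).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_NONCE = bytes.fromhex("aabbccddeeff0011")


def demo() -> dict:
    """A PARTNER\\carol logon checked as sent, after a domain remap, and with a re-cased user."""
    user, domain, password = "carol", "PARTNER", "pa55"
    blob = make_blob(132_000_000_000_000_000, CLIENT_NONCE, av_pairs("CORP"))
    response = ntlmv2_response(password, user, domain, SERVER_CHALLENGE, blob)
    stored = nt_hash(password)  # the NT hash carol's own DC holds for her
    return {
        "as_sent": verify_ntlmv2(stored, user, domain, SERVER_CHALLENGE, response),
        # A member server that rewrote PARTNER -> CORP before forwarding can only fail:
        "domain_remapped": verify_ntlmv2(stored, user, "CORP", SERVER_CHALLENGE, response),
        # User-name case is normalised inside NTOWFv2, so this still verifies:
        "user_recased": verify_ntlmv2(stored, "CAROL", domain, SERVER_CHALLENGE, response),
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns as_sent=True, domain_remapped=False and user_recased=True. Rewriting the domain on a member server before the logon reaches the DC therefore cannot produce a valid NTLMv2 check, which is the point behind metze's remark that few admins can be relying on the option.
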
Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Thu, Mar 16, 2017 at 09:19:45AM +0100, Stefan Metzmacher wrote:
> I don't understand the above statement, you want to implement
> 'map untrusted to domain' on the AD DC itself?
> I'm strongly against that, there's really no need for it.

That's the current behaviour of the AD DC. People depend on it.

Volker


Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Sat, 2017-03-11 at 14:40 +0100, Volker Lendecke wrote:

> On Sat, Mar 11, 2017 at 08:31:36AM +1300, Andrew Bartlett wrote:
> > On Fri, 2017-03-10 at 15:08 +0100, Volker Lendecke wrote:
> > > On Fri, Mar 10, 2017 at 05:46:58PM +1300, Andrew Bartlett wrote:
> > > >
> > > > The pdbtest patch looks wrong, we have been testing the
> > > > different auth methods via that tool, so fixing it to 'sam'
> > > > seems to be limiting what we are testing.
> > >
> > > Well, it does survive autobuild.
> >
> > Sure, but that is because you remove what it is testing.  pdbtest
> > is acting as the driver for a sort of unit test of the auth
> > subsystem, as controlled by 'auth methods'.  The tests set auth
> > methods to various values to try and test those modules.
> >
> > This was added to ensure we didn't have untested code in the auth
> > subsystem and to avoid relying on indirect tests.
>
> https://git.samba.org/?p=vl/samba.git/.git;h=refs/heads/auth
>
> has fixes for this issue.
>
> Comments?
Volker's repo above no longer contains that branch, so I attach the
patches here, so we can continue working on this patch series.

Andrew Bartlett

Attachment: vl-auth.patch (81K)

Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Thu, 2017-03-16 at 09:40 +0100, Volker Lendecke wrote:
> On Thu, Mar 16, 2017 at 09:19:45AM +0100, Stefan Metzmacher wrote:
> > I don't understand the above statement, you want to implement
> > 'map untrusted to domain' on the AD DC itself?
> > I'm strongly against that, there's really no need for it.
>
> That's the current behaviour of the AD DC. People depend on it.

I don't know if people depend on it, but the change from
sam_ignoredomain -> sam should be made more deliberately and I think
using this option, marked deprecated, for a release would be a
reasonable way to phase this out.

We did similar things with the "lsa over netlogon" that we likewise
hope is never needed.

I know this all feels very disheartening, but I'm actually quite
confident we are honing in on a solution.  It will still require work -
probably a good solid week or two to nail it all down with the right
tests, but this isn't months away.  

I hope some other work currently in train by myself and the infamous
"team at Catalyst" may provide some of the infrastructure needed for
that.  Specifically I'm hoping to make it trivial to call SamLogon from
Python, and probably also the auth4 subsystem.

Thanks,

Andrew Bartlett



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Fri, Mar 17, 2017 at 10:54:11AM +1300, Andrew Bartlett via samba-technical wrote:
> Volker's repo above no longer contains that branch, so I attach the
> patches here, so we can continue working on this patch series.

Yes, I removed it for a reason. It is a waste of time to look at
because it does not meet any of the acceptance criteria that you
posted on this list. So it does not have the slightest value for you
to look at in this form.

Secondly we can not do any major changes before the end of this year
anyway, so we need to take a completely different route.  We will
extend the map untrusted to domain parameter with a third option to
match Windows behaviour. This won't be the default, so it will not
interfere with autobuild, but it will make us work more correctly in a
real Windows AD environment.

And once you and your team at Catalyst find the time or business
incentive, we will get the AD DC fixed in a manner that meets your
expectations.

Volker


Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical
wrote:

> On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> > On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via
> > samba-
> > technical wrote:
> > > On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> > > >
> > > > What return values do you propose?
> > >
> > > NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely
> > > I think.
> > >
> > > If we do the same with NO_SUCH_USER then the confusing mappings
> > > outside the auth subsystem go away, and we can probably dispense
> > > with the flag you so dislike (as then I think the different auth
> > > module lists would work).
> > >
> > > That is, break out of the auth module loop based on *authoritative,
> > > not NT_STATUS_NOT_IMPLEMENTED.
> > >
> > > That way we have no need for flag based changes to return values,
> > > and callers like ntlm and ntlmssp can just ignore it, while
> > > netlogon can honour it.
> > >
> > > I hope this helps,
> >
> > Just been following from the sidelines so I'm sure Volker can
> > comment with *authoritative=1 :-), but that looks like a workable
> > plan to excise USER_INFO_LOCAL_SAM_ONLY.
> >
> > Thanks Andrew !
>
> I just wanted to write down, while I still remember them, my guidance
> on how we can get this to a conclusion:
>
>  - make changes in sync between the two auth subsystems (the current
>    patch set removes the offensive flag, but only in auth3)
>  - not attempt a change to inter-process communication in the same
>    patch set (eg move to "sam" and "samba4:sam" if specifying auth
>    module lists in winbindd)
>  - clearly distinguish between the 'smbd as client' and
>    'ntlm_auth/wbinfo as client' cases in winbindd.
>  - use *authoritative as the indicator.
>  - have tests (both for the specific change desired, and for the
>    other areas touched like rodc)
>  - be bisectable

We also need to keep netlogon in the AD DC talking to winbindd, not
just for the future trusted domains case, but for the RODC.  Remember
that domain members (PCs) need to talk to NETLOGON on the RODC which
may forward the passwords to a RW DC.  

I plan to write some tests for this part as we work to lock in this
support, as clearly it isn't covered right now.

Andrew Bartlett



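Two designs are contrasted in this thread. The existing code consults is_trusted_domain(), the member server's necessarily incomplete list of trusted domains, and remaps the domain before any backend is asked. The proposed one runs a module chain such as "sam_strict winbind winbind_untrusted_to_domain sam_ignoredomain" until a module returns an authoritative answer (NT_STATUS_WRONG_PASSWORD or NO_SUCH_USER with *authoritative=1 ends the loop, not a magic NT_STATUS_NOT_IMPLEMENTED), with the untrusted-domain remap done as a fallback only after the DC has answered authoritative=0. The Python model below is an added example, not Samba's auth code: the module names come from metze's proposal and the loop rule from Andrew's guidance, but the module bodies, the choice that an unknown local user is a non-authoritative NO_SUCH_USER, and the sample directory data (MEMBER, CORP, PARTNER and their accounts) are assumptions constructed for the demo; the 'anonymous' module is left out.

```python
"""Model of an auth-module chain driven by *authoritative (added example, not Samba code)."""
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample data for the demo; none of this is real Samba state.
NETBIOS_NAME = "MEMBER"   # our own name: the domain the local SAM answers for
WORKGROUP = "CORP"        # the domain we are a member of; our DC lives here
LOCAL_SAM = {"alice": "s3cret"}
# Everything the DC can decide on: its own domain plus what it reaches via trusts.
DC_KNOWS = {"CORP": {"bob": "hunter2"}, "PARTNER": {"carol": "pa55"}}
# The member's static, necessarily incomplete view of trusted domains, i.e.
# what is_trusted_domain() would consult. PARTNER is missing from it.
MEMBER_TRUST_LIST = {"CORP"}


@dataclass
class AuthResult:
    status: str           # NT_STATUS_* name
    authoritative: bool   # False means "not my call, ask the next module"
    module: str           # which module produced the answer


Module = Callable[[str, str, str], AuthResult]


def dc_samlogon(domain: str, user: str, password: str) -> AuthResult:
    """What the DC answers over NETLOGON: authoritative unless the domain is unknown to it."""
    if domain not in DC_KNOWS:
        return AuthResult("NT_STATUS_NO_SUCH_USER", False, "dc")
    stored = DC_KNOWS[domain].get(user)
    if stored is None:
        return AuthResult("NT_STATUS_NO_SUCH_USER", True, "dc")
    if stored != password:
        return AuthResult("NT_STATUS_WRONG_PASSWORD", True, "dc")
    return AuthResult("NT_STATUS_OK", True, "dc")


def _local_sam(user: str, password: str, module: str) -> AuthResult:
    stored = LOCAL_SAM.get(user)
    if stored is None:  # model choice: an unknown local user is not an authoritative "no"
        return AuthResult("NT_STATUS_NO_SUCH_USER", False, module)
    if stored != password:
        return AuthResult("NT_STATUS_WRONG_PASSWORD", True, module)
    return AuthResult("NT_STATUS_OK", True, module)


def sam_strict(domain: str, user: str, password: str) -> AuthResult:
    """Local SAM, but only for logons that name this host as the domain."""
    if domain != NETBIOS_NAME:
        return AuthResult("NT_STATUS_NO_SUCH_USER", False, "sam_strict")
    return _local_sam(user, password, "sam_strict")


def sam_ignoredomain(domain: str, user: str, password: str) -> AuthResult:
    """Local SAM regardless of the domain the client named."""
    return _local_sam(user, password, "sam_ignoredomain")


def winbind(domain: str, user: str, password: str) -> AuthResult:
    """Forward to the DC as-is and relay both its verdict and its authoritative flag."""
    r = dc_samlogon(domain, user, password)
    return AuthResult(r.status, r.authoritative, "winbind")


def make_winbind_untrusted_to_domain(enabled: bool) -> Module:
    """'map untrusted to domain' as a fallback: only reached after the DC said authoritative=0."""
    def module(domain: str, user: str, password: str) -> AuthResult:
        if not enabled or domain == WORKGROUP:   # no-op for the default "= no"
            return AuthResult("NT_STATUS_NO_SUCH_USER", False, "winbind_untrusted_to_domain")
        r = dc_samlogon(WORKGROUP, user, password)
        return AuthResult(r.status, r.authoritative, "winbind_untrusted_to_domain")
    return module


def authenticate(chain: List[Module], domain: str, user: str, password: str) -> AuthResult:
    """Run the chain; stop at the first authoritative answer, not at a magic status code."""
    last = AuthResult("NT_STATUS_NO_SUCH_USER", False, "none")
    for module in chain:
        last = module(domain, user, password)
        if last.authoritative:
            return last
    return AuthResult(last.status, True, last.module)  # nobody claimed it: final, negative


def legacy_authenticate(domain: str, user: str, password: str, map_untrusted: bool) -> AuthResult:
    """The design being removed: remap *before* asking, from the member's incomplete trust list."""
    if domain not in MEMBER_TRUST_LIST and domain != NETBIOS_NAME:
        domain = WORKGROUP if map_untrusted else NETBIOS_NAME
    return authenticate([sam_strict, winbind], domain, user, password)


def build_chain(map_untrusted: bool) -> List[Module]:
    """metze's proposed order, minus 'anonymous', which this model leaves out."""
    return [sam_strict, winbind, make_winbind_untrusted_to_domain(map_untrusted), sam_ignoredomain]


if __name__ == "__main__":
    for dom, usr, pw in [("PARTNER", "carol", "pa55"), ("NOWHERE", "bob", "hunter2"),
                         ("NOWHERE", "alice", "s3cret"), ("CORP", "bob", "wrong")]:
        new = authenticate(build_chain(True), dom, usr, pw)
        old = legacy_authenticate(dom, usr, pw, map_untrusted=True)
        print(f"{dom}\\{usr}: new={new.status} via {new.module}; legacy={old.status} via {old.module}")
```

legacy_authenticate() fails PARTNER\carol because the member's trust list does not know PARTNER and rewrites it to CORP before asking anyone; authenticate() with the new chain hands the logon to the DC untouched, and the DC, which does know PARTNER through its trusts, accepts it. With the option on, NOWHERE\bob succeeds only through the fallback module, and only because winbind first reported authoritative=0; with it off the fallback is a no-op and NOWHERE\alice is still picked up by sam_ignoredomain. A wrong password for CORP\bob is answered WRONG_PASSWORD authoritatively by winbind and the loop ends there, so no later module can mask the failure.
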
Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Am 20.03.2017 um 00:19 schrieb Andrew Bartlett via samba-technical:

> On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical
> wrote:
>> On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
>>> On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via
>>> samba-
>>> technical wrote:
>>>> On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
>>>>>
>>>>> What return values do you propose?
>>>>
>>>> NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely
>>>> I think.
>>>>
>>>> If we do the same with NO_SUCH_USER then the confusing mappings
>>>> outside the auth subsystem go away, and we can probably dispense
>>>> with the flag you so dislike (as then I think the different auth
>>>> module lists would work).
>>>>
>>>> That is, break out of the auth module loop based on *authoritative,
>>>> not NT_STATUS_NOT_IMPLEMENTED.
>>>>
>>>> That way we have no need for flag based changes to return values,
>>>> and callers like ntlm and ntlmssp can just ignore it, while
>>>> netlogon can honour it.
>>>>
>>>> I hope this helps,
>>>
>>> Just been following from the sidelines so I'm sure Volker can
>>> comment with *authoritative=1 :-), but that looks like a workable
>>> plan to excise USER_INFO_LOCAL_SAM_ONLY.
>>>
>>> Thanks Andrew !
>>
>> I just wanted to write down, while I still remember them, my guidance
>> on how we can get this to a conclusion:
>>
>>  - make changes in sync between the two auth subsystems (the current
>>    patch set removes the offensive flag, but only in auth3)
>>  - not attempt a change to inter-process communication in the same
>>    patch set (eg move to "sam" and "samba4:sam" if specifying auth
>>    module lists in winbindd)
>>  - clearly distinguish between the 'smbd as client' and
>>    'ntlm_auth/wbinfo as client' cases in winbindd.
>>  - use *authoritative as the indicator.
>>  - have tests (both for the specific change desired, and for the
>>    other areas touched like rodc)
>>  - be bisectable
>
> We also need to keep netlogon in the AD DC talking to winbindd, not
> just for the future trusted domains case, but for the RODC.  Remember
> that domain members (PCs) need to talk to NETLOGON on the RODC which
> may forward the passwords to a RW DC.  
>
> I plan to write some tests for this part as we work to lock in this
> support, as clearly it isn't covered right now.
I'm currently looking into this and I might have something that should
do the job without changing too much within the next days.

If you send me the additional tests I can include them,
but calling an async irpc as a fallback in the netlogon server
should also handle the RODC case.

I think what we need is a test env that is a member in a domain
that has trusts to others. Maybe the 'ad_member' env could require
the fl2008r2dc to also be available in addition to ad_dc.

metze



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Monday, 20 March 2017 10:54:59 CET Stefan Metzmacher via samba-technical
wrote:

> Am 20.03.2017 um 00:19 schrieb Andrew Bartlett via samba-technical:
> > On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-technical
> >
> > wrote:
> >> On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> >>> On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via
> >>> samba-
> >>>
> >>> technical wrote:
> >>>> On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> >>>>> What return values do you propose?
> >>>>
> >>>> NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it nicely
> >>>> I think.
> >>>>
> >>>> If we do the same with NO_SUCH_USER then the confusing mappings
> >>>> outside the auth subsystem go away, and we can probably dispense
> >>>> with the flag you so dislike (as then I think the different auth
> >>>> module lists would work).
> >>>>
> >>>> That is, break out of the auth module loop based on *authoritative,
> >>>> not NT_STATUS_NOT_IMPLEMENTED.
> >>>>
> >>>> That way we have no need for flag based changes to return values,
> >>>> and callers like ntlm and ntlmssp can just ignore it, while
> >>>> netlogon can honour it.
> >>>>
> >>>> I hope this helps,
> >>>
> >>> Just been following from the sidelines so I'm sure Volker can
> >>> comment with *authoritative=1 :-), but that looks like a workable
> >>> plan to excise USER_INFO_LOCAL_SAM_ONLY.
> >>>
> >>> Thanks Andrew !
> >>
> >> I just wanted to write down, while I still remember them, my guidance
> >> on how we can get this to a conclusion:
> >>
> >>  - make changes in sync between the two auth subsystems (the current
> >>    patch set removes the offensive flag, but only in auth3)
> >>  - not attempt a change to inter-process communication in the same
> >>    patch set (eg move to "sam" and "samba4:sam" if specifying auth
> >>    module lists in winbindd)
> >>  - clearly distinguish between the 'smbd as client' and
> >>    'ntlm_auth/wbinfo as client' cases in winbindd.
> >>  - use *authoritative as the indicator.
> >>  - have tests (both for the specific change desired, and for the
> >>    other areas touched like rodc)
> >>  - be bisectable
> >
> > We also need to keep netlogon in the AD DC talking to winbindd, not
> > just for the future trusted domains case, but for the RODC.  Remember
> > that domain members (PCs) need to talk to NETLOGON on the RODC which
> > may forward the passwords to a RW DC.
> >
> > I plan to write some tests for this part as we work to lock in this
> > support, as clearly it isn't covered right now.
>
> I'm currently looking into this and I might have something that should
> do the job without changing too much within the next days.
>
> If you send me the additional tests I can include them,
> but calling an async irpc as a fallback in the netlogon server
> should also handle the RODC case.
>
> I think what we need is a test env that is a member in a domain
> that has trusts to others. Maybe the 'ad_member' env could require
> the fl2008r2dc to also be available in addition to ad_dc.
I already did this, because we need some wbinfo -a and wbinfo -k tests with
trusted domains so we do not regress in future.


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Attachment: 0001-selftest-Add-a-trust_member-target-environment.patch (4K)

Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Hi Andreas,

thanks! I'll improve this a bit.
I'll also add fl2003dc as a dependency
and pass $self->{vars}->{fl2008r2dc}
and $self->{vars}->{fl2003dc} to setup_trustmember()

metze



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Mon, Mar 20, 2017 at 10:54:59AM +0100, Stefan Metzmacher wrote:
> I'm currently looking into this and I might have something that should
> do the job without changing too much within the next days.

Can you share your ideas?

Volker


Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

On Mon, 2017-03-20 at 10:54 +0100, Stefan Metzmacher wrote:

> Am 20.03.2017 um 00:19 schrieb Andrew Bartlett via samba-technical:
> > On Thu, 2017-03-16 at 16:06 +1300, Andrew Bartlett via samba-
> > technical
> > wrote:
> > > On Mon, 2017-03-13 at 17:19 -0700, Jeremy Allison wrote:
> > > > On Tue, Mar 14, 2017 at 12:51:31PM +1300, Andrew Bartlett via
> > > > samba-
> > > > technical wrote:
> > > > > On Mon, 2017-03-13 at 10:03 +0100, Volker Lendecke wrote:
> > > > > >
> > > > > > What return values do you propose?
> > > > >
> > > > > NT_STATUS_WRONG_PASSWORD with *authoritative=0 would do it
> > > > > nicely I think.
> > > > >
> > > > > If we do the same with NO_SUCH_USER then the confusing
> > > > > mappings outside the auth subsystem go away, and we can
> > > > > probably dispense with the flag you so dislike (as then I
> > > > > think the different auth module lists would work).
> > > > >
> > > > > That is, break out of the auth module loop based on
> > > > > *authoritative, not NT_STATUS_NOT_IMPLEMENTED.
> > > > >
> > > > > That way we have no need for flag based changes to return
> > > > > values, and callers like ntlm and ntlmssp can just ignore it,
> > > > > while netlogon can honour it.
> > > > >
> > > > > I hope this helps,
> > > >
> > > > Just been following from the sidelines so I'm sure Volker can
> > > > comment with *authoritative=1 :-), but that looks like a
> > > > workable plan to excise USER_INFO_LOCAL_SAM_ONLY.
> > > >
> > > > Thanks Andrew !
> > >
> > > I just wanted to write down, while I still remember them, my
> > > guidance on how we can get this to a conclusion:
> > >
> > >  - make changes in sync between the two auth subsystems (the
> > >    current patch set removes the offensive flag, but only in auth3)
> > >  - not attempt a change to inter-process communication in the
> > >    same patch set (eg move to "sam" and "samba4:sam" if specifying
> > >    auth module lists in winbindd)
> > >  - clearly distinguish between the 'smbd as client' and
> > >    'ntlm_auth/wbinfo as client' cases in winbindd.
> > >  - use *authoritative as the indicator.
> > >  - have tests (both for the specific change desired, and for the
> > >    other areas touched like rodc)
> > >  - be bisectable
> >
> > We also need to keep netlogon in the AD DC talking to winbindd, not
> > just for the future trusted domains case, but for the RODC.  Remember
> > that domain members (PCs) need to talk to NETLOGON on the RODC which
> > may forward the passwords to a RW DC.
> >
> > I plan to write some tests for this part as we work to lock in this
> > support, as clearly it isn't covered right now.
>
> I'm currently looking into this and I might have something that should
> do the job without changing too much within the next days.
>
> If you send me the additional tests I can include them,
> but calling an async irpc as a fallback in the netlogon server
> should also handle the RODC case.

I'll likewise be able to get you some tests in the next few days.  Just
trying hard to swat away the auth-logging branch which has kind of
exploded.  It should be under control and up for review soon!

> I think what we need is a test env that is a member in a domain
> that has trusts to others. Maybe the 'ad_member' env could require
> the fl2008r2dc to also be available in addition to ad_dc.

That sounds reasonable.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Hi Volker,

> On Mon, Mar 20, 2017 at 10:54:59AM +0100, Stefan Metzmacher wrote:
>> I'm currently looking into this and I might have something that should
>> do the job without changing too much within the next days.
>
> Can you share your ideas?

https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth

This is very much work in progress, but if you look at the complete
diff against master you'll get the idea.

Ignore the lookupsid/names patches at the top, they don't work yet.

The "PASSED "preauth:map untrusted to domain" = no" patch and the one
without it pass autobuild, but I need to clean up a lot.

On a member winbindd I'm able to use wbinfo -a against a trusted domain
now, but smbclient against the member doesn't work yet (without a
working lookupsids/names passthrough). That's why I started with the
lookupsids/names stuff.

metze




Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Am 21.03.2017 um 00:06 schrieb Stefan Metzmacher via samba-technical:
> Hi Volker,
>
>> On Mon, Mar 20, 2017 at 10:54:59AM +0100, Stefan Metzmacher wrote:
>>> I'm currently looking into this and I might have something that should
>>> do the job without changing too much within the next days.
>>
>> Can you share your ideas?
>
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth

Ok,
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok
contains the first preparation step that should not really change the logic.

master3-auth is rebased on master3-auth-ok and needs further cleanup.

metze



Re: [PATCH] Correctly handle !authoritative in the rpc-based auth backends

Am 21.03.2017 um 08:59 schrieb Stefan Metzmacher via samba-technical:

> Am 21.03.2017 um 00:06 schrieb Stefan Metzmacher via samba-technical:
>> Hi Volker,
>>
>>> On Mon, Mar 20, 2017 at 10:54:59AM +0100, Stefan Metzmacher wrote:
>>>> I'm currently looking into this and I might have something that should
>>>> do the job without changing too much within the next days.
>>>
>>> Can you share your ideas?
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth
>
> Ok,
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok
> contains the first preparation step that should not really change the logic.
The following patchset also passed autobuild and should not change the
logic.

Please review:-)

I'll try to prepare the rest in the next days.

Andrew, I rebased your branch on top of this:
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-logging

metze

Attachment: tmp.diff.txt (99K)