Major enhancements in Samba 3.4.0 include:
-o
-
+Authentication Changes:
+o Changed the way smbd handles untrusted domain names given during user
+ authentication
+
+Authentication Changes
+======================
+
+Previously, when Samba was a domain member and a client was connecting using an
+untrusted domain name, such as BOGUS\user smbd would remap the untrusted
+domain to the primary domain smbd was a member of and attempt authentication
+using that DOMAIN\user name. This differed from how a Windows member server
+would behave. Now, smbd will replace the BOGUS name with it's SAM name. In
+the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
+where smbd is acting as a domain member server this will be WORKSTATION\user.
+Thus, smbd will never assume that an incoming user name which is not qualified
+with the same primary domain, is part of smbd's primary domain.
+
+While this behavior matches Windows, it may break some workflows which depended
+on smbd to always pass through bogus names to the DC for verification. A new
+parameter "map untrusted to domain" can be enabled to revert to the legacy
+behavior.
######################################################################
Reporting bugs & Development Discussion
if (!is_trusted_domain(domain) &&
!strequal(domain, get_global_sam_name()) )
{
- domain = get_global_sam_name();
- DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] on "
+ if (lp_map_untrusted_to_domain())
+ domain = my_sam_name();
+ else
+ domain = get_global_sam_name();
+ DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
"workstation [%s]\n",
client_domain, domain, smb_name, wksta_name));
}
- /* we know that it is a trusted domain (and we are allowing them) or it
- * is our domain */
+ /* We know that the given domain is trusted (and we are allowing them),
+ * it is our global SAM name, or for legacy behavior it is our
+ * primary domain name */
result = make_user_info(user_info, smb_name, internal_username,
client_domain, domain, wksta_name,
bool lp_stat_cache(void);
int lp_max_stat_cache_size(void);
bool lp_allow_trusted_domains(void);
+bool lp_map_untrusted_to_domain(void);
int lp_restrict_anonymous(void);
bool lp_lanman_auth(void);
bool lp_ntlm_auth(void);
/* The following definitions come from passdb/passdb.c */
+const char *my_sam_name(void);
struct samu *samu_new( TALLOC_CTX *ctx );
NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd);
NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd);
struct param_opt_struct *param_opt;
int cups_connection_timeout;
char *szSMBPerfcountModule;
+ bool bMapUntrustedToDomain;
};
static struct global Globals;
.enum_list = enum_kerberos_method,
.flags = FLAG_ADVANCED,
},
+ {
+ .label = "map untrusted to domain",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bMapUntrustedToDomain,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED | FLAG_GLOBAL,
+ },
{N_("Logging Options"), P_SEP, P_SEPARATOR},
Globals.bRegistryShares = False;
Globals.iminreceivefile = 0;
+
+ Globals.bMapUntrustedToDomain = false;
}
/*******************************************************************
FN_GLOBAL_BOOL(lp_stat_cache, &Globals.bStatCache)
FN_GLOBAL_INTEGER(lp_max_stat_cache_size, &Globals.iMaxStatCacheSize)
FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains)
+FN_GLOBAL_BOOL(lp_map_untrusted_to_domain, &Globals.bMapUntrustedToDomain)
FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
+/******************************************************************
+ Get the default domain/netbios name to be used when
+ testing authentication.
+
+ LEGACY: this function provides the legacy domain mapping used with
+ the lp_map_untrusted_to_domain() parameter
+******************************************************************/
+
+const char *my_sam_name(void)
+{
+ /* Standalone servers can only use the local netbios name */
+ if ( lp_server_role() == ROLE_STANDALONE )
+ return global_myname();
+
+ /* Default to the DOMAIN name when not specified */
+ return lp_workgroup();
+}
+
/**********************************************************************
***********************************************************************/
git.samba.org / amitay / samba.git / commitdiff