s4:auth/ntlmssp: add support for using "winbind" as DC
authorStefan Metzmacher <metze@samba.org>
Fri, 16 Jun 2017 23:06:46 +0000 (01:06 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Mon, 7 Aug 2017 13:20:03 +0000 (15:20 +0200)
This adds support for trusted domains to the auth stack on AD DCs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
selftest/knownfail
source4/auth/ntlm/auth.c
source4/selftest/tests.py

index 1b5a98c59b586a6d0f5fe7f757a57fcb914761a8..c525447ccc412796a4d9c4468f7cb472e5a40acd 100644 (file)
 #
 ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs:local\)
 #
-# The following should pass once we have trust support
-^samba4.blackbox.trust_ntlm.Test07.*client.*with.ADDOMAIN\\Administrator%locDCpass1\(fl2008r2dc:local\)
-^samba4.blackbox.trust_ntlm.Test08.*client.*with.ADDOM.SAMBA.EXAMPLE.COM\\Administrator%locDCpass1\(fl2008r2dc:local\)
+# winbindd doesn't handle routing for domain="" and
+# account="Administrator@ADDOMAIN" yet.
+#
 ^samba4.blackbox.trust_ntlm.Test09.*client.*with.Administrator@ADDOMAIN%locDCpass1\(fl2008r2dc:local\)
 ^samba4.blackbox.trust_ntlm.Test10.*client.*with.Administrator@ADDOM.SAMBA.EXAMPLE.COM%locDCpass1\(fl2008r2dc:local\)
-^samba4.blackbox.trust_ntlm.Test07.*client.*with.ADDOMAIN\\Administrator%locDCpass1\(fl2003dc:local\)
-^samba4.blackbox.trust_ntlm.Test08.*client.*with.ADDOM.SAMBA.EXAMPLE.COM\\Administrator%locDCpass1\(fl2003dc:local\)
 ^samba4.blackbox.trust_ntlm.Test09.*client.*with.Administrator@ADDOMAIN%locDCpass1\(fl2003dc:local\)
 ^samba4.blackbox.trust_ntlm.Test10.*client.*with.Administrator@ADDOM.SAMBA.EXAMPLE.COM%locDCpass1\(fl2003dc:local\)
 # We currently don't send referrals for LDAP modify of non-replicated attrs
index 3424e503b3e0457b188e16e94f4b1dfce7ffbd66..56c1bcfd3d48ee79b9a23878092af3c2b04ea3c6 100644 (file)
@@ -768,25 +768,10 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
                auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain", NULL);
                break;
        case ROLE_DOMAIN_MEMBER:
-               auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL);
-               break;
        case ROLE_DOMAIN_BDC:
        case ROLE_DOMAIN_PDC:
        case ROLE_ACTIVE_DIRECTORY_DC:
-               /*
-                * TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
-                * if everything (gensec/auth4) is fully async without nested
-                * event loops!
-                *
-                * But for now we'll fail authentications for trusted
-                * domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
-                * instead of silently mapping to local users.
-                */
-               auth_methods = str_list_make(mem_ctx,
-                                            "anonymous sam "
-                                            "winbind_rodc sam_failtrusts "
-                                            "sam_ignoredomain",
-                                            NULL);
+               auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL);
                break;
        }
        return discard_const_p(const char *, auth_methods);
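Review bot: The fallthrough from `case ROLE_DOMAIN_MEMBER:` into the DC cases on the new side is unmarked; since the two branches now deliberately share one method list, add `/* fall through */` (or the tree's FALL_THROUGH macro, if it is available at this point) after `case ROLE_DOMAIN_MEMBER:` so -Wimplicit-fallthrough and the next reader do not take it for a lost `break`. The removed block comment also carried the reason the DC list used to end with `sam_failtrusts`: trusted-domain logons were meant to fail consistently rather than reach `sam_ignoredomain`, which still trails the new list, so the new behaviour depends on the winbind method claiming every non-local-domain request, and the knownfail change in this commit suggests the domain="" / UPN routing case is not covered yet. A short replacement comment would keep that reasoning visible, e.g. `/* winbind must claim every trusted-domain request; sam_ignoredomain is only meant to see local names */` above the new `str_list_make` call. auth_methods_from_lp begins before this hunk and its closing brace lies after it.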
index 2865095b0058d996c1491f341f5ccda16d12b349..3f3d21685ff568aea69e999a3451a0132dd6b26b 100755 (executable)
@@ -409,8 +409,8 @@ else:
     plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_mit.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
     plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
 
-plantestsuite("samba4.blackbox.trust_ntlm", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'forest', 'auto', 'NT_STATUS_NO_TRUST_LSA_SECRET'])
-plantestsuite("samba4.blackbox.trust_ntlm", "fl2003dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_NO_TRUST_LSA_SECRET'])
+plantestsuite("samba4.blackbox.trust_ntlm", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'forest', 'auto', 'NT_STATUS_LOGON_FAILURE'])
+plantestsuite("samba4.blackbox.trust_ntlm", "fl2003dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_LOGON_FAILURE'])
 plantestsuite("samba4.blackbox.trust_ntlm", "ad_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])
 plantestsuite("samba4.blackbox.trust_ntlm", "nt4_member:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$SERVER', '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$DOMAIN', '$DOMAIN', 'member', 'auto', 'NT_STATUS_LOGON_FAILURE'])