From 2a57b285ce0a7417b14ab028b2f711d1048eb27c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 17 Mar 2017 14:54:16 +0100
Subject: [PATCH] auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC

It's better to consistently fail authentications for users of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET, instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 source4/auth/ntlm/auth.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index ecb7d6b1cad..f366fb111ae 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -650,7 +650,20 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
 case ROLE_DOMAIN_BDC:
 case ROLE_DOMAIN_PDC:
 case ROLE_ACTIVE_DIRECTORY_DC:
- auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
+ /*
+ * TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
+ * if everything (gensec/auth4) is fully async without nested
+ * event loops!
+ *
+ * But for now we'll fail authentications for trusted
+ * domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
+ * instead of silently mapping to local users.
+ */
+ auth_methods = str_list_make(mem_ctx,
+ "anonymous sam "
+ "winbind_rodc sam_failtrusts "
+ "sam_ignoredomain",
+ NULL);
 break;
 }
 return discard_const_p(const char *, auth_methods);
-- 
2.34.1
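Review bot: The new comment block explains why `sam_failtrusts` is in the list but not that the position of the entries is load-bearing: assuming the methods are tried in list order, `sam_failtrusts` has to sit before `sam_ignoredomain`, otherwise users of trusted domains would still fall through to the local mapping this change is meant to reject, and a future reorder would silently reintroduce the bug. I would add one line to the comment, `* Order matters: sam_failtrusts must precede sam_ignoredomain, or trusted-domain users fall through to the local mapping.` Note also that the three `case` labels fall through together, so the new list applies to ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC as well, not only the AD DC role named in the subject. The enclosing `switch` and `auth_methods_from_lp` begin outside the hunk.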