From: Stefan Metzmacher Date: Thu, 23 Jan 2020 15:21:43 +0000 (+0100) Subject: s3:auth_sam: map an empty domain or '.' to the local SAM name X-Git-Tag: ldb-2.1.1~181 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=590df382bea44eec2dbfd2a28c659b0a29188bca;p=thirdparty%2Fsamba.git s3:auth_sam: map an empty domain or '.' to the local SAM name When a domain member gets an empty domain name or '.', it should not forward the authentication to domain controllers of the primary domain. But we need to keep passing UPN account names with an empty domain to the DCs as a domain member. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/python/samba/tests/auth_log_winbind.py b/python/samba/tests/auth_log_winbind.py index 4f4beff1e32..4c68187aef8 100644 --- a/python/samba/tests/auth_log_winbind.py +++ b/python/samba/tests/auth_log_winbind.py @@ -321,7 +321,7 @@ class AuthLogTestsWinbind(AuthLogTestBase, BlackboxTestCase): self.assertEquals("unix:", msg["Authentication"]["localAddress"]) self.assertEquals('', msg["Authentication"]["clientDomain"]) # This is what the existing winbind implementation returns. - self.assertEquals("NT_STATUS_INVALID_HANDLE", + self.assertEquals("NT_STATUS_NO_SUCH_USER", msg["Authentication"]["status"]) self.assertEquals(self.credentials.get_username(), msg["Authentication"]["clientAccount"]) @@ -424,7 +424,7 @@ class AuthLogTestsWinbind(AuthLogTestBase, BlackboxTestCase): self.assertEquals("unix:", msg["Authentication"]["localAddress"]) self.assertEquals('', msg["Authentication"]["clientDomain"]) # This is what the existing winbind implementation returns. - self.assertEquals("NT_STATUS_INVALID_HANDLE", + self.assertEquals("NT_STATUS_NO_SUCH_USER", msg["Authentication"]["status"]) self.assertEquals(self.credentials.get_username(), msg["Authentication"]["clientAccount"]) diff --git a/selftest/knownfail.d/empty-domain-name b/selftest/knownfail.d/empty-domain-name index 9855e4d58c2..a1ffcaf7e3c 100644 --- a/selftest/knownfail.d/empty-domain-name +++ b/selftest/knownfail.d/empty-domain-name @@ -1,5 +1,5 @@ ^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*nt4_member -^samba3.blackbox.smbclient_auth.empty_domain.member_creds.smbclient.*as.user.*ad_member +^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*ad_member ^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*nt4_member ^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*ad_member ^samba3.blackbox.smbclient_auth.upn.domain_creds.smbclient.*as.*user.*nt4_member diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index fa40a5c8f3e..c6357c696ea 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -93,10 +93,36 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context, return NT_STATUS_NOT_IMPLEMENTED; } + if (lp_server_role() == ROLE_DOMAIN_MEMBER) { + const char *p = NULL; + + p = strchr_m(user_info->mapped.account_name, '@'); + if (p != NULL) { + /* + * This needs to go to the DC, + * even if @ is the last character + */ + return NT_STATUS_NOT_IMPLEMENTED; + } + } + + if (effective_domain == NULL) { + effective_domain = ""; + } + DBG_DEBUG("Check auth for: [%s]\\[%s]\n", effective_domain, user_info->mapped.account_name); + + if (strequal(effective_domain, "") || strequal(effective_domain, ".")) { + /* + * An empty domain name or '.' should be handled + * as the local SAM name. + */ + effective_domain = lp_netbios_name(); + } + is_local_name = is_myname(effective_domain); is_my_domain = strequal(effective_domain, lp_workgroup()); @@ -174,6 +200,10 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context, return NT_STATUS_NOT_IMPLEMENTED; } + if (effective_domain == NULL) { + effective_domain = ""; + } + DBG_DEBUG("Check auth for: [%s]\\[%s]\n", effective_domain, user_info->mapped.account_name); @@ -189,6 +219,14 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context, return NT_STATUS_INVALID_SERVER_STATE; } + if (strequal(effective_domain, "") || strequal(effective_domain, ".")) { + /* + * An empty domain name or '.' should be handled + * as the local SAM name. + */ + effective_domain = lp_workgroup(); + } + is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup()); if (!is_my_domain) { DBG_INFO("%s is not our domain name (DC for %s)\n",