From 5cd4b7b7c03df6e896186d985b6858a06aa40b3f Mon Sep 17 00:00:00 2001
From: Steven Danneman
Date: Thu, 12 Feb 2009 13:01:45 -0800
Subject: s3: Added new parameter "map untrusted to domain"
When enabled this reverts smbd to the legacy domain remapping behavior when a user provides an untrusted domain This partially reverts d8c54fdd
---
WHATSNEW.txt | 23 +++++++++++++++++++++--
source3/auth/auth_util.c | 12 ++++++++----
source3/include/proto.h | 2 ++
source3/param/loadparm.c | 13 +++++++++++++
source3/passdb/passdb.c | 18 ++++++++++++++++++
5 files changed, 62 insertions(+), 6 deletions(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 65d226cfc2..066f718999 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -10,8 +10,27 @@ system at https://bugzilla.samba.org/.
 Major enhancements in Samba 3.4.0 include:
-o
-
+Authentication Changes:
+o Changed the way smbd handles untrusted domain names given during user
+ authentication
+
+Authentication Changes
+======================
+
+Previously, when Samba was a domain member and a client was connecting using an
+untrusted domain name, such as BOGUS\user smbd would remap the untrusted
+domain to the primary domain smbd was a member of and attempt authentication
+using that DOMAIN\user name. This differed from how a Windows member server
+would behave. Now, smbd will replace the BOGUS name with it's SAM name. In
+the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
+where smbd is acting as a domain member server this will be WORKSTATION\user.
+Thus, smbd will never assume that an incoming user name which is not qualified
+with the same primary domain, is part of smbd's primary domain.
+
+While this behavior matches Windows, it may break some workflows which depended
+on smbd to always pass through bogus names to the DC for verification. A new
+parameter "map untrusted to domain" can be enabled to revert to the legacy
+behavior.
 ######################################################################
 Reporting bugs & Development Discussion
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f942b2e50a..892e5c4ab7 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -226,14 +226,18 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 if (!is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) ) {
- domain = get_global_sam_name();
- DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] on "
+ if (lp_map_untrusted_to_domain())
+ domain = my_sam_name();
+ else
+ domain = get_global_sam_name();
+ DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
 "workstation [%s]\n", client_domain, domain, smb_name, wksta_name));
 }
- /* we know that it is a trusted domain (and we are allowing them) or it
- * is our domain */
+ /* We know that the given domain is trusted (and we are allowing them),
+ * it is our global SAM name, or for legacy behavior it is our
+ * primary domain name */
 result = make_user_info(user_info, smb_name, internal_username, client_domain, domain, wksta_name,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 2365015544..7ad063ef47 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4067,6 +4067,7 @@ bool lp_nt_status_support(void);
 bool lp_stat_cache(void);
 int lp_max_stat_cache_size(void);
 bool lp_allow_trusted_domains(void);
+bool lp_map_untrusted_to_domain(void);
 int lp_restrict_anonymous(void);
 bool lp_lanman_auth(void);
 bool lp_ntlm_auth(void);
@@ -4435,6 +4436,7 @@ bool sid_check_is_in_our_domain(const DOM_SID *sid);
 /* The following definitions come from passdb/passdb.c */
+const char *my_sam_name(void);
 struct samu *samu_new( TALLOC_CTX *ctx );
 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd);
 NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0dfbb09331..a127ec5394 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
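Review bot: The new `if (lp_map_untrusted_to_domain())` branch folds a domain name this server does not trust into `my_sam_name()`, and — going by the WHATSNEW text in this same patch — that name is then passed through to the DC for verification, yet the DEBUG(5, ...) line that follows prints the same "Mapped domain from [%s] to [%s]" for both branches, so a log reader cannot tell a legacy fold-in from the normal SAM-name substitution. I would annotate the branch, `/* legacy: fold the untrusted domain into our primary domain; the DC decides */`, and have the debug text name the mode, e.g. append `lp_map_untrusted_to_domain() ? " (legacy map)" : ""` through an extra `%s`, so the accepted logon can be traced back to this parameter. Both arms of the if/else are unbraced single statements where the surrounding file braces its control bodies. make_user_info_map begins above this hunk and continues past it.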
@@ -345,6 +345,7 @@ struct global {
 struct param_opt_struct *param_opt;
 int cups_connection_timeout;
 char *szSMBPerfcountModule;
+ bool bMapUntrustedToDomain;
 };
 static struct global Globals;
@@ -1776,6 +1777,15 @@ static struct parm_struct parm_table[] = {
 .enum_list = enum_kerberos_method,
 .flags = FLAG_ADVANCED,
 },
+ {
+ .label = "map untrusted to domain",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bMapUntrustedToDomain,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED | FLAG_GLOBAL,
+ },
 {N_("Logging Options"), P_SEP, P_SEPARATOR},
@@ -5053,6 +5063,8 @@ static void init_globals(bool first_time_only)
 Globals.bRegistryShares = False;
 Globals.iminreceivefile = 0;
+
+ Globals.bMapUntrustedToDomain = false;
 }
 /*******************************************************************
@@ -5351,6 +5363,7 @@ FN_GLOBAL_BOOL(lp_nt_status_support, &Globals.bNTStatusSupport)
 FN_GLOBAL_BOOL(lp_stat_cache, &Globals.bStatCache)
 FN_GLOBAL_INTEGER(lp_max_stat_cache_size, &Globals.iMaxStatCacheSize)
 FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains)
+FN_GLOBAL_BOOL(lp_map_untrusted_to_domain, &Globals.bMapUntrustedToDomain)
 FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
 FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
 FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index c526a175f2..95e5deb36f 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
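Review bot: In the init_globals hunk the new line `Globals.bMapUntrustedToDomain = false;` spells the literal `false` while the adjacent context line `Globals.bRegistryShares = False;` uses the file's `False` form; for consistency with its neighbours write `Globals.bMapUntrustedToDomain = False;`. The default of off is the right one for an option that widens which logons are forwarded, but nothing next to the parm_table entry says so; a one-line comment above the `{` such as `/* off by default: re-enables pre-3.4 remapping of untrusted domains */` would make the intent visible where the option is declared. The entry's `.flags = FLAG_ADVANCED | FLAG_GLOBAL` differs from the neighbouring kerberos entry's `FLAG_ADVANCED`; if that is deliberate it deserves the same short comment. Beyond its label, the patch carries no description of the option; whether the project's parameter documentation lives elsewhere is not visible here.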
@@ -27,6 +27,24 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_PASSDB
+/******************************************************************
+ Get the default domain/netbios name to be used when
+ testing authentication.
+
+ LEGACY: this function provides the legacy domain mapping used with
+ the lp_map_untrusted_to_domain() parameter
+******************************************************************/
+
+const char *my_sam_name(void)
+{
+ /* Standalone servers can only use the local netbios name */
+ if ( lp_server_role() == ROLE_STANDALONE )
+ return global_myname();
+
+ /* Default to the DOMAIN name when not specified */
+ return lp_workgroup();
+}
+
 /**********************************************************************
 ***********************************************************************/
-- cgit
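Review bot: The comment `/* Default to the DOMAIN name when not specified */` above `return lp_workgroup();` is misleading: nothing is "specified" in this function, it simply returns the workgroup name for every role other than ROLE_STANDALONE. Suggest `/* Every non-standalone role maps to the primary domain (workgroup) name */` so the reader sees that the result is what gets substituted for an untrusted domain when the parameter is on. The header block marks the function LEGACY, but the prototype this patch adds to proto.h carries no such hint; a short `/* legacy mapping for "map untrusted to domain", see passdb.c */` next to the declaration would steer new callers away from it. Whether lp_server_role() has roles beyond those implied here is not visible in the hunk.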