auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
It's better to consistently fail authentications for users of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET, instead of silently mapping them to local users, by accident. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
bb6583fdf2
commit
2a57b285ce
@ -650,7 +650,20 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
|
||||
case ROLE_DOMAIN_BDC:
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
|
||||
/*
|
||||
* TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
|
||||
* if everything (gensec/auth4) is fully async without nested
|
||||
* event loops!
|
||||
*
|
||||
* But for now we'll fail authentications for trusted
|
||||
* domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
|
||||
* instead of silently mapping to local users.
|
||||
*/
|
||||
auth_methods = str_list_make(mem_ctx,
|
||||
"anonymous sam "
|
||||
"winbind_rodc sam_failtrusts "
|
||||
"sam_ignoredomain",
|
||||
NULL);
|
||||
break;
|
||||
}
|
||||
return discard_const_p(const char *, auth_methods);
|
||||
|
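Review bot: The comment added above the new `str_list_make()` call explains the TODO but does not say that the order of the modules in the string is what produces the behaviour described in the commit message. Assuming the modules are tried in list order (the hunk does not show the dispatcher), `sam_failtrusts` has to stay ahead of `sam_ignoredomain`, otherwise a user of a trusted domain would again fall through to the local-user mapping instead of getting NT_STATUS_NO_TRUST_LSA_SECRET. I would add a line to the comment such as `* NOTE: keep "sam_failtrusts" before "sam_ignoredomain"; reordering brings back the silent mapping to local users.` The comment could also state that the list applies to ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC as well, since all three case labels share it while the commit title names only AD_DC (the switch and the rest of auth_methods_from_lp start outside the hunk).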