1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00

auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC

It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2017-03-17 14:54:16 +01:00 committed by Andrew Bartlett
parent bb6583fdf2
commit 2a57b285ce

View File

@ -650,7 +650,20 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
/*
* TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
* if everything (gensec/auth4) is fully async without nested
* event loops!
*
* But for now we'll fail authentications for trusted
* domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
* instead of silently mapping to local users.
*/
auth_methods = str_list_make(mem_ctx,
"anonymous sam "
"winbind_rodc sam_failtrusts "
"sam_ignoredomain",
NULL);
break;
}
return discard_const_p(const char *, auth_methods);