sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
Code

s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names

Browse Source 
authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.

Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.

Currently this only applies to an RODC that forwards
the request to an RWDC.

But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184

(cherry picked from commit 40f2070d3b)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Mar 16 15:37:02 UTC 2022 on sn-devel-184
This commit is contained in:
Stefan Metzmacher 2022-03-03 11:10:00 +01:00 committed by Jule Anger
parent 65498505cb
commit 2a9a518555
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
selftest/knownfail.d/rodc_rwdc
View File

@ -1 +0,0 @@
^samba4.ldap.rodc_rwdc.*test_ldap_change_password_simple_bind

5
source4/auth/ntlm/auth_simple.c
View File

@ -121,8 +121,9 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
return tevent_req_post(req, ev);
}
user_info->mapped.account_name = nt4_username;
user_info->mapped.domain_name = nt4_domain;
user_info->orig_client = user_info->client;
user_info->client.account_name = nt4_username;
user_info->client.domain_name = nt4_domain;
user_info->cracknames_called = true;
subreq = auth_check_password_send(state, ev,