Univention Bugzilla – Attachment 9973 Details for Bug 47314: Cross-domain share access via same user+password doesn't work any more on UCS memberserver
Attachment: s3-auth-add-map-untrusted-to-domain-handling.patch (text/plain), 5.86 KB, created by Arvid Requate on 2019-04-15 19:43:39 CEST
Description: s3-auth-add-map-untrusted-to-domain-handling.patch
Filename: s3-auth-add-map-untrusted-to-domain-handling.patch
MIME Type: text/plain
Creator: Arvid Requate
Created: 2019-04-15 19:43:39 CEST
Size: 5.86 KB
Flags: patch, obsolete
>Revert upstream changes e7bc23e44c0^..43984b8292 > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index fbc36423e2b..8e7fa914748 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -110,6 +110,12 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, > NTSTATUS result; > bool was_mapped; > char *internal_username = NULL; >+ bool upn_form = false; >+ int map_untrusted = lp_map_untrusted_to_domain(); >+ >+ if (client_domain[0] == '\0' && strchr(smb_name, '@')) { >+ upn_form = true; >+ } > > was_mapped = map_username(talloc_tos(), smb_name, &internal_username); > if (!internal_username) { 
>@@ -119,12 +125,35 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, > DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n", > client_domain, smb_name, workstation_name)); > >- /* >- * We let the auth stack canonicalize, username >- * and domain. >- */ > domain = client_domain; > >+ /* If you connect to a Windows domain member using a bogus domain name, >+ * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if >+ * the Windows box is a DC the name will become DOMAIN\user and be >+ * authenticated against AD, if the Windows box is a member server but >+ * not a DC the name will become WORKSTATION\user. A standalone >+ * non-domain member box will also map to WORKSTATION\user. >+ * This also deals with the client passing in a "" domain */ >+ >+ if (map_untrusted != Auto && !upn_form && >+ !strequal(domain, my_sam_name()) && >+ !strequal(domain, get_global_sam_name()) && >+ !is_trusted_domain(domain)) >+ { >+ if (map_untrusted) { >+ domain = my_sam_name(); >+ } else { >+ domain = get_global_sam_name(); >+ } >+ DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from " >+ "workstation [%s]\n", >+ client_domain, domain, smb_name, workstation_name)); >+ } >+ >+ /* We know that the given domain is trusted (and we are allowing them), >+ * it is our global SAM name, or for legacy behavior it is our >+ * primary domain name */ >+ > result = make_user_info(mem_ctx, user_info, smb_name, internal_username, > client_domain, domain, workstation_name, > remote_address, local_address, >diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml >new file mode 100644 >index 00000000000..f782a512204 >--- /dev/null >+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml 
>@@ -0,0 +1,55 @@ >+<samba:parameter name="map untrusted to domain" >+ context="G" >+ type="enum" >+ enumlist="enum_bool_auto" >+ deprecated="1" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para> >+ By default, and with <smbconfoption name="map untrusted to domain">auto</smbconfoption> >+ smbd will defer the decision whether the domain name provided by the >+ client is a valid domain name to the Domain Controller (DC) of >+ the domain it is a member of, if it is not a DC. If the DC indicates >+ that the domain portion is unknown, then a local authentication is performed. >+ Standalone servers always ignore the domain. This is basically the same as >+ the behavior implemented in Windows. >+ </para> >+ >+ <para> >+ With <smbconfoption name="map untrusted to domain">no</smbconfoption>, >+ if a client connects to smbd using an untrusted domain name, such as >+ BOGUS\user, smbd replaces the BOGUS domain with it's SAM name >+ (forcing local authentication) before >+ attempting to authenticate that user. In the case where smbd is acting as >+ a NT4 PDC/BDC this will be DOMAIN\user. In the case where smbd is acting as a >+ domain member server or a standalone server this will be WORKSTATION\user. >+ While this appears similar to the behaviour of >+ <smbconfoption name="map untrusted to domain">auto</smbconfoption>, >+ the difference is that smbd will use a cached (maybe incomplete) list >+ of trusted domains in order to classify a domain as "untrusted" >+ before contacting any DC first. >+ </para> >+ >+ <para> >+ With <smbconfoption name="map untrusted to domain">yes</smbconfoption>, >+ smbd provides the legacy behavior matching that of versions of Samba pre 3.4: >+ the BOGUS domain name would always be replaced by the >+ primary domain before attempting to authenticate that user. >+ This will be DOMAIN\user in all server roles except active directory domain controller. 
>+ </para> >+ >+ <para> >+ <smbconfoption name="map untrusted to domain">no</smbconfoption>, >+ was the default up to Samba 4.6. >+ </para> >+ >+ <para> >+ <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added >+ and become the default with Samba 4.7.0. As the option is marked as >+ <constant>deprecated</constant> it will be removed in a future release, while the behavior of >+ <smbconfoption name="map untrusted to domain">auto</smbconfoption> will be kept. >+ </para> >+</description> >+ >+<value type="default">auto</value> >+</samba:parameter> >diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c >index ddb45073b1b..508fa5a692d 100644 >--- a/lib/param/loadparm.c >+++ b/lib/param/loadparm.c >@@ -2840,6 +2840,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) > > lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT); > >+ lpcfg_do_global_parameter(lp_ctx, "map untrusted to domain", "auto"); >+ > lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto"); > > lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default"); >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 5853c8f70c0..a34b3dbd1ad 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -867,6 +867,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) > > Globals.min_receivefile_size = 0; > >+ Globals.map_untrusted_to_domain = Auto; > Globals.multicast_dns_register = true; > > Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
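Review bot: the `upn_form` test in the first source3/auth/auth_util.c hunk (`client_domain[0] == '\0' && strchr(smb_name, '@')`) treats any name containing '@' sent with an empty client domain as a UPN and leaves `domain` empty, so neither the `yes` nor the `no` remap ever applies on that path; the new mapuntrustedtodomain.xml description only covers the `BOGUS\user` cases and should mention this exception, since it is the one input shape where the option is silently ignored.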
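Review bot: the commit message ("Revert upstream changes e7bc23e44c0^..43984b8292") gives no rationale and does not say which value UCS will set, yet the remap block added in the second auth_util.c hunk is guarded by `map_untrusted != Auto` and both loadparm.c hunks restore `Auto`/`"auto"` as the default, so applying this revert alone changes nothing for bug 47314 until `map untrusted to domain` is set explicitly. State the intended setting (and where UCS configures it) in the commit message, and note that the only trace of a remap at runtime is the `DEBUG(5, ("Mapped domain from [%s] to [%s] ..."))` line, so operators diagnosing cross-domain logons need auth logging at level 5 or higher to see which domain a session was actually authenticated against.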
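Review bot: two wording errors in the docs-xml/smbdotconf/security/mapuntrustedtodomain.xml hunk: "smbd replaces the BOGUS domain with it's SAM name" should read "its SAM name", and "was added and become the default with Samba 4.7.0" should read "became the default". The same paragraph already flags the security-relevant caveat of `no`: the untrusted/trusted decision is taken from a cached and possibly incomplete trust list before any DC is asked, so a domain that is merely missing from the cache is rewritten to the local SAM name and the credentials are checked against a different account than the client named. Since this bug is exactly the same-username-and-password-in-two-domains scenario, consider stating in the description that `auto` is the only value that defers that decision to the DC.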
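Review bot: the defaults in the lib/param/loadparm.c and source3/param/loadparm.c hunks (`"auto"` and `Globals.map_untrusted_to_domain = Auto`) agree with `<value type="default">auto</value>` in the XML, which is required because the `Globals.map_untrusted_to_domain` field and the `lp_map_untrusted_to_domain()` accessor used in auth_util.c are generated from that XML file; keep the three in sync if the default is ever changed on the UCS side. The XML also carries `deprecated="1"` and says the option will be removed, so any UCS configuration that sets it to resolve this bug depends on an option upstream has already dropped; record in the bug which Samba versions this revert is carried for.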