author: Stefan Metzmacher <metze@samba.org> 2022-03-03 11:10:00 +0100
committer: Jule Anger <janger@samba.org> 2022-03-16 14:40:08 +0000
commit: bf8f8c592b0395562a7bd296505c24ec09f65e4b (patch)
tree: 55ddc4a3e882d3ada234c692216b21045ee2d63e
parent: 7bb17ee5134fa8cbcc2278da142defa4834bd2b3 (diff)
download: samba-bf8f8c592b0395562a7bd296505c24ec09f65e4b.tar.gz
s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names
authenticate_ldap_simple_bind*() needs to pass the result of the cracknames operation into the auth stack as user_info->client.{account,domain}_name, because user_info->client.{account,domain}_name is also used when forwarding the request via netrLogonSamLogon* to a remote server. For exactly that, the values are also used in order to map an AUTH_PASSWORD_PLAIN into AUTH_PASSWORD_RESPONSE, where the NTLMv2 response contains the account and domain names passed in the netr_IdentityInfo value.

Otherwise it would not be possible to forward the LDAP simple bind authentication request to a remote DC. Currently this only applies to an RODC that forwards the request to an RWDC.

But note that LDAP simple binds (as on Windows) only work for users in the DC's forest, as DsCrackNames needs to work and it can't work for users of remote forests.

I tested that in a DC of a forest root domain: it rejected the LDAP simple bind against a different forest, but allowed it for users of a child domain in the same forest. The NTLMSSP bind worked in both cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184

(cherry picked from commit 40f2070d3b2b1b13cc08f7844bfe4945e9f0cd86)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Mar 16 14:40:08 UTC 2022 on sn-devel-184
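As an added illustration of the point made in the commit message (example code, not Samba's own implementation): the NTLMv2 response that an AUTH_PASSWORD_PLAIN gets mapped into takes the account and domain names as inputs, so the names used for that mapping must be the same nt4 names the remote DC later reads from netr_IdentityInfo. The helper names and the sample NT hash and challenge values are assumptions of this example.

```python
"""Added example, not Samba code: NTLMv2 response construction and verification
per MS-NLMP 3.3.2, showing that account and domain names are part of the keyed
computation. All sample values below are constructed."""
import hashlib
import hmac
import struct


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPERCASE(user) + domain))."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge,
                    timestamp, target_info=b""):
    """NtChallengeResponse = NTProofStr || temp, with temp laid out as in MS-NLMP."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(nt_hash, user, domain, server_challenge, response) -> bool:
    """What the validating DC does: recompute NTProofStr from the names it was
    given (standing in for netr_IdentityInfo here) and the stored NT hash."""
    proof, temp = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# Constructed sample values, not real credentials or captured traffic.
NT_HASH = bytes(range(16))
SERVER_CHALLENGE = b"\x11" * 8
CLIENT_CHALLENGE = b"\x22" * 8
TIMESTAMP = 0x01D82B7B4A6C3000


def forwarding_check(map_user, map_domain, identity_user, identity_domain):
    """Build the response with the names used when mapping the plaintext
    password, then verify it with the names carried in the forwarded request."""
    resp = ntlmv2_response(NT_HASH, map_user, map_domain,
                           SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP)
    return verify_ntlmv2(NT_HASH, identity_user, identity_domain,
                         SERVER_CHALLENGE, resp)


if __name__ == "__main__":
    # cracknames result used consistently on both sides: accepted
    print(forwarding_check("alice", "CHILD", "alice", "CHILD"))
    # raw bind name (UPN, empty domain) on one side, nt4 names on the other: rejected
    print(forwarding_check("alice@child.example.com", "", "alice", "CHILD"))
```

The second call models the pre-fix situation, where the names carried to the remote DC did not match the ones used to build the response.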
selftest/knownfail.d/rodc_rwdc (-rw-r--r--) | 1
source4/auth/ntlm/auth_simple.c (-rw-r--r--) | 5
2 files changed, 3 insertions, 3 deletions
diff --git a/selftest/knownfail.d/rodc_rwdc b/selftest/knownfail.d/rodc_rwdc
deleted file mode 100644
index c148d035f5e..00000000000
--- a/selftest/knownfail.d/rodc_rwdc
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.rodc_rwdc.*test_ldap_change_password_simple_bind
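Review bot: deleting the whole knownfail file asserts that samba4.ldap.rodc_rwdc.*test_ldap_change_password_simple_bind now passes, which is the right regression guard for the auth_simple.c change below; since this is a cherry-pick onto v4-16-test, confirm that branch's selftest actually runs the rodc_rwdc environment, otherwise the RODC-to-RWDC forwarding path this commit fixes is not exercised there.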
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 4f8267e9285..006e4d8279a 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -121,8 +121,9 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
return tevent_req_post(req, ev);
}
- user_info->mapped.account_name = nt4_username;
- user_info->mapped.domain_name = nt4_domain;
+ user_info->orig_client = user_info->client;
+ user_info->client.account_name = nt4_username;
+ user_info->client.domain_name = nt4_domain;
user_info->cracknames_called = true;
subreq = auth_check_password_send(state, ev,
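Review bot: user_info->mapped.account_name and user_info->mapped.domain_name are no longer assigned on this path, while the cracknames result now overwrites user_info->client.*; anything later in the auth stack that reads user_info->mapped.* once cracknames_called is true will see whatever those fields held before, so confirm they are populated downstream or that no consumer depends on them here. Also, `user_info->orig_client = user_info->client;` is a struct copy, so orig_client shares the original account/domain string pointers rather than taking talloc duplicates; that is fine as long as those strings have the same lifetime as user_info, which is worth a comment at this line.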