authorStefan Metzmacher <metze@samba.org>2017-03-17 14:54:16 +0100
committerAndrew Bartlett <abartlet@samba.org>2017-04-10 01:11:20 +0200
commit2a57b285ce0a7417b14ab028b2f711d1048eb27c (patch)
tree87a5d6992a9ff366fe9e05e421f614ab37727979 /source4/auth/ntlm
parentbb6583fdf200677bd7ef17dfa9e57b6f5c14fb45 (diff)
downloadsamba-2a57b285ce0a7417b14ab028b2f711d1048eb27c.tar.gz
auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
It's better to consistently fail authentications for users of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET, instead of silently mapping them to local users, by accident. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth/ntlm')
-rw-r--r--source4/auth/ntlm/auth.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index ecb7d6b1cad..f366fb111ae 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -650,7 +650,20 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
- auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
+ /*
+ * TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
+ * if everything (gensec/auth4) is fully async without nested
+ * event loops!
+ *
+ * But for now we'll fail authentications for trusted
+ * domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
+ * instead of silently mapping to local users.
+ */
+ auth_methods = str_list_make(mem_ctx,
+ "anonymous sam "
+ "winbind_rodc sam_failtrusts "
+ "sam_ignoredomain",
+ NULL);
break;
}
return discard_const_p(const char *, auth_methods);
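Review bot: The order of the new method list is load-bearing, but the added comment only states the intent, not the invariant that makes it hold: `sam_failtrusts` must stay ahead of `sam_ignoredomain`, because `sam_ignoredomain` (still last in the list) is exactly the module that strips the domain and maps a trusted-domain user onto a local account, which is the silent mapping bug 2976 is about. A later reordering or an added method between them would quietly reintroduce the problem with no test failing in this function. I would extend the comment with a line such as `/* Order matters: sam_failtrusts must precede sam_ignoredomain, otherwise trusted-domain users fall through and are mapped to local users (bug 2976). */`. Presumably `winbind_rodc` returns a "not handled" status on a RWDC so the chain continues to `sam_failtrusts`; that is worth stating in the comment too, if it is the actual contract. The enclosing function `auth_methods_from_lp` starts outside the hunk, so whether an smb.conf `auth methods` override bypasses this hard-coded list cannot be seen here.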