author | Stefan Metzmacher <metze@samba.org> | 2017-03-17 19:35:24 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-04-10 01:11:20 +0200 |
commit | 0ca09b0e10cdc7e6cef083289da85236d40082ef (patch) | |
tree | 965937623c033922fd627ddd673154dcd7b10711 /source4/auth | |
parent | 601892457865ec636dccab708d1380d58bb04fa3 (diff) | |
auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
We should not do anonymous authentication nor a fallback that
ignores the domain part.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/ntlm/auth.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 0843f4a561b..56676bbcdac 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -716,7 +716,40 @@ _PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
 struct loadparm_context *lp_ctx,
 struct auth4_context **auth_ctx)
 {
- return auth_context_create(mem_ctx, ev, msg, lp_ctx, auth_ctx);
+ NTSTATUS status;
+ char **_auth_methods = NULL;
+ const char **auth_methods = NULL;
+
+ /*
+ * As 'auth methods' is deprecated it will be removed
+ * in future releases again, but for now give
+ * admins the flexibility to configure, the behavior
+ * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
+ * for a while.
+ */
+ auth_methods = lpcfg_auth_methods(lp_ctx);
+ if (auth_methods != NULL) {
+ DBG_NOTICE("using deprecated 'auth methods' values.\n");
+ } else {
+ /*
+ * We can remove "winbind_rodc sam_failtrusts",
+ * when we made the netlogon retries to
+ * to contact winbind via irpc.
+ */
+ _auth_methods = str_list_make(mem_ctx,
+ "sam "
+ "winbind_rodc sam_failtrusts",
+ NULL);
+ if (_auth_methods == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ auth_methods = discard_const_p(const char *, _auth_methods);
+ }
+
+ status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg,
+ lp_ctx, NULL, auth_ctx);
+ talloc_free(_auth_methods);
+ return status;
 }
 
 /* the list of currently registered AUTH backends */ |
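Review bot: The `auth_methods != NULL` branch passes a configured `auth methods` list unchanged to the netlogon context, so a configuration that still carries `anonymous sam_ignoredomain` keeps the anonymous and domain-ignoring fallbacks that the commit message says netlogon should not use. The only trace is a notice-level message that names neither netlogon nor the weakened checks; I would make it `DBG_WARNING("netlogon: using deprecated 'auth methods' override, anonymous/ignore-domain fallbacks may be active\n");` so an administrator auditing the DC can spot it. `talloc_free(_auth_methods)` straight after `auth_context_create_methods()` presumably relies on that call not keeping pointers into the list, which is not visible in this hunk and deserves a one-line comment such as `/* method names are only looked up during creation, not retained */` once confirmed. The second comment has a doubled "to" ("retries to / to contact winbind"). The function's parameter list begins before the hunk.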