authorStefan Metzmacher <metze@samba.org>2017-03-17 19:35:24 +0100
committerAndrew Bartlett <abartlet@samba.org>2017-04-10 01:11:20 +0200
commit0ca09b0e10cdc7e6cef083289da85236d40082ef (patch)
tree965937623c033922fd627ddd673154dcd7b10711 /source4/auth
parent601892457865ec636dccab708d1380d58bb04fa3 (diff)
auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
We should not do anonymous authentication nor a fallback that ignores the domain part. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/ntlm/auth.c35
1 files changed, 34 insertions, 1 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 0843f4a561b..56676bbcdac 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -716,7 +716,40 @@ _PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct auth4_context **auth_ctx)
{
- return auth_context_create(mem_ctx, ev, msg, lp_ctx, auth_ctx);
+ NTSTATUS status;
+ char **_auth_methods = NULL;
+ const char **auth_methods = NULL;
+
+ /*
+ * As 'auth methods' is deprecated it will be removed
+ * in future releases again, but for now give
+ * admins the flexibility to configure, the behavior
+ * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
+ * for a while.
+ */
+ auth_methods = lpcfg_auth_methods(lp_ctx);
+ if (auth_methods != NULL) {
+ DBG_NOTICE("using deprecated 'auth methods' values.\n");
+ } else {
+ /*
+ * We can remove "winbind_rodc sam_failtrusts",
+ * when we made the netlogon retries to
+ * to contact winbind via irpc.
+ */
+ _auth_methods = str_list_make(mem_ctx,
+ "sam "
+ "winbind_rodc sam_failtrusts",
+ NULL);
+ if (_auth_methods == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ auth_methods = discard_const_p(const char *, _auth_methods);
+ }
+
+ status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg,
+ lp_ctx, NULL, auth_ctx);
+ talloc_free(_auth_methods);
+ return status;
}
/* the list of currently registered AUTH backends */
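Review bot: When `lpcfg_auth_methods(lp_ctx)` returns a non-NULL list, the netlogon context takes that list unchanged, so a leftover `auth methods = anonymous sam_ignoredomain` silently restores the anonymous and domain-ignoring behaviour the commit message says netlogon should not have. The only trace is a generic `DBG_NOTICE` that names neither the netlogon path nor the hardened default. I would raise it to a warning an operator can act on, e.g. `DBG_WARNING("netlogon: deprecated 'auth methods' overrides the default \"sam winbind_rodc sam_failtrusts\"\n");`, and state in the comment above it that the override weakens netlogon authentication. The inner comment also has a doubled `to to`. The function's signature starts above the hunk, so whether callers can tell the two cases apart is not visible here.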