auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
author Stefan Metzmacher <metze@samba.org>
Fri, 17 Mar 2017 13:54:16 +0000 (14:54 +0100)
committer Andrew Bartlett <abartlet@samba.org>
Sun, 9 Apr 2017 23:11:20 +0000 (01:11 +0200)
It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/auth/ntlm/auth.c

index ecb7d6b1cad7bb7e0b5712d3cec07d64b4200b89..f366fb111aea3099cf54b640254c795dd425444e 100644
@@ -650,7 +650,20 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
        case ROLE_DOMAIN_BDC:
        case ROLE_DOMAIN_PDC:
        case ROLE_ACTIVE_DIRECTORY_DC:
-               auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
+               /*
+                * TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
+                * if everything (gensec/auth4) is fully async without nested
+                * event loops!
+                *
+                * But for now we'll fail authentications for trusted
+                * domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
+                * instead of silently mapping to local users.
+                */
+               auth_methods = str_list_make(mem_ctx,
+                                            "anonymous sam "
+                                            "winbind_rodc sam_failtrusts "
+                                            "sam_ignoredomain",
+                                            NULL);
                break;
        }
        return discard_const_p(const char *, auth_methods);
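Review bot: the order of the methods in the new `str_list_make()` call is load-bearing but the comment above it does not say so; since auth4 tries the listed methods in order, `sam_failtrusts` has to come before `sam_ignoredomain`, otherwise a user from a trusted domain would still be looked up in the local SAM with the domain ignored, which is exactly the silent mapping to local users this change is meant to replace with NT_STATUS_NO_TRUST_LSA_SECRET. Suggest adding a line to the block comment, e.g. `* Note: "sam_failtrusts" must stay before "sam_ignoredomain".`, and pointing the TODO at bug 12709 from the commit message so the interim `winbind_rodc sam_failtrusts` arrangement has a tracked owner.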