
Issue 793849


Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




user auth does not work when machine domain is offline

Project Member Reported by rsorokin@chromium.org, Dec 11 2017

Issue description

"net ads workgroup failed: network problem"
 
Done ?
Status: Started (was: Assigned)
As soon as CL:868017 lands. Fix for this bug is a side-effect of that CL.
Project Member

Comment 3 by bugdroid1@chromium.org, Jan 19 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/8502ec46deb2e63afac55b45c8c639c5da25e960

commit 8502ec46deb2e63afac55b45c8c639c5da25e960
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Jan 19 01:40:29 2018

authpolicy: Use user credentials for net ads search

We do net ads search to query user properties using machine credentials
for authentication. This causes issues for cross-domain authentication
(user domain != machine domain). This CL switches net ads search to use
user credentials.

As a result, AuthenticateUser cannot determine the user's sAMAccountName
based on objectGUID anymore before getting the user TGT. This causes the
authentication to fail when the username changes on the server. In
practice, the user will be forced to do an online authentication and
they have to enter their new username. Chrome automatically merges the
two profiles.

Similarly, GetUserStatus requires the user's TGT now. If it's not
present or invalid, the account_info and password_status fields cannot
be determined and are left unset. Chrome can handle this smoothly,
though, by popping up a notification when the TGT is invalid.

BUG=chromium:793849, chromium:802233
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy
     Manual testing on the device
     Tested that changing the username on the server works smoothly.

Change-Id: I4dc02399d5ff30234c000b1689ae6e2e8b999ba4
Reviewed-on: https://chromium-review.googlesource.com/868017
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/8502ec46deb2e63afac55b45c8c639c5da25e960/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/8502ec46deb2e63afac55b45c8c639c5da25e960/authpolicy/samba_interface.cc
[modify] https://crrev.com/8502ec46deb2e63afac55b45c8c639c5da25e960/authpolicy/samba_interface.h

Status: Fixed (was: Started)
Verified in canary build 10328.0.0, 66.0.3327.0.
Cc: ibezmenov@chromium.org
Status: Verified (was: Fixed)
Verified fixed. Steps:

1. Join device to AD.
2. Login as a valid user, make some actions/changes (e.g. download files).
3. Change username on Windows Server.
4. Logout.
5. Login again with the same user -> Sign-in error notification is shown.
6. Logout.
7. Login with a new username using "Add Person" option -> Username changed correctly, all changes are in place

Chrome OS: 10575.4.0
Chrome: 67.0.3396.8
Device: Paine
