SAMLOGON UDP request

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Dec 15 17:22:14 GMT 1998


On Tue, 15 Dec 1998, Andrew Tridgell wrote:

> > yes, in an inter-domain environment.  we look up the SID against the known
> > inter-domain trust SIDs and return the known PDC for that SID.
> 
> great, that is the first possibly valid reason I've seen for having
> the SID in nmbd. 

andrew, jeremy, remember that i can never, or at least rarely, come up with
immediate reasons (within two days); it usually takes me two to three
weeks.  i still may know why something may not be a good idea, i just
can't justify it: the design is still partially subconscious.

> 1) the code I removed didn't do this. 

that code is a subset of what is required.

> 2) doing this requires changes to much more than just
> nmbd_processlogon.c as requests for other domains won't even get that
> far. We'd have to change the code that determines if the domain name
> is a local name or add the foreign domains to our locally registered
> name list for each subnet. If we did the latter (which would probably
> be the right thing to do) then we'd need to go carefully through all
> the other datagram code and make sure we don't reply inappropriately
> to other requests.

don't worry: NT registers FOREIGN_DOMAIN<00> and on this name it answers
*all* requests that are sent to FOREIGN_DOMAIN<00>.

therefore we don't need to "reply inappropriately", we actually need to go
carefully through all the other datagram code to make sure that we _do_
reply appropriately.

i have seen foreign trusted domains sending each other "become backup
master browser" packets, for example.


> If we decide that it is appropriate then we will certainly _not_ be
> doing it the way you did it before. That broke lots of people's setups
> including nmbd on samba.anu.edu.au. The right way to do it is to only
> fetch the SID when the first such foreign logon datagram comes in. It
> is totally wrong to make nmbd exit because it _might_ receive a domain
> logon request for a foreign domain! If, when it does receive such a
> request, it can't get the SID then it should log a warning and ignore
> the packet. Not bloody exit.
> 
> ok?

sounds good to me, more like what NT does, only better.
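One shape for the on-demand SID lookup agreed on above, as an added illustration that is not Samba's nmbd code: the SID for a trusted domain is fetched only when the first logon datagram for that domain arrives, and a failed fetch logs a warning and drops the packet instead of exiting. The struct, the fetch_sid_from_pdc stub and the trust entries are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TRUSTED 8
#define SID_LEN 64

/* Assumed shape of a trust entry; not Samba's own structure. */
struct trusted_domain {
    const char *name;      /* NetBIOS domain name, e.g. FOREIGN_DOMAIN */
    const char *pdc;       /* PDC to hand back for logon requests */
    char sid[SID_LEN];     /* empty until fetched on first use */
    int sid_known;
};

/* Constructed trust table; DEADDOM's PDC never answers, for the failure path. */
static struct trusted_domain trusted[MAX_TRUSTED] = {
    { "OTHERDOM", "OTHERPDC", "", 0 },
    { "DEADDOM",  "DEADPDC",  "", 0 },
};

/* Stand-in for the real fetch (an RPC to the trusted PDC): constructed to
 * succeed for every domain except DEADDOM. */
static int fetch_sid_from_pdc(struct trusted_domain *d) {
    if (strcmp(d->name, "DEADDOM") == 0) return -1;
    snprintf(d->sid, SID_LEN, "S-1-5-21-CONSTRUCTED-%s", d->name);
    return 0;
}

enum logon_result { LOGON_REPLY, LOGON_IGNORED_UNKNOWN, LOGON_IGNORED_NO_SID };

/* Called per SAMLOGON datagram for a non-local domain; never exits the daemon. */
enum logon_result handle_foreign_samlogon(const char *domain, const char **pdc_out) {
    for (int i = 0; i < MAX_TRUSTED && trusted[i].name; i++) {
        struct trusted_domain *d = &trusted[i];
        if (strcmp(d->name, domain) != 0) continue;
        if (!d->sid_known) {                 /* first request: fetch the SID now */
            if (fetch_sid_from_pdc(d) != 0) {
                fprintf(stderr, "warning: no SID for %s, ignoring packet\n", domain);
                return LOGON_IGNORED_NO_SID;
            }
            d->sid_known = 1;
        }
        *pdc_out = d->pdc;
        return LOGON_REPLY;
    }
    return LOGON_IGNORED_UNKNOWN;            /* not a trusted domain: drop it */
}
```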


