SAMLOGON UDP request
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue Dec 15 17:22:14 GMT 1998
On Tue, 15 Dec 1998, Andrew Tridgell wrote:
> > yes, in an inter-domain environment. we look up the SID against the known
> > inter-domain trust SIDs and return the known PDC for that SID.
>
> great, that is the first possibly valid reason I've seen for having
> the SID in nmbd.
andrew, jeremy, remember that i can never or at least rarely come up with
immediate reasons (within two days); it usually takes me two to three
weeks. i still may know why something may not be a good idea, i just
can't justify it; the design is still partially subconscious.
> 1) the code I removed didn't do this.
that code is a subset of what is required.
> 2) doing this requires changes to much more than just
> nmbd_processlogon.c as requests for other domains won't even get that
> far. We'd have to change the code that determines if the domain name
> is a local name or add the foreign domains to our locally registered
> name list for each subnet. If we did the latter (which would probably
> be the right thing to do) then we'd need to go carefully through all
> the other datagram code and make sure we don't reply inappropriately
> to other requests.
don't worry: NT registers FOREIGN_DOMAIN<00> and on this name it answers
*all* requests that are sent to FOREIGN_DOMAIN<00>.
therefore we don't need to "reply inappropriately", we actually need to go
carefully through all the other datagram code to make sure that we _do_
reply appropriately.
i have seen foreign trusted domains sending each other "become backup
master browser" packets, for example.
> If we decide that it is appropriate then we will certainly _not_ be
> doing it the way you did it before. That broke lots of people's setups
> including nmbd on samba.anu.edu.au. The right way to do it is to only
> fetch the SID when the first such foreign logon datagram comes in. It
> is totally wrong to make nmbd exit because it _might_ receive a domain
> logon request for a foreign domain! If, when it does receive such a
> request, it can't get the SID then it should log a warning and ignore
> the packet. Not bloody exit.
>
> ok?
sounds good to me, more like what NT does, only better.