[TNG] Status (?)

Elrond elrond at samba.org
Sat Jul 22 19:22:24 GMT 2000


Hi all of you,

This time, I'm trying to write a "status-report" for the
current cvs-version of TNG.


What happened in the last time
==============================

The release of 2.5(.3) is quite some time ago, so I don't
really know what happened since then, so I'm trying to write
the stuff that comes to my mind. ;)

Some annoying pipe-reusing has been fixed (it's only a
workaround). It is still interesting that it was only
reported for Suns, but it should have happened everywhere,
and I couldn't reproduce this myself.

Sander wrote some Smart Memory Allocator for the parser, so
maybe TNG is now a little faster, when it comes to big
things.

I've also tried to merge some things from HEAD, but some
would have meant more drastic modifications, so I didn't do
that. I've tried to merge some oplock-stuff from HEAD, but
I don't know anything about that, so that might be broken.

I've added some bunch of rpcclient-commands for viewing
privileges/rights on remote NT-boxes. Try: "enumprivs -i"
and "lsaenumsids -p" (for -p you need to be admin, the rest
work anonymously).

lsa_lookup_names/sids has been fixed to some degree, but
there are still issues left (never ending story/saga).

The server-side implementation of lsa_enum_trusted_domains
has been written. This means: If samba is trusting another
domain, the members of the samba-domain now know about this
trust and show the trusted domain in the logon-dialog and
other dialogs. This doesn't mean that this works any
further, nor the opposite (wasn't able to test). For
instructions on setting up trusts, see below.

The kickoff_time and the password_last_set-time were
exchanged on the wire and now should be correct.

Luke noted that multiple-pdu might be broken. This means
that large queries and responses will have problems; this
will especially affect printing, but also might affect
usrmgr in large domains and the like.

Printing isn't currently interesting to me, so I don't
know whether it works or not.

Someone noted some time ago, that password-changing doesn't
work. From rpcclient it works at least for me.

Also some internal restructuring happened to make TNG look
more like HEAD.


What I would like
=================

Okay, so much for that.


I won't be able to work on samba the whole next week, nor
will I be able to read mail or something like this.

This means that this is a good time to test current cvs,
since it won't change and people have a common basis to
discuss problems and research them.

So what I would like people to do: Test current cvs and try
out everything that is of interest.
If you get it to crash or find a real bug, please try to
write up a good bug-report to samba-ntdom (people on the
list should be able to help out with how to do so).
Otherwise write some _short_ status-report at the end of next
week, so I know what stuff works and what doesn't work;
for those things that don't work, please maybe also write
a short note on how important that would be.

If stuff looks good, I will ask Luke to make an
alpha-2.6 release. (So you could think of current cvs as
pre-2.6).


On my list, what should happen then is writing up some
internal support functions for using sidlc for DCE/RPC and
making policy-handles more secure.


Interdomain trust-relationships
===============================

Okay, I wrote above that I'm going to explain how to set up
those.

First of all, I have to write, that this all is still more
experimental than all of the rest, so don't expect
anything.

Okay, for simplicity, we have a samba-tng domain SAMBADOM
with its PDC SAMBAPDC, and the same on the NT-side: NTDOM
and NTPDC.

1. NTDOM trusts SAMBADOM

   (this was already described by someone, some time ago, so
    those might be able to give more help)

   Okay, this is quite simple to setup:
   - Go to SAMBAPDC and create the users ntpdc$ and ntdom$
     in your passwd.
   - Create both in your smbpasswd as
     interdom-trust-accounts with rpcclient:
       createuser ntdom$ -i
       createuser ntpdc$ -i
       samuserset ntdom$ -p somepw
       samuserset ntpdc$ -p somepw
     (use the _same_ pw above)
   - Go to ntpdc
   - Use usrmgr to tell ntpdc that it is trusting SAMBADOM
     and use the pw specified above.
   - If you know the registry key to stop the PDC from changing
     the trust-passwords at regular intervals, this will help,
     otherwise:
   - Every 2/4 weeks, the ntpdc will change the password,
     but it will only change the password on one of the
     two entries above, so you must copy the new pw over
     to the other.
     (My guess is, it will change the ntdom$-pw)

   One of my next things will be to get rid of those two
   entries and only have one, ntdom$

2. sambadom trusts ntdom

   This is more complex but should work to some degree:

   - Go to ntpdc and prepare the stuff there ("allowed to
     trust this domain")
   - IMPORTANT: Use a password that is precisely eight (8)
     characters long.
     (This has something to do with encryption, and we
     don't know yet the behaviour for other lengths that
     are not a multiple of 4.)
   - Add something like this to your smb.conf:
     trusted domains = ntdom=ntpdc
   - Run rpcclient -S ntpdc -U %
     [NTPDC]$ lsaq
     you need the Domain-SID from there.
   - Find the directory with the file SAMBADOM.SID in it.
   - Create a file NTDOM.SID there, with the only content
     being the above SID.
   - rpcclient -S . -U root% (as root)
     $ createsecret G$$NTDOM
     $ setsecret G$$NTDOM pw-for-trust
     (pw-for-trust is from above and exactly 8 chars long)

   That should be it. samba will not currently try to
   change the trust-pw, so you might need to tell your
   ntpdc that this is not necessary (no idea how to do
   that).


Okay, that's for it.


    Elrond



