s4-11 interdomain trusts

simo idra at samba.org
Wed Mar 10 11:15:04 MST 2010


On Wed, 2010-03-10 at 10:10 -0800, Matthew Geddes wrote:
> Hi,
> 
> I've been poking about a little with interdomain trusts with Samba 4 alpha
> 11 with some success. I found a couple of problems that I'll send patches
> for soon, but I have Windows Server 2003 forming a one-way trust with Samba
> 4 where we trust the Windows domain and it doesn't trust us (i.e., netdom
> trust samba /domain:windows). A Samba 3 member of that domain calling
> LsaEnumTrusts will get back a list of trusted domains, as does calling the
> RPC directly using rpcclient.
> 
> The issue I'm currently hitting is that when a client from the windows
> domain hits the Samba 3 server (member of S4 domain) and uses credentials
> from the windows domain, the Samba 3 server makes a netrLogonSamLogon call
> against Samba 4, which barfs because it's not one of its local domains (true
> enough). I'm guessing Samba 4 needs to send the Windows DC a
> netrLogonSamLogon in that case and return the response it gets back to the
> Samba 3 host.
> 
> Has anyone else been looking into this particular part of the trust chain?
> Does anyone have any guidance about the best place to implement it in S4 (as
> a separate auth backend? in the rpc server? In s4 winbindd?)? I couldn't see
> anything in git master that looked like it did what I'm looking for -- did I
> miss it?
> 
> Thanks in advance.

Matthew, I am looking into cross-forest trusts, which present some of the
same problems.

As far as I could see, in Samba 4 we totally lack any infrastructure to
do netlogon calls on behalf of clients so anything NTLM based is
confined to the specific S4 server being contacted.

In Samba 3.x that is done by winbind.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
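As an added illustration (not code from this thread or from Samba), here is a small Python model of the routing decision Matthew describes: a DC receiving netrLogonSamLogon for an account in a domain it does not hold must either reject it (the current S4 behaviour he hit) or pass it through to the DC of the trusted domain. The domain names, SAM entries, status labels and the `route_logon`/`FORWARDERS` names are all constructed for the example; the forwarder is a stand-in for the real call over the trust's secure channel.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Constructed sample data: this DC's own domain and the domains it trusts
# (outbound trusts, the same set a member server sees via LsaEnumTrusts).
LOCAL_DOMAINS: Set[str] = {"SAMBA4"}
TRUSTED_DOMAINS: Dict[str, str] = {"WINDOWS": "dc1.windows.example"}

# Constructed SAM databases. Plaintext passwords only for the simulation;
# a real DC validates NT hashes / challenge responses, never plaintext.
LOCAL_SAM = {"alice": "alice-pw"}
WINDOWS_DC_SAM = {"bob": "bob-pw"}


@dataclass(frozen=True)
class LogonResult:
    ok: bool
    status: str         # constructed status labels, not NT_STATUS codes
    validated_by: str   # which DC actually checked the credentials


def validate_against(sam: Dict[str, str], user: str, password: str, dc: str) -> LogonResult:
    """Simulated local SAM lookup on the named DC."""
    if sam.get(user) == password:
        return LogonResult(True, "OK", dc)
    return LogonResult(False, "LOGON_FAILURE", dc)


# Stand-in for the netrLogonSamLogon the DC would issue to the trusted DC.
# Keyed by target DC so a request is never forwarded to an unlisted host.
Forwarder = Callable[[str, str, str], LogonResult]


def windows_dc_forwarder(dc: str, user: str, password: str) -> LogonResult:
    return validate_against(WINDOWS_DC_SAM, user, password, dc)


FORWARDERS: Dict[str, Forwarder] = {"dc1.windows.example": windows_dc_forwarder}


def route_logon(domain: str, user: str, password: str, *, forward: bool) -> LogonResult:
    """Decide who validates a netrLogonSamLogon for DOMAIN\\user.

    forward=False models the behaviour described in the thread: anything that
    is not a local domain is rejected outright.  forward=True models the
    missing pass-through: the request goes to the trusted domain's DC, but only
    for domains present in the trust table; unknown domains are still refused.
    """
    domain = domain.upper()
    if domain in LOCAL_DOMAINS:
        return validate_against(LOCAL_SAM, user, password, "samba4-dc")
    if not forward:
        return LogonResult(False, "NOT_LOCAL_DOMAIN", "samba4-dc")
    target_dc = TRUSTED_DOMAINS.get(domain)
    if target_dc is None:
        # No trust with this domain: refuse without forwarding anywhere.
        return LogonResult(False, "NO_TRUST", "samba4-dc")
    return FORWARDERS[target_dc](target_dc, user, password)


if __name__ == "__main__":
    cases = (("SAMBA4", "alice", "alice-pw"), ("WINDOWS", "bob", "bob-pw"), ("OTHER", "eve", "x"))
    for fwd in (False, True):
        for dom, u, p in cases:
            print(f"forward={fwd} {dom}\\{u}: {route_logon(dom, u, p, forward=fwd)}")
```

The point of the trust-table check is that pass-through authentication must be bounded by the configured trusts: the DC forwards only to DCs it already has a trust relationship with, and a request for an unknown domain fails the same way whether or not the account exists, so the forwarding path leaks nothing about domains this DC does not trust.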