s4-11 interdomain trusts
Andrew Bartlett
abartlet at samba.org
Thu Mar 11 20:12:35 MST 2010
On Thu, 2010-03-11 at 11:38 -0800, Matthew Geddes wrote:
> On 10 March 2010 11:25, simo <idra at samba.org> wrote:
>
> > On Wed, 2010-03-10 at 11:17 -0800, Matthew Geddes wrote:
> > > On 10 March 2010 10:55, simo <idra at samba.org> wrote:
> > >
> > > > I haven't yet attacked the problem, as a client samba 4 lacks a lot of
> > > > stuff and that is a pre-requisite to be able to connect to another DC to
> > > > do any operation,
> > >
> > >
> > > What sorts of things? I'd like to take a look.
> >
> > DNS client library with DNS+CLDAP ping discovery for example.
> >
>
> I'm not sure what the relationship between a DNS client library and CLDAP
> would be. Sure, we'd pull some of the fields from the CLDAP netlogon query
> response and do DNS lookups on those, but apart from that, I'm at a loss.
> What am I missing?
>
> What else is needed?
>
> Apologies for the delay in getting this patch to you. I'll give you a quick
> run through what the changes are by filename:

Is there any chance you could re-send them in 'git format-patch' format?
See http://wiki.samba.org/index.php/Contribute and
http://wiki.samba.org/index.php/Using_Git_for_Samba_Development

This will help us quickly pull in the easy changes, while concentrating
later on the ones that need some greater thought and review.

> * auth/ntlm/auth_winbind.c
>
> Saw a segfault. Made it stop.
>
> * rpc_server/lsa/dcesrv_lsa.c
> * dsdb/common/util.c
>
> When we add a trust, we were writing a string, but attempting to read a
> dom_sid structure. We could have fixed this by going the other way and
> keeping it a string all over, but Windows 2003 seems to keep it binary too,
> so I picked that.

I agree about the rpc_server changes, but why try and change the common
utility functions? I would rather not see those functions
auto-convert.

> * rpc_server/netlogon/dcerpc_netlogon.c
>
> When enumerating domain trusts, enumerate domain trusts as well as just us.
>
> * kdc/hdb-samba4.c
>
> In general, both principal->name.name_string.val[1] and principal->realm
> will both be our domain, but in the case where we're requesting a TGT for a
> trusted host, principal->name.name_string.val[1] will be the trusted realm.

OK. I'll need to look at this carefully.

> Overall, it doesn't complete the interdomain trust stuff, but it gets us
> part of the way there.

Indeed!

Thank you so much for doing this. The inter-domain trusts area is vital
for Samba4, but has not had much attention until now.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.