s4-11 interdomain trusts

Andrew Bartlett abartlet at samba.org
Thu Mar 11 20:12:35 MST 2010


On Thu, 2010-03-11 at 11:38 -0800, Matthew Geddes wrote:
> On 10 March 2010 11:25, simo <idra at samba.org> wrote:
> 
> > On Wed, 2010-03-10 at 11:17 -0800, Matthew Geddes wrote:
> > > On 10 March 2010 10:55, simo <idra at samba.org> wrote:
> > >
> > > > I haven't yet attacked the problem, as a client samba 4 lacks a lot of
> > > > stuff and that is a pre-requisite to be able to connect to another DC to
> > > > do any operation,
> > >
> > >
> > > What sorts of things? I'd like to take a look.
> >
> > DNS client library with DNS+CLDAP ping discovery for example.
> >
> 
> I'm not sure what the relationship between a DNS client library and CLDAP
> would be. Sure, we'd pull some of the fields from the CLDAP netlogon query
> response and do DNS lookups on those, but apart from that, I'm at a loss.
> What am I missing?
> 
> What else is needed?
> 
> Apologies for the delay in getting this patch to you. I'll give you a quick
> run through what the changes are by filename:

Is there any chance you could re-send them in 'git format-patch' format?

See http://wiki.samba.org/index.php/Contribute and 
http://wiki.samba.org/index.php/Using_Git_for_Samba_Development

This will help us quickly pull in the easy changes, while concentrating
later on the ones that need some greater thought and review. 

>  * auth/ntlm/auth_winbind.c
> 
> Saw a segfault. Made it stop.
> 
>  * rpc_server/lsa/dcesrv_lsa.c
>  * dsdb/common/util.c
> 
> When we add a trust, we were writing a string, but attempting to read a
> dom_sid structure. We could have fixed this by going the other way and
> keeping it a string all over, but Windows 2003 seems to keep it binary too,
> so I picked that.

I agree about the rpc_server changes, but why try and change the common
utility functions?  I would rather not see those functions
auto-convert.  

>  * rpc_server/netlogon/dcerpc_netlogon.c
> 
> When enumerating domain trusts, enumerate domain trusts as well as just us.
> 
>  * kdc/hdb-samba4.c
> 
> In general, both principal->name.name_string.val[1] and principal->realm
> will both be our domain, but in the case where we're requesting a TGT for a
> trusted host, principal->name.name_string.val[1] will be the trusted realm.

OK.  I'll need to look at this carefully. 

> Overall, it doesn't complete the interdomain trust stuff, but it gets us
> part of the way there.

Indeed!

Thank you so much for doing this.  The inter-domain trusts area is vital
for Samba4, but has not had much attention until now. 


Andrew Bartlett


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
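The dcesrv_lsa.c / util.c item above is a format mismatch: the trust's SID was stored as text but read back as a binary dom_sid. The following is an added example (not from the patch or from Samba's own code) that shows why the two forms are not interchangeable: a parser for the text form "S-1-5-...", a serialiser to the binary layout, and the validity check a reader should apply before treating a stored value as a binary SID. The struct and function names (struct sid, sid_parse_string, sid_to_blob, sid_blob_is_valid) are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal in-memory SID (assumed layout for this example, not Samba's dom_sid). */
struct sid { uint8_t rev, num_auths, id_auth[6]; uint32_t sub_auths[15]; };

/* Parse the text form "S-1-5-21-..." into the struct; returns 0 on success. */
int sid_parse_string(const char *s, struct sid *out)
{
    unsigned long long v; char *end; const char *p;
    memset(out, 0, sizeof(*out));
    if (s[0] != 'S' || s[1] != '-') return -1;
    v = strtoull(s + 2, &end, 10);                       /* revision */
    if (end == s + 2 || *end != '-' || v > 255) return -1;
    out->rev = (uint8_t)v;
    p = end + 1;
    v = strtoull(p, &end, 10);                           /* 48-bit identifier authority */
    if (end == p || v > 0xffffffffffffULL) return -1;
    for (int i = 0; i < 6; i++) out->id_auth[i] = (uint8_t)(v >> (8 * (5 - i)));
    while (*end == '-') {                                /* sub-authorities */
        if (out->num_auths == 15) return -1;
        p = end + 1;
        v = strtoull(p, &end, 10);
        if (end == p || v > 0xffffffffULL) return -1;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

/* Serialise to the binary layout: rev, count, big-endian authority, LE sub-authorities. */
size_t sid_to_blob(const struct sid *in, uint8_t *buf, size_t len)
{
    size_t need = 8 + 4 * (size_t)in->num_auths;
    if (len < need) return 0;
    buf[0] = in->rev; buf[1] = in->num_auths;
    memcpy(buf + 2, in->id_auth, 6);
    for (int i = 0; i < in->num_auths; i++)
        for (int b = 0; b < 4; b++)
            buf[8 + 4 * i + b] = (uint8_t)(in->sub_auths[i] >> (8 * b));
    return need;
}

/* Check a stored value really is a binary SID before reading it as one; the text
 * form "S-1-5-..." fails because its first byte is 'S', not revision 1. */
int sid_blob_is_valid(const uint8_t *buf, size_t len)
{
    return len >= 8 && buf[0] == 1 && buf[1] <= 15 && len == 8 + 4 * (size_t)buf[1];
}
```

Storing one form and reading the other is exactly the case the check rejects; a reader that skips it will interpret the ASCII bytes of the text form as a revision, a count and sub-authorities.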
