s4-11 interdomain trusts

simo idra at samba.org
Thu Mar 11 22:18:35 MST 2010


On Thu, 2010-03-11 at 11:38 -0800, Matthew Geddes wrote:
> On 10 March 2010 11:25, simo <idra at samba.org> wrote:
> 
> > On Wed, 2010-03-10 at 11:17 -0800, Matthew Geddes wrote:
> > > On 10 March 2010 10:55, simo <idra at samba.org> wrote:
> > >
> > > > I haven't yet attacked the problem, as a client samba 4 lacks a lot of
> > > > stuff and that is a pre-requisite to be able to connect to another DC to
> > > > do any operation,
> > >
> > >
> > > What sorts of things? I'd like to take a look.
> >
> > DNS client library with DNS+CLDAP ping discovery for example.
> >
> 
> I'm not sure what the relationship between a DNS client library and CLDAP
> would be. Sure, we'd pull some of the fields from the CLDAP netlogont query
> response and do DNS lookups on those, but apart from that, I'm at a loss.
> What am I missing?

Windows checks both through DNS and CLDAP calls to find the right server
to contact. Both checks are often part of the same discovery mechanism
and are used at the same time.

> What else is needed?
> 
> Apologies for the delay in getting this patch to you. I'll give you a quick
> run through what the changes are by filename:
> 
>  * auth/ntlm/auth_winbind.c
> 
> Saw a segfault. Made it stop.
> 
>  * rpc_server/lsa/dcesrv_lsa.c
>  * dsdb/common/util.c
> 
> When we add a trust, we were writing a string, but attempting to read a
> dom_sid structure. We could have fixed this by going the other way and
> keeping it a string all over, but Windows 2003 seems to keep it binary too,
> so I picked that.
> 
>  * rpc_server/netlogon/dcerpc_netlogon.c

Matthew, you should really use git and the master tree, I have already
coded and committed code that properly covers both your proposed changes
a few weeks ago.
Working on alpha11 is not really a good idea.

> When enumerating domain trusts, enumerate domain trusts as well as just us.
> 
>  * kdc/hdb-samba4.c
> 
> In general, both principal->name.name_string.val[1] and principal->realm
> will both be our domain, but in the case where we're requesting a TGT for a
> trusted host, principal->name.name_string.val[1] will be the trusted realm.

I need to verify this, so far I haven't seen problems with the little
experimentation I could do.

> Overall, it doesn't complete the interdomain trust stuff, but it gets us
> part of the way there.

Yes a little step for a man .... :)

Please use master, and possibly git, it will help.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
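As an added example (not code from this thread or from Samba), here is a decoder for the CLDAP netlogon reply Matthew mentions, the NETLOGON_SAM_LOGON_RESPONSE_EX structure whose layout MS-ADTS documents; it is the packet a client parses to pick a DC before any DNS lookups on the returned names. The host, domain and site names in the sample blob are constructed, and the optional trailing fields selected by NtVersion are not handled.

```python
import struct
DS_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC", 0x100: "WRITABLE"}

def read_name(buf, pos):
    """Read one DNS-style compressed name at pos; return (name, position after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:              # 2-byte pointer, offset from blob start
            jumps += 1
            if jumps > 16:                     # bound pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2                  # the name ends after its first pointer
            pos = struct.unpack_from(">H", buf, pos)[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("utf-8"))
        pos += length
    return ".".join(labels), (pos if end is None else end)

def decode_netlogon_ex(buf):
    """Decode NETLOGON_SAM_LOGON_RESPONSE_EX (MS-ADTS 6.3.1.8), no optional trailer."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
    if opcode != 0x17:                         # LOGON_SAM_LOGON_RESPONSE_EX
        raise ValueError("unexpected opcode 0x%x" % opcode)
    out, pos = {"domain_guid": buf[8:24].hex()}, 24
    for key in ("forest", "domain", "host", "nb_domain", "nb_host",
                "user", "dc_site", "client_site"):
        out[key], pos = read_name(buf, pos)
    out["nt_version"], out["lm_nt_token"], out["lm_token"] = struct.unpack_from("<IHH", buf, pos)
    out["flags"] = sorted(n for bit, n in DS_FLAGS.items() if flags & bit)
    return out

def enc(name):
    """Uncompressed labels for a name's first occurrence (empty name -> one zero byte)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def build_sample():
    """Constructed reply (not a capture) from dc1.samba.example, reusing names via pointers."""
    ptr = lambda off: struct.pack(">H", 0xC000 | off)
    blob = struct.pack("<HHI", 0x17, 0, 0x1 | 0x8 | 0x10 | 0x20 | 0x100) + bytes(16)
    forest_at = len(blob)
    blob += enc("samba.example") + ptr(forest_at)       # DnsForestName, DnsDomainName
    blob += b"\x03dc1" + ptr(forest_at)                 # DnsHostName = dc1.samba.example
    blob += enc("SAMBA") + enc("DC1") + enc("")         # NetBIOS names, empty UserName
    site_at = len(blob)
    blob += enc("Default-First-Site-Name") + ptr(site_at)   # DcSiteName, ClientSiteName
    return blob + struct.pack("<IHH", 5, 0xFFFF, 0xFFFF)    # NtVersion, LmNtToken, LmToken
```

The jump bound in read_name is the part worth keeping: a reply whose pointer refers back to itself would otherwise spin the locator forever.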
