LSA forest trust tests

Sumit Bose sbose at redhat.com
Mon Dec 12 01:57:00 MST 2011


On Sat, Dec 10, 2011 at 03:07:01PM +1100, Andrew Bartlett wrote:
> Sumit,
> 
> I've been looking into the rpc.lsa.forest.trust test that you wrote,
> because running it against Samba4 found some segfaults, and it looks
> like a really good way to properly cover our inter-domain trust logic.  
> 
> However in doing this, I have some questions:
> 
> Which version of Windows and what functional level is this expected to
> pass against? I'm guessing it was written to Win2008 with functional
> level Windows 2000, but I wanted to double-check.  

I think it was Win2008 with a functional level Win2008, but I'm not sure
since I deleted the test environment some time ago. I did test with
Windows 2003 R3 as well, but mostly I used Win2008. So chances are that
the current version might have some issues with 2003 as you mention
below.

> 
> The reason that I'm a little confused is that this test expects that
> both LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES exist, and
> TRUST_ATTRIBUTE_FOREST_TRANSITIVE be supported.  I've been testing with
> Windows 2003 R2 in functional level Windows 2003 R2, and that particular
> combination supports neither, so I have modified the test to cope.
> 

ok

> I also cannot find any instance where this test is currently run in
> Samba, so I presume it was written for some manual testing.  Can you
> fill me in on any details I should know of, so I can avoid breaking it
> as I fix up the test?

I used the test primarily to test the work I did for IPA. Günther is
planning to enhance tdbsam so that the tests can also be used with 'make
check'. Since he hasn't started I think your changes will not break
anything.

> 
> I would also like to modify the test to not use a fixed password, but to
> generate a random one at runtime.  This will avoid leaving fixed
> passwords on domains that may have been placed under test if the test is
> interrupted and the trust not removed.  Would that be OK?

Yes, please do. It would be nice if you can send me a note when you are
done. Then I will check if my environment still passes the new tests
which I expect to be more rigid and profound than my simple ones.

Thank you.

bye,
Sumit

> 
> My changes so far are in:
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/fix-trusts
> 
> Thanks,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
> 

