[PATCH] fix Samba3 LSA CreateTrustedDomainsEx2

Alexander Bokovoy ab at samba.org
Fri Mar 2 12:53:06 MST 2012


I found out when using the samba4 python bindings that the same code to
establish trusts works against a Windows 2008 R2 DC but doesn't work
against Samba3. On deeper inspection it appeared that the LSA
CreateTrustedDomainsEx2 implementation in Samba 3 ignores the fact
that only up to 16 bytes of the session key are used for encryption of
the authentication blob. Samba 4 code does automatically limit the session
key to 16 bytes when attempting to encrypt/decrypt the authentication
blob, and thus works well.

The attached patch fixes the issue and makes sure we re-use common code to
extract the parts of the authentication blob. With it I'm now able to
successfully establish a cross-forest trust between Windows 2008 R2 and
Samba 3 with the FreeIPA 3 backend (in development).

I'll make sure there is a torture test to cover the situation; however,
it would require parallel use of two DCs. How should this be done with
autobuild in mind?
/ Alexander Bokovoy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Refactor-CreateTrustedDomainEx2-to-use-common-code-a.patch
Type: text/x-patch
Size: 5277 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120302/1560e69a/attachment.bin>
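
The mismatch described in the message above, as an added example that is not part of the original post or of the Samba patch: a client clamps the session key to 16 bytes before encrypting, and a server that keys the cipher with the whole session key cannot recover the blob. It assumes the cipher is RC4; `auth_blob_crypt` and `server_recovers_blob` are hypothetical names, and the key and blob are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define AUTH_KEY_MAX 16 /* only the first 16 session-key bytes are used, per the post */

/* Plain RC4 (assumed cipher); encryption and decryption are the same operation. */
static void rc4_crypt(const uint8_t *key, size_t key_len, uint8_t *buf, size_t len)
{
    uint8_t s[256], tmp;
    size_t i, j = 0, n;
    for (i = 0; i < 256; i++) s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + key[i % key_len]) & 0xff;
        tmp = s[i]; s[i] = s[j]; s[j] = tmp;
    }
    i = j = 0;
    for (n = 0; n < len; n++) {
        i = (i + 1) & 0xff;
        j = (j + s[i]) & 0xff;
        tmp = s[i]; s[i] = s[j]; s[j] = tmp;
        buf[n] ^= s[(s[i] + s[j]) & 0xff];
    }
}

/* Hypothetical helper: crypt a blob with the key clamped to 16 bytes. */
static void auth_blob_crypt(const uint8_t *key, size_t key_len, uint8_t *buf, size_t len)
{
    if (key_len > AUTH_KEY_MAX) key_len = AUTH_KEY_MAX;
    rc4_crypt(key, key_len, buf, len);
}

/* Returns 1 if the server recovers the client's plaintext; server_clamps=0 models the bug. */
int server_recovers_blob(size_t key_len, int server_clamps)
{
    uint8_t key[32], blob[24], wire[24];
    for (size_t i = 0; i < sizeof(key); i++) key[i] = (uint8_t)(0xA0 + i); /* constructed key */
    memcpy(blob, "constructed-auth-blob!!!", sizeof(blob));               /* constructed blob */
    memcpy(wire, blob, sizeof(wire));
    auth_blob_crypt(key, key_len, wire, sizeof(wire));          /* client clamps the key */
    if (server_clamps) auth_blob_crypt(key, key_len, wire, sizeof(wire));
    else rc4_crypt(key, key_len, wire, sizeof(wire));           /* server uses the whole key */
    return memcmp(wire, blob, sizeof(blob)) == 0;
}

int main(void)
{
    printf("clamped=%d unclamped=%d\n", server_recovers_blob(32, 1), server_recovers_blob(32, 0));
    return 0;
}
```

With a session key of 16 bytes or fewer both behaviours agree, so the failure only appears when the transport hands over a longer session key.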
