[PATCH] fix Samba3 LSA CreateTrustedDomainsEx2

Andrew Bartlett abartlet at samba.org
Fri Mar 2 14:30:19 MST 2012

On Fri, 2012-03-02 at 21:53 +0200, Alexander Bokovoy wrote:
> Hi,
> I found out when using samba4 python bindings that the same code to
> establish trusts works against Windows 2008 R2 DC but doesn't work
> against Samba3. On deeper inspection it appeared that LSA
> CreateTrustedDomainsEx2 implementation in Samba 3 ignores the fact
> that only up to 16 bytes of session key are used for encryption of
> authentication blob. Samba 4 code does automatically limit session key
> to 16 bytes when attempting to encrypt/decrypt the authentication
> blob, thus is working well.
> Attached patch fixes the issue and makes sure we re-use common code to
> extract the parts of the authentication blob. With it I'm now able to
> successfully establish cross-forest trust between Windows 2008 R2 and
> Samba 3 with FreeIPA 3 backend (in development).
> I'll make sure there is torture test to cover the situation, however,
> it would require parallel use of two DCs, how should this be done with
> autobuild in mind?

Yes, the selftest environment can run quite complex things.  You can
join s3dc or a new env to one of the Samba4 domains if you want.  We
already join a s3 AD domain member to 'dc' as s3member, and that might
be a good guide.  I'm very happy to either review, guide or assist in
any reasonable way as you navigate our selftest system.

On the patch, I suspect the layer at which the session key is being
truncated is incorrect - we should be truncating it when it is imported
into the dce/rpc stack, otherwise this will just fail on another call,
like SAMR password setting. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list