While s3 is in ADS member server mode, the logic of listing domain users and groups in one-way trusts is reversed

Joshua Hawkinson jhawkinson at overlandstorage.com
Fri Mar 30 17:17:50 MDT 2012


Hello Samba Team,

While evaluating the one-way trust support in Samba I've noticed that the user/group listing behaviors are not correct. In a pure Windows environment the trusting domain and clients thereof can enumerate users from the trusted domain; this is because users from the trusted domain actually can access resources from the trusting domain, so the enumeration is necessary for share ACLs and whatnot. While a Samba server is joined to the trusting domain, it cannot enumerate users and groups from the trusted domain, but on the other hand if the Samba server joins the trusted domain, Samba can enumerate users from the trusting domain, which makes no sense because users from the trusting domain cannot access anything from the trusted domain. In conclusion it seems that user listing for one-way trusts is broken in a fundamental way.
I'm not entirely sure that the "broken" behavior matters to the average Samba user, as authentication when joined to the trusting domain actually works as it should. In our product setup we utilize Winbind's ability to enumerate users to produce selectable lists for share access control, so in our implementation Winbind produces the list incorrectly no matter which domain we are joined to. IIRC support for one-way trusts was added back in Samba 3.0 or 3.2, and I'm having a hard time believing that one-way trusts are that uncommon.
All of that aside, I wanted to run this by the team because it seems too oddly broken for it to be out there with no detected bug reports. Any thoughts on the matter?


Cheers
Joshua Hawkinson
Overland Storage, Inc.
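
The rule the post relies on (members of the trusting domain should be able to list accounts of the trusted domain, members of the trusted domain should not be able to list accounts of the domain that trusts them) can be turned into a check that runs against what winbind actually returns. The script below is an added example and is not code from the post or from the Samba project. It assumes the fixed-width table printed by `wbinfo -m --verbose` (columns "Domain Name", "DNS Domain", "Trust Type", "Transitive", "In", "Out") and reads the "Out" column as "the joined domain trusts the listed domain", i.e. the listed domain is the trusted side; both the sample table and the sample per-domain user lists are constructed to show the reversed behaviour described above.

```python
"""Decide which trusted domains winbind should be able to enumerate, then
compare that with what it actually returned.

Added example; this is not code from the post or from the Samba project.
Rule implemented (from the post): a member of the *trusting* domain must be
able to list users/groups of the *trusted* domain (those accounts can appear
in its share ACLs), while a member of the *trusted* domain has no business
listing accounts of the domain that trusts it.

Assumptions (not stated on the page): the table is the fixed-width layout of
`wbinfo -m --verbose`, and its "Out" column means "the joined domain trusts
the listed domain", so the listed domain is the trusted side.
"""
from dataclasses import dataclass

COLUMNS = ("Domain Name", "DNS Domain", "Trust Type", "Transitive", "In", "Out")

# Constructed sample, as seen from a member of CORP:
#   PARTNER is trusted by CORP (one-way, CORP -> PARTNER): Out=Yes, In=No
#   LEGACY trusts CORP        (one-way, LEGACY -> CORP):   In=Yes,  Out=No
SAMPLE_TRUSTS = """\
Domain Name     DNS Domain              Trust Type  Transitive  In   Out
BUILTIN                                 None        Yes         Yes  Yes
CORP            corp.example.invalid    None        Yes         Yes  Yes
PARTNER         partner.example.invalid External    No          No   Yes
LEGACY                                  External    No          Yes  No
"""

# Constructed result of `wbinfo -u --domain=<name>` per domain, showing the
# reversed behaviour the post describes: the trusted domain (PARTNER) comes
# back empty while the domain that merely trusts us (LEGACY) is listed.
SAMPLE_OBSERVED = {
    "CORP": ["CORP\\alice", "CORP\\bob"],
    "PARTNER": [],
    "LEGACY": ["LEGACY\\carol"],
}


@dataclass(frozen=True)
class Trust:
    name: str
    dns_name: str
    trust_type: str
    transitive: bool
    inbound: bool   # the listed domain trusts the joined domain
    outbound: bool  # the joined domain trusts the listed domain


def parse_trusted_domains(text):
    """Parse fixed-width wbinfo output by slicing at the header's column offsets.

    Slicing (rather than splitting on whitespace) keeps rows aligned when the
    DNS Domain cell is empty or a trust type contains a space ("In Forest").
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    starts, pos = [], 0
    for col in COLUMNS:
        pos = header.index(col, pos)
        starts.append(pos)
    bounds = list(zip(starts, starts[1:] + [None]))
    trusts = []
    for row in rows:
        name, dns, ttype, transitive, inb, outb = (row[a:b].strip() for a, b in bounds)
        trusts.append(Trust(name, dns, ttype, transitive == "Yes", inb == "Yes", outb == "Yes"))
    return trusts


def expected_enumerable(trusts, joined):
    """Domains whose accounts a member of `joined` should be able to list."""
    return {
        t.name for t in trusts
        if t.name != "BUILTIN"                 # only well-known groups live there
        and (t.name == joined or t.outbound)   # own domain, or a domain we trust
    }


def check_enumeration(trusts, joined, observed):
    """Return (missing, unexpected): trusted domains that came back empty, and
    domains that were listed although they only trust us."""
    expected = expected_enumerable(trusts, joined)
    missing = {d for d in expected if not observed.get(d)}
    unexpected = {d for d, users in observed.items() if users and d not in expected}
    return missing, unexpected


if __name__ == "__main__":
    trusts = parse_trusted_domains(SAMPLE_TRUSTS)
    missing, unexpected = check_enumeration(trusts, "CORP", SAMPLE_OBSERVED)
    print("should list but came back empty :", sorted(missing))
    print("listed but should not be        :", sorted(unexpected))
```

To run it against a real member server, replace SAMPLE_TRUSTS with the output of `wbinfo -m --verbose` and fill the observed dictionary from `wbinfo -u --domain=<name>` (or `wbinfo -g --domain=<name>` for groups) for each domain in the table; a non-empty "missing" or "unexpected" set is the symptom reported above. If your Samba build prints different column titles, adjust COLUMNS to match the header line.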

