[PATCH] PASSDB: add support for enumerating UPN suffixes

Alexander Bokovoy ab at samba.org
Wed Apr 3 08:37:42 MDT 2013


Hi,

at
https://git.samba.org/?p=ab/samba.git/.git;a=shortlog;h=refs/heads/s3-passdb
please find a set of patches to add support for enumerating UPN suffixes
associated with a forest smbd is serving.

This is needed for the cases like FreeIPA cross-realm forest trusts where
additional DNS domains may be associated with the realm. The patchset
exposes additional DNS domains to a requester (AD DC) via
netr_GetForestTrustInformation and netr_DsRGetForestTrustInformation. In
the latter case this is done only for a condition when trusted_domain_name
is NULL, as described in MS-NRPC and in source4/torture/rpc/netlogon.c.

FreeIPA's implementation for pdb_enum_upn_suffixes() is here:
http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cc56723151c9ebf58d891e85617319d861af14a4

Here is a screenshot of what it looks like from a Windows Server 2012 side:
http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png

Note that suffixes are disabled by default when imported, this is normal
Windows behavior.

In order to implement the same for Samba AD DC code we would need to define
some schema and tree location to store the suffixes. In the FreeIPA case we use
the domainRelatedObject object class and associatedDomain attribute to store the
list of domains. These are a standard LDAP object class and attribute and
they could be reused.

The same applies to the ldapsam module: we need to define where and how to store the
suffixes.

Currently source4/torture/rpc/forest_trust.c expects in
test_validate_trust() that only the primary domain's DNS name is returned by
netr_GetForestTrustInformation(). This will need to change when support for
UPN suffixes is added in Samba AD DC code.

pdb_set_upn_suffixes() was added from the perspective of making it possible to
modify the suffixes from the 'net' utility.
-- 
/ Alexander Bokovoy