[PATCH] [WIP] Connecting to trusted domains using a machine account in the classic DC

Andrew Bartlett abartlet at samba.org
Tue Dec 10 21:22:07 MST 2013


Metze,

I've been trying to sort out our handling of trusted domains when we are
a DC in the source3 winbindd code.  This came up for a client, but is
also critical to the move to use the source3 winbindd for the AD DC.

I was intrigued by your patch
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=77f38b1b904609e75fec99b0ac20d0a5a1df1e58
because it removes the call to is_dc_trusted_domain_situation()

The reason I'm interested is that anonymous connections both prevent us
from enforcing SMB signing, and will fail against a DC that has the
equivalent of our "restrict anonymous = 2" set.

The change appears to date back to:

commit a493c7baac311e9ac0a560e4412d07df150f4407
Author: Michael Adam <obnox at samba.org>
Date:   Tue Dec 11 15:39:36 2007 +0100

    Streamline and fix logic of cm_prepare_connection().
    
    Do not attempt to do a session setup when in a trusted domain
    situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
    
    Use get_trust_pw_clear to get machine trust account.
    Only call this when the result is really used.
    Use the proper domain and account name for session setup.
    
    Michael
    (This used to be commit 18c66a364e0ddc4960769871ca190944f7fe5c44)

Sadly, Michael is totally correct: we can't use the domain trust account
like this.  For a two-way trust, what we need to do is use our own
machine trust account.  Sadly, in master you can't 'net rpc join'
against yourself as a classic domain controller.

The attached patch series takes metze's patch, and reworks it so that it
works in the classic DC trusting AD mode, using an authenticated and
signed connection.

Naturally, the difficult part is that we first need to verify whether the
other domain trusts *us*, as otherwise we need to fall back to anonymous
(but there are other issues with one-way trusts anyway).

What do you think of this approach?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
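The credential choice argued for above, as an added example that is not part of the original mail or of Samba's code: a classic DC deciding what to present at session setup to a trusted domain's DC. The TrustDirection bit values are those of Samba's lsa.idl; the Connection type, the choose_credentials/can_connect functions, the trust-account naming check and the sample inputs are constructed here for illustration and are not the attached patches' logic.

```python
# Added example (not Samba code): a model of the credential choice the mail
# argues for when a classic DC connects to a DC of a trusted domain.
# TrustDirection values match Samba's librpc/idl/lsa.idl; everything else
# (Connection, CannotConnect, choose_credentials, can_connect, sample data)
# is constructed here for illustration.
from dataclasses import dataclass
from enum import IntFlag
from typing import Optional


class TrustDirection(IntFlag):
    """LSA trust direction bits (values as in Samba's lsa.idl)."""
    INBOUND = 0x1    # the remote domain trusts us: it accepts our machine account
    OUTBOUND = 0x2   # we trust the remote domain


@dataclass(frozen=True)
class Connection:
    domain: Optional[str]    # domain and account both None means anonymous
    account: Optional[str]
    signed: bool             # anonymous session setups cannot be signed


class CannotConnect(Exception):
    """Raised when no acceptable session setup exists for this trust."""


def choose_credentials(our_domain: str, our_machine_account: Optional[str],
                       remote_domain: str, direction: TrustDirection,
                       require_signing: bool,
                       remote_restrict_anonymous: int = 0) -> Connection:
    """Pick what to present at session setup to a DC of remote_domain.

    - Never present the interdomain trust account (OURDOM$, held by the remote
      domain for us): a DC answers that with STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT.
    - If the trust is inbound (i.e. two-way) and we hold our own machine
      account, authenticate as OURDOM\\OURHOST$ on a signed connection.
    - Otherwise fall back to anonymous, which cannot satisfy a signing
      requirement and is refused by a DC with 'restrict anonymous = 2'.
    """
    trust_account = our_domain.upper() + "$"
    if our_machine_account and our_machine_account.upper() == trust_account:
        raise CannotConnect("interdomain trust account cannot be used for session setup")

    if direction & TrustDirection.INBOUND and our_machine_account:
        return Connection(domain=our_domain, account=our_machine_account, signed=True)

    # One-way trust (we trust them, they do not trust us), or no machine account yet.
    if require_signing:
        raise CannotConnect("anonymous connection cannot satisfy a signing requirement")
    if remote_restrict_anonymous >= 2:
        raise CannotConnect("remote DC rejects anonymous connections (restrict anonymous = 2)")
    return Connection(domain=None, account=None, signed=False)


def can_connect(**kwargs) -> bool:
    """True if choose_credentials finds an acceptable session setup."""
    try:
        choose_credentials(**kwargs)
    except CannotConnect:
        return False
    return True


if __name__ == "__main__":
    # Constructed scenarios: our classic domain OURDOM (PDC host account PDC$)
    # against an AD domain ADDOM, with and without an inbound trust.
    two_way = TrustDirection.INBOUND | TrustDirection.OUTBOUND
    print(choose_credentials("OURDOM", "PDC$", "ADDOM", two_way, require_signing=True))
    print(can_connect(our_domain="OURDOM", our_machine_account="PDC$",
                      remote_domain="ADDOM", direction=TrustDirection.OUTBOUND,
                      require_signing=True))
```

The decision table is the mail's argument in miniature: with an inbound trust the DC can use its own machine account and keep signing mandatory, while a one-way outbound trust leaves only anonymous, which both loses signing and breaks against a remote DC that restricts anonymous access.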

-------------- next part --------------
Attached patch series (non-text attachments scrubbed by the list archive; patch files of type text/x-patch):

0001-TODO-runtime-tests-of-toggling-s3-passdb-add-pdb_get.patch (14967 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment-0007.bin
0002-winbindd_cm-credentials.patch (21736 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment-0006.bin
0003-s3-winbindd-Require-SMB-signing-by-default-to-disrup.patch (2669 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment-0005.bin
0004-Allow-net-rpc-join-against-ourself-to-get-a-machine-.patch (1042 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment-0004.bin
0005-winbindd-Use-own-machine-account-to-connect-to-trust.patch (2821 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment-0003.bin
0006-winbindd-Force-authentication-if-we-detect-SPNEGO-ex.patch (2479 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment-0002.bin
0007-auth-Allow-domain-join-to-itself-when-we-are-a-PDC.patch (916 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment-0001.bin
0008-winbindd-split-NETLOGON-from-normal-authentication.patch (4460 bytes)
  http://lists.samba.org/pipermail/samba-technical/attachments/20131211/5c04c67c/attachment.bin