[PATCH] [WIP] Connecting to trusted domains using a machine account in the classic DC

Stefan (metze) Metzmacher metze at samba.org
Wed Dec 11 11:36:13 MST 2013


Am 11.12.2013 05:22, schrieb Andrew Bartlett:
> Metze,
> 
> I've been trying to sort out our handling of trusted domains when we are
> a DC in the source3 winbindd code.  This came up for a client, but is
> also critical to the move to use the source3 winbindd for the AD DC.
> 
> I was intrigued by your patch
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=77f38b1b904609e75fec99b0ac20d0a5a1df1e58 because it removes the call to is_dc_trusted_domain_situation()
> 
> The reason I'm interested is that anonymous connections prevent both us
> enforcing smb singing, and will fail to a DC that has the equivalent of
> our "restrict anonymous = 2" set. 
> 
> The change appears to date back to:
> 
> commit a493c7baac311e9ac0a560e4412d07df150f4407
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 15:39:36 2007 +0100
> 
>     Streamline and fix logic of cm_prepare_connection().
>     
>     Do not attempt to do a session setup when in a trusted domain
>     situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
>     
>     Use get_trust_pw_clear to get machine trust account.
>     Only call this when the results is really used.
>     Use the proper domain and account name for session setup.
>     
>     Michael
>     (This used to be commit 18c66a364e0ddc4960769871ca190944f7fe5c44)
> 
> Sadly, Michael is totally correct, we can't use the domain trust account
> like this.  For a two-way trust, what we need to do is use our own
> machine trust account.  Sadly in master, you can't 'net rpc join'
> against yourself as a classic domain controller.
> 
> The attached patch series takes metze's patch, and reworks it so that it
> works in the classic DC trusting AD mode, using an authenticated and
> signed connection.
> 
> Naturally, the difficult part we need to first verify is if the other
> domain trusts *us* as otherwise we need to fall back to anonymous (but
> there are other issues with one-way trusts anyway). 
> 
> What do you think of this approach?

I'd like to do some testing with windows first, using our own machine
account
and relying on a 2 way trust is ugly, we should only do it if windows
also does it.

Can you do some captures of windows to windows trusts?

metze


More information about the samba-technical mailing list