[PATCH] [WIP] Connecting to trusted domains using a machine account in the classic DC
Stefan (metze) Metzmacher
metze at samba.org
Wed Dec 11 11:36:13 MST 2013
On 11.12.2013 05:22, Andrew Bartlett wrote:
> I've been trying to sort out our handling of trusted domains when we are
> a DC in the source3 winbindd code. This came up for a client, but is
> also critical to the move to use the source3 winbindd for the AD DC.
> I was intrigued by your patch
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=77f38b1b904609e75fec99b0ac20d0a5a1df1e58 because it removes the call to is_dc_trusted_domain_situation()
> The reason I'm interested is that anonymous connections prevent both us
> enforcing smb signing, and will fail to a DC that has the equivalent of
> our "restrict anonymous = 2" set.
> The change appears to date back to:
> commit a493c7baac311e9ac0a560e4412d07df150f4407
> Author: Michael Adam <obnox at samba.org>
> Date: Tue Dec 11 15:39:36 2007 +0100
> Streamline and fix logic of cm_prepare_connection().
> Do not attempt to do a session setup when in a trusted domain
> situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
> Use get_trust_pw_clear to get machine trust account.
> Only call this when the result is really used.
> Use the proper domain and account name for session setup.
> (This used to be commit 18c66a364e0ddc4960769871ca190944f7fe5c44)
> Sadly, Michael is totally correct, we can't use the domain trust account
> like this. For a two-way trust, what we need to do is use our own
> machine trust account. Sadly in master, you can't 'net rpc join'
> against yourself as a classic domain controller.
> The attached patch series takes metze's patch, and reworks it so that it
> works in the classic DC trusting AD mode, using an authenticated and
> signed connection.
> Naturally, the difficult part we need to first verify is if the other
> domain trusts *us* as otherwise we need to fall back to anonymous (but
> there are other issues with one-way trusts anyway).
> What do you think of this approach?
I'd like to do some testing with windows first. Using our own machine
and relying on a 2 way trust is ugly; we should only do it if windows
also does it.
Can you do some captures of windows to windows trusts?