[PATCH] [WIP] Connecting to trusted domains using a machine account in the classic DC

Andrew Bartlett abartlet at samba.org
Wed Dec 11 11:47:46 MST 2013

On Wed, 2013-12-11 at 19:36 +0100, Stefan (metze) Metzmacher wrote:
> Am 11.12.2013 05:22, schrieb Andrew Bartlett:
> > Metze,
> > 
> > I've been trying to sort out our handling of trusted domains when we are
> > a DC in the source3 winbindd code.  This came up for a client, but is
> > also critical to the move to use the source3 winbindd for the AD DC.
> > 
> > I was intrigued by your patch
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=77f38b1b904609e75fec99b0ac20d0a5a1df1e58 because it removes the call to is_dc_trusted_domain_situation()
> > 
> > The reason I'm interested is that anonymous connections prevent both us
> > enforcing smb signing, and will fail to a DC that has the equivalent of
> > our "restrict anonymous = 2" set.
> > 
> > The change appears to date back to:
> > 
> > commit a493c7baac311e9ac0a560e4412d07df150f4407
> > Author: Michael Adam <obnox at samba.org>
> > Date:   Tue Dec 11 15:39:36 2007 +0100
> > 
> >     Streamline and fix logic of cm_prepare_connection().
> >     
> >     Do not attempt to do a session setup when in a trusted domain
> >     situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
> >     
> >     Use get_trust_pw_clear to get machine trust account.
> >     Only call this when the result is really used.
> >     Use the proper domain and account name for session setup.
> >     
> >     Michael
> >     (This used to be commit 18c66a364e0ddc4960769871ca190944f7fe5c44)
> > 
> > Sadly, Michael is totally correct, we can't use the domain trust account
> > like this.  For a two-way trust, what we need to do is use our own
> > machine trust account.  Sadly in master, you can't 'net rpc join'
> > against yourself as a classic domain controller.
> > 
> > The attached patch series takes metze's patch, and reworks it so that it
> > works in the classic DC trusting AD mode, using an authenticated and
> > signed connection.
> > 
> > Naturally, the difficult part we need to first verify is if the other
> > domain trusts *us* as otherwise we need to fall back to anonymous (but
> > there are other issues with one-way trusts anyway). 
> > 
> > What do you think of this approach?
> I'd like to do some testing with windows first, using our own machine
> account and relying on a 2 way trust is ugly, we should only do it if
> windows also does it.

The testing was with Windows 2008.  I don't see we have any other option
other than to rely on the two-way trust, if we want authentication, and
without authentication we are vulnerable to all sorts of MITM attacks,
as well as to restrict anonymous issues.

Certainly we need to at least use the stored username/password (which is
what Samba 3.6 did, somehow).

> Can you do some captures of windows to windows trusts?

We can make fair comparisons with AD <-> AD trusts, but Windows NT4 <->
AD doesn't exist as a model for comparison any more.

I will note that the Windows connection back to Samba classic is
anonymous, and to avoid deadlocks we need to do the same when not
talking to an Active Directory domain.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
