[PATCH][WIP] AD Subdomain support for Samba 4.2?

[Andrew Bartlett]

On Mon, 2014-08-11 at 17:50 +1200, Andrew Bartlett wrote:
> OK, so now I have your attention :-)
> 
> I'm making very good progress on the subdomain code, and it can be seen
> at
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/subdomain
> 
> The patch series is still a work in progress, but I'm trying to make it
> tidy enough for folks to reasonably look at.  Thoughts, comments and if
> you feel like it, review (but not push, I'll collect them up and push
> them once I'm happy with the series), most welcome.
> 
> The TODO Items that I see are:
>  - sort out what rules windows uses to decide permission to call
> DsReplicaUpdateRefs as our current code doesn't work well cross-domain.
> I think we probably just need to rely on the PAC and membership of the
> right groups.
>  - connect the trusted domain passwords in sam.ldb with the
> pdb_samba_dsdb code.  This does not look hard, and should then allow
> winbindd to handle the NTLM forwarding.
>  - Do not create in provision the groups that "only exist at the forest
> root".
> 
> No doubt there will be much more work beyond that, and in reality this
> might be a Samba 4.3 feature, but much can change with a little help.  
> 
> I'm mostly testing in 'make test' right now, but have done some very
> limited join testing Samba as a subdomain of Windows 2008R2.  Testing
> other combinations would be very welcome. 
> 
> Please help out if you can!

Just a quick note to say that with my subdomain-wip branch, I've
successfully authenticated to Samba using a NTLM password in a trusted,
parent domain.  

I've also done this while enforcing SMB Signing on the winbindd
connections.  I'll clean up the patches this week, and look to how we
can get this functionality into Samba 4.2.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba