[PATCH] Subdomain and trusted domain patches for master

Stefan (metze) Metzmacher metze at samba.org
Thu Aug 21 00:51:02 MDT 2014


Hi Andrew,

>> the major thing I'm missing in your patches is the usage of
>> the correct 'domainsid' in source4/dsdb/samdb/ldb_modules/descriptor.c
>> get_sd_unpacked().
>>
>> For the Applications partitions (dns) there's a msDS-SDReferenceDomain
>> attribute on the crossRef object.
> 
> Metze,
> 
> I'm sorry, but I've tried to understand what you mean by this, but I'm
> still lost.  Could you re-express it?

When we create an object (ldb_add()) we need to construct a
nTSecurityDescriptor value. This nTSecurityDescriptor
construction takes the sddl definition from the schema;
the conversion from sddl to a binary security_descriptor
requires a 'domainsid' as argument. Currently we always use
samdb_domain_sid(ldb), which is ok if we only have one domain
in the forest.

On a domain controller of a subdomain we need to find the correct
'domainsid' value for the current partition.

For domain partitions we need to use the sid of the domain.
For config and schema we need to use the sid of the forest root domain.
For all other (application) partitions we need to look at the
sid component of the extended dn in the msDS-SDReferenceDomain attribute.

The question was: are you aware of this, as it is currently not in
any of your patches?

metze
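The three-way rule above (domain partition, config/schema, application partition via the SID component of the msDS-SDReferenceDomain extended DN) as an added illustration, not Samba's own code from descriptor.c. It is written in Python rather than the C of the module under discussion, the forest layout, SIDs, GUIDs and attribute values are constructed, and the function names (`partition_of`, `domain_sid_for_partition`, `extended_dn_sid`) are hypothetical. The longest-suffix match in `partition_of` is the part that matters: an object under DC=DomainDnsZones,DC=sub,... also ends in the child domain's DN, so the application partition has to win over the domain partition.

```python
"""Choosing the 'domainsid' for the SDDL -> security_descriptor conversion,
per partition.  Added example, not Samba's code; all values are constructed."""
import re

# Constructed forest: a root domain and one child domain.
FOREST_ROOT_DN = "DC=example,DC=com"
DOMAIN_SIDS = {  # domain partition DN -> domain SID (constructed values)
    "DC=example,DC=com": "S-1-5-21-1111-2222-3333",
    "DC=sub,DC=example,DC=com": "S-1-5-21-4444-5555-6666",
}
# Application partitions -> msDS-SDReferenceDomain of their crossRef object,
# in extended-DN form.  GUIDs and SIDs are constructed placeholders.
SD_REFERENCE_DOMAIN = {
    "DC=ForestDnsZones,DC=example,DC=com":
        "<GUID=0d5c9f3a-0000-4000-8000-000000000001>;"
        "<SID=S-1-5-21-1111-2222-3333>;DC=example,DC=com",
    "DC=DomainDnsZones,DC=sub,DC=example,DC=com":
        "<GUID=0d5c9f3a-0000-4000-8000-000000000002>;"
        "<SID=S-1-5-21-4444-5555-6666>;DC=sub,DC=example,DC=com",
}
CONFIG_DN = "CN=Configuration," + FOREST_ROOT_DN  # the schema NC sits beneath it

_SID_COMPONENT = re.compile(r"<SID=(S-1-\d+(?:-\d+)+)>", re.IGNORECASE)


def _norm(dn):
    """Case-fold a DN for comparison (DN attribute types and values here are case-insensitive)."""
    return dn.strip().lower()


def _is_under(dn, base):
    """True if dn equals base or lies beneath it, matching on a component boundary."""
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)


def extended_dn_sid(extended_dn):
    """Return the SID carried in the <SID=...> component of an extended DN."""
    m = _SID_COMPONENT.search(extended_dn)
    if not m:
        raise ValueError("extended DN has no <SID=...> component: %r" % extended_dn)
    return m.group(1).upper()


def partition_of(dn):
    """Find the naming context holding dn.  The longest matching suffix wins, so an
    object inside DomainDnsZones is not attributed to its enclosing domain partition."""
    candidates = [CONFIG_DN, *DOMAIN_SIDS, *SD_REFERENCE_DOMAIN]
    matches = [p for p in candidates if _is_under(dn, p)]
    if not matches:
        raise LookupError("no known partition holds %r" % dn)
    return max(matches, key=len)


def domain_sid_for_partition(partition_dn):
    """Pick the domainsid for SDDL conversion, one case per kind of partition."""
    if _is_under(partition_dn, CONFIG_DN):          # config and schema: forest root SID
        return DOMAIN_SIDS[FOREST_ROOT_DN]
    for dom_dn, sid in DOMAIN_SIDS.items():        # domain partitions: that domain's SID
        if _norm(dom_dn) == _norm(partition_dn):
            return sid
    for app_dn, ref in SD_REFERENCE_DOMAIN.items():  # application partitions: SID from the reference
        if _norm(app_dn) == _norm(partition_dn):
            return extended_dn_sid(ref)
    raise LookupError("unknown partition %r" % partition_dn)


def domain_sid_for_object(dn):
    """The domainsid to use when building nTSecurityDescriptor for a new object at dn."""
    return domain_sid_for_partition(partition_of(dn))


if __name__ == "__main__":
    for dn in ("CN=Users,DC=sub,DC=example,DC=com",
               "CN=Schema,CN=Configuration,DC=example,DC=com",
               "DC=@,DC=sub.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=sub,DC=example,DC=com"):
        print(dn, "->", domain_sid_for_object(dn))
```

Using a single `samdb_domain_sid(ldb)` value in place of `domain_sid_for_object` reproduces the problem the mail describes: on a child-domain DC every object, including those in the config and schema partitions and in ForestDnsZones, would get a descriptor resolved against the child domain's SID.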
