[PATCH] Subdomain and trusted domain patches for master

Andrew Bartlett abartlet at samba.org
Thu Aug 21 14:44:57 MDT 2014

On Thu, 2014-08-21 at 08:51 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >> the major thing I'm missing in your patches is the usage of
> >> Correct 'domainsid' in source4/dsdb/samdb/ldb_modules/descriptor.c
> >> get_sd_unpacked().
> >>
> >> For the Applications partitions (dns) there's a msDS-SDReferenceDomain
> >> attribute on the crossRef object.
> > 
> > Metze,
> > 
> > I'm sorry, but I've tried to understand what you mean by this, but I'm
> > still lost.  Could you re-express it?
> When we create an object (ldb_add()) we need to construct a
> nTSecurityDescriptor value. This nTSecurityDescriptor
> construction takes the sddl definition from the schema,
> the conversion from sddl to a binary security_descriptor
> requires a 'domainsid' as argument. Currently we always use
> samdb_domain_sid(ldb), which is ok if we only have one domain
> in the forest.
> On a domain controller of a subdomain we need to find the correct
> 'domainsid' value for the current partition.
> For domain partitions we need to use the sid of the domain.
> For config and schema we need to use the sid of the forest root domain.
> For all other (application) partitions we need to look at the
> sid component of the extended dn in the msDS-SDReferenceDomain attribute.
> The question was, are you aware of this as it is currently not in
> any of your patches?

The actual partition is created on the DC that will hold it long-term,
so only one SID is relevant here.  The config and schema partitions are
only ever created by the forest root when the forest root is created
standalone, and subdomains are created locally then replicated in to
replace the uninstantiated stub we create on the forest root.

The other relevant factor is the ACL on the crossRef object, which up to
now we have let be the default, and was the cause of the admin_session
patch.  Instead, we need to, like the TODO comment suggests, set a SD
for the DsAddEntry call.  This will then allow the subdomain to
(locally) update its own crossRef object, and allow us to drop the
patch you correctly objected to.

I think what you are getting at is that when creating a normal object in
the read-write configuration partition, replicated to a subdomain and
created on a DC in that subdomain, that we need to use the correct SID.
I've not done anything special here, and I guess we need tests for that.

There is indeed much to do - subdomains will have many, many, of these
corner cases.  I'm just glad to be starting, because my previous
approach of 'it's a 6-12 developer-month effort' was just depressing and
just meant we never started.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
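The partition-to-'domainsid' selection Metze describes in the quoted text (domain NC: the domain's own SID; config and schema NCs: the forest root domain's SID; application partition: the SID component of the extended DN in msDS-SDReferenceDomain), modelled in Python as an added example. This is not Samba's descriptor module or the patch under discussion: the forest, SIDs, rootDSE, crossRef entries and the SDDL string are constructed for the example, the crossRef systemFlags bits and the domain-relative SDDL alias RIDs are the standard values, and the sddl-to-security_descriptor conversion is reduced to the one step where a wrong 'domainsid' changes the result, resolving domain-relative aliases such as DA to a concrete SID.

```python
import re

# crossRef systemFlags bits: every NC carries FLAG_CR_NTDS_NC, domain NCs
# additionally carry FLAG_CR_NTDS_DOMAIN.
FLAG_CR_NTDS_NC = 0x1
FLAG_CR_NTDS_DOMAIN = 0x2

# SDDL two-letter aliases that are relative to a domain SID (RID is appended).
SDDL_DOMAIN_RIDS = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "DD": 516}

# Constructed sample forest: root example.com, child sub.example.com and the
# child's DomainDnsZones application partition. All SIDs are made up.
FOREST_ROOT_SID = "S-1-5-21-1000-2000-3000"
CHILD_SID = "S-1-5-21-4000-5000-6000"

ROOT_DSE = {
    "rootDomainNamingContext": "DC=example,DC=com",
    "configurationNamingContext": "CN=Configuration,DC=example,DC=com",
    "schemaNamingContext": "CN=Schema,CN=Configuration,DC=example,DC=com",
}

# objectSid of each domain head object (what samdb_domain_sid() returns on a
# DC of that domain).
DOMAIN_HEAD_SIDS = {
    "DC=example,DC=com": FOREST_ROOT_SID,
    "DC=sub,DC=example,DC=com": CHILD_SID,
}

# crossRef objects under CN=Partitions, keyed by nCName. The application
# partition's msDS-SDReferenceDomain is an extended DN whose <SID=...>
# component names the domain whose SID the descriptor must be built with.
CROSS_REFS = {
    "DC=example,DC=com": {"systemFlags": FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN},
    "DC=sub,DC=example,DC=com": {"systemFlags": FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN},
    "CN=Configuration,DC=example,DC=com": {"systemFlags": FLAG_CR_NTDS_NC},
    "CN=Schema,CN=Configuration,DC=example,DC=com": {"systemFlags": FLAG_CR_NTDS_NC},
    "DC=DomainDnsZones,DC=sub,DC=example,DC=com": {
        "systemFlags": FLAG_CR_NTDS_NC,
        "msDS-SDReferenceDomain":
            "<GUID=00000000-0000-0000-0000-000000000001>;"
            "<SID=S-1-5-21-4000-5000-6000>;DC=sub,DC=example,DC=com",
    },
}


def sid_from_extended_dn(extended_dn):
    """Pull the <SID=...> component out of an extended DN."""
    m = re.search(r"<SID=(S-\d+(?:-\d+)+)>", extended_dn)
    if m is None:
        raise ValueError("no SID component in %r" % extended_dn)
    return m.group(1)


def partition_of(dn):
    """Naming context (crossRef nCName) holding dn: longest case-insensitive suffix match."""
    dn_l = dn.lower()
    best = None
    for nc in CROSS_REFS:
        nc_l = nc.lower()
        if (dn_l == nc_l or dn_l.endswith("," + nc_l)) and (best is None or len(nc) > len(best)):
            best = nc
    if best is None:
        raise ValueError("%r is not inside any known partition" % dn)
    return best


def domain_sid_for(dn):
    """The 'domainsid' to hand to the SDDL parser when creating dn."""
    nc = partition_of(dn)
    if nc in (ROOT_DSE["configurationNamingContext"], ROOT_DSE["schemaNamingContext"]):
        return DOMAIN_HEAD_SIDS[ROOT_DSE["rootDomainNamingContext"]]  # forest root
    cross_ref = CROSS_REFS[nc]
    if cross_ref["systemFlags"] & FLAG_CR_NTDS_DOMAIN:
        return DOMAIN_HEAD_SIDS[nc]  # the partition is a domain: its own SID
    return sid_from_extended_dn(cross_ref["msDS-SDReferenceDomain"])  # application NC


def expand_sddl(sddl, domain_sid):
    """Resolve domain-relative aliases (DA, DU, ...) in owner, group and ACE trustee fields."""
    def alias(tok):
        return "%s-%d" % (domain_sid, SDDL_DOMAIN_RIDS[tok]) if tok in SDDL_DOMAIN_RIDS else tok

    def fix_ace(m):
        fields = m.group(1).split(";")
        if len(fields) == 6:  # ace_type;flags;rights;object;inherit_object;trustee
            fields[5] = alias(fields[5])
        return "(" + ";".join(fields) + ")"

    out = re.sub(r"\(([^)]*)\)", fix_ace, sddl)
    out = re.sub(r"O:([A-Z]{2})", lambda m: "O:" + alias(m.group(1)), out)
    return re.sub(r"G:([A-Z]{2})", lambda m: "G:" + alias(m.group(1)), out)


def default_sd_for_new_object(dn, schema_sddl):
    """What get_sd_unpacked() must do: pick the partition's domainsid, then expand."""
    return expand_sddl(schema_sddl, domain_sid_for(dn))


if __name__ == "__main__":
    schema_sddl = "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
    site = "CN=Sites,CN=Configuration,DC=example,DC=com"
    # A config object created on the child DC: samdb_domain_sid() would give the
    # child's SID and grant the child's Domain Admins; the forest root's are intended.
    print("always local SID:", expand_sddl(schema_sddl, CHILD_SID))
    print("per partition:   ", default_sd_for_new_object(site, schema_sddl))
```

Run stand-alone it prints the descriptor a child-domain DC would produce for a configuration object with the local SID against the one built with the forest root SID; the only difference is which domain's RID 512 group ends up as owner, group and full-control trustee, which is exactly the corner case a test for subdomain DCs should pin down.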
