One way trusts...
Andreas Schneider
asn at samba.org
Tue Dec 16 04:03:58 MST 2014
On Tuesday 16 December 2014 10:53:03 Stefan Metzmacher wrote:
> Hi Andrew,
>
> I'm currently testing our winbindd code (in v4-2-test/master)
> with one way trusts. From our point the trust is outgoing only.
> So we have a trust account S4xDOM$ in domain W2012R2-L4.BASE in the
> other domain.
>
> The Samba DC is called ub1204-161 (we also have ub1204-160).
> The Windows DC is called w2012r2-183.
>
> The current behavior is that we just fail to get the cross-realm
> TGT, see s4xdom-161-v4-2-w2012r2-l4-one-way-krb5-machine-fail-01.pcap.gz
> frames 68/69.
>
> With the following hack:
>
> --- a/source3/winbindd/winbindd_cm.c
> +++ b/source3/winbindd/winbindd_cm.c
> @@ -905,6 +905,10 @@ static NTSTATUS get_trust_credentials(struct
> winbindd_domain *domain,
>
> /* If we are a DC and this is not our own domain */
>
> + if (domain->active_directory) {
> + netlogon = true;
> + }
> +
> if (IS_DC && netlogon) {
> creds_domain = domain;
> } else {
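Review bot: the added block overrides the `netlogon` argument for every domain with `domain->active_directory` set, so the `if (IS_DC && netlogon)` branch below it always selects `creds_domain = domain` (the trust account) for AD domains and the caller can no longer ask for machine-account credentials there. The mail says the trust under test is outgoing only, but the condition does not look at trust direction at all, so bidirectional AD trusts take the same path. If this is to become more than a hack, fold the intent into the existing check with a comment, e.g. `/* AD trusts always use the trust account */` followed by `if (IS_DC && (netlogon || domain->active_directory)) {`, and state in the commit message why the incoming direction is not a concern.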
>
> we get a TGT as S4xDOM$@W2012R2-L4.BASE and everything works fine,
> see s4xdom-161-v4-2-w2012r2-l4-one-way-krb5-trust-ok-01.pcap.gz
> frames 42/43 and 57/58 followed by a SMB2 session setup in 64/66.
>
> With the following additional hack to force ntlmssp:
>
> @@ -934,6 +938,8 @@ static NTSTATUS get_trust_credentials(struct
> winbindd_domain *domain,
> cli_credentials_set_kerberos_state(creds,
> CRED_DONT_USE_KERBEROS);
> }
> + cli_credentials_set_kerberos_state(creds,
> + CRED_DONT_USE_KERBEROS);
>
> if (creds_domain != domain) {
> /*
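Review bot: the new unconditional `cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);` sits directly after a block that already makes the same call conditionally, so it makes that conditional redundant and disables Kerberos on every path, including the trust-account path that the first hunk just forced for AD domains. That is exactly the combination the following paragraph reports as failing at session setup, so this is useful only as a way to reproduce the NTLMSSP failure; the proposal below (krb5 with the trust account for AD domains) points the other way, so this hunk should not be merged and the forced state should stay behind the existing condition.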
>
> we fail in the session setup, which is the case you want to avoid by using
> the machine account instead of the trust account.
> See s4xdom-161-v4-2-w2012r2-l4-one-way-ntlmssp-trust-fail-01.pcap.gz in
> frame 24.
>
> I think for active directory domains we should always use krb5 with the trust account,
> and for non ad domains we use the machine account if the trust is also incoming,
> otherwise use fallback to anonymous.
Is this also related to https://bugzilla.samba.org/show_bug.cgi?id=8630
> metze
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org