One way trusts...

Stefan (metze) Metzmacher metze at samba.org
Tue Dec 16 04:05:51 MST 2014


On 16.12.2014 at 12:03, Andreas Schneider wrote:
> On Tuesday 16 December 2014 10:53:03 Stefan  Metzmacher wrote:
>> Hi Andrew,
>>
>> I'm currently testing our winbindd code (in v4-2-test/master)
>> with one way trusts. From our point of view the trust is outgoing only.
>> So we have a trust account S4xDOM$ in domain W2012R2-L4.BASE in the
>> other domain.
>>
>> The Samba DC is called ub1204-161 (we also have ub1204-160).
>> The Windows DC is called w2012r2-183.
>>
>> The current behavior is that we just fail to get the cross-realm
>> TGT, see s4xdom-161-v4-2-w2012r2-l4-one-way-krb5-machine-fail-01.pcap.gz
>> frames 68/69.
>>
>> With the following hack:
>>
>> --- a/source3/winbindd/winbindd_cm.c
>> +++ b/source3/winbindd/winbindd_cm.c
>> @@ -905,6 +905,10 @@ static NTSTATUS get_trust_credentials(struct
>> winbindd_domain *domain,
>>
>>         /* If we are a DC and this is not our own domain */
>>
>> +       if (domain->active_directory) {
>> +       netlogon = true;
>> +       }
>> +
>>         if (IS_DC && netlogon) {
>>                 creds_domain = domain;
>>         } else {
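Review bot: the added `if (domain->active_directory) { netlogon = true; }` overrides the caller's `netlogon` value for every AD domain before the `if (IS_DC && netlogon)` test, so the function can no longer tell a netlogon connection apart from any other connection to a trusted AD domain. If the intent is "use the trust account for outgoing-only AD trusts", key the condition on the trust direction (or on the absence of a usable machine account in that domain) rather than on `domain->active_directory` alone, and indent `netlogon = true;` one level inside its braces to match the surrounding code.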
>>
>> we get a TGT as S4xDOM$@W2012R2-L4.BASE and everything works fine,
>> see s4xdom-161-v4-2-w2012r2-l4-one-way-krb5-trust-ok-01.pcap.gz
>> frames 42/43 and 57/58 followed by a SMB2 session setup in 64/66.
>>
>> With the following additional hack to force ntlmssp:
>>
>> @@ -934,6 +938,8 @@ static NTSTATUS get_trust_credentials(struct
>> winbindd_domain *domain,
>>                 cli_credentials_set_kerberos_state(creds,
>>                                                    CRED_DONT_USE_KERBEROS);
>>         }
>> +             cli_credentials_set_kerberos_state(creds,
>> +                                                CRED_DONT_USE_KERBEROS);
>>
>>         if (creds_domain != domain) {
>>                 /*
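Review bot: the unconditional `cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);` placed right after the closing `}` turns the conditional call inside the block above it into dead code, since the state is overwritten on every path; the extra indentation of the two added lines also suggests they were meant to sit inside the braces. As a throwaway hack to force NTLMSSP for the capture that is fine, but it must not land in this form: if NTLMSSP is only wanted for the non-AD case, put the call under a condition (trust direction, or a check like the `creds_domain != domain` test that follows) rather than forcing it for all domains.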
>>
>> we fail in the session setup, which is the case you want to avoid by using
>> the machine account instead of the trust account.
>> See s4xdom-161-v4-2-w2012r2-l4-one-way-ntlmssp-trust-fail-01.pcap.gz in
>> frame 24.
>>
>> I think for active directory domains we should always use krb5 with the
>> trust account, and for non-AD domains we use the machine account if the
>> trust is also incoming, otherwise we fall back to anonymous.
> 
> Is this also related to https://bugzilla.samba.org/show_bug.cgi?id=8630

Not completely, that is about one-way trusts while we're a domain member.
The above comments are for the case where we're a DC ourself.

metze
