master4-forest-ok branch

Andrew Bartlett abartlet at samba.org
Fri Dec 19 02:43:21 MST 2014


On Fri, 2014-12-19 at 00:43 +0100, Stefan (metze) Metzmacher wrote:

> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
> has everything...
> 
> > Some small notes:
> >  - In the new trusted domain cli_credentials code, you don't need a new
> > lp_ctx, use the one on the dsdb private state pointer. 
> 
> fixed.
> 
> >  - The RODC already checks locally first, and falls back to a remote
> > NETLOGON call if we get NOT_IMPLEMENTED as the reply, so the TODO isn't
> > required
> 
> Ah, ok the winbindd_dual_auth_passdb() calls...

Yes (you still have the TODO :-)

> >  - How can we test all this?  We really need to start a 2nd forest in
> > make test.
> 
> I'm working on this next, first I need something like 'samba-tool domain
> trust add'
> 
> > BTW, if you get all this going, subdomains are not far off either - most
> > of the problems are exactly the same. 
> 
> Yes, similar.

So, as long as you have tested these in some way, I'm happy for you to
mark the commits currently in master4-forest-ok Reviewed-by: Andrew
Bartlett <abartlet at samba.org>.  I'm looking forward to the automated
tests.  A little of what I have in my random subdomain-wip branches will
help (that starts the subdomain environment), so we really should sort
those out again in the new year.  The handling of the DNS partitions
ACLs was one of the few serious blockers - remember it actually worked
at Microsoft!

Naturally, please finish your discussion with Ralf and others on the
waf/build changes.

Finally, I'm assuming the use of the domain$ account with Kerberos is
due to one-way trusts?  Does it really work like that?  Otherwise, I
would have expected us to use our own machine account, and obtained a
cross-realm ticket with that.

Thank you very much for all your work on this,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



