winbindd, trusted domains and set_dc_type_and_flags_connect()

Andrew Bartlett abartlet at samba.org
Wed Oct 8 12:59:40 MDT 2014


On Wed, 2014-10-08 at 19:17 +0200, Michael Adam wrote:
> Hi Andrew,
> 
> there is again a failed samba4.winbind.struct(s3member:local)
> test:
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [1433/1686 in 1h24m26s] samba4.winbind.struct(s3member:local)
> Running WINBINDD_DOMAIN_INFO (struct based)
> DOMAIN 'BUILTIN' => '' [ ] [S-1-5-32]
> DOMAIN 'LOCALADMEMBER' => '' [ ] [S-1-5-21-4220450500-1559905079-3194700717]
> DOMAIN 'SAMBADOMAIN' => 'samba.example.com' [ PR AD NA ] [S-1-5-21-3441848703-3607576563-2008146182]
> DOMAIN 'torturedom10' => 'samba.example.com' [ AD NA ] [S-1-5-21-97398-379795-10010]
> UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
> REASON: _StringException: _StringException: ../source4/torture/winbind/struct_based.c:469: rep.data.domain_info.alt_name was samba.example.com, expected : DNS domain name doesn't match
> 
> FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Can it be that your patch to winbindd_cm may have missed one
> case, namely when lsa_info->dns.dns_domain.string is != NULL,
> but domain->alt_name is NULL? Then domain->alt_name is overwritten
> by what is handed in as lsa_info->dns.dns_domain.string.
> 
> Not quite certain, but in that case,
> the attached patch might be the fix.

Indeed. The trouble is that I was trying to allow us to upgrade from an
NT4-only trust record in a Samba classic domain when talking to a full
AD DC.

That said, I'm becoming more and more convinced that the whole idea of
set_dc_type_and_flags_connect is wrong, and we should be changing it to
a series of assertions, that fail the connection, and instead always
rely on someone else (or secrets.tdb) to tell us in a trustworthy
fashion about the domain.

For this particular issue, and any case where we have a trust, but don't
know the SID (which seems to me like a broken trust, and wouldn't allow
SID validation anyway), if we must support it we should use a set of
initialization flags, so we know if it is really NULL, or really
unknown.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
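The "initialization flags" idea from the reply, as an added example that is not part of this thread or of Samba's code: a constructed, simplified domain record with a flag bit that tells "explicitly NULL" apart from "never set", the overwrite the failing test caught, and the flag-aware replacement that refuses a DC's claim instead of overwriting trusted state. All names (domain_rec, DOMAIN_INIT_ALT_NAME, the *_apply_lsa_dns_name functions) are this example's own assumptions.

```c
#include <stdbool.h>
#include <string.h>

#define DOMAIN_INIT_ALT_NAME 0x1u  /* constructed flag (not Samba's): alt_name set by a trusted source */

struct domain_rec {          /* constructed stand-in for a winbindd domain record, not Samba's */
	const char *alt_name;    /* DNS name; NULL is legitimate for an NT4-only domain */
	unsigned int init_flags; /* DOMAIN_INIT_* bits: "known" versus "never set" */
};

/* A trusted source (e.g. secrets.tdb) speaking: NULL here is an explicit "no DNS name". */
void domain_set_alt_name(struct domain_rec *d, const char *alt_name)
{
	d->alt_name = alt_name;
	d->init_flags |= DOMAIN_INIT_ALT_NAME;
}

/* Behaviour the thread describes: NULL is read as "unknown", so an NT4-only record adopts the DC's name. */
void old_apply_lsa_dns_name(struct domain_rec *d, const char *lsa_dns_domain)
{
	if (lsa_dns_domain != NULL && d->alt_name == NULL)
		d->alt_name = lsa_dns_domain;
}

/* With the flag, "unknown" and "known to be NULL" separate. Returns true when the
 * record agrees with the DC's claim; false means refuse the connection instead. */
bool new_apply_lsa_dns_name(struct domain_rec *d, const char *lsa_dns_domain)
{
	if (!(d->init_flags & DOMAIN_INIT_ALT_NAME)) {
		d->alt_name = lsa_dns_domain;  /* genuinely unknown: adopt and mark known */
		d->init_flags |= DOMAIN_INIT_ALT_NAME;
		return true;
	}
	if (d->alt_name == NULL || lsa_dns_domain == NULL)
		return d->alt_name == lsa_dns_domain;  /* consistent only if both NULL */
	return strcmp(d->alt_name, lsa_dns_domain) == 0;
}

/* Failing test's situation: record stored with an explicit NULL DNS name, then an LSA query
 * to an AD DC answers "samba.example.com". True if old code overwrote it and new code refused. */
bool explicit_null_scenario(void)
{
	struct domain_rec rec_old = { NULL, 0 };
	domain_set_alt_name(&rec_old, NULL);
	struct domain_rec rec_new = rec_old;
	old_apply_lsa_dns_name(&rec_old, "samba.example.com");
	bool refused = !new_apply_lsa_dns_name(&rec_new, "samba.example.com");
	return rec_old.alt_name != NULL && strcmp(rec_old.alt_name, "samba.example.com") == 0
	       && refused && rec_new.alt_name == NULL;
}
```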