winbindd, trusted domains and set_dc_type_and_flags_connect()

Andrew Bartlett abartlet at
Wed Oct 8 12:59:40 MDT 2014

On Wed, 2014-10-08 at 19:17 +0200, Michael Adam wrote:
> Hi Andrew,
> there is again a failed samba4.winbind.struct(s3member:local)
> test:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> [1433/1686 in 1h24m26s] samba4.winbind.struct(s3member:local)
> Running WINBINDD_DOMAIN_INFO (struct based)
> DOMAIN 'BUILTIN' => '' [ ] [S-1-5-32]
> DOMAIN 'LOCALADMEMBER' => '' [ ] [S-1-5-21-4220450500-1559905079-3194700717]
> DOMAIN 'SAMBADOMAIN' => '' [ PR AD NA ] [S-1-5-21-3441848703-3607576563-2008146182]
> DOMAIN 'torturedom10' => '' [ AD NA ] [S-1-5-21-97398-379795-10010]
> UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
> REASON: _StringException: _StringException: ../source4/torture/winbind/struct_based.c:469: was, expected : DNS domain name doesn't match
> FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Can it be that your patch to winbindd_cm may have missed one
> case, namely when lsa_info->dns.dns_domain.string is != NULL,
> but domain->alt_name is NULL. Then domain->alt_name is overwritten
> by what is handed in as lsa_info->dns.dns_domain.string.
> Not quite certain, but in that case,
> attached patch might be the fix

Indeed. The trouble is that I was trying to allow us to upgrade from an
NT4-only trust record in a samba classic domain when talking to a full
AD DC.

That said, I'm becoming more and more convinced that the whole idea of
set_dc_type_and_flags_connect is wrong, and we should be changing it to
a series of assertions, that fail the connection, and instead always
rely on someone else (or secrets.tdb) to tell us in a trustworthy
fashion about the domain.

For this particular issue, and any case where we have a trust, but don't
know the SID (which seems to me like a broken trust, and wouldn't allow
SID validation anyway), if we must support it we should use a set of
initialization flags, so we know if it is really NULL, or really

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
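One way to read the "initialization flags" idea above, as an added illustration in C that is not Samba code: a hypothetical domain record carries a flag recording whether alt_name was set by a trusted source, so a value learned from the DC (lsa_info->dns.dns_domain.string) may only fill in an uninitialised alt_name and otherwise must agree with it, or the connection is refused instead of "upgraded". The struct names, the flag and the sample domain names are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical flag: alt_name was set by a trusted source (e.g. secrets.tdb). */
#define ALT_NAME_INITIALISED 0x1u

struct domain_rec {            /* hypothetical stand-in for winbindd's domain struct */
    const char *name;
    const char *alt_name;      /* DNS domain name; NULL when absent or not yet known */
    unsigned int init_flags;
};

/* Merge the DC's claimed DNS name (lsa_info->dns.dns_domain.string) into the record.
 * Returns true if the connection may proceed, false if the claim conflicts
 * with what a trusted source already told us (the "assertion" model). */
bool merge_dns_domain(struct domain_rec *d, const char *dc_dns)
{
    if (dc_dns == NULL) {
        return true;           /* DC said nothing (NT4-style); keep what we have */
    }
    if (!(d->init_flags & ALT_NAME_INITIALISED)) {
        /* Only an uninitialised alt_name may be filled in from the wire. */
        d->alt_name = dc_dns;
        d->init_flags |= ALT_NAME_INITIALISED;
        return true;
    }
    if (d->alt_name == NULL) {
        return false;          /* trusted source said "no DNS name": don't upgrade it */
    }
    return strcmp(d->alt_name, dc_dns) == 0;
}

/* Constructed scenarios (sample names, not taken from the test run above). */
bool scenario_unknown_gets_filled(void)
{
    struct domain_rec d = { "torturedom10", NULL, 0 };
    return merge_dns_domain(&d, "torturedom10.example") &&
           d.alt_name != NULL && strcmp(d.alt_name, "torturedom10.example") == 0;
}

bool scenario_initialised_null_is_kept(void)
{
    /* The missed case: alt_name is NULL, but a trusted source said so. */
    struct domain_rec d = { "torturedom10", NULL, ALT_NAME_INITIALISED };
    bool ok = merge_dns_domain(&d, "torturedom10.example");
    return !ok && d.alt_name == NULL;   /* connection refused, record untouched */
}
```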
