winbindd, trusted domains and set_dc_type_and_flags_connect()
Andrew Bartlett
abartlet at samba.org
Thu Oct 16 02:33:52 MDT 2014
On Thu, 2014-10-09 at 07:59 +1300, Andrew Bartlett wrote:
> On Wed, 2014-10-08 at 19:17 +0200, Michael Adam wrote:
> > Hi Andrew,
> >
> > there is again a failed samba4.winbind.struct(s3member:local)
> > test:
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > [1433/1686 in 1h24m26s] samba4.winbind.struct(s3member:local)
> > Running WINBINDD_DOMAIN_INFO (struct based)
> > DOMAIN 'BUILTIN' => '' [ ] [S-1-5-32]
> > DOMAIN 'LOCALADMEMBER' => '' [ ] [S-1-5-21-4220450500-1559905079-3194700717]
> > DOMAIN 'SAMBADOMAIN' => 'samba.example.com' [ PR AD NA ] [S-1-5-21-3441848703-3607576563-2008146182]
> > DOMAIN 'torturedom10' => 'samba.example.com' [ AD NA ] [S-1-5-21-97398-379795-10010]
> > UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
> > REASON: _StringException: _StringException: ../source4/torture/winbind/struct_based.c:469: rep.data.domain_info.alt_name was samba.example.com, expected : DNS domain name doesn't match
> >
> > FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Can it be that your patch to winbindd_cm may have missed one
> > case, namely when lsa_info->dns.dns_domain.string is != NULL,
> > but domain->alt_name is NULL? Then domain->alt_name is overwritten
> > by what is handed in as lsa_info->dns.dns_domain.string.
> >
> > Not quite certain, but in that case,
> > the attached patch might be the fix.
>
> Indeed. The trouble is that I was trying to allow us to upgrade from a
> NT4-only trust record in a samba classic domain when talking to a full
> AD DC.
>
> That said, I'm becoming more and more convinced that the whole idea of
> set_dc_type_and_flags_connect is wrong, and we should be changing it to
> a series of assertions, that fail the connection, and instead always
> rely on someone else (or secrets.tdb) to tell us in a trustworthy
> fashion about the domain.
>
> For this particular issue, and any case where we have a trust, but don't
> know the SID (which seems to me like a broken trust, and wouldn't allow
> SID validation anyway), if we must support it we should use a set of
> initialization flags, so we know if it is really NULL, or really
> unknown.
On reflection, we could at least start with this patch, but conditional
on our primary domain not being AD.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
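As an added illustration of the initialization-flag idea discussed above (not Samba code; the struct, enum and function names are hypothetical), a small C model of a trust record that distinguishes a known-empty alt_name from an unknown one, skips the LSA upgrade when the primary domain is AD, and treats a contradicting LSA answer as a consistency failure rather than a reason to rewrite the record:

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-in for a winbindd trust record (not Samba's own struct). */
enum alt_name_state {
    ALT_NAME_UNKNOWN,    /* nobody has told us yet; may still be filled in */
    ALT_NAME_KNOWN_NONE, /* trusted source says: no DNS name (NT4-style trust) */
    ALT_NAME_KNOWN       /* trusted source (e.g. secrets.tdb) gave the name */
};

struct td_record {
    const char *name;
    const char *alt_name;      /* DNS domain name; NULL when none or unknown */
    enum alt_name_state state; /* the "initialization flag" from the thread */
};

/* Adopt the LSA-reported DNS name only while still uninitialized and primary is not AD. */
bool upgrade_alt_name_from_lsa(struct td_record *d, const char *lsa_dns_domain,
                               bool primary_is_ad)
{
    if (lsa_dns_domain == NULL || primary_is_ad) {
        return false;
    }
    if (d->state != ALT_NAME_UNKNOWN) {
        return false; /* a known value, even a known NULL, is never overwritten */
    }
    d->alt_name = lsa_dns_domain;
    d->state = ALT_NAME_KNOWN;
    return true;
}

/* Assertion variant: LSA info contradicting what we already know fails the connection. */
bool lsa_info_consistent(const struct td_record *d, const char *lsa_dns_domain)
{
    switch (d->state) {
    case ALT_NAME_KNOWN_NONE:
        return lsa_dns_domain == NULL;
    case ALT_NAME_KNOWN:
        return lsa_dns_domain != NULL && strcmp(d->alt_name, lsa_dns_domain) == 0;
    default:
        return true; /* nothing known yet, so nothing to contradict */
    }
}

/* Shape of the failing test: a known-empty alt_name must survive a non-NULL LSA answer. */
bool known_none_survives_lsa_upgrade(void)
{
    struct td_record d = { "LOCALADMEMBER", NULL, ALT_NAME_KNOWN_NONE };
    return !upgrade_alt_name_from_lsa(&d, "samba.example.com", false) && d.alt_name == NULL;
}
```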