[PATCH] DNS and Subdomain patches

Andrew Bartlett abartlet at samba.org
Tue Sep 2 00:07:40 MDT 2014


On Mon, 2014-09-01 at 13:54 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >> I'm still working on tidying the rest up, but I expect to have it back
> >> to you tomorrow.
> > 
> > The patches that had sufficient review are in master, and the rest is in
> > my subdomain-wip tree.
> > 
> > Can you clarify to me what more you want done on the crossRef partitions
> > patch, beyond your improved API (which I'm quite happy with, and I fixed
> > to use ctx.domsid)?
> 
> The patch is fine.

Can you please push it then?

> But reading the context of this change showed a possible 2nd problem
> with the same LDAP object.
> 
> I see Windows used the 'rootTrust' attribute instead of 'trustParent'.
> 
> There might also be other related problems.
> So it would be good to have a Windows 2012R2 environment with
> msDS-Behavior-Version=4 with the following 6 domains
> in just one forest with 'DC=rootdomain,DC=example,DC=com'
> as forestroot:
> 
> DC=rootdomain,DC=example,DC=com
> DC=rootlevel1,DC=rootdomain,DC=example,DC=com
> DC=rootlevel2,DC=rootlevel1,DC=rootdomain,DC=example,DC=com
> DC=otherdomain,DC=example,DC=com
> DC=otherlevel1,DC=otherdomain,DC=example,DC=com
> DC=otherlevel2,DC=otherlevel1,DC=otherdomain,DC=example,DC=com

I'm not sure I can promise to create 6 domains any time soon.  As each
needs a unique SID, I can't just clone them, and it becomes a total pain
to manage more than just 3 or 4 VMs...

> Then set up the same thing with Samba
> and compare the objects under
> CN=Partitions,CN=Configuration,DC=rootdomain,DC=example,DC=com
> (including the nTSecurityDescriptor attribute).
> As well as "*,nTSecurityDescriptor" for the domain (and DomainDnsZones)
> partitions.

Also, can you look at the subdomain-wip branch, not as a final review,
but to let me know if I am working in the right direction?  Do you have
any comments on the approach taken in the patch?  Is the idea to use smb
signing in winbindd reasonable?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





