[PATCH] DNS and Subdomain patches

Andrew Bartlett abartlet at samba.org
Tue Sep 2 00:07:40 MDT 2014

On Mon, 2014-09-01 at 13:54 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >> I'm still working on tidying the rest up, but I expect to have it back
> >> to you tomorrow.
> > 
> > The patches that had sufficient review are in master, and the rest is in
> > my subdomain-wip tree.
> > 
> > Can you clarify to me what more you want done on the crossRef partitions
> > patch, beyond your improved API (which I'm quite happy with, and I fixed
> > to use ctx.domsid)?
> The patch is fine.

Can you please push it then?

> But reading the context of this change showed a possible 2nd problem
> with the same LDAP object.
> I see Windows used the 'rootTrust' attribute instead of 'trustParent'.
> There might also be other related problems.
> So it would be good to have a Windows 2012R2 environment with
> msDS-Behavior-Version=4 with the following 6 domains
> in just one forest with 'DC=rootdomain,DC=example,DC=com'
> as forestroot:
> DC=rootdomain,DC=example,DC=com
> DC=rootlevel1,DC=rootdomain,DC=example,DC=com
> DC=rootlevel2,DC=rootlevel1,DC=rootdomain,DC=example,DC=com
> DC=otherdomain,DC=example,DC=com
> DC=otherlevel1,DC=otherdomain,DC=example,DC=com
> DC=otherlevel2,DC=otherlevel1,DC=otherdomain,DC=example,DC=com

I'm not sure I can promise to create 6 domains any time soon.  As each
needs a unique SID, I can't just clone them, and it becomes a total pain
to manage more than just 3 or 4 VMs...

> Then set up the same thing with Samba
> and compare the objects under
> CN=Partitions,CN=Configuration,DC=rootdomain,DC=example,DC=com
> (including the nTSecurityDescriptor attribute).
> As well as "*,nTSecurityDescriptor" for the domain (and DomainDnsZones)
> partitions.

Also, can you look at the subdomain-wip branch, not as a final review,
but to let me know if I am working in the right direction?  Do you have
any comments on the approach taken in the patch?  Is the idea to use smb
signing in winbindd reasonable?


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
