[PATCH] DNS and Subdomain patches

Stefan (metze) Metzmacher metze at samba.org
Wed Sep 3 18:08:07 MDT 2014


Hi Andrew,

>>>> Except for SAMR (which we should avoid as much as we can) we should only
>>>> ever contact
>>>> directly trusted domains and allow the remote dc forward netlogon and
>>>> lsa requests.
>>>>
>>>> In addition to NETLOGON and LSA we could have a drsuapi connection
>>>> (using krb5)
>>>> for our own domain and other direct trusts.
>>>> Windows seems to forward LSA Lookup calls as DsCrackNames calls
>>>> (maybe only to GC servers).
>>>
>>> So, with lots of work to do and a larger refactor of winbindd proposed
>>> above, how do you suggest we proceed?  Are you able to work on some of
>>> this?
>>
>> Only small fixes here and there, sorry.
> 
> Then can we proceed broadly as I propose, and move towards this as time
> and resources are available?  Otherwise, I'm a bit stuck - this effort
> so far has worked because the changes have shown to be largely
> incremental, rather than revolutionary. 

These are the important changes:

>> I think instead of using the machine account for smb authentication
>> against domain controllers of another domain, we should try to use
>> ncacn_ip_tcp, as windows does for netlogon connections.
>> Falling back to anonymous smb connections for ncacn_np.

We should rename cm_connect_netlogon() to cm_connect_netlogon_transport()
and pass enum dcerpc_transport_t.

Then implement cm_connect_netlogon() similar to cm_connect_lsat()
and try NCACN_IP_TCP first if it's an ad domain.

>> At the DCERPC layer we should do a fallback to anonymous
>> only if we have winbind sealed pipes = no and require strong key = no.

We just need to check this before cli_rpc_pipe_open_noauth()
in cm_connect_*().

These changes should be relatively small
and the rest can be a future improvement.

metze
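The connection order proposed above (authenticated NCACN_IP_TCP first for AD domains, then NCACN_NP, and anonymous ncacn_np only when "winbind sealed pipes" and "require strong key" are both off), as an added C model that is not Samba's code: the trimmed transport enum, `struct winbind_cfg`, `struct dc_sim`, `connect_netlogon()` and the `CONN_*` outcomes are assumptions, and the DC stand-in is constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the proposed cm_connect_netlogon_transport() logic.
 * Names and the two-member enum are assumptions; this is not Samba's code. */
enum dcerpc_transport_t { NCACN_NP, NCACN_IP_TCP };

struct winbind_cfg {
    bool is_ad_domain;
    bool sealed_pipes;       /* smb.conf "winbind sealed pipes" */
    bool require_strong_key; /* smb.conf "require strong key" */
};

/* Constructed stand-in for a remote DC: which attempts it would accept. */
struct dc_sim { bool tcp_auth_ok; bool np_auth_ok; bool np_anon_ok; };
enum conn_outcome { CONN_FAILED = 0, CONN_TCP_AUTH, CONN_NP_AUTH, CONN_NP_ANON };

/* The check to run before cli_rpc_pipe_open_noauth(): anonymous is
 * acceptable only when both hardening options are off. */
bool anonymous_fallback_allowed(const struct winbind_cfg *cfg)
{
    return !cfg->sealed_pipes && !cfg->require_strong_key;
}

static bool try_connect(const struct dc_sim *dc, enum dcerpc_transport_t t,
                        bool anonymous)
{
    if (anonymous)
        return t == NCACN_NP && dc->np_anon_ok;
    return t == NCACN_IP_TCP ? dc->tcp_auth_ok : dc->np_auth_ok;
}

/* Authenticated attempts first (NCACN_IP_TCP before NCACN_NP for AD domains),
 * then anonymous ncacn_np only if policy allows; otherwise fail, not downgrade. */
enum conn_outcome connect_netlogon(const struct winbind_cfg *cfg,
                                   const struct dc_sim *dc)
{
    enum dcerpc_transport_t order[2];
    size_t n = 0;
    if (cfg->is_ad_domain)
        order[n++] = NCACN_IP_TCP;
    order[n++] = NCACN_NP;
    for (size_t i = 0; i < n; i++) {
        if (try_connect(dc, order[i], false))
            return order[i] == NCACN_IP_TCP ? CONN_TCP_AUTH : CONN_NP_AUTH;
    }
    if (anonymous_fallback_allowed(cfg) && try_connect(dc, NCACN_NP, true))
        return CONN_NP_ANON;
    return CONN_FAILED;
}
```

With either hardening option on, a DC that only accepts anonymous ncacn_np yields CONN_FAILED instead of a silent downgrade.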
