[PATCH] DNS and Subdomain patches
Stefan (metze) Metzmacher
metze at samba.org
Wed Sep 3 18:08:07 MDT 2014
>>>> Except for SAMR (which we should avoid as much as we can) we should only
>>>> ever contact
>>>> directly trusted domains and allow the remote dc forward netlogon and
>>>> lsa requests.
>>>> In addition to NETLOGON and LSA we could have a drsuapi connection
>>>> (using krb5)
>>>> for our own domain and other direct trusts.
>>>> Windows seems to forward LSA Lookup calls as DsCrackNames calls
>>>> (maybe only to GC servers).
>>> So, with lots of work to do and a larger refactor of winbindd proposed
>>> above, how do you suggest we proceed? Are you able to work on some of
>> Only small fixes here and there, sorry.
> Then can we proceed broadly as I propose, and move towards this as time
> and resources are available? Otherwise, I'm a bit stuck - this effort
> so far has worked because the changes have shown to be largely
> incremental, rather than revolutionary.
These are the important changes:
>> I think instead of using the machine account for smb authentication
>> against domain controllers of another domain, we should try to use
>> ncacn_ip_tcp, as windows does for netlogon connections.
>> Falling back to anonymous smb connections for ncacn_np.
We should rename cm_connect_netlogon() to cm_connect_netlogon_transport()
and pass enum dcerpc_transport_t.
Then implement cm_connect_netlogon() similar to cm_connect_lsat()
and try NCACN_IP_TCP first if it's an ad domain.
>> At the DCERPC layer we should do a fallback to anonymous
>> only if we have winbind sealed pipes = no and require strong key = no.
We just need to check this before cli_rpc_pipe_open_noauth().
These changes should be relatively small
and the rest can be future improvements.
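The two rules in this message (try ncacn_ip_tcp first for an AD domain, and only fall back to an anonymous ncacn_np connection when both "winbind sealed pipes" and "require strong key" are off) written out as a small C simulation. This is an added example, not Samba's code: the enum, the policy struct, the `cm_connect_netlogon_sim()` function and the `try_bind` callback are constructed stand-ins for the real winbindd connection manager and `cli_rpc_pipe_open_noauth()`, and no RPC traffic is sent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for Samba's transport enum and the two smb.conf
 * settings named in the thread; these are not Samba's own definitions. */
enum dcerpc_transport_t { NCACN_IP_TCP, NCACN_NP };

struct winbind_policy {
	bool sealed_pipes;       /* "winbind sealed pipes" (Samba default: yes) */
	bool require_strong_key; /* "require strong key" (Samba default: yes) */
};

enum connect_outcome {
	CONNECT_AUTHENTICATED, /* authenticated bind succeeded on some transport */
	CONNECT_ANONYMOUS,     /* fell back to anonymous ncacn_np */
	CONNECT_REFUSED        /* no authenticated bind and fallback forbidden */
};

/* Hypothetical probe: does an authenticated bind over this transport succeed?
 * Real code would attempt the DCERPC bind here; this example only simulates it. */
typedef bool (*auth_bind_fn)(enum dcerpc_transport_t);

/* The fallback rule from the thread: anonymous is only acceptable when both
 * hardening options are off. This is the check that belongs before opening
 * an unauthenticated pipe. */
bool anonymous_fallback_allowed(const struct winbind_policy *p)
{
	return !p->sealed_pipes && !p->require_strong_key;
}

/* Transport order for a netlogon connection: AD domains try ncacn_ip_tcp
 * first, as Windows does, then ncacn_np; non-AD domains only ncacn_np.
 * Returns the number of transports written to out. */
size_t netlogon_transport_order(bool is_ad_domain,
				enum dcerpc_transport_t *out, size_t max)
{
	size_t n = 0;
	if (is_ad_domain && n < max) out[n++] = NCACN_IP_TCP;
	if (n < max) out[n++] = NCACN_NP;
	return n;
}

/* Walk the transports with an authenticated bind; only if every attempt fails,
 * and the policy permits it, fall back to an anonymous ncacn_np connection. */
enum connect_outcome cm_connect_netlogon_sim(bool is_ad_domain,
					     const struct winbind_policy *pol,
					     auth_bind_fn try_bind,
					     enum dcerpc_transport_t *used)
{
	enum dcerpc_transport_t order[2];
	size_t n = netlogon_transport_order(is_ad_domain, order, 2);
	for (size_t i = 0; i < n; i++) {
		if (try_bind(order[i])) {
			*used = order[i];
			return CONNECT_AUTHENTICATED;
		}
	}
	if (anonymous_fallback_allowed(pol)) {
		*used = NCACN_NP;
		return CONNECT_ANONYMOUS;
	}
	return CONNECT_REFUSED;
}

/* Constructed probe results for the scenarios below. */
bool bind_tcp_only(enum dcerpc_transport_t t) { return t == NCACN_IP_TCP; }
bool bind_never(enum dcerpc_transport_t t) { (void)t; return false; }

int main(void)
{
	const struct winbind_policy hardened = { true, true };
	const struct winbind_policy relaxed = { false, false };
	enum dcerpc_transport_t used;
	enum connect_outcome r;

	r = cm_connect_netlogon_sim(true, &hardened, bind_tcp_only, &used);
	printf("AD, tcp bind ok:           outcome=%d transport=%d\n", r, used);
	r = cm_connect_netlogon_sim(true, &hardened, bind_never, &used);
	printf("AD, no auth bind, hardened: outcome=%d\n", r);
	r = cm_connect_netlogon_sim(true, &relaxed, bind_never, &used);
	printf("AD, no auth bind, relaxed:  outcome=%d transport=%d\n", r, used);
	return 0;
}
```

With the default (hardened) settings the simulation refuses rather than silently downgrading to an anonymous pipe; only an administrator who has turned both options off gets the fallback, which matches the intent of doing the policy check before the unauthenticated open rather than after a failed authenticated bind.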