[PATCH] DNS and Subdomain patches
abartlet at samba.org
Wed Sep 3 20:33:43 MDT 2014
On Thu, 2014-09-04 at 02:08 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >>>> Except for SAMR (which we should avoid as much as we can) we should only
> >>>> ever contact
> >>>> directly trusted domains and allow the remote dc to forward netlogon and
> >>>> lsa requests.
> >>>> In addition to NETLOGON and LSA we could have a drsuapi connection
> >>>> (using krb5)
> >>>> for our own domain and other direct trusts.
> >>>> Windows seems to forward LSA Lookup calls as DsCrackNames calls
> >>>> (maybe only to GC servers).
> >>> So, with lots of work to do and a larger refactor of winbindd proposed
> >>> above, how do you suggest we proceed? Are you able to work on some of
> >>> this?
> >> Only small fixes here and there, sorry.
> > Then can we proceed broadly as I propose, and move towards this as time
> > and resources are available? Otherwise, I'm a bit stuck - this effort
> > so far has worked because the changes have shown to be largely
> > incremental, rather than revolutionary.
> These are the important changes:
> >> I think instead of using the machine account for smb authentication
> >> against domain controllers of another domain, we should try to use
> >> ncacn_ip_tcp, as windows does for netlogon connections.
> >> Falling back to anonymous smb connections for ncacn_np.
> We should rename cm_connect_netlogon() to cm_connect_netlogon_transport()
> and pass enum dcerpc_transport_t.
> Then implement cm_connect_netlogon() similar to cm_connect_lsat()
> and try NCACN_IP_TCP first if it's an ad domain.
> >> At the DCERPC layer we should do a fallback to anonymous
> >> only if we have winbind sealed pipes = no and require strong key = no.
> We just need to check this before cli_rpc_pipe_open_noauth()
> in cm_connect_*().
> These changes should be relatively small
> and the rest can be future improvement.
Thanks for describing a practical way forward,
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
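As an added example, not code from this thread or from Samba itself: a stand-alone C model of the NETLOGON connection order Stefan describes above (ncacn_ip_tcp first for AD domains, and a noauth fallback only when both "winbind sealed pipes" and "require strong key" are off). Only the transport names follow Samba's enum dcerpc_transport_t; wb_policy, wb_attempt, wb_noauth_allowed and wb_netlogon_order are assumed names for the model, and the SMB-session side (machine account versus anonymous SMB) is left out.

```c
#include <stdbool.h>
#include <stddef.h>

/* Transport names as in Samba's enum dcerpc_transport_t; every other
 * identifier here is an assumption made for this model, not Samba's API. */
enum dcerpc_transport_t { NCACN_NP, NCACN_IP_TCP };
enum wb_auth { WB_AUTH_SCHANNEL, WB_AUTH_NOAUTH };

struct wb_policy {
    bool ad_domain;            /* remote domain is Active Directory */
    bool winbind_sealed_pipes; /* "winbind sealed pipes" in smb.conf */
    bool require_strong_key;   /* "require strong key" in smb.conf */
};

struct wb_attempt {
    enum dcerpc_transport_t transport;
    enum wb_auth auth;
};

/* The check the thread wants before cli_rpc_pipe_open_noauth(): an
 * unauthenticated pipe is tolerable only with both protections off. */
bool wb_noauth_allowed(const struct wb_policy *p)
{
    return !p->winbind_sealed_pipes && !p->require_strong_key;
}

/* Write the ordered connection attempts into out[] and return the count.
 * AD domains try ncacn_ip_tcp before ncacn_np, as Windows does; on each
 * transport schannel comes first, and the noauth fallback is appended
 * only when wb_noauth_allowed() permits it. */
size_t wb_netlogon_order(const struct wb_policy *p,
                         struct wb_attempt *out, size_t max)
{
    enum dcerpc_transport_t order[2];
    size_t ntrans = 0, n = 0;

    if (p->ad_domain) {
        order[ntrans++] = NCACN_IP_TCP;
    }
    order[ntrans++] = NCACN_NP;

    for (size_t i = 0; i < ntrans; i++) {
        if (n < max) {
            out[n++] = (struct wb_attempt){ order[i], WB_AUTH_SCHANNEL };
        }
        if (wb_noauth_allowed(p) && n < max) {
            out[n++] = (struct wb_attempt){ order[i], WB_AUTH_NOAUTH };
        }
    }
    return n;
}
```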