[PATCH] DNS and Subdomain patches

Andrew Bartlett abartlet at samba.org
Wed Sep 3 20:33:43 MDT 2014


On Thu, 2014-09-04 at 02:08 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>>> Except for SAMR (which we should avoid as much as we can) we should only
> >>>> ever contact
> >>>> directly trusted domains and allow the remote dc forward netlogon and
> >>>> lsa requests.
> >>>>
> >>>> In addition to NETLOGON and LSA we could have a drsuapi connection
> >>>> (using krb5)
> >>>> for our own domain and other direct trusts.
> >>>> Windows seems to forward LSA Lookup calls as DsCrackNames calls
> >>>> (maybe only to GC servers).
> >>>
> >>> So, with lots of work to do and a larger refactor of winbindd proposed
> >>> above, how do you suggest we proceed?  Are you able to work on some of
> >>> this?
> >>
> >> Only small fixes here and there, sorry.
> > 
> > Then can we proceed broadly as I propose, and move towards this as time
> > and resources are available?  Otherwise, I'm a bit stuck - this effort
> > so far has worked because the changes have shown to be largely
> > incremental, rather than revolutionary. 
> 
> These are the important changes:
> 
> >> I think instead of using the machine account for smb authentication
> >> against domain controllers of another domain, we should try to use
> >> ncacn_ip_tcp, as windows does for netlogon connections.
> >> Falling back to anonymous smb connections for ncacn_np.
> 
> We should rename cm_connect_netlogon() to cm_connect_netlogon_transport()
> and pass enum dcerpc_transport_t.
> 
> Then implement cm_connect_netlogon() similar to cm_connect_lsat()
> and try NCACN_IP_TCP first if it's an ad domain.

OK.

> >> At the DCERPC layer we should do a fallback to anonymous
> >> only if we have winbind sealed pipes = no and require strong key = no.
> 
> We just need to check this before cli_rpc_pipe_open_noauth()
> in cm_connect_*().

OK.

> These changes should be relatively small
> and the rest can be future improvement.

Thanks for describing a practical way forward,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
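The connection strategy sketched in the quoted proposal above, as an added illustration that is not Samba code and not the patch under discussion: a stand-alone C model of the order in which a winbindd-style connector would try transports and authentication levels for a netlogon connection, and of the rule that an unauthenticated DCERPC fallback is only acceptable when both "winbind sealed pipes" and "require strong key" are off. The types `transport_kind`, `wb_policy`, `connect_attempt` and the functions below are assumptions chosen for this example; the real `enum dcerpc_transport_t`, `cm_connect_netlogon()` and `cli_rpc_pipe_open_noauth()` named in the thread are only referred to in comments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for Samba's enum dcerpc_transport_t (assumption: defined
 * locally so the example is self-contained). */
enum transport_kind {
	XPORT_NCACN_IP_TCP,	/* DCERPC over TCP, authenticated at the DCERPC layer */
	XPORT_NCACN_NP,		/* DCERPC over an SMB named pipe */
};

/* Authentication at the DCERPC layer. On NCACN_NP the SMB session
 * underneath may itself be anonymous while the DCERPC layer stays
 * authenticated; that is the "anonymous smb" fallback in the thread. */
enum dcerpc_auth_kind {
	AUTH_AUTHENTICATED,	/* e.g. schannel with the machine/trust account */
	AUTH_NONE,		/* what cli_rpc_pipe_open_noauth() would give */
};

struct connect_attempt {
	enum transport_kind transport;
	enum dcerpc_auth_kind auth;
};

/* Hypothetical policy inputs, mirroring the two smb.conf options the
 * thread names plus whether the remote domain is Active Directory. */
struct wb_policy {
	bool is_ad_domain;
	bool winbind_sealed_pipes;	/* "winbind sealed pipes" */
	bool require_strong_key;	/* "require strong key" */
};

/* The downgrade gate: an unauthenticated DCERPC connection is only
 * permitted when BOTH protections are switched off. Either one set
 * means a silent fallback would defeat a configured guarantee. */
static bool anonymous_fallback_allowed(const struct wb_policy *p)
{
	return !p->winbind_sealed_pipes && !p->require_strong_key;
}

/* Fill `plan` with the ordered attempts a cm_connect_netlogon()-style
 * function would make under the proposal: NCACN_IP_TCP first for AD
 * domains, then an authenticated named pipe, and an unauthenticated
 * pipe last and only if policy allows it. Returns the entry count. */
static size_t build_connect_plan(const struct wb_policy *p,
				 struct connect_attempt *plan, size_t max)
{
	size_t n = 0;

	if (p->is_ad_domain && n < max) {
		plan[n++] = (struct connect_attempt){ XPORT_NCACN_IP_TCP, AUTH_AUTHENTICATED };
	}
	if (n < max) {
		plan[n++] = (struct connect_attempt){ XPORT_NCACN_NP, AUTH_AUTHENTICATED };
	}
	if (anonymous_fallback_allowed(p) && n < max) {
		plan[n++] = (struct connect_attempt){ XPORT_NCACN_NP, AUTH_NONE };
	}
	return n;
}

/* Query helpers so a caller can inspect a plan without holding the
 * array itself. */
static size_t plan_length(bool ad, bool sealed, bool strong)
{
	struct wb_policy p = { ad, sealed, strong };
	struct connect_attempt plan[3];
	return build_connect_plan(&p, plan, 3);
}

static enum transport_kind plan_first_transport(bool ad, bool sealed, bool strong)
{
	struct wb_policy p = { ad, sealed, strong };
	struct connect_attempt plan[3];
	build_connect_plan(&p, plan, 3);	/* always yields at least one entry */
	return plan[0].transport;
}

static bool plan_ends_unauthenticated(bool ad, bool sealed, bool strong)
{
	struct wb_policy p = { ad, sealed, strong };
	struct connect_attempt plan[3];
	size_t n = build_connect_plan(&p, plan, 3);
	return plan[n - 1].auth == AUTH_NONE;
}

int main(void)
{
	const char *xport[] = { "ncacn_ip_tcp", "ncacn_np" };
	const char *auth[] = { "authenticated", "noauth" };
	/* Constructed sample: an AD trust with the default protections on. */
	struct wb_policy p = { true, true, true };
	struct connect_attempt plan[3];
	size_t n = build_connect_plan(&p, plan, 3);

	for (size_t i = 0; i < n; i++) {
		printf("attempt %zu: %s / %s\n", i + 1,
		       xport[plan[i].transport], auth[plan[i].auth]);
	}
	return 0;
}
```

With the defaults (both options on) the plan never reaches `AUTH_NONE`, so a DC that refuses authenticated binds simply fails the connection instead of being retried anonymously; the unauthenticated entry only appears when an administrator has explicitly turned both settings off.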