More forest trust related patches
Andrew Bartlett
abartlet at samba.org
Mon Apr 13 01:29:38 MDT 2015
On Sun, 2015-04-12 at 21:38 +0200, Stefan (metze) Metzmacher wrote:
> Hi,
>
> I moved a lot more stuff to the -ok branch (Note I also changed/fixed some
> of the dsdb_trust_* helper functions compared to the last patchset!)
>
> It passed autobuild a few times and it's ready for master from my side.
>
> Note that samba-tool domain trust create needs to generate a true
> utf8 based password if --no-aes-keys is given, this is required
> because our kerberos client code can't handle random utf16munged passwords
> for arcfour-hmac-md5 pre-auth yet.
Indeed.
> However there are a few TODOs in the remaining patches.
> It's mainly related to bug #11130, where we should allow
> COMPUTERNAME@REALM and map it to COMPUTERNAME$@REALM.
> The same applies also for trust accounts (I guess it's just based on the
> '$').
> It's allowed as a client and also as a service principal.
> I added some tests for it and hacked a mostly working (but ugly)
> implementation,
> Andrew maybe you can work out a better fix :-)
I'm really curious as to if this is related to samAccountName, or
perhaps CN or dnsHostName as attributes. I guess I need to do more
testing.
> Note that winbindd uses MYDOMAIN@OTHERREALM for kinit and generates some
> warnings without the fix for bug #11130, but it still works fine.
>
> Please review and push the -ok patches.
I'll take a look.
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba