More forest trust related patches

Andrew Bartlett <abartlet@samba.org>
Tue Apr 14 23:00:02 MDT 2015


On Sun, 2015-04-12 at 21:38 +0200, Stefan (metze) Metzmacher wrote:
> Hi,
> 
> I moved a lot more stuff to the -ok branch (note that I also changed/fixed some
> of the dsdb_trust_* helper functions compared to the last patchset!)
> 
> It passed autobuild a few times and it's ready for master from my side.
> 
> Note that samba-tool domain trust create needs to generate a true
> UTF-8 based password if --no-aes-keys is given; this is required
> because our Kerberos client code can't handle random utf16-munged passwords
> for arcfour-hmac-md5 pre-auth yet.
> 
> However, there are a few TODOs in the remaining patches.
> They are mainly related to bug #11130, where we should allow
> COMPUTERNAME@REALM and map it to COMPUTERNAME$@REALM.
> The same also applies to trust accounts (I guess it's just based on the
> '$').
> It's allowed as a client and also as a service principal.
> I added some tests for it and hacked up a mostly working (but ugly)
> implementation; Andrew, maybe you can work out a better fix :-)
> 
> Note that winbindd uses MYDOMAIN@OTHERREALM for kinit and generates some
> warnings without the fix for bug #11130, but it still works fine.
> 
> Please review and push the -ok patches.

This is really, really good.  The only concern I still have is around
testing.  We need tests that:
- walk over all the new samba-tool domain commands.  That is important
  because otherwise we won't even notice if we break them when trying
  python3 upgrades, or other sweeping changes.
- specifically test for the referral behaviour shown by
  HDB_ERR_WRONG_REALM.  This is important because we will soon need to
  update Heimdal, and folks like Debian combine Samba with untested
  upstream versions.
- test for (the ban on) changing the trust password over LDAP
- test for listing local groups on the AD DC
- test different KVNO values on trusts
- test the new --local-dc (special_name) handling in Credentials

I realise that some of this is tested in integration tests, but I'm
starting to insist on unit tests (like the great work on the $ removal
stuff) for KDC changes.  The other issue with the integration tests is
that a number of tests (validation, namespaces) are being done in the
environment creation, when these should be done as distinct unit tests. 

I do realise I'm asking for a lot of work, and I'm happy to help on
this, either between now and SambaXP, or at SambaXP, so we get this done
right. 

Thanks!

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
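The UTF-8 password requirement quoted above (the --no-aes-keys case) comes down to one failure mode: a password generated as random 16-bit units can contain an unpaired surrogate, and such a UTF-16LE buffer has no UTF-8 form, so a client that derives its arcfour-hmac-md5 key from a UTF-8 string can never reproduce the key. The following is an added example, not Samba's code; it models a random UTF-16 trust password as random code units (an assumption), shows a constructed buffer that cannot be represented in UTF-8, and generates a password that round-trips.

```python
"""Why a trust password must be genuine UTF-8 when only RC4 keys are wanted.

Added example, not Samba code. The "random UTF-16 password" model here
(random 16-bit code units, surrogates and all) is an assumption about
what makes such passwords unrepresentable in UTF-8; the sample buffers
are constructed.
"""
import os
import secrets
import string
from typing import Optional


def utf16le_to_utf8(password_utf16le: bytes) -> Optional[bytes]:
    """Return the UTF-8 form of a UTF-16LE buffer, or None if the buffer is
    not valid Unicode (e.g. it contains an unpaired surrogate)."""
    try:
        return password_utf16le.decode("utf-16-le").encode("utf-8")
    except UnicodeDecodeError:
        return None


def round_trips(password_utf16le: bytes) -> bool:
    """True if UTF-16LE -> UTF-8 -> UTF-16LE gives back the same bytes,
    i.e. every key-derivation path starting from either form agrees."""
    utf8 = utf16le_to_utf8(password_utf16le)
    if utf8 is None:
        return False
    return utf8.decode("utf-8").encode("utf-16-le") == password_utf16le


def random_utf16_password(n_units: int) -> bytes:
    """Model of a Windows-style random password: n random UTF-16 code units.
    Roughly 1 in 32 units is a surrogate, so long passwords almost always
    contain an unpaired one and fail round_trips()."""
    return os.urandom(2 * n_units)


def random_utf8_password(n_chars: int = 128) -> str:
    """Password built only from printable ASCII. It is identical in UTF-8 and
    needs no surrogates in UTF-16, so both encodings describe the same key
    input. secrets.choice gives CSPRNG-quality selection."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(n_chars))


# Constructed samples (UTF-16LE byte strings).
MUNGED = b"A\x00\x00\xd8B\x00"              # 'A', lone high surrogate U+D800, 'B'
CLEAN = "Tr0ub4dor&3".encode("utf-16-le")     # plain ASCII, round-trips
PAIRED = "\U0001F600".encode("utf-16-le")     # a proper surrogate pair: fine

if __name__ == "__main__":
    for label, buf in (("munged", MUNGED), ("clean", CLEAN), ("paired", PAIRED)):
        print(label, "utf8:", utf16le_to_utf8(buf), "round-trips:", round_trips(buf))
    print("random utf16 round-trips:", round_trips(random_utf16_password(120)))
    print("generated utf8 password round-trips:",
          round_trips(random_utf8_password().encode("utf-16-le")))
```

The check worth keeping is round_trips(): a generator that passes it produces a password for which the UTF-8 and UTF-16LE derivations of the RC4 key cannot disagree, which is exactly what the arcfour-hmac-md5 pre-auth path needs.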



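The bug #11130 mapping quoted in the message (COMPUTERNAME@REALM resolving to the COMPUTERNAME$ account, and the same for trust accounts, as either a client or a service principal) can be modelled as a lookup with a guarded '$' fallback. The block below is an added example and not Samba's implementation: the directory is a constructed dict standing in for the dsdb lookup, the account names are made up, and the realm check only flags a foreign realm rather than building a referral.

```python
"""Resolve a Kerberos principal to an AD account with the '$' fallback.

Added example, not Samba code. Models the bug #11130 mapping discussed
on the list: a single-component principal NAME@REALM first tries the
sAMAccountName NAME, then NAME$, but accepts NAME$ only when that account
is a workstation, server or inter-domain trust account. The directory is
a constructed stand-in for the real dsdb lookup.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# userAccountControl bits (MS-ADTS) that mark computer and trust accounts.
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUST_ACCOUNT_MASK = (UF_INTERDOMAIN_TRUST_ACCOUNT
                         | UF_WORKSTATION_TRUST_ACCOUNT
                         | UF_SERVER_TRUST_ACCOUNT)


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    user_account_control: int


def parse_principal(principal: str, default_realm: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).

    A backslash escapes the next character, so 'odd\\@name@REALM' has the
    single component 'odd@name'. A missing realm defaults to default_realm.
    """
    components: List[str] = []
    current: List[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            current.append(principal[i + 1])
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(current))
            current = []
        elif realm is None and ch == "@":
            components.append("".join(current))
            current = []
            realm = ""          # marker: the rest of the string is the realm
        else:
            current.append(ch)
        i += 1
    if realm is None:
        components.append("".join(current))
        realm = default_realm
    else:
        realm = "".join(current)
    if not realm or any(c == "" for c in components):
        raise ValueError("malformed principal: %r" % principal)
    return components, realm


def resolve_principal(principal: str, our_realm: str,
                      directory: Dict[str, Account]) -> Tuple[str, object]:
    """Return ("OK", Account), ("WRONG_REALM", realm) or ("NOT_FOUND", None).

    The exact sAMAccountName wins, so a user literally named WS02 is never
    shadowed by the computer WS02$; the '$' fallback never promotes a plain
    user whose name happens to end in '$'.
    """
    components, realm = parse_principal(principal, our_realm)
    if realm.upper() != our_realm.upper():
        # Not a realm this KDC serves: a real KDC would answer with a
        # referral (cf. Heimdal's HDB_ERR_WRONG_REALM); this model only flags it.
        return ("WRONG_REALM", realm)
    if len(components) != 1:
        # host/name style SPNs go through servicePrincipalName lookup, not here.
        return ("NOT_FOUND", None)
    name = components[0].lower()          # sAMAccountName is case-insensitive
    account = directory.get(name)
    if account is not None:
        return ("OK", account)
    if not name.endswith("$"):
        account = directory.get(name + "$")
        if account is not None and account.user_account_control & UF_TRUST_ACCOUNT_MASK:
            return ("OK", account)
    return ("NOT_FOUND", None)


def build_directory(*accounts: Account) -> Dict[str, Account]:
    return {a.sam_account_name.lower(): a for a in accounts}


# Constructed sample directory; all names are made up.
DIRECTORY = build_directory(
    Account("alice", UF_NORMAL_ACCOUNT),
    Account("ws01$", UF_WORKSTATION_TRUST_ACCOUNT),
    Account("ws02", UF_NORMAL_ACCOUNT),             # user sharing a computer's base name
    Account("ws02$", UF_WORKSTATION_TRUST_ACCOUNT),
    Account("otherdom$", UF_INTERDOMAIN_TRUST_ACCOUNT),  # trust account for OTHERDOM
    Account("svc$", UF_NORMAL_ACCOUNT),             # plain user whose name ends in '$'
)

if __name__ == "__main__":
    for p in ("WS01@EXAMPLE.COM", "ws01$@EXAMPLE.COM", "OTHERDOM@EXAMPLE.COM",
              "ws02@EXAMPLE.COM", "svc@EXAMPLE.COM", "WS01@OTHER.COM"):
        print(p, "->", resolve_principal(p, "EXAMPLE.COM", DIRECTORY))
```

The two guards are the part a unit test for the KDC change should pin down: the exact-match-first rule (WS02 stays the user, WS02$ stays the computer) and the userAccountControl check on the fallback, without which any user account named NAME$ would start answering for the principal NAME@REALM.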