More forest trust related patches

Andrew Bartlett abartlet at
Tue Apr 14 23:00:02 MDT 2015

On Sun, 2015-04-12 at 21:38 +0200, Stefan (metze) Metzmacher wrote:
> Hi,
> I moved a lot more stuff to the -ok branch (Note I also changed and fixed some
> of the dsdb_trust_* helper functions compared to the last patchset!)
> It passed autobuild a few times and it's ready for master from my side.
> Note that samba-tool domain trust create needs to generate a true
> utf8 based password if --no-aes-keys is given, this is required
> because our kerberos client code can't handle random utf16munged passwords
> for arcfour-hmac-md5 pre-auth yet.
> However there are a few TODOs in the remaining patches.
> It's mainly related to bug #11130, where we should allow
> The same applies also for trust accounts (I guess it's just based on the
> '$').
> It's allowed as a client and also as a service principal.
> I added some tests for it and hacked a mostly working (but ugly
> implementation),
> Andrew maybe you can work out a better fix :-)
> Note that winbindd uses MYDOMAIN@OTHERREALM for kinit and generates some
> warnings without the fix for bug #11130, but it still works fine.
> Please review and push the -ok patches.

This is really, really good.  The only concern I still have is around
testing.  We need tests that:
- walk over all the new samba-tool domain commands.  That is important
  because otherwise we won't even notice if we break them when trying
  python3 upgrades, or other sweeping changes.
- specifically test for the referral behaviour shown by
  HDB_ERR_WRONG_REALM.  This is important because we will soon need to
  update Heimdal, and folks like Debian combine Samba with untested
  upstream versions.
- test for (the ban on) changing the trust password over LDAP
- test for listing local groups on the AD DC
- test different KVNO values on trusts
- test the new --local-dc (special_name) handling in Credentials

I realise that some of this is tested in integration tests, but I'm
starting to insist on unit tests (like the great work on the $ removal
stuff) for KDC changes.  The other issue with the integration tests is
that a number of tests (validation, namespaces) are being done in the
environment creation, when these should be done as distinct unit tests. 

I do realise I'm asking for a lot of work, and I'm happy to help on
this, either between now and SambaXP, or at SambaXP, so we get this done.

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
