More forest trust related patches

Stefan (metze) Metzmacher metze at samba.org
Tue Feb 10 14:16:16 MST 2015 

Am 10.02.2015 um 10:05 schrieb Andrew Bartlett:
> On Tue, 2015-02-10 at 09:41 +0100, Stefan (metze) Metzmacher wrote:
>> Hi,
>>
>> there're some more patches ready in my master4-forest-ok branch.
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
>>
>> Please review and push:-)
>>
>> Thanks!
>> metze
> 
> In
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=17cfcc3b65d19c1b683d3beec84f1ec159e1bea6
> 
> why do we have:
> 
>      ok = samdb_is_pdc(state->ldb);
> +       if (!ok) {
> +               DEBUG(2, ("Password changes for domain %s are only
> allowed on a PDC.\n",
> +                         domain));
> +               TALLOC_FREE(tmp_ctx);
> +               ldb_transaction_cancel(state->ldb);
> +               return false;
> +       }

Because only the PDC should change the trust password,
the caller should also check and not try at all it's not running on the PDC.
If more than one DC changes the password (maybe against multiple other
DCs in the remote
domain) we're very likely to break the trust.

> Also, I would really like some tests along the lines of what I just did
> in krb5.kdc to:
>  - set a trust password (both ascii and binary) over LSA
>  - connect as that trust over NETLOGON
>  - get a ticket to that trust from the KDC
>  - process that ticket and verify that we can decrypt it. 
> 
> That would give us the certainty that we are getting this UTF16-MUNGED
> stuff and other KDC parts right.

I don't see how this is any different from a workstation trust.

I'm currently working on blackbox tests using trusts between
two dc environments.

https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest
has all the work in progress, but I need to squash them a lot...

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150210/9a670faa/attachment.pgp>

More information about the samba-technical mailing list