More forest trust related patches
Andrew Bartlett
abartlet at samba.org
Tue Feb 10 22:07:17 MST 2015
On Tue, 2015-02-10 at 22:16 +0100, Stefan (metze) Metzmacher wrote:
> Am 10.02.2015 um 10:05 schrieb Andrew Bartlett:
> > On Tue, 2015-02-10 at 09:41 +0100, Stefan (metze) Metzmacher wrote:
> >> Hi,
> >>
> >> there're some more patches ready in my master4-forest-ok branch.
> >> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
> >>
> >> Please review and push:-)
> >>
> >> Thanks!
> >> metze
> >
> > In
> > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=17cfcc3b65d19c1b683d3beec84f1ec159e1bea6
> >
> > why do we have:
> >
> > ok = samdb_is_pdc(state->ldb);
> > + if (!ok) {
> > + DEBUG(2, ("Password changes for domain %s are only
> > allowed on a PDC.\n",
> > + domain));
> > + TALLOC_FREE(tmp_ctx);
> > + ldb_transaction_cancel(state->ldb);
> > + return false;
> > + }
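Review bot: the new `if (!ok)` block runs after the transaction has already been opened, which is why its failure path needs `ldb_transaction_cancel(state->ldb);` before `return false;`; moving the `samdb_is_pdc(state->ldb)` test ahead of the transaction start (or, as the follow-up reply suggests, into the caller) would avoid opening a write transaction on a DC that will never commit. Also, `ok = samdb_is_pdc(state->ldb);` is shown here without a `+`, so the value was already being computed before this change but never acted on; the commit message should say whether the unchecked result was an oversight, and the DEBUG(2, ...) text would be more useful to an admin if it named the trust-password operation being refused, not only the domain.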
>
> Because only the PDC should change the trust password,
> the caller should also check and not try at all if it's not running on the PDC.
> If more than one DC changes the password (maybe against multiple other
> DCs in the remote domain) we're very likely to break the trust.
>
> > Also, I would really like some tests along the lines of what I just did
> > in krb5.kdc to:
> > - set a trust password (both ascii and binary) over LSA
> > - connect as that trust over NETLOGON
> > - get a ticket to that trust from the KDC
> > - process that ticket and verify that we can decrypt it.
> >
> > That would give us the certainty that we are getting this UTF16-MUNGED
> > stuff and other KDC parts right.
>
> I don't see how this is any different from a workstation trust.
It is different because the server-side store is very different, and so
far the access and use of that store isn't very well tested.
> I'm currently working on blackbox tests using trusts between
> two dc environments.
>
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest
> has all the work in progress, but I need to squash them a lot...
Thanks, I'll take a look.
My concern recently working on our KDC has been that blackbox testing
doesn't trigger enough of the behaviours to be comprehensive. That's
why I started writing specific tests.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba