More forest trust related patches

Stefan (metze) Metzmacher metze at samba.org
Wed Jul 1 18:06:15 CEST 2015


Hi Andrew,

>>> can you have a look at my current master4-forest-ok branch?
>>>
>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok

I've uploaded updated patches.

>> In 
>> s4:kdc/db-glue: implement cross forest routing by return
>> HDB_ERR_WRONG_REALM
>>
>> How does this not break enterprise principal names?
> 
> For the client side it's *only* about enterprise principal names.
> We parse the enterprise principal and replace the 'realm' variable
> which is used to lookup in the routing table.
> 
> Also note that the routing table contains information about the local
> domain/forest and has LSA_TRUST_ATTRIBUTE_WITHIN_FOREST set.
> 
> Implementing intra forest routing is a task for another day
> and there're a lot more things to be done in order to support
> multi domain forests.
> 
>> We have a test for these, did it pass on them?
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a5a83e58ca422e27385e780a62bf8fe0e1dec0f2
> 
>> Also, this feels like a function that
>> belongs in the lookup client and server code, not in the main fetch()
>> case.
> 
> We just need one central place to hook it in, because we only need it
> once per request, samba_kdc_lookup_client() is called also via
> samba_kdc_lookup_server().
> 
> I also think these are already complex enough and should only
> care about the local database. The "guard" that checks if the
> request is for us can be an independent task that comes first.
> 
>> s4:dsdb/netlogon: add support for CLDAP requests with
>> AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
>>     
>> Can we have a test for this?
> 
> I'll try to add it to the rpc.lsa test

done

>> Also, can we please have tests for the rejection of password changes
>> over LDAP
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=4d5e380d09971966434fc7cff2ceed8f91270c21
> 
>> and trust version handling in:
>>
>> s4:rpc_server/netlogon: extract and pass down the password version in
>> dcesrv_netr_ServerPasswordSet2()
>>
>> To cover with tests:
>> s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback
>> to the previous hash for trusts
>>        
>> test_CreateTrustedDomainEx_common just needs to be extended to try the
>> old password.
> 
> I'll have a look.

done

>> In:
>> s4:rpc_server/netlogon: implement
>> NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
>>     
>> please do not add entries to skip, please use knownfail.  Otherwise if
>> this had gone in first, I might have missed that when I changed the
>> winbind implementions.  Likewise, it will be wrong if we get the winbind
>> removal in first.
> 
> I'll have a look.

removed

>> For the new samba-tool domain * commands, ideally we would use the
>> python framework for testing samba-tool commands (indeed, I think there
>> are two of them...), but the blackbox tests are OK.  The advantage of the
>> python one is that it can check expected output easily.
> 
> I don't think asserting the exact output is critical.
> For the namespace commands we add new values and delete them later,
> so we can be pretty sure the commands really add them.
> 
> If you had reminded me about the python blackbox testing before,
> I would have used them.
> 
>> It is really hard to review the massive commit with the samba-tool
>> domain commands in it.  I don't have a good solution (splitting it up
>> might help, but I would rather more tests), but I just needed to say
>> that.
> 
> That applies to all kinds of tests which try to cover a lot of commands.
> 
>> Finally, previously, I asked:
>>  - test the new --local-dc (special_name) handling in Credentials
>> Sadly I can't see those tests
> 
> The blackbox tests for samba-tool domain * use it in every 2nd command
> 
> TRUST_SERVER_CREDS_ARGS="--local-dc-ipaddress ${TRUST_SERVER}
> --local-dc-username ${TRUST_CREDS}"
> 
>> This is a great, impressive and massive piece of work, and I'm really
>> excited to see it.
>>
>>> I added more tests and fixed some bugs, which were found.
>>>
>>> The master4-forest-tmp branch has one more test, which is not completely
>>> finished.
>>> (the rpc.lsa test we worked on at SambaXP). I think I just need to fix
>>> memory leaks
>>> and remove code that's commented out.
>>>
>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-tmp
>>
>> I really like this.  It covers a lot of the most important code paths!

This is the current version included in the master4-forest-ok branch now
and covers even a lot more:
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=18a71836f0ec8a5086f09aef87d76be7bf3aa9ab

It would be great if we can get this upstream soon.

I don't know how to test the kvno ignore thing,
I know about decode_TGS_REQ and all these tricks
and just exchanging the kvno field should be easy.
But my big problem is that this requires 2 kdcs
because we need to verify that the target kdc
accepts the ticket generated at the source kdc.
Or we need to do a lot of work to construct the ticket
ourselves, including the signed PAC and other very complex
crypto stuff. But I think we can do that later.

At least I'm verifying the kvno used for the referral ticket,
it's the one with the lowest value.
If the current kvno is 0, the previous is 255,
in that case kvno 0 (NULL on the wire) is used
together with the current key. Otherwise the previous
key is used with kvno = current - 1. This happens
for one hour after the password change, then the higher kvno is
preferred.

metze
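The kvno selection rule described in the last paragraph, as an added example in C. This is not Samba's code and does not reproduce its KDC internals; it assumes that trust-account kvnos are 8 bits wide (so 0 follows 255, as the 0/255 case in the mail implies), that the "one hour" window is exactly 3600 seconds, and that the caller knows when the trust password was last changed. The function names (choose_referral_key, referral_kvno, kvno_omitted_on_wire) are invented for the example:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added example, not Samba's code. Models the referral-ticket kvno choice
 * from the mail: for one hour after a trust password change the lower of
 * the two kvnos is used, with the 0/255 wraparound special case; after the
 * hour the higher (current) kvno is preferred.
 * Assumptions: 8-bit kvno (0 follows 255), a 3600 second window, and the
 * caller supplies the last change time. */

#define REFERRAL_PREV_KEY_WINDOW 3600 /* seconds, assumed */

struct referral_key_choice {
    uint8_t kvno;         /* kvno put in the ticket; 0 is sent as absent */
    bool use_current_key; /* true: current trust key, false: previous key */
};

struct referral_key_choice
choose_referral_key(uint8_t current_kvno, bool have_previous,
                    time_t last_change, time_t now)
{
    struct referral_key_choice c = { current_kvno, true };

    if (!have_previous ||
        difftime(now, last_change) >= REFERRAL_PREV_KEY_WINDOW) {
        /* No previous key, or the hour is over: prefer the current kvno. */
        return c;
    }

    /* Previous kvno is current - 1 modulo 256; 0 - 1 wraps to 255. */
    uint8_t prev_kvno = (uint8_t)(current_kvno - 1);

    if (current_kvno < prev_kvno) {
        /* Only reachable for current == 0, previous == 255: the lowest
         * value is 0, which belongs to the current key, so the current
         * key is used and kvno 0 (NULL/absent on the wire) is sent. */
        return c;
    }

    /* Normal case inside the window: previous key, kvno = current - 1. */
    c.kvno = prev_kvno;
    c.use_current_key = false;
    return c;
}

/* Scalar helpers so the choice can be checked without the struct. */
uint8_t referral_kvno(uint8_t cur, bool have_prev, time_t changed, time_t now)
{
    return choose_referral_key(cur, have_prev, changed, now).kvno;
}

bool referral_uses_current_key(uint8_t cur, bool have_prev,
                               time_t changed, time_t now)
{
    return choose_referral_key(cur, have_prev, changed, now).use_current_key;
}

/* kvno 0 is encoded as an absent EncryptedData kvno field ("NULL"). */
bool kvno_omitted_on_wire(uint8_t kvno)
{
    return kvno == 0;
}

int main(void)
{
    const time_t changed = 1000; /* constructed sample change time */
    struct { uint8_t cur; bool prev; time_t now; } cases[] = {
        { 5, true,  changed + 60 },   /* inside window: kvno 4, previous key */
        { 5, true,  changed + 3600 }, /* window over: kvno 5, current key */
        { 0, true,  changed + 60 },   /* wraparound: kvno 0, current key */
        { 7, false, changed + 60 },   /* no previous key: kvno 7 */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct referral_key_choice c = choose_referral_key(
            cases[i].cur, cases[i].prev, changed, cases[i].now);
        printf("current=%u have_prev=%d age=%lds -> kvno=%u (%s) key=%s\n",
               (unsigned)cases[i].cur, (int)cases[i].prev,
               (long)(cases[i].now - changed), (unsigned)c.kvno,
               kvno_omitted_on_wire(c.kvno) ? "absent" : "present",
               c.use_current_key ? "current" : "previous");
    }
    return 0;
}
```

The edge worth noticing when exercising this is that kvno 0 on the wire is ambiguous by itself: with current kvno 0 it carries the current key, but with current kvno 1 it carries the previous key, so a receiving KDC that sees an absent kvno has to try the key that matches by age rather than by number.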
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff.txt.gz
Type: application/gzip
Size: 80879 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150701/e5a65519/attachment.bin>