More forest trust related patches

Alexander Bokovoy ab at samba.org
Wed Jul 8 13:12:59 CEST 2015


On Wed, Jul 08, 2015 at 12:23:34PM +0200, Stefan (metze) Metzmacher wrote:
> Am 08.07.2015 um 10:17 schrieb Alexander Bokovoy:
> > On Wed, Jul 08, 2015 at 07:35:33AM +0200, Stefan (metze) Metzmacher wrote:
> >> Am 08.07.2015 um 03:16 schrieb Andrew Bartlett:
> >>> On Thu, 2015-07-02 at 14:58 +0200, Stefan (metze) Metzmacher wrote:
> >>>> Am 01.07.2015 um 23:18 schrieb Stefan (metze) Metzmacher:
> >>>>> Am 01.07.2015 um 18:06 schrieb Stefan (metze) Metzmacher:
> >>>>>> Hi Andrew,
> >>>>>>
> >>>>>>>>> can you have a look at my current master4-forest-ok branch?
> >>>>>>>>>
> >>>>>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
> >>>>>>
> >>>>>> I've uploaded updated patches.
> >>>>>
> >>>>> The commit message of
> >>>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=f56effe2aae08c89858dc5f1cf1f44b1e20ada5d
> >>>>>
> >>>>> Needs to be fixed: dsdb_trust_routing_tln() is now
> >>>>> dsdb_trust_routing_by_name()...
> >>>>
> >>>> Fixed in the current master4-forest-ok branch.
> >>>
> >>> I've reviewed these and they are in autobuild now!
> >>
> >> Thanks!
> >>
> >>> One last thing to look at is fixing our SamLogon server in
> >>> dcesrv_netr_LogonSamLogon_base not to set unilaterally:
> >>>
> >>> 	*r->out.authoritative = 1;
> >>>
> >>> It needs to only be set if we were the trusted domain.  Sadly this
> >>> issue will make fixing the trusted domain vs unknown name handling in
> >>> our file server harder :-(
> >>
> >> There's even much more required on the netlogon/lsa/drsuapi front.
> >>
> >> And all the sid-filtering rules are missing as well as having
> >> identities from other domains as member of (universal?) groups.
> >>
> >> But I think it's good to have the basics available in 4.3,
> >> I'll write a WHATSNEW section explaining what should work and what not.
> > There is also an issue with the content of TDO objects we create when
> > trust is established. Microsoft's protocol test suite complains they are
> > not valid. I don't have many details yet as my Samba AD VM which was
> > used for testing at IO Lab is somewhere travelling on a USB drive I
> > forgot at the lab.
> 
> That might already be fixed with
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=816d1527c0b8bbde1d206159f5f7fef6683b02f1
> 
> But it would be good to get the detailed test results.
Yes, I've planned to do another round of tests with MSFT team later this
summer. Your commit makes total sense, of course.

-- 
/ Alexander Bokovoy

