More forest trust related patches

Andrew Bartlett abartlet at samba.org
Tue Jun 23 18:30:53 MDT 2015


On Wed, 2015-06-24 at 00:40 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> can you have a look at my current master4-forest-ok branch?
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok

In 
s4:kdc/db-glue: implement cross forest routing by return
HDB_ERR_WRONG_REALM

How does this not break enterprise principal names?  We have a test for
these, did it pass on them?  Also, this feels like a function that
belongs in the lookup client and server code, not in the main fetch()
case.

In

s4:dsdb/netlogon: add support for CLDAP requests with
AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
    
Can we have a test for this?

Also, can we please have tests for the rejection of password changes
over LDAP and trust version handling in:

s4:rpc_server/netlogon: extract and pass down the password version in
dcesrv_netr_ServerPasswordSet2()

To cover with tests:
s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback
to the previous hash for trusts
       
test_CreateTrustedDomainEx_common just needs to be extended to try the
old password.

In:
s4:rpc_server/netlogon: implement
NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
    
Please do not add entries to skip, please use knownfail.  Otherwise if
this had gone in first, I might have missed that when I changed the
winbind implementations.  Likewise, it will be wrong if we get the winbind
removal in first.

For the new samba-tool domain * commands, ideally we would use the
python framework for testing samba-tool commands (indeed, I think there
are two of them...), but the blackbox tests are OK.  The advantage of the
python one is that it can check expected output easily.

It is really hard to review the massive commit with the samba-tool
domain commands in it.  I don't have a good solution (splitting it up
might help, but I would rather more tests), but I just needed to say
that.

Finally, previously, I asked:
 - test the new --local-dc (special_name) handling in Credentials
Sadly I can't see those tests.

This is a great, impressive and massive piece of work, and I'm really
excited to see it.

> I added more tests and fixed some bugs, which were found.
> 
> The master4-forest-tmp branch has one more test, which is not completely
> finished.
> (the rpc.lsa test we worked on at SambaXP). I think I just need to fix
> memory leaks
> and remove code that's commented out.
> 
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-tmp

I really like this.  It covers a lot of the most important code paths!

I would like to have this test also cover the UTF16-MUNGED case, but I
realise that is probably asking a bit much. 

> So what's left to do before we can push it to master?
> 
> I can try to add a test regarding the kvno number checking, if it turns out
> to be doable without too much work. But even without such a test I think
> it's pretty clear that the following commit is a required improvement
> compared to the current broken state. See
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=bb22983ce51ae41d60ea

I've given you a pile of work above (sorry), but after that I think we
are ready. 

Sorry to have taken so long to give you this feedback,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



