More forest trust related patches

Andrew Bartlett abartlet at
Tue Jun 23 18:30:53 MDT 2015

On Wed, 2015-06-24 at 00:40 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> can you have a look at my current master4-forest-ok branch?

s4:kdc/db-glue: implement cross forest routing by return

How does this not break enterprise principal names?  We have a test for
these, did it pass on them?  Also, this feels like a function that
belongs in the lookup client and server code, not in the main fetch()


s4:dsdb/netlogon: add support for CLDAP requests with
AAC=0x00000400(ACB_AUTOLOCK) and user=""
Can we have a test for this?

Also, can we please have tests for the rejection of password changes
over LDAP and trust version handling in:

s4:rpc_server/netlogon: extract and pass down the password version in

To cover with tests:
s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback
to the previous hash for trusts
test_CreateTrustedDomainEx_common just needs to be extended to try the
old password.

s4:rpc_server/netlogon: implement
Please do not add entries to skip, please use knownfail.  Otherwise if
this had gone in first, I might have missed that when I changed the
winbind implementations.  Likewise, it will be wrong if we get the winbind
removal in first.

For the new samba-tool domain * commands, ideally we would use the
python framework for testing samba-tool commands (indeed, I think there
are two of them...), but the blackbox tests are OK.  The advantage of the
python one is that it can check expected output easily.

It is really hard to review the massive commit with the samba-tool
domain commands in it.  I don't have a good solution (splitting it up
might help, but I would rather more tests), but I just needed to say

Finally, previously, I asked:
 - test the new --local-dc (special_name) handling in Credentials
Sadly I can't see those tests

This is a great, impressive and massive piece of work, and I'm really
excited to see it.

> I added more tests and fixed some bugs, which were found.
> The master4-forest-tmp branch has one more test, which is not completely
> finished.
> (the rpc.lsa test we worked on at SambaXP). I think I just need to fix
> memory leaks
> and remove code that's commented out.

I really like this.  It covers a lot of the most important code paths!

I would like to have this test also cover the UTF16-MUNGED case, but I
realise that is probably asking a bit much. 

> So what's left to do before we can push it to master?
> I can try to add a test regarding the kvno number checking, if it turns out
> to be doable without too much work. But even without such a test I think
> it's pretty clear that the following commit is a required improvement
> compared to the current broken state. See

I've given you a pile of work above (sorry), but after that I think we
are ready. 

Sorry to have taken so long to give you this feedback,

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
