More forest trust related patches

Stefan (metze) Metzmacher metze at samba.org
Wed Jun 24 01:16:21 MDT 2015


On 24.06.2015 at 02:30, Andrew Bartlett wrote:
> On Wed, 2015-06-24 at 00:40 +0200, Stefan (metze) Metzmacher wrote:
>> Hi Andrew,
>>
>> can you have a look at my current master4-forest-ok branch?
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
> 
> In 
> s4:kdc/db-glue: implement cross forest routing by return
> HDB_ERR_WRONG_REALM
> 
> How does this not break enterprise principal names?

For the client side it's *only* about enterprise principal names.
We parse the enterprise principal and replace the 'realm' variable
which is used for the lookup in the routing table.

Also note that the routing table contains information about the local
domain/forest and has LSA_TRUST_ATTRIBUTE_WITHIN_FOREST set.

Implementing intra-forest routing is a task for another day,
and there are a lot more things to be done in order to support
multi-domain forests.

> We have a test for these, did it pass on them?

https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=a5a83e58ca422e27385e780a62bf8fe0e1dec0f2

> Also, this feels like a function that
> belongs in the lookup client and server code, not in the main fetch()
> case.

We just need one central place to hook it in, because we only need it
once per request, samba_kdc_lookup_client() is called also via
samba_kdc_lookup_server().

I also think these are already complex enough and should only
care about the local database. The "guard" that checks if the
request is for us can be an independent task that comes first.

> s4:dsdb/netlogon: add support for CLDAP requests with
> AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
>     
> Can we have a test for this?

I'll try to add it to the rpc.lsa test.

> Also, can we please have tests for the rejection of password changes
> over LDAP

https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=4d5e380d09971966434fc7cff2ceed8f91270c21

> and trust version handling in:
> 
> s4:rpc_server/netlogon: extract and pass down the password version in
> dcesrv_netr_ServerPasswordSet2()
> 
> To cover with tests:
> s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback
> to the previous hash for trusts
>        
> test_CreateTrustedDomainEx_common just needs to be extended to try the
> old password.

I'll have a look.

> In:
> s4:rpc_server/netlogon: implement
> NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
>     
> please do not add entries to skip, please use knownfail.  Otherwise if
> this had gone in first, I might have missed that when I changed the
> winbind implementations.  Likewise, it will be wrong if we get the winbind
> removal in first.

I'll have a look.

> For the new samba-tool domain * commands, ideally we would use the
> python framework for testing samba-tool commands (indeed, I think there
> are two of them...), but the blackbox tests are OK.  The advantage of the
> python one is that it can check expected output easily.

I don't think asserting the exact output is critical.
For the namespace commands we add new values and delete them later,
so we can be pretty sure the commands really add them.

If you had reminded me about the python blackbox testing before,
I would have used them.

> It is really hard to review the massive commit with the samba-tool
> domain commands in it.  I don't have a good solution (splitting it up
> might help, but I would rather more tests), but I just needed to say
> that.

That applies to all kind of tests which try to cover a lot of commands.

> Finally, previously, I asked:
>  - test the new --local-dc (special_name) handling in Credentials
> Sadly I can't see those tests

The blackbox tests for samba-tool domain * use it in every second command:

TRUST_SERVER_CREDS_ARGS="--local-dc-ipaddress ${TRUST_SERVER}
--local-dc-username ${TRUST_CREDS}"

> This is a great, impressive and massive piece of work, and I'm really
> excited to see it.
> 
>> I added more tests and fixed some bugs, which were found.
>>
>> The master4-forest-tmp branch has one more test, which is not completely
>> finished.
>> (the rpc.lsa test we worked on at SambaXP). I think I just need to fix
>> memory leaks
>> and remove code that's commented out.
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-tmp
> 
> I really like this.  It covers a lot of the most important code paths!
> 
> I would like to have this test also cover the UTF16-MUNGED case, but I
> realise that is probably asking a bit much. 

Yes, we first need to fix all layers to cope with it on the client side
(the kinit code path), but that's a generic problem not related to
(forest) trusts.

metze
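The routing "guard" described in the reply above (parse the enterprise principal, swap in its domain as the realm, consult a routing table that also lists the local domain with LSA_TRUST_ATTRIBUTE_WITHIN_FOREST set, and answer WRONG_REALM for a foreign forest), as an added illustrative model. This is not Samba's db-glue code; the RoutingEntry type, the outcome names, the sample table and the NOT_FOUND handling for unknown realms are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flag value as defined in MS-LSAD (TRUST_ATTRIBUTE_WITHIN_FOREST).
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020

# Kerberos principal name types (RFC 4120 / MS-KILE).
NT_PRINCIPAL = 1
NT_ENTERPRISE = 10

# Outcomes of the guard. The HDB_* names follow Heimdal's error codes;
# mapping unknown realms to NOT_FOUND is an assumption of this model.
LOCAL_LOOKUP = "local-lookup"
WRONG_REALM = "HDB_ERR_WRONG_REALM"
NOT_FOUND = "HDB_ERR_NOENTRY"


@dataclass(frozen=True)
class RoutingEntry:            # hypothetical shape of one routing-table row
    dns_name: str              # DNS domain name of the local or trusted domain
    kerberos_realm: str        # realm the client is referred to
    trust_attributes: int      # LSA_TRUST_ATTRIBUTE_* bits


def build_routing_table(entries: List[RoutingEntry]) -> Dict[str, RoutingEntry]:
    # DNS names are case-insensitive, so key the table on the lower-cased name.
    return {e.dns_name.lower(): e for e in entries}


def realm_for_lookup(name_type: int, components: List[str], realm: str) -> str:
    """An enterprise principal has one component of the form 'user@domain';
    its domain part replaces the realm used for the routing-table lookup."""
    if name_type == NT_ENTERPRISE and len(components) == 1 and "@" in components[0]:
        return components[0].rsplit("@", 1)[1]
    return realm


def route_request(name_type: int, components: List[str], realm: str,
                  table: Dict[str, RoutingEntry]) -> Tuple[str, Optional[str]]:
    """The guard that runs once per request, before any local DB access."""
    entry = table.get(realm_for_lookup(name_type, components, realm).lower())
    if entry is None:
        return NOT_FOUND, None
    if entry.trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST:
        # Our own domain (and, for now, any domain of our forest): look up locally.
        return LOCAL_LOOKUP, None
    # Cross-forest trust: tell the client which realm to ask instead.
    return WRONG_REALM, entry.kerberos_realm


# Constructed sample table: our own domain plus one forest trust.
TABLE = build_routing_table([
    RoutingEntry("samba.example.com", "SAMBA.EXAMPLE.COM", LSA_TRUST_ATTRIBUTE_WITHIN_FOREST),
    RoutingEntry("partner.example", "PARTNER.EXAMPLE", 0),
])
```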
