validation of msDS-TrustForestTrustInfo

Alexander Bokovoy ab at samba.org
Wed Feb 10 09:29:53 UTC 2016


Hi,

I think the current implementation of msDS-TrustForestTrustInfo validation
is incorrect with regards to the rules for identifying namespace collisions.

Right now Samba AD automatically disables the TLN of a trusted forest
example.com if it is itself installed in a subordinate of
example.com, e.g. samba.example.com.

MS-ADTS 6.1.6.9.3.2 is used to define the logic for validation. Namely,
rules 3 and 4 are relevant here:
---------------------------------
3. Each FQDN corresponding to a domain in a trusted forest is unique
among all TDOs and among all of the FQDNs and TLNs listed within the
ForestTrustData Records. If not, the Record MUST have the SDC bit in the
Record Flags.

4. Each FQDN for each domain in the trusted forest does not correspond
to any FQDNs within the domains from the local forest. If not, the
Record MUST have the SDC bit in the Record Flags.
---------------------------------

Additionally, following rules for namespace collision are relevant as well:
---------------------------------
The rules for determining whether namespaces collide for
ForestTrustTopLevelName Records are as follows:

1. Each TLN corresponding to a domain in a trusted forest is unique
among all TDOs, and among all of the FQDNs and TLNs listed within the
Forest Trust Data records. If not, the conflicting Record has the TDC
bit in the Record Flags. For the sake of consistency, since the two TLNs
are equal, the first TLN Record that is read is authoritative, and
subsequent conflicting Records are disabled.

2. Each TLN for each domain in the trusted forest does not correspond to
any FQDNs within the domains from the local forest. If not, the Record
has the TDC bit in the Record Flags.
----------------------------------

As a result, the conflicts between the trusted and trusting forests need
to be resolved on a pure FQDN comparison basis rather than taking subordination
into account, while self-consistency of the trusted domain object's trust
information should be fully checked for subordination.

-- 
/ Alexander Bokovoy
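The following is an added illustration, not Samba code and not text from MS-ADTS: it applies the quoted TLN rules 1 and 2 and domain rules 3 and 4 to a constructed set of forest trust records, with a `subordination` switch so the two cross-forest readings discussed in the mail (DNS subordination versus plain FQDN equality) can be compared on the mail's own example of a local forest samba.example.com trusting a forest whose TLN is example.com. The record shapes, the flag names as plain strings, and the helper names are assumptions made for the example; uniqueness within the trusted forest's own data is checked TLN-against-TLN and FQDN-against-FQDN only, since a forest root's domain FQDN legitimately equals its TLN.

```python
"""Added example: MS-ADTS namespace-collision rules applied to constructed
msDS-TrustForestTrustInfo records. Not Samba's validation code."""
from dataclasses import dataclass, field

# Record-flag names as used in the mail; the actual bit values are not modelled.
TDC = "TDC"   # TLN record disabled because of a name conflict
SDC = "SDC"   # domain record disabled because of an FQDN conflict


@dataclass
class TlnRecord:            # ForestTrustTopLevelName record (assumed shape)
    tln: str
    flags: set = field(default_factory=set)


@dataclass
class DomainRecord:         # ForestTrustDomainInfo record (assumed shape)
    fqdn: str
    flags: set = field(default_factory=set)


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is ignored."""
    return name.rstrip(".").lower()


def is_subordinate(child: str, parent: str) -> bool:
    """True if child equals parent or lies under it in the DNS tree."""
    child, parent = normalize(child), normalize(parent)
    return child == parent or child.endswith("." + parent)


def tln_collides(tln: str, local_fqdn: str, subordination: bool) -> bool:
    """Cross-forest TLN comparison under either reading:
    subordination=True  -> samba.example.com collides with TLN example.com
                           (the behaviour the mail describes as current)
    subordination=False -> pure FQDN equality (the reading the mail argues for)."""
    if subordination:
        return is_subordinate(tln, local_fqdn) or is_subordinate(local_fqdn, tln)
    return normalize(tln) == normalize(local_fqdn)


def validate(tlns, domains, local_fqdns, subordination):
    """Apply the quoted rules; return {"tln:<name>"|"domain:<name>": flags}.

    TLN rule 1 / domain rule 3: names must be unique within the trusted
    forest's own records; the first record read is authoritative and later
    duplicates are flagged. TLN rule 2 / domain rule 4: names must not
    correspond to a domain of the local forest; for TLNs the meaning of
    "correspond" is selected by the `subordination` switch, for domain
    FQDNs plain equality is used in both readings."""
    result = {}
    seen = set()
    for rec in tlns:
        n = normalize(rec.tln)
        if n in seen or any(tln_collides(rec.tln, l, subordination) for l in local_fqdns):
            rec.flags.add(TDC)
        seen.add(n)
        result[f"tln:{rec.tln}"] = set(rec.flags)
    seen = set()
    for rec in domains:
        n = normalize(rec.fqdn)
        if n in seen or any(n == normalize(l) for l in local_fqdns):
            rec.flags.add(SDC)
        seen.add(n)
        result[f"domain:{rec.fqdn}"] = set(rec.flags)
    return result


def mail_scenario(subordination: bool):
    """The situation from the mail: the local forest is samba.example.com,
    the trusted forest's TLN is example.com (constructed record set)."""
    tlns = [TlnRecord("example.com")]
    domains = [DomainRecord("example.com"), DomainRecord("child.example.com")]
    return validate(tlns, domains, ["samba.example.com"], subordination)


if __name__ == "__main__":
    for reading in (True, False):
        print("subordination =", reading, "->", mail_scenario(reading))
```

With `subordination=True` the TLN record for example.com ends up with TDC set, which is the disabling the mail reports; with `subordination=False` the same record stays enabled because no local domain FQDN equals example.com. The intra-forest uniqueness checks behave identically under both readings.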
