validation of msDS-TrustForestTrustInfo

Stefan Metzmacher metze at samba.org
Tue Feb 16 13:07:46 UTC 2016


Hi Alexander,
> any comments?
> 
> The example.com <-> ipa.example.com and ad.example.com <-> example.com
> scenarios work fine between AD and FreeIPA in production, only Samba AD
> implementation at fault here.

Can you file a bug and add more details?

I need the output of:

samba-tool domain trust namespaces
samba-tool domain trust show $OTHERDOMAIN
samba-tool domain trust namespaces $OTHERDOMAIN

And all these commands against all servers in all cases (at least Windows
and Samba).
You may need to use the '--local-dc-*' options to run against remote
servers.

Thanks!
metze

> On Wed, 10 Feb 2016, Alexander Bokovoy wrote:
>> Hi,
>>
>> I think the current implementation of msDS-TrustForestTrustInfo validation
>> is incorrect with regards to the rules for identifying namespace collisions.
>>
>> Right now Samba AD automatically disables the TLN of a trusted forest
>> example.com if it itself is installed in a subordinate of
>> example.com, e.g. samba.example.com.
>>
>> MS-ADTS 6.1.6.9.3.2 is used to define the logic for validation. Namely,
>> rules 3 and 4 are relevant here:
>> ---------------------------------
>> 3. Each FQDN corresponding to a domain in a trusted forest is unique
>> among all TDOs and among all of the FQDNs and TLNs listed within the
>> ForestTrustData Records. If not, the Record MUST have the SDC bit in the
>> Record Flags.
>>
>> 4. Each FQDN for each domain in the trusted forest does not correspond
>> to any FQDNs within the domains from the local forest. If not, the
>> Record MUST have the SDC bit in the Record Flags.
>> ---------------------------------
>>
>> Additionally, following rules for namespace collision are relevant as well:
>> ---------------------------------
>> The rules for determining whether namespaces collide for
>> ForestTrustTopLevelName Records are as follows:
>>
>> 1. Each TLN corresponding to a domain in a trusted forest is unique
>> among all TDOs, and among all of the FQDNs and TLNs listed within the
>> Forest Trust Data records. If not, the conflicting Record has the TDC
>> bit in the Record Flags. For the sake of consistency, since the two TLNs
>> are equal, the first TLN Record that is read is authoritative, and
>> subsequent conflicting Records are disabled.
>>
>> 2. Each TLN for each domain in the trusted forest does not correspond to
>> any FQDNs within the domains from the local forest. If not, the Record
>> has the TDC bit in the Record Flags.
>> ----------------------------------
>>
>> As a result, the conflicts between the trusted and trusting forests need
>> to be resolved on a pure FQDN comparison basis rather than taking subordination
>> into account, while self-consistency of the trusted domain object's trust
>> information should be fully checked for subordination.
>>
>> -- 
>> / Alexander Bokovoy
>>
> 
