[PATCH] Can't authenticate user from child-domain of trusted forest
Ralph Böhme
slow at samba.org
Tue Nov 28 12:10:12 UTC 2017
On Tue, Nov 28, 2017 at 01:02:13PM +0100, Volker Lendecke wrote:
> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > auth still fails because add_trusted_domain() will only be called in the domain
> > child, but not in the parent where we call find_domain_from_name_noinit().
>
> Hmm. Ok. Right. We could do either of two things: Always request info3
> from the child and pull the information in the parent before sending
> it out, and secondly make it a message. Probably the first way is
> cleaner, it creates less hidden, secret protocol elements.
I'm not sure the resulting struct winbind_domain is sufficiently initialized as
it lacks the DNS name and trust flags. I.e. after an attempt to auth a user from
previously unseen trusted domains, wbinfo -m looks like this:
$ bin/wbinfo -m --verbose
Domain Name  DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                            None        Yes         Yes  Yes
TITAN                              None        Yes         Yes  Yes
WDOM2        wdom2.site            None        Yes         Yes  Yes
WDOM1        wdom1.site            Forest      Yes         Yes  Yes
WDOM3        wdom3.site            Forest      Yes         No   Yes
SUBDOM21     subdom21.wdom2.site   In-Forest   Yes         Yes  Yes
SUBDOM11                           None        Yes         Yes  Yes
SUBDOM31                           None        Yes         Yes  Yes
I'm referring to SUBDOM11 and SUBDOM31 here. The Samba server is a member of
WDOM2. Here's the complete picture:
<https://cpaste.org/?390c7a18671a970e#Eh99bpBOsBAG9YOVHlee7BqZmTgO2vaGR9HhztZbLIY=>
Maybe it's simpler to push my patches, they fix the regression without the risk
of introducing further issues. It basically restores behaviour to before the
netlogon-creds patchset.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
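A check a member-server admin could run to spot the state described above, as an added example (not Samba's or the author's code): parse the wbinfo -m --verbose table and list trusts that winbind has left half-initialized, the SUBDOM11/SUBDOM31 case in the mail. It assumes the whitespace-separated column layout quoted above and that TITAN is the member server's own (local SAM) name.

```python
"""Flag trusted domains that winbind has only partially initialized
(empty DNS Domain column, trust type "None") in `wbinfo -m --verbose`
output.  Added example, not Samba code."""

# Constructed sample: the wbinfo table quoted in the mail above.
SAMPLE_OUTPUT = """\
Domain Name  DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                            None        Yes         Yes  Yes
TITAN                              None        Yes         Yes  Yes
WDOM2        wdom2.site            None        Yes         Yes  Yes
WDOM1        wdom1.site            Forest      Yes         Yes  Yes
WDOM3        wdom3.site            Forest      Yes         No   Yes
SUBDOM21     subdom21.wdom2.site   In-Forest   Yes         Yes  Yes
SUBDOM11                           None        Yes         Yes  Yes
SUBDOM31                           None        Yes         Yes  Yes
"""

FIELDS = ("name", "dns", "trust_type", "transitive", "inbound", "outbound")


def parse_wbinfo_domains(text):
    """Parse the table into one dict per domain.  A row that splits into
    only five tokens has an empty DNS Domain column, i.e. winbind never
    learned the DNS name for that trust."""
    domains = []
    for line in text.splitlines()[1:]:      # skip the header row
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) == 5:                # DNS Domain column is blank
            tokens.insert(1, "")
        if len(tokens) != 6:
            raise ValueError("unexpected wbinfo row: %r" % line)
        domains.append(dict(zip(FIELDS, tokens)))
    return domains


def uninitialized_trusts(domains, local_names):
    """Names of domains with no DNS name and trust type None, excluding
    BUILTIN and the local SAM (passed in local_names), where that is normal."""
    return [d["name"] for d in domains
            if d["name"] not in local_names
            and d["dns"] == "" and d["trust_type"] == "None"]


if __name__ == "__main__":
    # Assumption: TITAN is this member server's own name.
    doms = parse_wbinfo_domains(SAMPLE_OUTPUT)
    print(uninitialized_trusts(doms, {"BUILTIN", "TITAN"}))  # ['SUBDOM11', 'SUBDOM31']
```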