[PATCH] Can't authenticate user from child-domain of trusted forest

Ralph Böhme slow at samba.org
Tue Nov 28 12:10:12 UTC 2017


On Tue, Nov 28, 2017 at 01:02:13PM +0100, Volker Lendecke wrote:
> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > auth still fails because add_trusted_domain() will only be called in the domain
> > child, but not in the parent where we call find_domain_from_name_noinit().
> 
> Hmm. Ok. Right. We could do either of two things: Always request info3
> from the child and pull the information in the parent before sending
> it out, and secondly make it a message. Probably the first way is
> cleaner, it creates less hidden, secret protocol elements.

I'm not sure the resulting struct winbind_domain is sufficiently initialized as
it lacks the DNS name and trust flags. I.e. after an attempt to auth a user from
previously unseen trusted domains, wbinfo -m looks like this:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain           Trust Type  Transitive  In   Out
BUILTIN                              None        Yes         Yes  Yes
TITAN                                None        Yes         Yes  Yes
WDOM2           wdom2.site           None        Yes         Yes  Yes
WDOM1           wdom1.site           Forest      Yes         Yes  Yes
WDOM3           wdom3.site           Forest      Yes         No   Yes
SUBDOM21        subdom21.wdom2.site  In-Forest   Yes         Yes  Yes
SUBDOM11                             None        Yes         Yes  Yes
SUBDOM31                             None        Yes         Yes  Yes

I'm referring to SUBDOM11 and SUBDOM31 here. The Samba server is a member of
WDOM2. Here's the complete picture:

<https://cpaste.org/?390c7a18671a970e#Eh99bpBOsBAG9YOVHlee7BqZmTgO2vaGR9HhztZbLIY=>

Maybe it's simpler to push my patches, they fix the regression without the risk
of introducing further issues. It basically restores behaviour to before the
netlogon-creds patchset.

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
