[PATCH] Can't authenticate user from child-domain of trusted forest

Stefan Metzmacher metze at samba.org
Wed Nov 29 11:46:49 UTC 2017


On 29.11.2017 at 11:30, Ralph Böhme wrote:
> Hi Volker,
> 
> On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
>> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
>>> auth still fails because add_trusted_domain() will only be called in the domain
>>> child, but not in the parent where we call find_domain_from_name_noinit().
>>
>> What about that one?
> 
> what about this one? The first three patches are meant to fix wbinfo -m
> --verbose output and don't affect anything else. The current code would denote
> the added-on-the-fly domains as trust-type "Forest", transitive, in- and outgoing.
> 
> With those three wbinfo -m --verbose looks like this:
> 
> $ bin/wbinfo -m --verbose
> Domain Name     DNS Domain            Trust Type  Transitive  In   Out
> BUILTIN                               None        No          No   No
> TITAN                                 None        No          No   No
> WDOM2           wdom2.site            None        No          Yes  Yes
> WDOM1           wdom1.site            Forest      Yes         Yes  Yes
> WDOM3           wdom3.site            Forest      Yes         No   Yes
> SUBDOM21        subdom21.wdom2.site   In-Forest   Yes         Yes  Yes
> SUBDOM11                              None        No          No   No
> 
> SUBDOM11 was added on-the-fly after a successful auth.
> 
> Fixes something different than the original bug, so I still believe we need my
> initial patchset and eventually something like an add-domain-on-the-fly patchset.
> 
> How shall we proceed? You and metze are more familiar with this stuff.

I'm not so happy with trust_is_inbound() and trust_is_outbound().
If you ask a Windows DC for NETR_TRUST_FLAG_IN_FOREST you get all
domains in the forest, but only the direct trusts have
NETR_TRUST_FLAG_INBOUND and NETR_TRUST_FLAG_OUTBOUND.
Others, which are more than one hop away only have the
NETR_TRUST_FLAG_IN_FOREST flag.

Doing a useful listing for the above case is extremely difficult to get
right. E.g. for SUBDOM11 I can't imagine what values we could possibly
display. And there's also no good reason to even care about it. All
that's important is that we have our transitive outgoing workstation
trust to our primary domain, as that's the only direct trust a domain
member has.

metze
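As an added illustration of the NETR_TRUST_FLAG_* semantics discussed in this thread (example code, not Samba's winbind implementation): the flag values follow MS-NRPC, while the column mapping, the "n/a" convention and the sample entries are constructed assumptions, not captured from a DC.

```python
# Added example, not Samba/winbind code: classify DS_DOMAIN_TRUSTSW entries by the
# NETR_TRUST_FLAG_* bits, to show why only direct trusts yield In/Out columns.
# Flag values are from MS-NRPC (DsrEnumerateDomainTrusts); the column mapping is an
# illustrative approximation, not how winbind builds "wbinfo -m --verbose".

NETR_TRUST_FLAG_IN_FOREST = 0x00000001  # domain is a member of the local forest
NETR_TRUST_FLAG_OUTBOUND = 0x00000002   # direct outbound trust
NETR_TRUST_FLAG_TREEROOT = 0x00000004
NETR_TRUST_FLAG_PRIMARY = 0x00000008    # the querying machine's own domain
NETR_TRUST_FLAG_NATIVE = 0x00000010
NETR_TRUST_FLAG_INBOUND = 0x00000020    # direct inbound trust


def yes_no(flag):
    return "Yes" if flag else "No"


def describe_trust(name, flags):
    """Return (name, kind, in_forest, inbound, outbound) for one trust entry.

    INBOUND/OUTBOUND are only set on direct trusts. A domain that is only
    reachable through forest transitivity carries just IN_FOREST, and an entry
    learned on the fly (flags == 0) carries nothing, so In/Out become "n/a".
    """
    direct_in = bool(flags & NETR_TRUST_FLAG_INBOUND)
    direct_out = bool(flags & NETR_TRUST_FLAG_OUTBOUND)
    in_forest = bool(flags & NETR_TRUST_FLAG_IN_FOREST)
    if flags & NETR_TRUST_FLAG_PRIMARY:
        kind = "Primary"
    elif direct_in or direct_out:
        kind = "Direct"
    elif in_forest:
        kind = "Transitive-only"
    else:
        kind = "Unknown"
    if direct_in or direct_out:
        return (name, kind, yes_no(in_forest), yes_no(direct_in), yes_no(direct_out))
    return (name, kind, yes_no(in_forest), "n/a", "n/a")


def direct_trusts(entries):
    """Names of entries that have a direct trust in either direction."""
    return [n for n, f in entries if f & (NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND)]


# Constructed sample, as a member of WDOM2 might see it (not captured from a DC).
SAMPLE = [
    ("WDOM2", NETR_TRUST_FLAG_PRIMARY | NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND),
    ("SUBDOM21", NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND),
    ("SUBSUB21", NETR_TRUST_FLAG_IN_FOREST),  # two hops away: only IN_FOREST is set
    ("SUBDOM11", 0),                          # added on the fly after an auth: nothing known
]

if __name__ == "__main__":
    for row in (describe_trust(n, f) for n, f in SAMPLE):
        print("%-10s %-16s forest=%-3s in=%-3s out=%s" % row)
```

Running the block prints one row per sample entry; the two-hop and on-the-fly entries come out with "n/a" in both direction columns, which is the case metze says has no sensible value to display.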
