[PATCH] Can't authenticate user from child-domain of trusted forest
metze at samba.org
Wed Nov 29 11:46:49 UTC 2017
On 29.11.2017 at 11:30, Ralph Böhme wrote:
> Hi Volker,
> On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
>> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
>>> auth still fails because add_trusted_domain() will only be called in the domain
>>> child, but not in the parent where we call find_domain_from_name_noinit().
>> What about that one?
> what about this one? The first three patches are meant to fix wbinfo -m
> --verbose output and don't affect anything else. The current code would denote
> the added-on-the-fly domains as trust-type "Forest", transitive, in- and outgoing.
> With those three wbinfo -m --verbose looks like this:
> $ bin/wbinfo -m --verbose
> Domain Name   DNS Domain            Trust Type  Transitive  In   Out
> BUILTIN                             None        No          No   No
> TITAN                               None        No          No   No
> WDOM2         wdom2.site            None        No          Yes  Yes
> WDOM1         wdom1.site            Forest      Yes         Yes  Yes
> WDOM3         wdom3.site            Forest      Yes         No   Yes
> SUBDOM21      subdom21.wdom2.site   In-Forest   Yes         Yes  Yes
> SUBDOM11                            None        No          No   No
> SUBDOM11 was added on-the-fly after a successful auth.
> Fixes something different than the original bug, so I still believe we need my
> initial patchset and eventually something like an add-domain-on-the-fly patchset.
> How shall we proceed? You and metze are more familiar with this stuff.
I'm not so happy with trust_is_inbound() and trust_is_outbound().
If you ask a Windows DC for NETR_TRUST_FLAG_IN_FOREST you get all
domains in the forest, but only the direct trusts have
NETR_TRUST_FLAG_INBOUND and NETR_TRUST_FLAG_OUTBOUND.
Others, which are more than one hop away only have the
Doing a useful listing for the above case is extremely difficult to get
right. E.g. for SUBDOM11 I can't imagine what values we could possibly
display. And there's also no good reason to even care about it. All
that's important is that we have our transitive outgoing workstation
trust to our primary domain, as that's the only direct trust a domain