[PATCH] Can't authenticate user from child-domain of trusted forest

Stefan Metzmacher metze at samba.org
Wed Nov 29 12:20:06 UTC 2017


On 29.11.2017 at 12:46, Stefan Metzmacher via samba-technical wrote:
> On 29.11.2017 at 11:30, Ralph Böhme wrote:
>> Hi Volker,
>>
>> On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
>>> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
>>>> auth still fails because add_trusted_domain() will only be called in the domain
>>>> child, but not in the parent where we call find_domain_from_name_noinit().
>>>
>>> What about that one?
>>
>> what about this one? The first three patches are meant to fix wbinfo -m
>> --verbose output and don't affect anything else. The current code would denote
>> the added-on-the-fly domains as trust-type "Forest", transitive, in- and outgoing.
>>
>> With those three wbinfo -m --verbose looks like this:
>>
>> $ bin/wbinfo -m --verbose
>> Domain Name     DNS Domain            Trust Type  Transitive  In   Out
>> BUILTIN                               None        No          No   No
>> TITAN                                 None        No          No   No
>> WDOM2           wdom2.site            None        No          Yes  Yes
>> WDOM1           wdom1.site            Forest      Yes         Yes  Yes
>> WDOM3           wdom3.site            Forest      Yes         No   Yes
>> SUBDOM21        subdom21.wdom2.site   In-Forest   Yes         Yes  Yes
>> SUBDOM11                              None        No          No   No
>>
>> SUBDOM11 was added on-the-fly after a successful auth.
>>
>> Fixes something different than the original bug, so I still believe we need my
>> initial patchset and eventually something like an add-domain-on-the-fly patchset.
>>
>> How shall we proceed? You and metze are more familiar with this stuff.
> 
> I'm not so happy with trust_is_inbound() and trust_is_outbound()
> If you ask a Windows DC for NETR_TRUST_FLAG_IN_FOREST you get all
> domains in the forest, but only the direct trusts have
> NETR_TRUST_FLAG_INBOUND and NETR_TRUST_FLAG_OUTBOUND.
> Others, which are more than one hop away only have the
> NETR_TRUST_FLAG_IN_FOREST flag.
> 
> Doing a useful listing for the above case is extremely difficult to get
> right. E.g. for SUBDOM11 I can't imagine what values we could possibly
> display. And there's also no good reason to even care about it. All
> that's important is that we have our transitive outgoing workstation
> trust to our primary domain, as that's the only direct trust a domain
> member has.

I think the actual correct listing for wbinfo -m --verbose would be
something like:

Domain Name     DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                               Local       No          No   No
TITAN                                 Local       No          No   No
WDOM2           wdom2.site            Workstation Yes         No   Yes

metze
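The flag semantics metze describes above (every forest member carries NETR_TRUST_FLAG_IN_FOREST, but only one-hop trusts carry INBOUND/OUTBOUND), as an added illustration that is not part of the thread or of Samba's code. The flag values follow MS-NRPC DS_DOMAIN_TRUSTSW, which Samba's NETR_TRUST_FLAG_* constants mirror; the sample forest and the `classify_trust` / `transitive_only` helpers are constructed for this example.

```python
from dataclasses import dataclass

# Trust-flag bits of the netlogon trust enumeration (MS-NRPC DS_DOMAIN_TRUSTSW).
# Assumption: Samba's NETR_TRUST_FLAG_* constants use the same values.
NETR_TRUST_FLAG_IN_FOREST = 0x01
NETR_TRUST_FLAG_OUTBOUND = 0x02
NETR_TRUST_FLAG_TREEROOT = 0x04
NETR_TRUST_FLAG_PRIMARY = 0x08
NETR_TRUST_FLAG_NATIVE = 0x10
NETR_TRUST_FLAG_INBOUND = 0x20


@dataclass(frozen=True)
class TrustRecord:
    netbios: str
    dns: str
    flags: int


def classify_trust(rec: TrustRecord) -> dict:
    """Derive only those listing columns the DC's flags actually support."""
    inbound = bool(rec.flags & NETR_TRUST_FLAG_INBOUND)
    outbound = bool(rec.flags & NETR_TRUST_FLAG_OUTBOUND)
    in_forest = bool(rec.flags & NETR_TRUST_FLAG_IN_FOREST)
    if rec.flags & NETR_TRUST_FLAG_PRIMARY:
        reach = "own"              # the domain the DC itself belongs to
    elif inbound or outbound:
        reach = "direct"           # one hop: the flags describe a real trust edge
    elif in_forest:
        reach = "transitive-only"  # >1 hop: only IN_FOREST, no direction info at all
    else:
        reach = "unknown"
    return {"name": rec.netbios, "dns": rec.dns, "in_forest": in_forest,
            "in": inbound, "out": outbound, "reach": reach}


# Constructed view from a DC of the forest root: CHILD is one hop away,
# GRANDCHILD two hops away, WDOM1 is an external forest trust.
SAMPLE_TRUSTS = [
    TrustRecord("ROOT", "root.site",
                NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT
                | NETR_TRUST_FLAG_PRIMARY | NETR_TRUST_FLAG_NATIVE),
    TrustRecord("CHILD", "child.root.site",
                NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_INBOUND
                | NETR_TRUST_FLAG_OUTBOUND),
    TrustRecord("GRANDCHILD", "gc.child.root.site", NETR_TRUST_FLAG_IN_FOREST),
    TrustRecord("WDOM1", "wdom1.site",
                NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND),
]


def transitive_only(records) -> list:
    """Domains whose In/Out columns cannot be filled from the flags alone."""
    return [classify_trust(r)["name"] for r in records
            if classify_trust(r)["reach"] == "transitive-only"]
```

Running `transitive_only(SAMPLE_TRUSTS)` singles out GRANDCHILD, the case for which the thread says no meaningful In/Out value can be displayed.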
