[PATCH] Can't authenticate user from child-domain of trusted forest
metze at samba.org
Wed Nov 29 12:20:06 UTC 2017
On 29.11.2017 at 12:46, Stefan Metzmacher via samba-technical wrote:
> On 29.11.2017 at 11:30, Ralph Böhme wrote:
>> Hi Volker,
>> On Tue, Nov 28, 2017 at 02:29:30PM +0100, Volker Lendecke wrote:
>>> On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
>>>> auth still fails because add_trusted_domain() will only be called in the domain
>>>> child, but not in the parent where we call find_domain_from_name_noinit().
>>> What about that one?
>> what about this one? The first three patches are meant to fix wbinfo -m
>> --verbose output and don't affect anything else. The current code would denote
>> the added-on-the-fly domains as trust-type "Forest", transitive, in- and outgoing.
>> With those three wbinfo -m --verbose looks like this:
>> $ bin/wbinfo -m --verbose
>> Domain Name   DNS Domain            Trust Type  Transitive  In   Out
>> BUILTIN                             None        No          No   No
>> TITAN                               None        No          No   No
>> WDOM2         wdom2.site            None        No          Yes  Yes
>> WDOM1         wdom1.site            Forest      Yes         Yes  Yes
>> WDOM3         wdom3.site            Forest      Yes         No   Yes
>> SUBDOM21      subdom21.wdom2.site   In-Forest   Yes         Yes  Yes
>> SUBDOM11                            None        No          No   No
>> SUBDOM11 was added on-the-fly after a successful auth.
>> Fixes something different than the original bug, so I still believe we need my
>> initial patchset and eventually something like an add-domain-on-the-fly patchset.
>> How shall we proceed? You and metze are more familiar with this stuff.
> I'm not so happy with trust_is_inbound() and trust_is_outbound().
> If you ask a Windows DC for NETR_TRUST_FLAG_IN_FOREST you get all
> domains in the forest, but only the direct trusts have
> NETR_TRUST_FLAG_INBOUND and NETR_TRUST_FLAG_OUTBOUND.
> Others, which are more than one hop away only have the
> NETR_TRUST_FLAG_IN_FOREST flag.
> Doing a useful listing for the above case is extremely difficult to get
> right. E.g. for SUBDOM11 I can't imagine what values we could possibly
> display. And there's also no good reason to even care about it. All
> that's important is that we have our transitive outgoing workstation
> trust to our primary domain, as that's the only direct trust a domain
> member has.
I think the actual correct listing for wbinfo -m --verbose would be
Domain Name   DNS Domain    Trust Type   Transitive  In   Out
BUILTIN                     Local        No          No   No
TITAN                       Local        No          No   No
WDOM2         wdom2.site    Workstation  Yes         No   Yes
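As an added illustration of the flag semantics metze describes above (not code from the thread or from Samba), this classifier derives what a wbinfo-style listing can honestly show from one DsrEnumerateDomainTrusts entry: only direct trusts carry NETR_TRUST_FLAG_INBOUND/OUTBOUND, forest members more than one hop away carry only NETR_TRUST_FLAG_IN_FOREST, and a domain learned on the fly carries nothing usable. The enum and struct names are assumptions; the flag values are the MS-NRPC ones matching Samba's netlogon.idl.

```c
#include <stdbool.h>
#include <stdint.h>

/* Flag values from MS-NRPC DsrEnumerateDomainTrusts; they match the
 * NETR_TRUST_FLAG_* constants in Samba's netlogon.idl. */
#define NETR_TRUST_FLAG_IN_FOREST 0x00000001u
#define NETR_TRUST_FLAG_OUTBOUND  0x00000002u
#define NETR_TRUST_FLAG_PRIMARY   0x00000008u
#define NETR_TRUST_FLAG_INBOUND   0x00000020u

enum trust_reach {                 /* assumed names, not Samba's */
	TRUST_REACH_PRIMARY, /* the domain the answering DC belongs to */
	TRUST_REACH_DIRECT,  /* one hop: INBOUND and/or OUTBOUND is set */
	TRUST_REACH_ROUTED,  /* in the forest, reachable only transitively */
	TRUST_REACH_UNKNOWN, /* no usable flags, e.g. a domain added on the fly */
};

/* Columns a wbinfo -m --verbose style listing can derive from one entry. */
struct trust_row {
	enum trust_reach reach;
	bool in_forest, transitive;
	bool inbound, outbound; /* only meaningful for TRUST_REACH_DIRECT */
};

struct trust_row classify_trust(uint32_t flags)
{
	struct trust_row row = {0};
	bool in = (flags & NETR_TRUST_FLAG_INBOUND) != 0;
	bool out = (flags & NETR_TRUST_FLAG_OUTBOUND) != 0;

	row.in_forest = (flags & NETR_TRUST_FLAG_IN_FOREST) != 0;
	/* Forest membership implies transitivity; the flags alone carry no
	 * trust attributes, so an external trust is assumed non-transitive. */
	row.transitive = row.in_forest;
	if (flags & NETR_TRUST_FLAG_PRIMARY) {
		row.reach = TRUST_REACH_PRIMARY;
	} else if (in || out) {
		row.reach = TRUST_REACH_DIRECT;
		row.inbound = in;
		row.outbound = out;
	} else if (row.in_forest) {
		/* More than one hop away: the DC set only IN_FOREST, so the
		 * In/Out columns cannot be derived from this entry at all. */
		row.reach = TRUST_REACH_ROUTED;
	} else {
		row.reach = TRUST_REACH_UNKNOWN;
	}
	return row;
}
```

A constructed entry with IN_FOREST alone therefore lands in TRUST_REACH_ROUTED rather than being shown as an in- and outbound trust, which is the distinction the wbinfo output above blurs.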