[PR PATCH] [Updated] samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA

github at samba.org github at samba.org
Mon Feb 26 10:53:35 UTC 2018


There is an updated pull request by abbra against master on the Samba GitHub repository

https://github.com/abbra/samba smb2-trust
https://github.com/samba-team/samba/pull/134

samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA
Two patches from this pull request attempt to fix compatibility with Windows Server 1709 and FreeIPA.

FreeIPA does not implement netr_DsRGetDCNameEx2() in a way that can be used by `samba-tool`, so a DC search fails when running `samba-tool domain trust create`. Instead, use netr_DsRGetDCNameEx2() with a remote server name to call our own DC. This should cause our own DC to use CLDAP discovery, which is supported by FreeIPA.

Windows Server 1709 disabled SMB1 by default, so one has to set `client ipc min protocol = SMB2` to get the trust established. While this is a proper fix going forward, it makes sense to default to SMB2 internally when establishing LSA and Netlogon RPC connections even if `smb.conf` lacks the correct option, and fall back to an older protocol only if SMB2 fails. This is an approach already used by the FreeIPA DC for a few years.

Submitting via github to get a test build run.

A patch file from https://github.com/samba-team/samba/pull/134.patch is attached
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: github-pr-smb2-trust-134.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180226/80d3d01c/github-pr-smb2-trust-134.patch>

