[PR PATCH] [Updated] samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA
Alexander Bokovoy
ab at samba.org
Mon Feb 26 13:39:32 UTC 2018
On Mon, 26 Feb 2018, Github bot account via samba-technical wrote:
> There is an updated pull request by abbra against master on the Samba Samba Github repository
>
> https://github.com/abbra/samba smb2-trust
> https://github.com/samba-team/samba/pull/134
>
> samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA
> Two patches from this pull request attempt to fix compatibilities to
> Windows Server 1709 and FreeIPA.
>
> FreeIPA does not implement netr_DsRGetDCNameEx2() in a way that can be
> used by `samba-tool`, so a DC search fails when running `samba-tool
> domain trust create`. Instead, use netr_DsRGetDCNameEx2() with a
> remote server name to call own DC. This should cause our own DC to use
> CLDAP discovery which is supported by FreeIPA.
>
> Windows Server 1709 disabled SMB1 by default, so one has to set
> `client ipc min protocol = SMB2` to get trust established. While this
> is a proper fix going forward, it makes sense to default to SMB2
> internally when establishing LSA and Netlogon RPC connections even if
> `smb.conf` lacks the correct option and fall back to an older protocol
> only if smb2 fails. This is an approach already used by FreeIPA DC for
> a few years.
>
> Submitting via github to get a test build run.
Travis CI build succeeded, so please review.
--
/ Alexander Bokovoy