[PR PATCH] [Updated] samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA

Stefan Metzmacher metze at samba.org
Tue Feb 27 12:58:01 UTC 2018

Hi Alexander,

I've created https://bugzilla.samba.org/show_bug.cgi?id=13308 for this
and will review it now.


On 26.02.2018 at 14:39, Alexander Bokovoy via samba-technical wrote:
> On Mon, 26 Feb 2018, Github bot account via samba-technical wrote:
>> There is an updated pull request by abbra against master on the Samba Samba Github repository
>> https://github.com/abbra/samba smb2-trust
>> https://github.com/samba-team/samba/pull/134
>> samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA
>> Two patches from this pull request attempt to fix compatibilities to
>> Windows Server 1709 and FreeIPA.
>> FreeIPA does not implement netr_DsRGetDCNameEx2() in a way that can be
>> used by `samba-tool`, so a DC search fails when running `samba-tool
>> domain trust create`. Instead, use netr_DsRGetDCNameEx2() with a
>> remote server name to call own DC. This should cause our own DC to use
>> CLDAP discovery which is supported by FreeIPA.
>> Windows Server 1709 disabled SMB1 by default, so one has to set
>> `client ipc min protocol = SMB2` to get trust established. While this
>> is a proper fix going forward, it makes sense to default to SMB2
>> internally when establishing LSA and Netlogon RPC connections even if
>> `smb.conf` lacks the correct option and fall back to an older protocol
>> only if smb2 fails. This is an approach already used by FreeIPA DC for
>> a few years.
>> Submitting via github to get a test build run.
> Travis CI build succeeded, so please review.
