[PR PATCH] [Updated] samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA

Stefan Metzmacher metze at samba.org
Thu Mar 1 09:18:20 UTC 2018

Am 01.03.2018 um 08:54 schrieb Alexander Bokovoy via samba-technical:
> On to, 01 maalis 2018, Stefan Metzmacher via samba-technical wrote:
>> Hi Alexander,
>>>> As we only use remote_netlogon_info.dc_unc can we
>>>> add get_netlogon_dc_unc() that falls back to netr_GetDcName()
>>>> against the remote dc.
>>>> That would also help if we try to implement trusts against
>>>> an NT4 style domain.
>>> Makes sense. Updated patches attached.
>> Thanks much better:-)!
>> Is that tested against FreeIPA?
> Not yet, in my plans for today as I'm trying to figure out what else we
> are missing in TDO salt principals.

The salt principal for the BLA$ user object is wrong.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180301/23954dba/signature.sig>

More information about the samba-technical mailing list