Having issues with trusted domain scan if the primary domain is a tree-root but not the forest root.

Hemanth Thummala hemanth.thummala at nutanix.com
Wed Feb 6 23:27:20 UTC 2019


Hi Volker,

> Does your version support "winbind:ignore domains"? If the scan as
>    such is your problem and you don't have users behind those trusts,
>    that might help.

We have users behind those trusts who need to be authenticated.

I have debugged this issue and come up with a fix for it, which is attached here. This is made on top of 4-7-stable.
We are still testing different scenarios. So far, results are good. 

Please let me know if you have any comments. 

Mainly, I have made a couple of changes to fix the issue.
- Force forest root scan irrespective of primary domain being tree root or not.
- Continue the loop (by taking out the break) in rescan_forest_root_trusts() even after finding the first tree root trust.
 
I know that we are planning to move away from scans.
Thought of sharing it just in case anyone is looking for an immediate solution.

Thanks,
Hemanth.

On 1/30/19, 11:33 AM, "Volker Lendecke" <Volker.Lendecke at SerNet.DE> wrote:

    On Wed, Jan 30, 2019 at 05:36:53PM +0000, Hemanth Thummala wrote:
    > Thanks Volker and Metz, for your responses.
    > 
    > > Yes, avoiding the scan at all is the future!
    > Good to know. Will be very interested to see how the trusted domain
    > authentication flow will be with this change. However, we need to
    > fix this issue as we got into it from the field. I am also trying to
    > reproduce it locally and wanted to try with forest_root_scan(). Hope
    > it will not be going into an endless loop.
    
    Does your version support "winbind:ignore domains"? If the scan as
    such is your problem and you don't have users behind those trusts,
    that might help.
    
    Volker
    
    -- 
    SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
    phone: 0551-370000-0, mailto:kontakt at sernet.de
    Gesch.F.: Dr. Johannes Loxen und Reinhild Jung
    AG Göttingen: HR-B 2816 - http://www.sernet.de
    

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-trusted-domain-scanning-issue.patch
Type: application/octet-stream
Size: 6691 bytes
Desc: 0001-Fix-trusted-domain-scanning-issue.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190206/b7b1e96b/0001-Fix-trusted-domain-scanning-issue.obj>

