Having issues with trusted domain scan if the primary domain is a tree-root but not the forest root.
Hemanth Thummala
hemanth.thummala at nutanix.com
Wed Feb 6 23:27:20 UTC 2019
Hi Volker,
> Does your version support "winbind:ignore domains"? If the scan as
> such is your problem and you don't have users behind those trusts,
> that might help.
We have users behind those trusts which need to be authenticated.
I have debugged this issue and come up with a fix for it, which is attached here. This is made on top of 4-7-stable.
We are still testing different scenarios. So far, results are good.
Please let me know if you have any comments.
Mainly, I have made a couple of changes to fix the issue.
- Force forest root scan irrespective of primary domain being tree root or not.
- Continue the loop (by taking out the break) in rescan_forest_root_trusts() even after finding the first tree root trust.
I know that we are planning to move away from scans.
Thought of sharing it just in case anyone is looking for an immediate solution.
Thanks,
Hemanth.
On 1/30/19, 11:33 AM, "Volker Lendecke" <Volker.Lendecke at SerNet.DE> wrote:
On Wed, Jan 30, 2019 at 05:36:53PM +0000, Hemanth Thummala wrote:
> Thanks Volker and Metz, for your responses.
>
> > Yes, avoiding the scan at all is the future!
> Good to know. Will be very interested to see how the trusted domain
> authentication flow will be with this change. However, we need to
> fix this issue as we got into it from the field. I am also trying to
> reproduce it locally and wanted to try with forest_root_scan(). Hope
> it will not be going into endless loop.
Does your version support "winbind:ignore domains"? If the scan as
such is your problem and you don't have users behind those trusts,
that might help.
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mailto:kontakt at sernet.de
Gesch.F.: Dr. Johannes Loxen und Reinhild Jung
AG Göttingen: HR-B 2816 - http://www.sernet.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-trusted-domain-scanning-issue.patch
Type: application/octet-stream
Size: 6691 bytes
Desc: 0001-Fix-trusted-domain-scanning-issue.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190206/b7b1e96b/0001-Fix-trusted-domain-scanning-issue.obj>