Having issues with trusted domain scan if the primary domain is a tree-root but not the forest root.

Hemanth Thummala hemanth.thummala at nutanix.com
Mon Jan 28 23:24:13 UTC 2019


Hello All,

We were debugging an issue related to trusted domain scan. The Samba file server is joined to a domain which is a tree root in the forest, but not the forest root. We have a few forest trusts established at the forest root level. When we try to scan the trusted domains, we were able to get all the domains within the forest of our primary domain but nothing from other forests.

Looking at rescan_trusted_domains(), I think there is some issue with the way we check if a domain is a forest root.

bool domain_is_forest_root(const struct winbindd_domain *domain)
{
  const uint32_t fr_flags =
    (NETR_TRUST_FLAG_TREEROOT|NETR_TRUST_FLAG_IN_FOREST);

  return ((domain->domain_flags & fr_flags) == fr_flags);
}

I have observed that these two flags are always enabled on any domain which is a tree root. Hence, I don’t think this condition is deterministic for the forest root. And the next thing we have in trustdom_list_done() is this:


if (state->domain->primary) {
  /* If this is our primary domain and we are not in the
     forest root, we have to scan the root trusts first */
  if (!domain_is_forest_root(state->domain))
    rescan_forest_root_trusts();
  else
    rescan_forest_trusts(); ==> we end up doing the forest scan instead of rescan_forest_root_trusts().
} else if (domain_is_forest_root(state->domain)) {
  /* Once we have done root forest trust search, we can
     go on to search the trusted forests */
  rescan_forest_trusts();
}

But rescan_forest_trusts() assumes that we have the domains connected over a forest trust, which are expected to have the following conditions met.


if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
     (type == LSA_TRUST_TYPE_UPLEVEL) &&
     (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
  add_trusted_domain(..)
}



LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE is enabled only for those domains which are directly connected over a forest trust. We didn’t have any of those trusts, since the first trusted domain scan was not done using the forest root. Hence, we end up missing all the trusted domains from the remote forests.



Looks like (from: https://msdn.microsoft.com/en-us/library/cc237254.aspx) there is no specific flag/attribute which can tell if a domain is a forest root. In this case, I assume that the only option is to do rescan_forest_root_trusts() for all tree-root domains instead of doing just rescan_forest_trusts().



Please let me know if my understanding is correct here.



Thanks,

Hemanth.
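Added illustration (editor's example, not Samba code and not part of the mail above): the two checks quoted in the message, modelled with locally defined constants and constructed domain records so they can be run stand-alone. The NETR_TRUST_FLAG_* and LSA_TRUST_* values are assumed to mirror the public MS-NRPC / MS-LSAD values; struct demo_domain is a hypothetical stand-in for the few winbindd_domain fields the checks read, and next_scan_for_primary() is a hypothetical name for the branch taken in trustdom_list_done(). The sample forest (a primary tree root that is not the forest root, one child, and a second forest reachable only from the forest root) is made up. Running it shows the point of the mail: domain_is_forest_root() returns true for the tree root as well as the forest root, so the primary domain is sent to the forest-trust scan, whose filter matches nothing in the tree root's own trust list.

```c
/* Editor's example; not Samba code. Constants assumed to match MS-NRPC /
 * MS-LSAD; domain records below are constructed for the demonstration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DS_DOMAIN_TRUSTSW flags (MS-NRPC), as used by Samba's NETR_TRUST_FLAG_* */
#define NETR_TRUST_FLAG_IN_FOREST  0x00000001
#define NETR_TRUST_FLAG_OUTBOUND   0x00000002
#define NETR_TRUST_FLAG_TREEROOT   0x00000004
#define NETR_TRUST_FLAG_PRIMARY    0x00000008
#define NETR_TRUST_FLAG_INBOUND    0x00000020

/* Trust type / attribute values (MS-LSAD) used by the forest-trust filter */
#define LSA_TRUST_TYPE_UPLEVEL                0x00000002
#define LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0x00000008
#define LSA_TRUST_ATTRIBUTE_WITHIN_FOREST     0x00000020

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for the winbindd_domain fields the checks read */
struct demo_domain {
  const char *name;
  uint32_t domain_flags;  /* NETR_TRUST_FLAG_* from the trust enumeration */
  uint32_t trust_type;    /* LSA_TRUST_TYPE_* */
  uint32_t trust_attribs; /* LSA_TRUST_ATTRIBUTE_* */
};

/* Same logic as the domain_is_forest_root() quoted in the mail */
bool domain_is_forest_root(const struct demo_domain *domain)
{
  const uint32_t fr_flags =
    (NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_IN_FOREST);
  return ((domain->domain_flags & fr_flags) == fr_flags);
}

/* The per-entry condition rescan_forest_trusts() requires before adding */
bool passes_forest_trust_filter(const struct demo_domain *d)
{
  return (d->domain_flags & NETR_TRUST_FLAG_INBOUND) &&
         (d->trust_type == LSA_TRUST_TYPE_UPLEVEL) &&
         (d->trust_attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE);
}

/* Hypothetical model of the primary-domain branch in trustdom_list_done() */
enum next_scan { SCAN_FOREST_ROOT_TRUSTS = 0, SCAN_FOREST_TRUSTS = 1 };

enum next_scan next_scan_for_primary(const struct demo_domain *primary)
{
  return domain_is_forest_root(primary) ? SCAN_FOREST_TRUSTS
                                        : SCAN_FOREST_ROOT_TRUSTS;
}

/* How many entries of a trust list the forest-trust filter would keep */
size_t count_forest_trusts(const struct demo_domain *list, size_t n)
{
  size_t count = 0;
  for (size_t i = 0; i < n; i++)
    if (passes_forest_trust_filter(&list[i]))
      count++;
  return count;
}

/* Constructed data: our primary domain is a tree root, not the forest root */
static const struct demo_domain primary_tree_root = {
  "tree.example",
  NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_PRIMARY,
  LSA_TRUST_TYPE_UPLEVEL, LSA_TRUST_ATTRIBUTE_WITHIN_FOREST };

/* Constructed: what the tree root's DC enumerates (in-forest domains only) */
static const struct demo_domain tree_root_view[] = {
  { "root.example",
    NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT |
    NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND,
    LSA_TRUST_TYPE_UPLEVEL, LSA_TRUST_ATTRIBUTE_WITHIN_FOREST },
  { "child.tree.example",
    NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND,
    LSA_TRUST_TYPE_UPLEVEL, LSA_TRUST_ATTRIBUTE_WITHIN_FOREST },
};

/* Constructed: what the forest root's DC enumerates, including the
 * cross-forest trust that only it carries with FOREST_TRANSITIVE */
static const struct demo_domain forest_root_view[] = {
  { "tree.example",
    NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT |
    NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND,
    LSA_TRUST_TYPE_UPLEVEL, LSA_TRUST_ATTRIBUTE_WITHIN_FOREST },
  { "other.forest",
    NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND,
    LSA_TRUST_TYPE_UPLEVEL, LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE },
};

int main(void)
{
  printf("tree root looks like forest root: %d\n",
         domain_is_forest_root(&primary_tree_root));
  printf("scan chosen for primary: %s\n",
         next_scan_for_primary(&primary_tree_root) == SCAN_FOREST_TRUSTS
           ? "rescan_forest_trusts" : "rescan_forest_root_trusts");
  printf("forest trusts seen from tree root: %zu\n",
         count_forest_trusts(tree_root_view, ARRAY_LEN(tree_root_view)));
  printf("forest trusts seen from forest root: %zu\n",
         count_forest_trusts(forest_root_view, ARRAY_LEN(forest_root_view)));
  return 0;
}
```

The filter itself is not the problem; it is only ever handed the forest root's list when the primary domain fails the forest-root check, and a tree root never fails it.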