Having issues with trusted domain scan if the primary domain is a tree-root but not the forest root.

Stefan Metzmacher metze at samba.org
Wed Jan 30 09:45:52 UTC 2019


Hi Hemanth,

>> We were debugging an issue related to trusted domain scan. Samba
>> file server is joined to a domain which is a tree root in the
>> forest, but not the forest root. We have a few forest trusts
>> established at forest root level. When we try to scan the trusted
>> domains, we were able to get all the domains within the forest of
>> our primary domain but nothing from other forests.
> 
> The fact alone that we scan trusted domains is a bug. This bug is on
> its way to be fixed. There have been some significant fixes in
> winbind that remove this dependency. In Samba 4.8 you have the "winbind
> scan trusted domains" option which will be defaulted to "no" soon.
> Please try with 4.8 and setting that to off. Your case might be a very
> good testcase for this option, and we will deeply look at the bugs you
> see when setting it to "no".

Yes, avoiding the scan at all is the future!

I'm not 100% sure it's related, but you may want to look at

commit 525752e06e7e73bfe1e9e7b80ad9f11d45befe5c
Author:     Stefan Metzmacher <metze at samba.org>
AuthorDate: Thu Mar 2 08:13:57 2017 +0100
Commit:     Stefan Metzmacher <metze at samba.org>
CommitDate: Mon Mar 6 19:40:23 2017 +0100

    s3:winbindd: fix endless forest trust scan

    Commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b effectively
    disabled the enumeration of trusts in other forests.

    The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
    changed the way we fill domain->domain_flags for domains
    in other forests.

    Commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6 re-added the
    ability to enumerate trusts of other forests again, in order to
    fix https://bugzilla.samba.org/show_bug.cgi?id=11830

    Now we have the problem that multiple domains
    (even outside of our forest) are considered to be
    our forest root, as they have the following flags:
    NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12605

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Thu Mar  2 17:53:14 CET 2017 on sn-devel-144

    (cherry picked from commit f9aaddcdd8f9ea648c9c5ea804f56ee3ff6c4c67)

metze
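The following is an illustration added to this thread, not Samba's winbindd code, of the ambiguity the commit message above describes: once trusts of other forests have been enumerated, an entry carrying NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_IN_FOREST may be our own tree-root primary domain, our forest root, or the root of a foreign forest (whose DC reported IN_FOREST/TREEROOT from its own point of view). The flag values follow the DS_DOMAIN_TRUSTS Flags field in MS-NRPC; the trust list, the domain names and the per-entry "forest" field (the DNS forest name of the DC the entry was learned from) are constructed assumptions for the scenario in the thread, and the disambiguation rule used here (the forest root's DNS name is the forest's DNS name) is one way to resolve it, not necessarily the approach taken by the commit.

```python
"""Illustration (not Samba code): why TREEROOT|IN_FOREST alone cannot
identify *our* forest root after trusts of other forests were enumerated.
Flag values follow the DS_DOMAIN_TRUSTS Flags in MS-NRPC
(netr_DsrEnumerateDomainTrusts)."""

NETR_TRUST_FLAG_IN_FOREST = 0x00000001
NETR_TRUST_FLAG_OUTBOUND = 0x00000002
NETR_TRUST_FLAG_TREEROOT = 0x00000004
NETR_TRUST_FLAG_PRIMARY = 0x00000008
NETR_TRUST_FLAG_NATIVE = 0x00000010
NETR_TRUST_FLAG_INBOUND = 0x00000020

ROOT_MASK = NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_IN_FOREST


def _t(name, forest, flags):
    # "forest" is an assumed field: the DNS forest name of the DC that
    # answered the enumeration. Entries reached through a forest trust are
    # answered by the *other* forest's DC, so IN_FOREST/TREEROOT on them
    # describe that forest, not ours.
    return {"name": name, "forest": forest, "flags": flags}


# Constructed sample for the thread's scenario: our primary domain
# tree.example is the root of a second tree in forest corp.example; the
# forest root corp.example has forest trusts to other.example and
# third.example.
TRUSTS = [
    _t("tree.example", "corp.example",
       NETR_TRUST_FLAG_PRIMARY | NETR_TRUST_FLAG_IN_FOREST
       | NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_NATIVE),
    _t("corp.example", "corp.example",
       NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT
       | NETR_TRUST_FLAG_OUTBOUND | NETR_TRUST_FLAG_INBOUND),
    _t("sales.corp.example", "corp.example",
       NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_OUTBOUND
       | NETR_TRUST_FLAG_INBOUND),
    _t("other.example", "other.example",
       NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT
       | NETR_TRUST_FLAG_OUTBOUND | NETR_TRUST_FLAG_INBOUND),
    _t("eu.other.example", "other.example",
       NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_OUTBOUND),
    _t("third.example", "third.example",
       NETR_TRUST_FLAG_IN_FOREST | NETR_TRUST_FLAG_TREEROOT
       | NETR_TRUST_FLAG_OUTBOUND | NETR_TRUST_FLAG_INBOUND),
]


def flag_only_forest_roots(trusts):
    """Flag-only test: every TREEROOT|IN_FOREST entry looks like a forest
    root, including our own tree-root primary domain and foreign roots."""
    return [t["name"] for t in trusts if t["flags"] & ROOT_MASK == ROOT_MASK]


def our_forest_root(trusts):
    """Restrict the flag test to entries reported for our own forest and
    require the AD invariant that the forest root's DNS name equals the
    forest DNS name. Exactly one entry must survive."""
    primary = next(t for t in trusts if t["flags"] & NETR_TRUST_FLAG_PRIMARY)
    forest = primary["forest"].lower()
    roots = [t["name"] for t in trusts
             if t["forest"].lower() == forest
             and t["flags"] & ROOT_MASK == ROOT_MASK
             and t["name"].lower() == forest]
    if len(roots) != 1:
        raise ValueError("expected exactly one forest root, got %r" % roots)
    return roots[0]


def trusts_by_forest(trusts):
    """Group entries by the forest they were reported for, so a scan can
    visit each foreign forest once instead of re-entering it as 'ours'."""
    out = {}
    for t in trusts:
        out.setdefault(t["forest"].lower(), []).append(t["name"])
    return out


if __name__ == "__main__":
    print("flag-only candidates:", flag_only_forest_roots(TRUSTS))
    print("our forest root:     ", our_forest_root(TRUSTS))
    for forest, names in trusts_by_forest(TRUSTS).items():
        print(forest, "->", names)
```

With the sample list the flag-only test returns four candidates (tree.example, corp.example, other.example, third.example), which is the situation the commit message describes; keying on the forest each entry was reported for narrows it to corp.example, and grouping by forest gives a scan that terminates after each forest has been visited once.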

