Having issues with trusted domain scan if the primary domain is a tree-root but not the forest root.
hemanth.thummala at nutanix.com
Wed Jan 30 17:36:53 UTC 2019
Thanks Volker and Metz, for your responses.
> Yes, avoiding the scan at all is the future!

Good to know. I will be very interested to see what the trusted domain authentication flow will look like with this change. However, we need to fix this issue as we ran into it in the field. I am also trying to reproduce it locally and wanted to try with forest_root_scan(). Hopefully it will not go into an endless loop.

@Stefan Metzmacher, we have this patch applied already on our stack.

On 1/30/19, 1:46 AM, "Stefan Metzmacher" <metze at samba.org> wrote:
>> We were debugging an issue related to trusted domain scan. Samba
>> file server is joined to a domain which is a tree root in the
>> forest, but not the forest root. We have a few forest trusts
>> established at forest root level. When we try to scan the trusted
>> domains, we were able to get all the domains within the forest of
>> our primary domain but nothing from other forests.
> The fact alone that we scan trusted domains is a bug. This bug is on
> its way to be fixed. There have been some significant fixes in
> winbind to remove this dependency. In Samba 4.8 you have the "winbind
> scan trusted domains" option which will be defaulted to "no" soon.
> Please try with 4.8 and setting that to off. Your case might be a very
> good testcase for this option, and we will deeply look at the bugs you
> see when setting it to "no".
> Yes, avoiding the scan at all is the future!
>
> I'm not 100% sure it's related, but you may want to look at
>
> Author: Stefan Metzmacher <metze at samba.org>
> AuthorDate: Thu Mar 2 08:13:57 2017 +0100
> Commit: Stefan Metzmacher <metze at samba.org>
> CommitDate: Mon Mar 6 19:40:23 2017 +0100
>
> s3:winbindd: fix endless forest trust scan
>
> Commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b effectively
> disabled the enumeration of trusts in other forests.
>
> The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
> changed the way we fill domain->domain_flags for domains
> in other forests.
>
> Commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6 readded the
> ability to enumerate trusts of other forests again, in order to
>
> Now we have the problem that multiple domains
> (even outside of our forest) are considered to be
> our forest root, as they have the following flags:
> NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST.
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
> Reviewed-by: Ralph Boehme <slow at samba.org>
>
> Autobuild-User(master): Ralph Böhme <slow at samba.org>
> Autobuild-Date(master): Thu Mar 2 17:53:14 CET 2017 on sn-devel-144
>
> (cherry picked from commit f9aaddcdd8f9ea648c9c5ea804f56ee3ff6c4c67)
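As an added example (not part of this thread and not Samba's source), a small Python model of the misclassification the quoted commit message describes: trust flags returned by a DC are relative to that DC's forest, so storing them verbatim makes the root of another forest look like a NETR_TRUST_FLAG_TREEROOT | NETR_TRUST_FLAG_IN_FOREST domain of our own forest. The domain names and topology are constructed for illustration; the flag bit values are the NETR_TRUST_FLAG_* constants from the netlogon IDL, and the "fixed" policy is one illustrative remedy, not the change made in the referenced commit.

```python
# Constructed model of a winbindd-style trusted domain scan; it is not Samba's code.
# Flag bits are the NETR_TRUST_FLAG_* values from the netlogon IDL (MS-NRPC DS_DOMAIN_TRUSTSW).
IN_FOREST, OUTBOUND, TREEROOT, PRIMARY, INBOUND = 0x1, 0x2, 0x4, 0x8, 0x20

# Constructed topology with hypothetical names: forest A has root a.example and a second
# tree root tree.example (our primary domain, the poster's situation); forest B is b.example;
# a forest trust links a.example and b.example. Every DC answers DsEnumerateDomainTrusts
# relative to ITS OWN forest, so TREEROOT|IN_FOREST in b.example's answer means "root of B".
ENUM_TRUSTS = {
    "tree.example": {"tree.example": PRIMARY | TREEROOT | IN_FOREST,
                     "a.example": TREEROOT | IN_FOREST | INBOUND | OUTBOUND},
    "a.example": {"a.example": PRIMARY | TREEROOT | IN_FOREST,
                  "tree.example": TREEROOT | IN_FOREST | INBOUND | OUTBOUND,
                  "b.example": INBOUND | OUTBOUND},
    "b.example": {"b.example": PRIMARY | TREEROOT | IN_FOREST,
                  "a.example": INBOUND | OUTBOUND},
}

def scan(primary, fixed):
    """Walk tree-root and outbound trusts from our DC and collect per-domain flags.
    fixed=False stores every DC's answer verbatim (the behaviour the commit message
    describes); fixed=True treats the forest-relative bits as relative to the answering DC."""
    known = dict(ENUM_TRUSTS[primary])
    our_forest = {d for d, f in known.items() if f & IN_FOREST}
    queue = [d for d, f in known.items() if d != primary and f & (TREEROOT | OUTBOUND)]
    visited = {primary}
    while queue:
        dc = queue.pop(0)
        if dc in visited:
            continue
        visited.add(dc)
        for name, flags in ENUM_TRUSTS[dc].items():
            if fixed:
                flags &= ~PRIMARY                     # PRIMARY is relative to the answering DC
                if dc not in our_forest:
                    flags &= ~(IN_FOREST | TREEROOT)  # so are these, outside our forest
                if name in known:
                    continue                          # keep what a closer DC already told us
            known[name] = flags
            if flags & OUTBOUND and name not in visited:
                queue.append(name)
    return known

def forest_roots(known):
    """Domains a flags-only test accepts as our forest root (sorted for determinism)."""
    return sorted(d for d, f in known.items() if f & TREEROOT and f & IN_FOREST)

if __name__ == "__main__":
    print("verbatim flags:", forest_roots(scan("tree.example", fixed=False)))
    print("relative flags:", forest_roots(scan("tree.example", fixed=True)))
```

With verbatim flags the real forest root a.example drops out and b.example takes its place; with relative flags only the two tree roots of our own forest remain, which is exactly the ambiguity the thread is about when the primary domain is a tree root but not the forest root.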