Implement lsaRQueryForestTrustInformation in source3

Alexander Bokovoy ab at
Tue May 28 09:03:55 UTC 2019


While working on fixing the FreeIPA ipasam module to allow establishing a
forest trust with a shared secret from the Windows side, I stumbled upon a
difference we have in lsaRQueryForestTrustInformation handling between
the Samba AD DC and smbd.

Windows asks for lsaRQueryForestTrustInformation to retrieve details
about a trust. We have an implementation of lsaRSetForestTrustInformation
in source3/rpc_server/lsa/srv_lsa_nt.c. However,
lsaRQueryForestTrustInformation is a stub:

NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
                                              struct lsa_lsaRQueryForestTrustInformation *r)
{
        /* Not implemented: reports an out-of-range opnum fault to the caller */
        p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
        return NT_STATUS_NOT_IMPLEMENTED;
}

lsaRSetForestTrustInformation() was implemented as a part of the commit
d638f4a3b824 by Sumit Bose. It depends on a PASSDB module that
implements the enum_trusted_domains() helper. We have a single in-tree PASSDB
module that implements it: pdb_dsdb (Samba AD DC). ipasam also
implements it. Another in-tree PASSDB module, pdb_ldap, implements
enum_trusteddoms(), which can be abstracted out to implement
enum_trusted_domains() -- in ipasam we actually implement
enum_trusteddoms() on top of enum_trusted_domains(), so the storage is the

As a result, we can reuse the code from pdb_ldap/ipasam to implement the
remaining part of lsaRQueryForestTrustInformation without any trouble.
This would mostly benefit FreeIPA, because in order to be able to
establish a trust to such an smbd instance, one needs more than just smbd.
For the Samba AD DC the actual LSA RPC server endpoint is implemented in
source4, thus the code in source3/rpc_server/lsa/ did not matter for

However, this would complete a missing piece of functionality, and if I add
the same code to pdb_ldap and pdb_tdbsam, we can actually test the LSA RPC
lsaRQueryForestTrustInformation call in the test suite.

Is anyone against this plan?

/ Alexander Bokovoy

