Implement lsaRQueryForestTrustInformation in source3

Jeremy Allison jra at
Tue May 28 18:16:36 UTC 2019

On Tue, May 28, 2019 at 12:03:55PM +0300, Alexander Bokovoy via samba-technical wrote:
> Hi,
> while working on fixing FreeIPA ipasam module to allow establishing
> forest trust with a shared secret from Windows side, I stumbled upon the
> difference we have in lsaRQueryForestTrustInformation handling between
> Samba AD DC and smbd.
> Windows asks for lsaRQueryForestTrustInformation to retrieve details
> about a trust. We have implementation for lsaRSetForestTrustInformation
> in source3/rpc_server/lsa/srv_lsa_nt.c. However,
> lsaRQueryForestTrustInformation is a stub:
> NTSTATUS _lsa_lsaRQueryForestTrustInformation(struct pipes_struct *p,
>                                               struct lsa_lsaRQueryForestTrustInformation *r)
> {
>         p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
> }
> lsaRSetForestTrustInformation() was implemented as a part of the commit
> d638f4a3b824 by Sumit Bose. It depends on a PASSDB module that
> implements enum_trusted_domains() helper. We have a single in-tree PASSDB
> module that implement it: pdb_dsdb (Samba AD DC). Also, ipasam
> implements it. Another in-tree PASSDB module, pdb_ldap, implements
> enum_trusteddoms() which can be abstracted out to implement
> enum_trusted_domains() -- in ipasam we actually implement
> enum_trusteddoms() on top of enum_trusted_domains, so the storage is the
> same.
> As a result, we can reuse the code from pdb_ldap/ipasam to implement
> remaining part for lsaRQueryForestTrustInformation without any trouble.
> This would mostly benefit FreeIPA because in order to be able to
> establish trust to such smbd instance, one needs more than just smbd.
> For Samba AD DC actual LSA RPC server end point is implemented in
> source4, thus the code in source3/rpc_server/lsa/ did not matter for
> that.
> However, this would complete a missing functionality and if I'll add
> the same code to pdb_ldap and pdb_tdbsam, we can actually test LSA RPC
> lsaRQueryForestTrustInformation in the test suite.
> Is anyone against this plan?

Sounds OK to me, but the devil, as ever, is in the details :-).

I'll reserve judgement until I see the code :-) !



More information about the samba-technical mailing list