validation of msDS-TrustForestTrustInfo

Alexander Bokovoy ab at samba.org
Tue Feb 16 10:02:27 UTC 2016


Hi Metze,

any comments?

The example.com <-> ipa.example.com and ad.example.com <-> example.com
scenarios work fine between AD and FreeIPA in production; only the Samba AD
implementation is at fault here.

On Wed, 10 Feb 2016, Alexander Bokovoy wrote:
> Hi,
> 
> I think current implementation of msDS-TrustForestTrustInfo validation
> is incorrect with regards to rules of identifying namespace collisions.
> 
> Right now Samba AD automatically disables the TLN of a trusted forest
> example.com if it is itself installed in a subordinate of
> example.com, e.g. samba.example.com.
> 
> MS-ADTS 6.1.6.9.3.2 is used to define the logic for validation. Namely,
> rules 3 and 4 are relevant here:
> ---------------------------------
> 3. Each FQDN corresponding to a domain in a trusted forest is unique
> among all TDOs and among all of the FQDNs and TLNs listed within the
> ForestTrustData Records. If not, the Record MUST have the SDC bit in the
> Record Flags.
> 
> 4. Each FQDN for each domain in the trusted forest does not correspond
> to any FQDNs within the domains from the local forest. If not, the
> Record MUST have the SDC bit in the Record Flags.
> ---------------------------------
> 
> Additionally, following rules for namespace collision are relevant as well:
> ---------------------------------
> The rules for determining whether namespaces collide for
> ForestTrustTopLevelName Records are as follows:
> 
> 1. Each TLN corresponding to a domain in a trusted forest is unique
> among all TDOs, and among all of the FQDNs and TLNs listed within the
> Forest Trust Data records. If not, the conflicting Record has the TDC
> bit in the Record Flags. For the sake of consistency, since the two TLNs
> are equal, the first TLN Record that is read is authoritative, and
> subsequent conflicting Records are disabled.
> 
> 2. Each TLN for each domain in the trusted forest does not correspond to
> any FQDNs within the domains from the local forest. If not, the Record
> has the TDC bit in the Record Flags.
> ----------------------------------
> 
> As a result, the conflicts between the trusted and trusting forests need
> to be resolved on a pure FQDN comparison basis rather than taking subordination
> into account, while self-consistency of the trusted domain object's trust
> information should be fully checked for subordination.
> 
> -- 
> / Alexander Bokovoy
> 

-- 
/ Alexander Bokovoy
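A small executable model of the collision rules quoted in the thread, added here as an illustration and not taken from Samba's source. The record layout, the `validate_forest_trust_info` function and the `Record` class are my own; the flag constants follow the names of `lsa_ForestTrustRecordFlags` in MS-LSAD but their values should be checked against the IDL. Two interpretations are assumptions: a forest's root domain FQDN that equals the forest's own TLN in the same record set is not treated as a collision, and a domain FQDN that is not subordinate to any TLN of its own record set is reported as a self-consistency problem rather than flagged. The point the code makes is the one in the mail: collisions against the local forest and other TDOs are exact-name comparisons, so a trusted TLN example.com is not disabled for a local forest ipa.example.com, while subordination is only checked inside the record set itself.

```python
from dataclasses import dataclass

# Flag bits named as in lsa_ForestTrustRecordFlags (values assumed; verify against lsa.idl).
LSA_TLN_DISABLED_CONFLICT = 0x00000004   # "TDC" bit for TopLevelName records
LSA_SID_DISABLED_CONFLICT = 0x00000002   # "SDC" bit for DomainInfo records

TLN = "ForestTrustTopLevelName"
DOMAIN = "ForestTrustDomainInfo"


@dataclass
class Record:
    kind: str        # TLN or DOMAIN
    name: str        # the TLN, or the domain's DNS FQDN
    flags: int = 0   # record flags, filled in by validation


def _norm(name):
    return name.lower().rstrip(".")


def is_subordinate(fqdn, tln):
    """True when fqdn equals tln or lies below it on a DNS label boundary."""
    f, t = _norm(fqdn), _norm(tln)
    return f == t or f.endswith("." + t)


def validate_forest_trust_info(records, local_domains, other_tdo_names):
    """Apply the MS-ADTS 6.1.6.9.3.2 collision rules to one TDO's records (read order).

    local_domains:   FQDNs of the domains in the local (trusting) forest.
    other_tdo_names: TLNs and FQDNs already stored on the other TDOs.
    Returns (records, problems). Flags are set in place; `problems` lists
    self-consistency failures of the record set (assumed to reject the set).
    """
    local = {_norm(d) for d in local_domains}
    foreign = {_norm(n) for n in other_tdo_names}
    seen_here = {TLN: set(), DOMAIN: set()}   # first record read is authoritative
    problems = []

    for rec in records:
        name = _norm(rec.name)
        conflict = LSA_TLN_DISABLED_CONFLICT if rec.kind == TLN else LSA_SID_DISABLED_CONFLICT
        # TLN rule 1 / FQDN rule 3: exact-name uniqueness among other TDOs and this set.
        # TLN rule 2 / FQDN rule 4: exact-name comparison against local forest domains.
        # Subordination (ipa.example.com under example.com) is deliberately not a collision.
        if name in foreign or name in local or name in seen_here[rec.kind]:
            rec.flags |= conflict
        else:
            seen_here[rec.kind].add(name)

    # Self-consistency of the record set: every domain FQDN must sit under one of the
    # forest's own TLNs (assumption about how the subordination check is applied).
    tlns = [r.name for r in records if r.kind == TLN]
    for rec in records:
        if rec.kind == DOMAIN and not any(is_subordinate(rec.name, t) for t in tlns):
            problems.append(f"{rec.name} is not subordinate to any TLN of this forest")
    return records, problems


def scenario_from_mail():
    """Local forest ipa.example.com trusting forest example.com (the working case)."""
    records = [Record(TLN, "example.com"),
               Record(DOMAIN, "example.com"),
               Record(DOMAIN, "corp.example.com")]
    return validate_forest_trust_info(records, ["ipa.example.com"], [])


if __name__ == "__main__":
    recs, probs = scenario_from_mail()
    for r in recs:
        print(f"{r.kind:26} {r.name:20} flags=0x{r.flags:08x}")
    print("problems:", probs)
```

Running the scenario from the mail leaves every record with flags 0x00000000, which is the behaviour the thread says AD and FreeIPA already show; a second TLN example.com in the same set, or a domain FQDN equal to a local domain, is what actually earns the TDC or SDC bit.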


