[PATCH] Can't authenticate user from child-domain of trusted forest

Ralph Böhme slow at samba.org
Tue Nov 28 13:36:54 UTC 2017


On Tue, Nov 28, 2017 at 01:19:28PM +0100, Volker Lendecke wrote:
> On Tue, Nov 28, 2017 at 01:10:12PM +0100, Ralph Böhme via samba-technical wrote:
> > On Tue, Nov 28, 2017 at 01:02:13PM +0100, Volker Lendecke wrote:
> > > On Tue, Nov 28, 2017 at 12:58:22PM +0100, Ralph Böhme wrote:
> > > > auth still fails because add_trusted_domain() will only be called in the domain
> > > > child, but not in the parent where we call find_domain_from_name_noinit().
> > > 
> > > Hmm. Ok. Right. We could do either of two things: Always request info3
> > > from the child and pull the information in the parent before sending
> > > it out, and secondly make it a message. Probably the first way is
> > > cleaner, it creates less hidden, secret protocol elements.
> > 
> > I'm not sure the resulting struct winbind_domain is sufficiently initialized as
> > it lacks the DNS name and trust flags. Ie after an attempt to auth user from
> > previously unseen trusted domains wbinfo -m looks like this:
> 
> What do we need those flags for?

E.g. add_trusted_domain_from_tdc() sets domain->active_directory based on
LSA_TRUST_TYPE_UPLEVEL. That might be relevant for idmap_rfc2307 and idmap_ad,
not sure.

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
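The point under discussion is that winbindd's parent and domain-child processes each have their own copy of the trusted-domain table, so a domain added in the child via add_trusted_domain() is invisible to the parent's find_domain_from_name_noinit(), and that any fix which copies the domain into the parent must also carry enough data (DNS name, trust type) to derive fields like active_directory. The following is an added illustration of that behaviour, not Samba code: a hypothetical model with a forked child, a per-process domain table, and a reply that either is or is not pulled into the parent before the lookup. The names (model_*), the struct layout and the numeric stand-in for LSA_TRUST_TYPE_UPLEVEL are all assumptions.

```c
/* Hypothetical model of the parent/child split discussed in the thread.
 * Added example, not winbindd code; all names and values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stands in for LSA_TRUST_TYPE_UPLEVEL; the numeric value is an assumption. */
#define MODEL_TRUST_TYPE_UPLEVEL 2u
#define MAX_DOMAINS 8

struct model_domain {
	char name[32];
	char dns_name[64];
	uint32_t trust_type;
	int active_directory; /* derived from trust_type, as the thread describes */
	int in_use;
};

/* Per-process table: after fork() the child works on its own copy. */
static struct model_domain domains[MAX_DOMAINS];

void model_reset_domains(void)
{
	memset(domains, 0, sizeof(domains));
}

struct model_domain *model_find_domain(const char *name)
{
	for (int i = 0; i < MAX_DOMAINS; i++) {
		if (domains[i].in_use && strcmp(domains[i].name, name) == 0)
			return &domains[i];
	}
	return NULL;
}

struct model_domain *model_add_domain(const char *name, const char *dns_name,
				      uint32_t trust_type)
{
	for (int i = 0; i < MAX_DOMAINS; i++) {
		if (domains[i].in_use)
			continue;
		snprintf(domains[i].name, sizeof(domains[i].name), "%s", name);
		snprintf(domains[i].dns_name, sizeof(domains[i].dns_name), "%s", dns_name);
		domains[i].trust_type = trust_type;
		domains[i].active_directory = (trust_type == MODEL_TRUST_TYPE_UPLEVEL);
		domains[i].in_use = 1;
		return &domains[i];
	}
	return NULL;
}

/* What the child sends back with the auth result (the info3-like data). */
struct model_auth_reply {
	int ok;
	char domain_name[32];
	char dns_name[64];
	uint32_t trust_type;
};

/* Authenticate through a forked child. With pull_info == 0 the parent ignores
 * the domain details in the reply, so its own table stays empty and the lookup
 * fails (the situation described in the thread). With pull_info != 0 the parent
 * fills its table from the reply first. Returns 1 if the parent can find the
 * domain afterwards, 0 if not, -1 on a fork/pipe error. */
int model_auth_via_child(const char *name, const char *dns_name,
			 uint32_t trust_type, int pull_info,
			 struct model_domain *out)
{
	int fds[2];
	struct model_auth_reply r;
	if (pipe(fds) != 0)
		return -1;
	pid_t pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		close(fds[0]);
		model_add_domain(name, dns_name, trust_type); /* child's copy only */
		memset(&r, 0, sizeof(r));
		r.ok = 1;
		snprintf(r.domain_name, sizeof(r.domain_name), "%s", name);
		snprintf(r.dns_name, sizeof(r.dns_name), "%s", dns_name);
		r.trust_type = trust_type;
		(void)write(fds[1], &r, sizeof(r));
		_exit(0);
	}
	close(fds[1]);
	memset(&r, 0, sizeof(r));
	ssize_t n = read(fds[0], &r, sizeof(r));
	close(fds[0]);
	waitpid(pid, NULL, 0);
	if (n != (ssize_t)sizeof(r) || !r.ok)
		return 0;
	if (pull_info && model_find_domain(r.domain_name) == NULL)
		model_add_domain(r.domain_name, r.dns_name, r.trust_type);
	struct model_domain *d = model_find_domain(name);
	if (d == NULL)
		return 0;
	if (out != NULL)
		*out = *d;
	return 1;
}

int main(void)
{
	struct model_domain d;
	model_reset_domains();
	printf("without pull: %d\n", model_auth_via_child("CHILD", "child.corp.example",
		MODEL_TRUST_TYPE_UPLEVEL, 0, NULL));
	printf("with pull: %d\n", model_auth_via_child("CHILD", "child.corp.example",
		MODEL_TRUST_TYPE_UPLEVEL, 1, &d));
	printf("dns=%s active_directory=%d\n", d.dns_name, d.active_directory);
	return 0;
}
```

The first call models the failure: the child registered CHILD, but the parent's table never saw it. The second call models "pull the information in the parent before sending it out": because the reply carries the DNS name and trust type, the parent can construct a fully initialised entry, including active_directory, rather than a name-only stub.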
