Having issues with trusted domain scan if the primary domain is a tree-root but not the forest root.
Stefan Metzmacher
metze at samba.org
Wed Jan 30 09:45:52 UTC 2019
Hi Hemanth,
>> We were debugging an issue related to trusted domain scan. Samba
>> file server is joined to a domain which is a tree root in the
>> forest, but not the forest root. We have a few forest trusts
>> established at forest root level. When we try to scan the trusted
>> domains, we were able to get all the domains within the forest of
>> our primary domain but nothing from other forests.
>
> The fact alone that we scan trusted domains is a bug. This bug is on
> its way to be fixed. There have been some significant fixes in
> winbind to remove this dependency. In Samba 4.8 you have the "winbind
> scan trusted domains" option which will be defaulted to "no" soon.
> Please try with 4.8 and setting that to off. Your case might be a very
> good testcase for this option, and we will deeply look at the bugs you
> see when setting it to "no".
Yes, avoiding the scan at all is the future!
I'm not 100% sure it's related, but you may want to look at
commit 525752e06e7e73bfe1e9e7b80ad9f11d45befe5c
Author: Stefan Metzmacher <metze at samba.org>
AuthorDate: Thu Mar 2 08:13:57 2017 +0100
Commit: Stefan Metzmacher <metze at samba.org>
CommitDate: Mon Mar 6 19:40:23 2017 +0100

    s3:winbindd: fix endless forest trust scan

    Commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b effectively
    disabled the enumeration of trusts in other forests.

    The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
    changed the way we fill domain->domain_flags for domains
    in other forests.

    Commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6 re-added the
    ability to enumerate trusts of other forests again, in order to
    fix https://bugzilla.samba.org/show_bug.cgi?id=11830

    Now we have the problem that multiple domains
    (even outside of our forest) are considered to be
    our forest root, as they have the following flags:
    NETR_TRUST_FLAG_TREEROOT and NETR_TRUST_FLAG_IN_FOREST.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12605

    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Thu Mar 2 17:53:14 CET 2017 on sn-devel-144

    (cherry picked from commit f9aaddcdd8f9ea648c9c5ea804f56ee3ff6c4c67)

metze