Bug 13308 - samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA
Summary: samba-tool domain trust: fix trust compatibility to Windows Server 1709 and F...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.0rc2
Hardware: All All
Importance: P5 major
Target Milestone: 4.9
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-27 12:56 UTC by Stefan Metzmacher
Modified: 2018-08-23 07:57 UTC
CC List: 4 users

See Also:


Attachments
Patches for v4-9-test (52.24 KB, patch)
2018-07-26 09:19 UTC, Stefan Metzmacher
ab: review+
Patches for v4-8-test (52.23 KB, patch)
2018-07-26 10:11 UTC, Stefan Metzmacher
ab: review+
Patches for v4-7-test (52.24 KB, patch)
2018-07-26 10:12 UTC, Stefan Metzmacher
ab: review+

Description Stefan Metzmacher 2018-02-27 12:56:58 UTC
samba-tool domain trust: fix trust compatibility to Windows Server 1709 and FreeIPA
Two patches from this pull request attempt to fix compatibility with Windows Server 1709 and FreeIPA.

FreeIPA does not implement netr_DsRGetDCNameEx2() in a way that can be used by `samba-tool`, so a DC search fails when running `samba-tool domain trust create`. Instead, use netr_DsRGetDCNameEx2() with a remote server name to call our own DC. This should cause our own DC to use CLDAP discovery, which is supported by FreeIPA.

Windows Server 1709 disabled SMB1 by default, so one has to set `client ipc min protocol = SMB2` to get the trust established. While this is a proper fix going forward, it makes sense to default to SMB2 internally when establishing LSA and Netlogon RPC connections even if `smb.conf` lacks the correct option, and fall back to an older protocol only if SMB2 fails. This is an approach already used by the FreeIPA DC for a few years.
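As an added illustration (not part of the bug report or the attached patches), the `smb.conf` setting the description refers to, shown as the configuration that fails against an SMB1-disabled Windows Server 1709 beside the corrected form; the workgroup and realm values are constructed placeholders.

```ini
; BEFORE: no IPC minimum is set, so the LSA/Netlogon RPC connections that
; samba-tool domain trust opens to the remote DC may negotiate SMB1, which
; Windows Server 1709 has disabled. The trust creation then fails.
[global]
    workgroup = EXAMPLE                      ; constructed placeholder
    realm = EXAMPLE.ORG                      ; constructed placeholder
    server role = active directory domain controller

; AFTER: require SMB2 or newer for the IPC$ connections Samba makes as a
; client, which is what the trust setup needs against an SMB1-disabled peer.
; (Shown as a second copy of [global] only for comparison; a real smb.conf
; carries one [global] section.)
[global]
    workgroup = EXAMPLE                      ; constructed placeholder
    realm = EXAMPLE.ORG                      ; constructed placeholder
    server role = active directory domain controller
    client ipc min protocol = SMB2
```

The effective value on a Samba host can be checked with `testparm -s --parameter-name="client ipc min protocol"`.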
Comment 1 Stefan Metzmacher 2018-07-26 09:19:39 UTC
Created attachment 14338 [details]
Patches for v4-9-test
Comment 2 Alexander Bokovoy 2018-07-26 09:41:56 UTC
Comment on attachment 14338 [details]
Patches for v4-9-test

LGTM. This patchset does not include the FreeIPA parts, as they are addressed by c390728819e73cefbf02e0d52d22805930f4c45b in bug https://bugzilla.samba.org/show_bug.cgi?id=13538
Comment 3 Stefan Metzmacher 2018-07-26 10:11:37 UTC
Created attachment 14339 [details]
Patches for v4-8-test
Comment 4 Stefan Metzmacher 2018-07-26 10:12:18 UTC
Created attachment 14340 [details]
Patches for v4-7-test
Comment 5 Alexander Bokovoy 2018-07-26 10:40:31 UTC
Comment on attachment 14339 [details]
Patches for v4-8-test

LGTM.
Comment 6 Alexander Bokovoy 2018-07-26 10:41:11 UTC
Comment on attachment 14340 [details]
Patches for v4-7-test

LGTM.
Comment 7 Karolin Seeger 2018-07-28 03:51:49 UTC
Pushed to autobuild-v4-{9,8,7}-test.
Comment 8 Alexander Bokovoy 2018-08-13 13:44:17 UTC
Karolin, I do not see these patches in v4-8-test.
Comment 9 Karolin Seeger 2018-08-14 06:58:36 UTC
(In reply to Alexander Bokovoy from comment #8)
4b3ac377a

autobuild failed and was restarted yesterday.
Pushed now.
Comment 10 Karolin Seeger 2018-08-23 07:57:15 UTC
Pushed to all branches.
Closing out bug report.

Thanks!