Bug 7144 - Problems scanning for a subdomain in a forest trust
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Version: 3.5.0rc2
Hardware: All Solaris
Importance: P3 normal
Target Milestone: ---
Assigned To: Michael Adam
QA Contact: Samba QA Contact
Reported: 2010-02-17 07:05 UTC by Ralf Schwiete
Modified: 2013-07-25 18:49 UTC

Attachments
may fix the foresttrust-problem (1.80 KB, application/octet-stream), 2010-02-17 07:10 UTC, Ralf Schwiete
may fix the foresttrust-problem (1.80 KB, patch), 2010-02-17 07:10 UTC, Ralf Schwiete
winbind-patch (1.73 KB, patch), 2010-02-17 09:46 UTC, Ralf Schwiete

Description Ralf Schwiete 2010-02-17 07:05:52 UTC
Hello,

I have the following domain forest trust:
array: struct netr_DomainTrust
    netbios_name             : *
        netbios_name             : 'FOREST_ROOT'
    dns_name                 : *
        dns_name                 : 'forest_root.net'
    trust_flags              : 0x00000022 (34)
           0: NETR_TRUST_FLAG_IN_FOREST
           1: NETR_TRUST_FLAG_OUTBOUND
           0: NETR_TRUST_FLAG_TREEROOT
           0: NETR_TRUST_FLAG_PRIMARY
           0: NETR_TRUST_FLAG_NATIVE
           1: NETR_TRUST_FLAG_INBOUND
           0: NETR_TRUST_FLAG_MIT_KRB5
           0: NETR_TRUST_FLAG_AES
    parent_index             : 0x00000000 (0)
    trust_type               : NETR_TRUST_TYPE_UPLEVEL (2)
    trust_attributes         : 0x00000048 (72)
           0: NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE
           0: NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY
           0: NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
           1: NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
           0: NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
           0: NETR_TRUST_ATTRIBUTE_WITHIN_FOREST
           1: NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
    sid                      : *
        sid                      : S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx
    guid                     : 00000000-0000-0000-0000-000000000000

As you can see, this is a forest trust which is treated as external. This is the reason why this forest will not be scanned for subdomains in "rescan_forest_trusts()":
(...)
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
     (type == NETR_TRUST_TYPE_UPLEVEL) &&
     (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
        /* add the trusted domain if we don't know
           about it */
(...)

To scan a forest which is treated as external, the following may be better:
(...)
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
     (type == NETR_TRUST_TYPE_UPLEVEL) &&
     (attribs & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
        /* add the trusted domain if we don't know
           about it */
(...)

Maybe "trust_is_transitive()" and "get_trust_type()" should also be modified. I've written a little patch which may help.
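
The two conditions quoted in the description, run side by side over the reported trust and a few constructed ones. This is an added example, not part of the original report or of Samba's code. The bit values follow MS-NRPC and agree with the decoded dump above; `struct trust`, `scan_equality()`, `scan_bitmask()` and the sample rows other than the first are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values per MS-NRPC; they agree with the decoded dump in the report
   (trust_flags 0x22, trust_attributes 0x48). */
#define NETR_TRUST_FLAG_OUTBOUND                0x00000002
#define NETR_TRUST_FLAG_INBOUND                 0x00000020
#define NETR_TRUST_TYPE_UPLEVEL                 2
#define NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE     0x00000001
#define NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0x00000004
#define NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE  0x00000008
#define NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  0x00000040
#define BOTH_WAYS (NETR_TRUST_FLAG_INBOUND | NETR_TRUST_FLAG_OUTBOUND)

/* Hypothetical container for the three fields the condition reads. */
struct trust { const char *name; uint32_t flags, type, attribs; };

/* Condition as quoted from rescan_forest_trusts(): attributes must equal
   FOREST_TRANSITIVE exactly, so any additional bit makes it fail. */
static int scan_equality(const struct trust *t)
{
    return (t->flags & NETR_TRUST_FLAG_INBOUND) &&
           (t->type == NETR_TRUST_TYPE_UPLEVEL) &&
           (t->attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE);
}

/* Condition proposed in the report: only tests that the bit is set. */
static int scan_bitmask(const struct trust *t)
{
    return (t->flags & NETR_TRUST_FLAG_INBOUND) &&
           (t->type == NETR_TRUST_TYPE_UPLEVEL) &&
           (t->attribs & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE);
}

/* Row 0 is the trust from the report; rows 1-4 are constructed. */
static const struct trust samples[] = {
    { "FOREST_ROOT (report)", BOTH_WAYS, 2, NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE | NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL },
    { "plain forest trust", BOTH_WAYS, 2, NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE },
    { "forest trust + quarantined", BOTH_WAYS, 2, NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE | NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN },
    { "external, non-transitive", BOTH_WAYS, 2, NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE },
    { "forest trust, outbound only", NETR_TRUST_FLAG_OUTBOUND, 2, NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE },
};

int main(void)
{
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s attribs=0x%02x  ==:%d  &:%d\n", samples[i].name,
               (unsigned)samples[i].attribs, scan_equality(&samples[i]),
               scan_bitmask(&samples[i]));
    return 0;
}
```

The bitmask form accepts every attribute combination that includes FOREST_TRANSITIVE, so the quarantined row is scanned as well; a review of the patch should confirm that this is intended.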
Comment 1 Ralf Schwiete 2010-02-17 07:10:11 UTC
Created attachment 5363
may fix the foresttrust-problem
Comment 2 Ralf Schwiete 2010-02-17 07:10:21 UTC
Created attachment 5364
may fix the foresttrust-problem
Comment 3 Ralf Schwiete 2010-02-17 09:46:13 UTC
Created attachment 5368
winbind-patch

loading up an old (wrong) version of the patch - sorry
Comment 4 Karolin Seeger 2010-05-27 04:44:41 UTC
Thanks a lot for providing the patch!

Any volunteer for patch review?