Bug 7144 - Problems scanning for a subdomain in an forest trust
Summary: Problems scanning for a subdomain in an forest trust
Status: NEW
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.5.0rc2
Hardware: All Solaris
: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-17 07:05 UTC by Ralf Schwiete
Modified: 2013-07-25 18:49 UTC (History)
2 users (show)

See Also:

Attachments
may fix the foresttrust-problem (1.80 KB, application/octet-stream)
2010-02-17 07:10 UTC, Ralf Schwiete 		no flags Details
may fix the foresttrust-problem (1.80 KB, patch)
2010-02-17 07:10 UTC, Ralf Schwiete 		no flags Details
winbind-patch (1.73 KB, patch)
2010-02-17 09:46 UTC, Ralf Schwiete 		no flags Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ralf Schwiete 2010-02-17 07:05:52 UTC 
Hello,

I've the Following Domain Forresttrust:
array: struct netr_DomainTrust
    netbios_name             : *
        netbios_name             : 'FOREST_ROOT'
    dns_name                 : *
        dns_name                 : 'forest_root.net'
    trust_flags              : 0x00000022 (34)
           0: NETR_TRUST_FLAG_IN_FOREST
           1: NETR_TRUST_FLAG_OUTBOUND
           0: NETR_TRUST_FLAG_TREEROOT
           0: NETR_TRUST_FLAG_PRIMARY
           0: NETR_TRUST_FLAG_NATIVE
           1: NETR_TRUST_FLAG_INBOUND
           0: NETR_TRUST_FLAG_MIT_KRB5
           0: NETR_TRUST_FLAG_AES
    parent_index             : 0x00000000 (0)
    trust_type               : NETR_TRUST_TYPE_UPLEVEL (2)
    trust_attributes         : 0x00000048 (72)
           0: NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE
           0: NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY
           0: NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
           1: NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
           0: NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
           0: NETR_TRUST_ATTRIBUTE_WITHIN_FOREST
           1: NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
    sid                      : *
        sid                      : S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx
    guid                     : 00000000-0000-0000-0000-000000000000

As you can see this is an Foresttrust which is treaten as external. This is the reason why this Forest will not be scanned for subdomains in "rescan_forest_trusts()":
(...)
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
     (type == NETR_TRUST_TYPE_UPLEVEL) &&
     (attribs == NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
        /* add the trusted domain if we don't know
           about it */
(...)

to scan an forest which is treaten as external the following may be better:
(...)
if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
     (type == NETR_TRUST_TYPE_UPLEVEL) &&
     (attribs & NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
{
        /* add the trusted domain if we don't know
           about it */
(...)

maybe "trust_is_transitive()" and "get_trust_type()" should also be modified. I've written a little patch which may help.
Comment 1 Ralf Schwiete 2010-02-17 07:10:11 UTC 
Created attachment 5363 [details]
may fix the foresttrust-problem
Comment 2 Ralf Schwiete 2010-02-17 07:10:21 UTC 
Created attachment 5364 [details]
may fix the foresttrust-problem
Comment 3 Ralf Schwiete 2010-02-17 09:46:13 UTC 
Created attachment 5368 [details]
winbind-patch

loading up an old (wrong) version of the patch - sorry
Comment 4 Karolin Seeger 2010-05-27 04:44:41 UTC 
Thanks a lot for providing the patch!

Any volunteer for patch review?