Members fail when authenticating trusted domain users
Luiz Angelo Daros de Luca
luizluca at gmail.com
Tue Aug 14 00:12:42 GMT 2007
Hello,
I'm having a problem with trusted domains in samba 3.0.23d. Users from
remote trusted domains are correctly accepted when trying to log in
to the PDC/BDC. But when they connect to a domain member, they
fail. Here is some more info:
https://bugzilla.samba.org/show_bug.cgi?id=4874
The remote domain username is based on an ID number. Ex:
REMOTE_DOMAIN/0002021
As all users in the remote domain have a corresponding local
domain/unix user, I use the usermap script to search LDAP and map the
user to the correct local unix user.
The idmap ranges are absent intentionally as no new group/user is
necessary. Samba auths correctly in the remote domain but fails just
after when the user's group sid domain is different from the user's sid
domain.
rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
_net_sam_logon: user TRE-SC\042138400906 has user sid
S-1-5-21-917466437-634157975-1849977318-8299
but group sid S-1-5-21-523112625-507000586-1192791579-513.
The conflicting domain portions are not supported for NETLOGON calls
pdb_get_group_sid and pdb_set_group_sid map any group that doesn't
have a corresponding gid to localdomain-513. Shouldn't it map to
usersdomain-513? Mapped user's gid has a corresponding local domain
samba group that is not 513.
Why does a localdomain-513 matter if it is different from the user's domain?
I successfully authenticated my users patching samba to map to user's
domain-513 in any case but maybe this can break something else out
there as there's no gid to it.
Any ideas?
--
Luiz Angelo Daros de Luca
luizluca at gmail.com
ICQ: 19290419
I Know, "Where you wanted to go today",
but I decided to stop here instead!
MS Windows
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-domainsid.patch
Type: text/x-patch
Size: 2236 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070813/13d0212c/samba-domainsid.bin
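Added example, not part of the original post and not Samba's own code: a small C check of the condition the log message reports, namely whether a user SID and a primary group SID share the same domain portion (everything before the final RID). The function names sid_split_rid and sids_share_domain are hypothetical; the two SIDs in main() are the ones quoted in the log above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split a textual SID into its domain portion (everything before the last
 * '-') and its trailing RID. Returns 0 on success, -1 on malformed input. */
int sid_split_rid(const char *sid, char *dom, size_t domlen, unsigned long *rid)
{
    const char *dash;
    char *end;
    size_t n;

    if (sid == NULL || strncmp(sid, "S-1-", 4) != 0)
        return -1;
    dash = strrchr(sid, '-');
    n = (size_t)(dash - sid);
    if (n < 4 || n >= domlen || !isdigit((unsigned char)dash[1]))
        return -1;
    *rid = strtoul(dash + 1, &end, 10);
    if (*end != '\0' || *rid > 0xFFFFFFFFUL)   /* RIDs are 32-bit */
        return -1;
    memcpy(dom, sid, n);
    dom[n] = '\0';
    return 0;
}

/* 1: same domain portion; 0: conflicting domain portions; -1: parse error. */
int sids_share_domain(const char *user_sid, const char *group_sid)
{
    char ud[128], gd[128];
    unsigned long ur, gr;

    if (sid_split_rid(user_sid, ud, sizeof ud, &ur) != 0 ||
        sid_split_rid(group_sid, gd, sizeof gd, &gr) != 0)
        return -1;
    return strcmp(ud, gd) == 0;
}

int main(void)
{
    /* The two SIDs quoted in the log message above. */
    const char *user  = "S-1-5-21-917466437-634157975-1849977318-8299";
    const char *group = "S-1-5-21-523112625-507000586-1192791579-513";

    printf("same domain: %d\n", sids_share_domain(user, group));
    return 0;
}
```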