[Samba] strange trusts in 3.0.21?
William Jojo
jojowil at hvcc.edu
Fri Dec 30 12:43:40 GMT 2005
We have a three-way Samba trust in our development environment. All three
are using OpenLDAP and Samba 3.0.21. The LDAP database is shared for
access to Posix/Samba user info. SIDs are appropriately assigned to the
users and machines with algorithmic RIDs and the IDMAP table is preloaded
with the SID-RID to UID mappings. This all works and was tested by
assigning Windows ACLs to shares with users from trusted domains.
The problem is the following:
ACDEV trusts DEVXP and DEVEX
DEVXP trusts ACDEV and DEVEX
DEVEX trusts ACDEV and DEVXP
A machine INTDEV4 (INTDEV4$) joins ACDEV.
INTDEV4 shows INTDEV4 (local machine), ACDEV, DEVEX and DEVXP as possible
choices for logging in. Perfect.
Three users are used for testing:
billtest (sambaSID & sambaPrimaryGroupSID is in ACDEV)
log on to ACDEV - YES
log on to DEVXP - YES
log on to DEVEX - YES
edwartho (sambaSID & sambaPrimaryGroupSID is in DEVEX)
log on to ACDEV - **NO**
log on to DEVXP - YES
log on to DEVEX - YES
test1 (sambaSID & sambaPrimaryGroupSID is in DEVXP)
log on to ACDEV - **NO**
log on to DEVXP - YES
log on to DEVEX - YES
The error received for the **NO** is "The username and password
provided...please check case...etc"
log.smbd shows NT_STATUS_OK for checking the NT password, but a parse
underflow later on (see snip below)
If I change INTDEV4$ to have SID in DEVXP and join it to DEVXP:
billtest (sambaSID & sambaPrimaryGroupSID is in ACDEV)
log on to ACDEV - YES
log on to DEVXP - **NO**
log on to DEVEX - YES
edwartho (sambaSID & sambaPrimaryGroupSID is in DEVEX)
log on to ACDEV - YES
log on to DEVXP - **NO**
log on to DEVEX - YES
test1 (sambaSID & sambaPrimaryGroupSID is in DEVXP)
log on to ACDEV - YES
log on to DEVXP - YES
log on to DEVEX - YES
I have the logs if someone wants to see, or is this expected behavior?
<snip of billtest failure>
[2005/12/29 17:01:08, 5] auth/auth.c:check_ntlm_password(294)
check_ntlm_password: PAM Account for user [billtest] succeeded
[2005/12/29 17:01:08, 2] auth/auth.c:check_ntlm_password(307)
check_ntlm_password: authentication for user [billtest] -> [billtest] -> [billtest] succeeded
...
[2005/12/29 17:01:08, 5] rpc_parse/parse_prs.c:prs_ntstatus(733)
022c status : NT_STATUS_OK
[2005/12/29 17:01:08, 5] rpc_server/srv_pipe.c:api_rpcTNP(2254)
api_rpcTNP: called NETLOGON successfully
[2005/12/29 17:01:08, 10] rpc_server/srv_pipe.c:api_rpcTNP(2263)
api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/12/29 17:01:08, 5] rpc_parse/parse_prs.c:prs_uint8s(790)
00fc : 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
[2005/12/29 17:01:08, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
free_pipe_context: destroying talloc pool of size 920
[2005/12/29 17:01:08, 10] rpc_server/srv_pipe.c:write_to_internal_pipe(960)
write_to_pipe: data_used = 320
[2005/12/29 17:01:08, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
writeX-IPC pnum=7703 nwritten=336
Cheers,
Bill
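
Added example (not part of the original post and not Samba project code): a Python script that groups a log.smbd excerpt like the one above into header/message records and reports users whose check_ntlm_password succeeded and was then followed by the api_rpcTNP underflow message. The sample log, the user names usera/userb and the function names are constructed for illustration.

```python
import re

# Record header as it appears in the excerpt: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] *\S+?:(\w+)\(\d+\)$")
AUTH_OK = re.compile(r"check_ntlm_password:\s+authentication for user \[([^\]]+)\].*succeeded")
UNDERFLOW = "rpc input buffer underflow"

# Constructed sample modelled on the excerpt; usera/userb are made-up names.
SAMPLE = """\
[2005/12/29 17:01:08, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [usera] -> [usera] -> [usera] succeeded
[2005/12/29 17:01:08, 5] rpc_server/srv_pipe.c:api_rpcTNP(2254)
  api_rpcTNP: called NETLOGON successfully
[2005/12/29 17:01:08, 10] rpc_server/srv_pipe.c:api_rpcTNP(2263)
  api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/12/29 17:02:30, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [userb] -> [userb] -> [userb] succeeded
[2005/12/29 17:02:30, 5] rpc_server/srv_pipe.c:api_rpcTNP(2254)
  api_rpcTNP: called NETLOGON successfully
"""

def parse_records(text):
    """Group log lines into records: one header plus the message lines under it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "func": m.group(3), "msg": ""})
        elif line and records:
            # Non-header lines (wrapped ones too) extend the current message.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def auth_ok_then_underflow(records):
    """Return (user, timestamp) where a successful NTLM check precedes an underflow."""
    hits, pending = [], None
    for rec in records:
        m = AUTH_OK.search(rec["msg"])
        if m:
            pending = m.group(1)  # the most recent successful check
        elif pending and UNDERFLOW in rec["msg"]:
            hits.append((pending, rec["ts"]))
            pending = None
    return hits

if __name__ == "__main__":
    for user, ts in auth_ok_then_underflow(parse_records(SAMPLE)):
        print(f"{ts}  {user}: NT password check succeeded, then RPC underflow")
```

The underflow message is logged at debug level 10, so the script only finds it in logs captured at that level.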