[Samba] strange trusts in 3.0.21?

William Jojo jojowil at hvcc.edu
Fri Dec 30 12:43:40 GMT 2005



We have a three-way Samba trust in our development environment. All three
are using OpenLDAP and Samba 3.0.21. The LDAP database is shared for
access to Posix/Samba user info. SIDs are appropriately assigned to the
users and machines with algorithmic RIDs and the IDMAP table is preloaded
with the SID-RID to UID mappings. This all works and was tested with
assigning Windows ACLs to shares with users from trusted domains.


The problem is the following:

ACDEV trusts DEVXP and DEVEX
DEVXP trusts ACDEV and DEVEX
DEVEX trusts ACDEV and DEVXP

A machine INTDEV4 (INTDEV4$) joins ACDEV.

INTDEV4 shows INTDEV4 (local machine), ACDEV, DEVEX and DEVXP as possible
choices for logging in. Perfect.


Three users are used for testing:

billtest (sambaSID & sambaPrimaryGroupSID is in ACDEV)
	log on to ACDEV - YES
	log on to DEVXP - YES
	log on to DEVEX - YES

edwartho (sambaSID & sambaPrimaryGroupSID is in DEVEX)
	log on to ACDEV - **NO**
	log on to DEVXP - YES
	log on to DEVEX - YES

test1 (sambaSID & sambaPrimaryGroupSID is in DEVXP)
	log on to ACDEV - **NO**
	log on to DEVXP - YES
	log on to DEVEX - YES

The error received for the **NO** is "The username and password
provided...please check case...etc"

log.smbd shows NT_STATUS_OK for checking the NT password, but a parse
underflow later on (see snip below)


If I change INTDEV4$ to have SID in DEVXP and join it to DEVXP:

billtest (sambaSID & sambaPrimaryGroupSID is in ACDEV)
        log on to ACDEV - YES
        log on to DEVXP - **NO**
        log on to DEVEX - YES

edwartho (sambaSID & sambaPrimaryGroupSID is in DEVEX)
        log on to ACDEV - YES
        log on to DEVXP - **NO**
        log on to DEVEX - YES

test1 (sambaSID & sambaPrimaryGroupSID is in DEVXP)
        log on to ACDEV - YES
        log on to DEVXP - YES
        log on to DEVEX - YES


I have the logs if someone wants to see, or is this expected behavior?


<snip of billtest failure>

[2005/12/29 17:01:08, 5] auth/auth.c:check_ntlm_password(294)
  check_ntlm_password:  PAM Account for user [billtest] succeeded
[2005/12/29 17:01:08, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [billtest] -> [billtest] -> [billtest] succeeded
...
[2005/12/29 17:01:08, 5] rpc_parse/parse_prs.c:prs_ntstatus(733)
      022c status      : NT_STATUS_OK
[2005/12/29 17:01:08, 5] rpc_server/srv_pipe.c:api_rpcTNP(2254)
  api_rpcTNP: called NETLOGON successfully
[2005/12/29 17:01:08, 10] rpc_server/srv_pipe.c:api_rpcTNP(2263)
  api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/12/29 17:01:08, 5] rpc_parse/parse_prs.c:prs_uint8s(790)
  00fc : 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
[2005/12/29 17:01:08, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(526)
  free_pipe_context: destroying talloc pool of size 920
[2005/12/29 17:01:08, 10] rpc_server/srv_pipe_hnd.c:write_to_internal_pipe(960)
  write_to_pipe: data_used = 320
[2005/12/29 17:01:08, 3] smbd/pipes.c:reply_pipe_write_and_X(207)
  writeX-IPC pnum=7703 nwritten=336



Cheers,

Bill
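
One way to triage the symptom described in the post (the NTLM check succeeds, then an RPC parse underflow is logged), as an added example that is not part of the original message or of Samba: it parses log.smbd-style records and flags each successful authentication that is followed shortly afterwards by `rpc input buffer underflow`. The sample log is constructed from the excerpt above; the function names, the two-second window and the single-process log are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in log.smbd layout, modelled on the excerpt in the post.
SAMPLE_LOG = """\
[2005/12/29 17:01:08, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [billtest] -> [billtest] -> [billtest] succeeded
[2005/12/29 17:01:08, 5] rpc_server/srv_pipe.c:api_rpcTNP(2254)
  api_rpcTNP: called NETLOGON successfully
[2005/12/29 17:01:08, 10] rpc_server/srv_pipe.c:api_rpcTNP(2263)
  api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/12/29 17:05:30, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password:  authentication for user [test1] -> [test1] -> [test1] succeeded
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s*(\S+)")
AUTH_OK = re.compile(r"authentication for user \[([^\]]*)\].*succeeded")
UNDERFLOW = "rpc input buffer underflow"

def parse_records(text):
    """Attach each indented message line to the header line above it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append({"time": when, "source": m.group(2), "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def auth_ok_then_underflow(records, window=timedelta(seconds=2)):
    """Return (user, time) for each successful NTLM check that is followed,
    within `window` and before the next auth record, by an RPC underflow."""
    hits = []
    for i, rec in enumerate(records):
        m = AUTH_OK.search(rec["msg"])
        if not m:
            continue
        for later in records[i + 1:]:
            if later["time"] - rec["time"] > window or AUTH_OK.search(later["msg"]):
                break
            if UNDERFLOW in later["msg"]:
                hits.append((m.group(1), rec["time"].isoformat(sep=" ")))
                break
    return hits

print(auth_ok_then_underflow(parse_records(SAMPLE_LOG)))
```
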

