[Samba] samba-3.6.1 cannot be used by trusted domain users?

[Jason Haar]

Hi there

Samba is a member of dom1.corp.net, there are also dom2.corp.net and
dom3.corp.net - together making up the "CORP" forest. There are other
forests with two-way trusts with CORP.NET, such as OTHER.NET

We have a problem where Samba/winbind is inconsistent on account details
and therefore access.

* wbinfo -D  OTHER returns details about "other.net" - good
* wbinfo --dc-info=OTHER returns a  valid domain controller of OTHER - good

however....

* wbinfo -i OTHER\\username returns "failed to call wbcGetpwnam:
WBC_ERR_DOMAIN_NOT_FOUND"
* wbinfo -n OTHER\\username returns the SID
* wbinfo -s SID returns OTHER\username

That last bit flummoxed me - how can winbind figure out the SID without
being able to figure out the rest? We see this not only for usernames in
other forests, but also usernames in other subdomains in the same forest
(ie "wbinfo -i" works for usernames in the same domain as Samba - just
not other domains in the same forest)

testparam -sv|grep trust returns

        allow trusted domains = Yes
        map untrusted to domain = No
        winbind trusted domains only = No

The outcome is that when a user from another domain/forest connects,
they get access denied and the logs show

[2011/12/19 01:26:51.195684,  3]
winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam other\username
[2011/12/19 01:26:59.234921,  5]
winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-1705711945-1589781387-1543859470-20569:
NT_STATUS_UNSUCCESSFUL

So that makes no sense: how can "wbinfo -s SID" work, when the winbind
logfile shows that it couldn't convert the same sid?

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1