OT: Trusts and winlogon problems

Elrond elrond at samba.org
Tue May 16 18:15:52 GMT 2000


On Tue, May 16, 2000 at 11:18:16PM +1000, Luke Kenneth Casson Leighton wrote:
> 
> elrond, the fn call to look at is net_trust_dom_list, in
> srv_netlogon_nt.c.

Thanks for the hint.

But: This is more an NT-problem (also it turns out to also have
some other issues, more below)

It is like this:

NT-Terminal-Server
     |
   member-of
     |
     V
NT-PDC-controlled-Domain.
     |
   trusts
     |
     V
Samba-PDC-controlled-Domain.

I just can't reboot the Terminal Server (it's not "mine",
although they were kind enough to give me the admin-pw, and
there are some big calculations running on it)

And the problem is that the samba-domain is not showing up
in the listbox when you try to log into the
terminal-server.

From your suggestion, I ran rpcclient against the TS and
did a domlist, and samba-dom was in it. So the main things
seem to work, just that listbox doesn't want to contain the
new domain. (I said it's an nt-issue, and I guess
rebooting will help)

Now about the samba-related stuff:
(I have to note that, since it's more "production", it's
currently an older samba version, but I'm updating it while
typing this mail.)

Here's what I did and what happened:

First of all, I remembered that the "trusting domains"
parameter in smb.conf was useless (no code used it), so I
didn't even touch it.
So I just created an nt-dom$ in my passwd, did the
"createuser nt-dom$ -i" and "samuser nt-dom$ -p pw", then
called the admin of the nt-box to do the right stuff in
usrmgr on his pdc.

Up to here, all seemed to have worked properly.
So I tried to access their boxes with smbclient /
rpcclient. This failed somehow; after some debugging,
raising log-levels and stuff like that, I got it:

The nt-pdc does some net_req_chal, but with its own name
as the "trust-account", not the name of its domain. So I
thought, "you want your name, okay, you can have that too",
and added nt-pdc$ also as an interdom-trust-account, set
the same pw, et voilà, smbclient / rpcclient worked
fine. (more on this stuff below...)

Now we come to something that might be a problem in samba
(that's why I'm updating it): After a while, I started to
ask myself whether interactive logons would work anyway, so
I asked the admin of the nt-pdc to log into his pdc with
some account from the samba-domain. This failed, and NT
said something about "the trust-connection between the
primary and the trusting domain could not be set up." or
the like. I currently haven't got good logs for this, so
this is just a start of a possible "bug".

Okay, that's where I currently am.

So after the above nt-pdc$-action, I asked myself whether
NT-Servers that let other domains trust them also had this
stuff, and how it was created, so I got to some company
with lots of nt, compiled rpcclient on a small Sun and
checked. There wasn't any nt-pdc$, just nt-dom$. So how
does NT handle this stuff? The thing I could imagine would
be:

trusting-pdc connects to trusted-pdc, requests chal for
"trusting-pdc".
trusted-pdc now does lots of work (querying wins, doing
dclist on 138, etc.) to get a complete list of dcs for
trusting-dom and verify that trusting-pdc is in there, and
then treat "trusting-pdc" as "trusting-dom".

I wasn't able to get any traces from pdc-to-pdc in that
company (I was glad I could run rpcclient towards their
boxes.)


    Elrond

> 
> 
> On Tue, 16 May 2000, Elrond wrote:
> 
> > 
> > Okay, this time, I would appreciate some help from the nt
> > gurus here.
> > 
> > Here's the scenario:
> > 
> > There's an NT-Terminal-server, which is a member of an
> > NT-Domain. This NT-Domain now trusts my Samba-Domain (was
> > somewhat tricky, I'll write something about that too). This
> > seems to work mainly (there are small issues; if
> > necessary, I'll explain them).
> > 
> > Mainly means: The NT-PDC has my samba-domain in its
> > logon-box.
> > 
> > BUT: The Terminal-Server doesn't have it in its logon-box.
> > For understandable reasons, I can't currently reboot it. I
> > tried to stop and start the logon-service ("Anmeldedienst"
> > in german, not sure if I translated it correctly back) on
> > it, but that didn't help.
> > 
> > So how do I tell the Terminalserver to "reread" the lists
> > of valid domains from its PDC?
> > 
> > Just as a side-note: The trust-relationship seems to work,
> > as I can access shares on the Terminalserver with
> > accounts from my samba-domain, so the main trust works,
> > just the logon-box doesn't list my domain. This should be
> > fixable by rebooting, which I currently don't want to do.
> > 
> > 
> >     Elrond
> > 
> 
> <a href=" mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton    </a>
> <a href=" http://cb1.com/~lkcl"  > Samba and Network Development   </a>
> <a href=" http://samba.org"      > Samba Web site                  </a>
> <a href=" http://mcp.com"        > Macmillan Technical Publishing  </a>
>  
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals