SAMLOGON UDP request

Andrew Tridgell tridge at samba.org
Tue Dec 15 02:11:11 GMT 1998


> yes, in an inter-domain environment.  we look up the SID against the known
> inter-domain trust SIDs and return the known PDC for that SID.

great, that is the first possibly valid reason I've seen for having
the SID in nmbd. a few comments though:

1) the code I removed didn't do this. 

2) doing this requires changes to much more than just
nmbd_processlogon.c as requests for other domains won't even get that
far. We'd have to change the code that determines if the domain name
is a local name or add the foreign domains to our locally registered
name list for each subnet. If we did the latter (which would probably
be the right thing to do) then we'd need to go carefully through all
the other datagram code and make sure we don't reply inappropriately
to other requests.

3) we need to check to see if NT does this (not just rumours, we'd
need to see a sniff). 

4) I thought that clients looking for a domain logon server try
broadcast then if that fails they do a WINS query for a 1C name in the
domain and send a unicast datagram to the resulting IPs. If this does
happen (and I'm pretty sure I've seen it) then making nmbd
proxy-respond to foreign domains is totally unnecessary which would
make the SID totally unnecessary in nmbd.

once we've resolved these then we will know if putting the SID in nmbd
is appropriate.

If we decide that it is appropriate then we will certainly _not_ be
doing it the way you did it before. That broke lots of people's setups
including nmbd on samba.anu.edu.au. The right way to do it is to only
fetch the SID when the first such foreign logon datagram comes in. It
is totally wrong to make nmbd exit because it _might_ receive a domain
logon request for a foreign domain! If, when it does receive such a
request, it can't get the SID then it should log a warning and ignore
the packet. Not bloody exit.

ok?

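An added illustration, written for this archive page and not Samba's own code, of the handling the message argues for in its last paragraph: the trust SID for a foreign domain is fetched only when the first logon datagram for that domain arrives, and a failed fetch logs a warning and drops the packet instead of exiting. The domain names, the SID value and the `fake_fetch_sid` fetcher are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_TRUSTS 8
enum logon_result { LOGON_LOCAL, LOGON_PROXY, LOGON_DROPPED };

struct trust_entry { char domain[32]; char sid[64]; };  /* sid stays empty until fetched */
static struct trust_entry trusts[MAX_TRUSTS];
static int ntrusts;
static char last_sid[64];

/* Stand-in for whatever would really fetch a trusted domain's SID (assumed interface). */
static int (*fetch_sid)(const char *domain, char *sid, size_t len);

void add_trust(const char *domain) {
    if (ntrusts < MAX_TRUSTS) snprintf(trusts[ntrusts++].domain, 32, "%s", domain);
}
void set_fetcher(int (*fn)(const char *, char *, size_t)) { fetch_sid = fn; }

/* Constructed fetcher: succeeds for TRUSTED, fails for any other domain (simulated outage). */
int fake_fetch_sid(const char *domain, char *sid, size_t len) {
    if (strcasecmp(domain, "TRUSTED") == 0) { snprintf(sid, len, "S-1-5-21-1-2-3"); return 0; }
    return -1;
}

static struct trust_entry *lookup_trust(const char *domain) {
    for (int i = 0; i < ntrusts; i++)
        if (strcasecmp(trusts[i].domain, domain) == 0) return &trusts[i];
    return NULL;
}

/* Handle one SAMLOGON datagram naming req_domain; local_domain is the domain we serve. */
enum logon_result process_logon_request(const char *local_domain, const char *req_domain,
                                        char *sid_out, size_t sid_len) {
    if (strcasecmp(local_domain, req_domain) == 0) return LOGON_LOCAL;
    struct trust_entry *t = lookup_trust(req_domain);
    if (t == NULL) return LOGON_DROPPED;              /* neither ours nor trusted: ignore */
    if (t->sid[0] == '\0') {                          /* first request for this domain */
        if (fetch_sid == NULL || fetch_sid(t->domain, t->sid, sizeof t->sid) != 0) {
            t->sid[0] = '\0';                         /* retry on the next datagram */
            fprintf(stderr, "WARNING: no SID for trusted domain %s; ignoring logon request\n",
                    t->domain);
            return LOGON_DROPPED;                     /* warn and drop, never exit */
        }
    }
    snprintf(sid_out, sid_len, "%s", t->sid);
    return LOGON_PROXY;
}
```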
