FIxed [was Re: Authentication through transitive trusts]

Gerald (Jerry) Carter jerry at
Sat Aug 2 15:43:38 GMT 2003

Hash: SHA1

On Thu, 31 Jul 2003, Ken Cross wrote:

> Jerry et al:
> THANK YOU for your efforts!  Here's what I've discovered so far with this
> setup:
>   +-- CAMP (mixed-mode)
>   +-- KAMA (mixed-mode)
>        +-- JAYA (native-mode)
> Mixed-mode DCs
> I know you said it must be native mode, but the DCs I was using were mixed
> mode so I did some testing there first (once you change to native mode, you
> can't go back).  I had 2 mixed-mode DCs that are both Win2000 SP3.

The issue is more with mixed mode trusted DCs.  The problem is that we 
have to use RPC for mixed mode trusted DCs because we don't know if 
a DC we pick will be NT4 or 2k.  The RPC for enumerated all domains in the 
forest is only available on 2k/2k3 DC's.  But since we ask our DC for the 
trusted domains and the admin specifies security = ads|domain, this really 
doesn;t matter i guess.  

> The mixed-mode DCs basically acted like previous builds except that
> enumerating users/groups showed them from all transitive trusts if "Allow
> trusted domains" is enabled.  That's nice.  Authentication works as before,
> i.e., authenticates against the DC and its parent.  

so connecting as a user from PARENT to a Samba box in JAVA doesn't work?

> wbinfo -m shows the same (self and parent), but wbinfo --sequence shows
> sequence numbers from transitive trusts, too (if "Allow trusted domains" is
> enabled).

Can you send me a level 10 debug log for wqinbindd from startup to the end 
of wbinfo -m ?  Thanks.

> Native-mode DCs
> If "Allow trusted domains" is enabled, all users/groups on all transitive
> trusts are displayed.  Authentication works on all transitive trusts.  Yea!
> If "Allow trusted domains" is disabled, only users/groups in the domain
> joined show up.  Also, authentication only works on the joined domain.

So everything is ok here.

> Wish List
> Is that how it *should* work?  Is there any way to enumerate users/groups
> from the joined domain but authenticate against any domain?

we have to be able to enumerate users kfrom trusted odomains as part of 
7the SID<->uid/gid process.  But if you don't want them enumerates,
see "winbind enumerate users" in smb.conf(5).
> We have a customer with 650+ domains.  Clearly, enumerating all those
> suckers will be painful.  But if we join a "resource" domain, we'd want to
> be able to authenticate against an "authentication" domain (that has all the
> user accounts).

You really need to set 'winbind enumerate users = no" in this case.
Same thing for groups.

It would be an easy change to make winbindd only enuemrate users from our 
local domain as in 'getent passwd'  or even for wbinfo -u.  See 

> Also, do you think working with mixed-mode DCs is feasible?

I'm perplexed about this.  It should work.  I'm going to open
a report in bugzzilla about this so we can track it.

cheers, jerry
 Hewlett-Packard            -------------------------
 SAMBA Team                 ----------------------
 GnuPG Key                  ----
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)

Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see


More information about the samba-technical mailing list