interdomain trust rpc error (error in winbindd?)

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 31 15:16:44 GMT 2003


On Wed, 30 Jul 2003, Jeremy Drake wrote:

> I'll cut right to the point.  I set up winbind on a samba PDC which trusts 
> a win2k domain running in mixed mode.  I can do "getent passwd" and I see 
> the domain users, and the same for group.  The problem comes when I try to 
> authenticate a user from the trusted domain.  Note that this seems to work 
> properly with a win2k domain member.  I get no meaningful errors from 
> anyone other than  NT_STATUS_NO_LOGON_SERVERS.  When I start "winbindd -d 
> 100", I get tons of info, the meaningful piece is pasted here:
> 
> [2003/07/30 13:38:00, 3] rpc_client/cli_pipe.c:rpc_api_pipe(456)
>   Bind NACK received on pipe 4005!
> [2003/07/30 13:38:00, 2] rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1580)
>   rpc bind to \PIPE\NETLOGON failed
> ...
> [2003/07/30 13:38:00, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(354)
>   could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
> [2003/07/30 13:38:00, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(422)
>   NTLM CRAP authentication for user [ATS]\[jeremyd] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
> 
> 
> The tcp dump shows it does indeed receive a "DCERPC Bind_nak: call_id: 
> 65538 reason: Unknown (9)" from the pdc of the win2k domain.

Again, this sounds like an old bug (a week old).  Can you check what 
domain is being sent in the rpc bind that fails?  It should be the 
destination domain.  I've tested your exact scenario and everything 
works.  


The only case that is failing for me right now is:

  * 2k client that is a member of Samba domain
  * logon as a Samba domain member
  * try to browse a Samba box that is a member of a trusted 
    AD domain (mixed or native) and you get prompted for 
    a username/pw

This was working so it may be a configuration error here due to multiple 
changes I keep making from day to day.

The failure is at the NTLMSSP_NEGOTIATE.  I get a response from the 
trusted samba server of STATUS_LOGON_FAILURE.  I'll track this down later 
today....   grrr... 

<rant>
  why do things keep breaking that were working?
</rant>



cheers, jerry
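An added example, not part of the original message or of Samba's code: a small triage script for winbindd debug output like the excerpt quoted above. It separates authentication failures that follow a rejected NETLOGON bind (a trust or secure-channel problem) from ordinary credential failures. The function names, the result labels, the 5-second correlation window and the `alice` log entry are assumptions made for illustration; the parser also tolerates headers and messages that a mail client has wrapped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in winbindd debug-log layout, modelled on the quoted excerpt.
SAMPLE = r"""[2003/07/30 13:38:00, 3] rpc_client/cli_pipe.c:rpc_api_pipe(456)
  Bind NACK received on pipe 4005!
[2003/07/30 13:38:00, 2]
rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1580)
  rpc bind to \PIPE\NETLOGON failed
[2003/07/30 13:38:00, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(422)
  NTLM CRAP authentication for user [ATS]\[jeremyd] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2003/07/30 13:39:10, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(422)
  NTLM CRAP authentication for user [ATS]\[alice] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\]\s*(\S+:\w+\(\d+\))?\s*$")
LOCATION = re.compile(r"\S+:\w+\(\d+\)")
AUTH = re.compile(r"authentication for user \[(.*?)\]\\\[(.*?)\] returned\s+(NT_STATUS_\w+)")
BIND_FAIL = re.compile(r"Bind NACK received|rpc bind to \\PIPE\\NETLOGON failed")

def parse(text):
    """Split debug output into entries: timestamp, level, source location, message."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S"),
                   "level": int(m[2]), "loc": m[3], "msg": ""}
            entries.append(cur)
        elif cur is not None and line.strip():
            if cur["loc"] is None and LOCATION.fullmatch(line.strip()):
                cur["loc"] = line.strip()          # header wrapped onto two lines
            else:
                cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return entries

def triage(entries, window=timedelta(seconds=5)):
    """Label each auth result by whether a NETLOGON bind failure preceded it."""
    out, last_bind_fail = [], None
    for e in entries:
        if BIND_FAIL.search(e["msg"]):
            last_bind_fail = e["ts"]
        m = AUTH.search(e["msg"])
        if m:
            rejected = last_bind_fail is not None and e["ts"] - last_bind_fail <= window
            out.append((m[1], m[2], m[3], "netlogon-bind-rejected" if rejected else "auth-result"))
    return out
```

Calling `triage(parse(SAMPLE))` tags the `jeremyd` failure as following a rejected NETLOGON bind and leaves the later `alice` failure as a plain authentication result.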




More information about the samba-technical mailing list