winbindd: msrpc vs. ads methods & domain trusts between ADS and NT4

Chere Zhou qzhou at isilon.com
Wed Jun 4 23:54:41 GMT 2003


The problem I am seeing is that nt4 users are not authenticated.  wbinfo 
--sequence always shows the domain is disconnected.   Then I started wbinfo 
--sequence, and debugged winbindd, it shows that the ads method of getting 
sequence number is called, and of course failed.

I don't see where the magic bit to drop back to RPC is.  This is for a 
trusted domain.  Why would you always try ADS if it is an NT4 PDC?  


On Wednesday 04 June 2003 04:32 pm, Andrew Bartlett wrote:
> On Thu, 2003-06-05 at 05:29, Chere Zhou wrote:
> > I have a 2 way trust between w2k domain and nt4 domain.  Join samba 3.0
> > into the w2k domain as a member.  It does not seem to work with nt4
> > users.
> >
> > Looking at winbindd code, I found that all domain->methods point to the
> > cache methods, the cache methods then point to either msrpc or ads
> > methods depending on lp_security().  So if I set security=ads, msrpc
> > methods are not even going to be used at all.   This structure will
> > certainly not work with trusts between w2k and nt4 domains.
>
> You missed the magic bit in the ADS code, that upon failure to connect,
> drops back to RPC.
>
> > Is there an easy way to fix this?  I can't think of anything right now. 
> > I think in order to make this work, we will need to figure out what type
> > of domain this is when doing add_trusted_domains, and set the
> > domain->methods to the correct msrpc or ads methods, instead of the cache
> > methods right now. Then change the call into cache methods to call
> > directly instead of domain->methods, and use domain->methods for the
> > calls from the cache methods.
> >
> > Where can I find more information about the current design, concern? 
> > What might be a better solution to fix this?  Anybody working on this
> > right now?
>
> What's the actual bug you are seeing?
>
> For my mind, I think we should not have the switch to ADS/RPC at all,
> and should always try ADS...
>
> Andrew Bartlett
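
The dispatch discussed in this thread, as an added example that is not part of either message and is not Samba source: a cache layer delegating through a per-domain methods table, once with no fallback and once dropping an NT4 trusted domain back to RPC when the ADS call fails. All identifiers, status codes and sequence values are hypothetical.

```c
/* Simplified model of the dispatch under discussion; NOT Samba source.
 * Every identifier, status code and sequence value is hypothetical. */
enum dc_kind { DC_NT4, DC_W2K };
enum { ST_OK = 0, ST_FAIL = -1 };

struct domain;
struct methods {
    const char *name;
    int (*sequence_number)(struct domain *d, unsigned *seq);
};
struct domain {
    const char *name;
    enum dc_kind kind;              /* what the remote DC actually speaks */
    const struct methods *backend;  /* what the cache layer delegates to */
};

static int rpc_seq(struct domain *d, unsigned *seq)
{
    (void)d; *seq = 100; return ST_OK;        /* RPC works for both kinds */
}

static int ads_seq(struct domain *d, unsigned *seq)
{
    if (d->kind != DC_W2K) return ST_FAIL;    /* NT4 PDC offers no ADS */
    *seq = 200; return ST_OK;
}

const struct methods rpc_methods = { "msrpc", rpc_seq };
const struct methods ads_methods = { "ads", ads_seq };

/* No fallback: delegate to whatever backend the domain was given.
 * With ADS assigned to every domain, an NT4 trust looks disconnected. */
int cache_seq_global(struct domain *d, unsigned *seq)
{
    return d->backend->sequence_number(d, seq);
}

/* Per-domain fallback: if ADS fails, pin this domain to RPC and retry,
 * so later calls for the same domain skip the failing ADS attempt. */
int cache_seq_fallback(struct domain *d, unsigned *seq)
{
    int st = d->backend->sequence_number(d, seq);
    if (st != ST_OK && d->backend == &ads_methods) {
        d->backend = &rpc_methods;
        st = d->backend->sequence_number(d, seq);
    }
    return st;
}
```

Because the fallback rewrites the backend pointer of the one domain only, the W2K domain in the same trust keeps using ADS.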


