winbindd: msrpc vs. ads methods & domain trusts between ADS and NT4
Chere Zhou
qzhou at isilon.com
Wed Jun 4 23:54:41 GMT 2003
The problem I am seeing is that nt4 users are not authenticated. wbinfo
--sequence always shows the domain is disconnected. Then I started wbinfo
--sequence and debugged winbindd; it shows that the ads method of getting
the sequence number is called, and of course failed.

I don't see where the magic bit to drop back to RPC is. This is for a
trusted domain. Why would you always try ADS if it is an NT4 PDC?

On Wednesday 04 June 2003 04:32 pm, Andrew Bartlett wrote:
> On Thu, 2003-06-05 at 05:29, Chere Zhou wrote:
> > I have a 2 way trust between w2k domain and nt4 domain. Join samba 3.0
> > into the w2k domain as a member. It does not seem to work with nt4
> > users.
> >
> > Looking at winbindd code, I found that all domain->methods point to the
> > cache methods, the cache methods then point to either msrpc or ads
> > methods depending on lp_security(). So if I set security=ads, msrpc
> > methods are not even going to be used at all. This structure will
> > certainly not work with trusts between w2k and nt4 domains.
>
> You missed the magic bit in the ADS code, that upon failure to connect,
> drops back to RPC.
>
> > Is there an easy way to fix this? I can't think of anything right now.
> > I think in order to make this work, we will need to figure out what type
> > of domain this is when doing add_trusted_domains, and set the
> > domain->methods to the correct msrpc or ads methods, instead of the cache
> > methods right now. Then change the call into cache methods to call
> > directly instead of domain->methods, and use domain->methods for the
> > calls from the cache methods.
> >
> > Where can I find more information about the current design, concern?
> > What might be a better solution to fix this? Anybody working on this
> > right now?
>
> What's the actual bug you are seeing?
>
> For my mind, I think we should not have the switch to ADS/RPC at all,
> and should always try ADS...
>
> Andrew Bartlett
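
The dispatch question raised in this thread, as a simplified C model added here for illustration; it is not Samba source code. Every type, function and constant name is hypothetical, and the ADS connect failure against an NT4 PDC is simulated with constructed values.

```c
/* Simplified model, not Samba source: all names are hypothetical. */
#include <stdint.h>
#include <stddef.h>

enum dc_kind { DC_NT4, DC_W2K };        /* what the trusted domain's DC speaks */
#define SEQ_DISCONNECTED UINT32_MAX     /* stand-in for "domain is disconnected" */

struct domain;
struct methods {
    const char *name;
    int (*sequence_number)(struct domain *d, uint32_t *seq);
};
struct domain {
    const char *name;
    enum dc_kind kind;
    uint32_t dc_seq;                    /* constructed value held by the DC */
    const struct methods *backend;      /* backend sitting behind the cache layer */
};

/* ADS backend: simulated connect failure when the DC is an NT4 PDC. */
static int ads_seq(struct domain *d, uint32_t *seq) {
    if (d->kind != DC_W2K) return -1;
    *seq = d->dc_seq;
    return 0;
}
/* RPC backend: answers for both NT4 and W2K DCs in this model. */
static int rpc_seq(struct domain *d, uint32_t *seq) {
    *seq = d->dc_seq;
    return 0;
}
static const struct methods ads_methods = { "ads", ads_seq };
static const struct methods rpc_methods = { "msrpc", rpc_seq };

/* Structure described in the first post: one backend for every domain,
 * picked from the global security setting. */
uint32_t seq_global_choice(struct domain *d, int security_is_ads) {
    uint32_t seq;
    d->backend = security_is_ads ? &ads_methods : &rpc_methods;
    return d->backend->sequence_number(d, &seq) == 0 ? seq : SEQ_DISCONNECTED;
}

/* Per-domain fallback: try ADS first; on failure rebind this domain to
 * RPC so later calls for it skip the failing path. */
uint32_t seq_with_fallback(struct domain *d) {
    uint32_t seq;
    d->backend = &ads_methods;
    if (d->backend->sequence_number(d, &seq) == 0) return seq;
    d->backend = &rpc_methods;
    return d->backend->sequence_number(d, &seq) == 0 ? seq : SEQ_DISCONNECTED;
}
```

In this model the NT4 trusted domain reports as disconnected under the global choice and resolves once the backend is selected per domain.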