winbindd: msrpc vs. ads methods & domain trusts between ADS and NT4
Chere Zhou
qzhou at isilon.com
Fri Jun 6 18:38:17 GMT 2003
All right, I found what's wrong. Now I need to know a proper way to fix it.
In winbindd_ads.c:74:

    if (status.error_type == ADS_ERROR_SYSTEM &&
        status.err.rc == ECONNREFUSED) {
            DEBUG(1,("Trying MSRPC methods\n"));
            domain->methods = &msrpc_methods;
    }

My NT4 PDC gives back the status.err.rc as EINVAL instead of ECONNREFUSED,
which caused the fallback to RPC to never be executed.
Can you tell me if I change the if statement to

    if (status.error_type == ADS_ERROR_SYSTEM) {

will I break some other scenarios? Or, maybe I should go for

    if (status.error_type == ADS_ERROR_SYSTEM &&
        (status.err.rc == ECONNREFUSED || status.err.rc == EINVAL)) {

Thanks for your help!
Chere
On Wednesday 04 June 2003 04:54 pm, Chere Zhou wrote:
> The problem I am seeing is that nt4 users are not authenticated. wbinfo
> --sequence always shows the domain is disconnected. Then I started wbinfo
> --sequence, and debugged winbindd, it shows that the ads method of getting
> sequence number is called, and of course failed.
>
> I don't see where is the magic bit to drop back to RPC. This is for a
> trusted domain. Why would you always try ADS if it is an NT4 PDC?
>
> On Wednesday 04 June 2003 04:32 pm, Andrew Bartlett wrote:
> > On Thu, 2003-06-05 at 05:29, Chere Zhou wrote:
> > > I have a 2 way trust between w2k domain and nt4 domain. Join samba 3.0
> > > into the w2k domain as a member. It does not seem to work with nt4
> > > users.
> > >
> > > Looking at winbindd code, I found that all domain->methods point to the
> > > cache methods, the cache methods then point to either msrpc or ads
> > > methods depending on lp_security(). So if I set security=ads, msrpc
> > > methods are not even going to be used at all. This structure will
> > > certainly not work with trusts between w2k and nt4 domains.
> >
> > You missed the magic bit in the ADS code, that upon failure to connect,
> > drops back to RPC.
> >
> > > Is there an easy way to fix this? I can't think of anything right now.
> > > I think in order to make this work, we will need to figure out what
> > > type of domain this is when doing add_trusted_domains, and set the
> > > domain->methods to the correct msrpc or ads methods, instead of the
> > > cache methods right now. Then change the call into cache methods to
> > > call directly instead of domain->methods, and use domain->methods for
> > > the calls from the cache methods.
> > >
> > > Where can I find more information about the current design, concern?
> > > What might be a better solution to fix this? Anybody working on this
> > > right now?
> >
> > What's the actual bug you are seeing?
> >
> > For my mind, I think we should not have the switch to ADS/RPC at all,
> > and should always try ADS...
> >
> > Andrew Bartlett
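
Added example, not part of the original thread and not Samba's code: the three fallback conditions discussed in the message above, compared over a few connect-failure codes. The struct layout, ADS_ERROR_OTHER, the policy names, make_status() and the ETIMEDOUT/ENOMEM cases are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified stand-ins for the fields used in the quoted snippet;
 * these are not Samba's real type definitions. */
enum ads_error_type { ADS_ERROR_SYSTEM, ADS_ERROR_OTHER /* hypothetical */ };
typedef struct {
    enum ads_error_type error_type;
    struct { int rc; } err;
} ads_status_t;

enum policy { POLICY_ORIGINAL, POLICY_ANY_SYSTEM, POLICY_ALLOWLIST };

ads_status_t make_status(enum ads_error_type t, int rc)
{
    ads_status_t s;
    s.error_type = t;
    s.err.rc = rc;
    return s;
}

/* Returns 1 when a failed ADS connect would switch the domain to MSRPC. */
int falls_back_to_rpc(enum policy p, ads_status_t s)
{
    if (s.error_type != ADS_ERROR_SYSTEM)
        return 0;
    switch (p) {
    case POLICY_ORIGINAL:   return s.err.rc == ECONNREFUSED;
    case POLICY_ANY_SYSTEM: return 1;
    case POLICY_ALLOWLIST:  return s.err.rc == ECONNREFUSED || s.err.rc == EINVAL;
    }
    return 0;
}

int main(void)
{
    /* Constructed failures: only ECONNREFUSED and EINVAL appear in the thread. */
    const int rcs[] = { ECONNREFUSED, EINVAL, ETIMEDOUT, ENOMEM };
    const char *names[] = { "ECONNREFUSED", "EINVAL", "ETIMEDOUT", "ENOMEM" };
    printf("%-14s original any-system allowlist\n", "rc");
    for (int i = 0; i < 4; i++) {
        ads_status_t s = make_status(ADS_ERROR_SYSTEM, rcs[i]);
        printf("%-14s %8d %10d %9d\n", names[i],
               falls_back_to_rpc(POLICY_ORIGINAL, s),
               falls_back_to_rpc(POLICY_ANY_SYSTEM, s),
               falls_back_to_rpc(POLICY_ALLOWLIST, s));
    }
    return 0;
}
```

The any-system variant also falls back on the constructed ETIMEDOUT and ENOMEM cases, which is the difference to weigh against the narrower two-code check.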