winbindd: msrpc vs. ads methods & domain trusts between ADS and NT4

Chere Zhou qzhou at isilon.com
Fri Jun 6 18:38:17 GMT 2003


All right, I found what's wrong.  Now I need to know a proper way to fix it.

In winbindd_ads.c: 74:
	if (status.error_type == ADS_ERROR_SYSTEM &&
	    status.err.rc == ECONNREFUSED) {
		DEBUG(1,("Trying MSRPC methods\n"));
		domain->methods = &msrpc_methods;
	}

My NT4 PDC gives back the status.err.rc as EINVAL instead of ECONNREFUSED, 
which caused the fallback to RPC to never be executed.

Can you tell me if I change the if statement to 
	if (status.error_type == ADS_ERROR_SYSTEM) {
will I break some other scenarios?  Or, maybe I should go for 
	if (status.error_type == ADS_ERROR_SYSTEM &&
	    (status.err.rc == ECONNREFUSED || status.err.rc == EINVAL)) {

Thanks for your help!
Chere


On Wednesday 04 June 2003 04:54 pm, Chere Zhou wrote:
> The problem I am seeing is that nt4 users are not authenticated.  wbinfo
> --sequence always shows the domain is disconnected.   Then I started wbinfo
> --sequence, and debugged winbindd, it shows that the ads method of getting
> sequence number is called, and of course failed.
>
> I don't see where the magic bit to drop back to RPC is.  This is for a
> trusted domain.  Why would you always try ADS if it is an NT4 PDC?
>
> On Wednesday 04 June 2003 04:32 pm, Andrew Bartlett wrote:
> > On Thu, 2003-06-05 at 05:29, Chere Zhou wrote:
> > > I have a 2 way trust between w2k domain and nt4 domain.  Join samba 3.0
> > > into the w2k domain as a member.  It does not seem to work with nt4
> > > users.
> > >
> > > Looking at winbindd code, I found that all domain->methods point to the
> > > cache methods, the cache methods then point to either msrpc or ads
> > > methods depending on lp_security().  So if I set security=ads, msrpc
> > > methods are not even going to be used at all.   This structure will
> > > certainly not work with trusts between w2k and nt4 domains.
> >
> > You missed the magic bit in the ADS code, that upon failure to connect,
> > drops back to RPC.
> >
> > > Is there an easy way to fix this?  I can't think of anything right now.
> > > I think in order to make this work, we will need to figure out what
> > > type of domain this is when doing add_trusted_domains, and set the
> > > domain->methods to the correct msrpc or ads methods, instead of the
> > > cache methods right now. Then change the call into cache methods to
> > > call directly instead of domain->methods, and use domain->methods for
> > > the calls from the cache methods.
> > >
> > > Where can I find more information about the current design, concern?
> > > What might be a better solution to fix this?  Anybody working on this
> > > right now?
> >
> > What's the actual bug you are seeing?
> >
> > For my mind, I think we should not have the switch to ADS/RPC at all,
> > and should always try ADS...
> >
> > Andrew Bartlett
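
Added example, not part of the original message and not Samba code: a small C model that replays connect results against the quoted condition and the two proposed alternatives, to show which ones move a domain from the ADS methods to MSRPC. The types, the `replay` helper and both event sequences are simplified, constructed assumptions; only the three conditions come from the post.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the types in the quoted snippet; not Samba's definitions. */
enum error_type { ADS_ERROR_NONE, ADS_ERROR_SYSTEM };
struct ads_status { enum error_type error_type; struct { int rc; } err; };
enum backend { BACKEND_ADS, BACKEND_MSRPC };
struct domain { enum backend methods; };
typedef bool (*fallback_rule)(struct ads_status);

/* Condition quoted from winbindd_ads.c in the post. */
bool rule_current(struct ads_status s) {
    return s.error_type == ADS_ERROR_SYSTEM && s.err.rc == ECONNREFUSED;
}
/* First proposal: fall back on any system error. */
bool rule_any_system(struct ads_status s) {
    return s.error_type == ADS_ERROR_SYSTEM;
}
/* Second proposal: ECONNREFUSED or EINVAL only. */
bool rule_refused_or_einval(struct ads_status s) {
    return s.error_type == ADS_ERROR_SYSTEM &&
           (s.err.rc == ECONNREFUSED || s.err.rc == EINVAL);
}

/* Replay connect results against one domain. As in the snippet, a match
 * overwrites the domain's method table, so later attempts use MSRPC. */
enum backend replay(fallback_rule rule, const struct ads_status *ev, size_t n) {
    struct domain d = { BACKEND_ADS };
    for (size_t i = 0; i < n && d.methods == BACKEND_ADS; i++)
        if (rule(ev[i]))
            d.methods = BACKEND_MSRPC;
    return d.methods;
}

/* Constructed: NT4 PDC as reported in the post, ADS connect fails with EINVAL. */
const struct ads_status nt4_pdc[] = { { ADS_ERROR_SYSTEM, { EINVAL } } };
/* Constructed, hypothetical AD DC: one local ENOMEM, then a successful connect. */
const struct ads_status ad_dc_blip[] = {
    { ADS_ERROR_SYSTEM, { ENOMEM } }, { ADS_ERROR_NONE, { 0 } } };

int main(void) {
    fallback_rule rules[] = { rule_current, rule_any_system, rule_refused_or_einval };
    const char *names[] = { "current", "any system error", "ECONNREFUSED|EINVAL" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s nt4_pdc=%s ad_dc_blip=%s\n", names[i],
               replay(rules[i], nt4_pdc, 1) == BACKEND_MSRPC ? "MSRPC" : "ADS",
               replay(rules[i], ad_dc_blip, 2) == BACKEND_MSRPC ? "MSRPC" : "ADS");
    return 0;
}
```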


