Samba-3.0.0 RC's and transitive trusts
Jason Haar
Jason.Haar at trimble.co.nz
Thu Sep 18 20:49:04 GMT 2003
On Thu, Sep 18, 2003 at 11:17:27AM -0500, Gerald (Jerry) Carter wrote:
> Can you describe your domain structure a little more? I'm a
> little unclear on what is not working.
OK,
Like everyone else, we used to have an NT4 network. With Active Directory
(AD), we decided to migrate to AD instead of upgrading. So we originally had a
bunch of trusted NT4 domains (let's say "nt-1", "nt-2", "nt-3"). Now we still
have them (so much for the "migration" ;-), but we also have an AD tree: a
root domain "top-dom", and subdomains "sub1.top-dom", "sub2.top-dom".
Those ADs show up under Win9x/NT as "sub1" and "sub2". The AD is
configured to have trust relationships with the old NT4 domains, and "sub1"
trusts "sub2" due to AD trusts being transitive.
So I've tried installing Samba-3.0.0rc* into the sub1.top-dom AD domain.
    [global]
    workgroup = SUB1
    realm = SUB1.TOP-DOM
...and I've done a successful "net join" and can connect correctly to the
Samba server from "sub1.top-dom" and "nt-1" accounts. So that's the
server-side component working OK.
Also, if I do "wbinfo -m", it returns:
    NT-1
    NT-2
    SUB2
    TOP-DOM
Now I want to get client-side working (i.e. winbindd). I have it running,
and have edited /etc/nsswitch.conf to use it to do getent lookups. When I do:
    getent passwd sub1.top-dom+jhaar
    getent passwd sub1+jhaar
    getent passwd nt-1+jhaar
it works correctly. However, when I do:
    getent passwd sub2.top-dom+username
    getent passwd sub2+username
it doesn't work. "winbindd -d9" reports:
    accepted socket 20
    [12866]: request interface version
    [12866]: request location of privileged pipe
    accepted socket 22
    read failed on sock 20, pid 12866: EOF
    [12866]: getpwnam sub2+user
    user 'user' does not exist
    read failed on sock 22, pid 12866: EOF
One other thing. I don't know how usable winbindd is supposed to be yet, but
it's not in a usable state on our network. I find that winbindd works for
5-15 minutes (once it's loaded fully), but then hangs indefinitely, i.e.
"wbinfo -p" works for 5-15 minutes, thereafter never returns. The initial
debugging upon starting winbindd shows it going off all over our WAN looking
up what I assume it thinks are domain controllers - but by eyeball I can say
those boxes aren't or aren't any more. Eventually (after 1-2 minutes) it
finds working domain controllers and then "wbinfo -p" starts working.
Perhaps we have some chronic Windows configuration issues on our network,
but they don't manifest themselves as far as Windows is concerned...
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1