Samba-3.0.0 RC's and transitive trusts

Jason Haar Jason.Haar at
Thu Sep 18 20:49:04 GMT 2003

On Thu, Sep 18, 2003 at 11:17:27AM -0500, Gerald (Jerry) Carter wrote:
> Can you describe your domain structure a little more.  I'm a
> little unclear on what is not working.


Like everyone else, we used to have an NT4 network. With Active Directory
(AD), we decided to migrate to AD instead of upgrading. So we originally had a
bunch of trusted NT4 domains (let's say "nt-1","nt-2","nt-3"). Now we still
have them (so much for the "migration" ;-), but we also have an AD tree: a
root domain "top-dom", and subdomains "","". 
Those ADs show up under Win9x/NT as "sub1" and "sub2". The AD is
configured to have trust relationships with the old NT4 domains, and "sub1"
trusts "sub2" due to AD trusts being transitive.

So I've tried installing Samba-3.0.0rc* into the AD domain. 

        workgroup = SUB1
        realm = SUB1.TOP-DOM

...and I've done a successful "net join" and can connect correctly to the
Samba server from  "" and "nt-1" accounts. So that's the
server-side component working OK.

Also, if I do "wbinfo -m", it returns:


Now I want to get client-side working (i.e. winbindd). I have it running,
and have edited /etc/nsswitch.conf to use it to do getent lookups. When I do:

getent passwd
getent passwd sub1+jhaar
getent passwd nt-1+jhaar

it works correctly. However, when I do:

getent passwd
getent passwd sub2+username

It doesn't work. "winbindd -d9" reports

accepted socket 20
[12866]: request interface version
[12866]: request location of privileged pipe
accepted socket 22
read failed on sock 20, pid 12866: EOF
[12866]: getpwnam sub2+user
user 'user' does not exist
read failed on sock 22, pid 12866: EOF

One other thing. I don't know how usable winbindd is supposed to be yet, but
it's not in a usable state on our network. I find that winbindd works for
5-15 minutes (once it's loaded fully), but then hangs indefinitely, i.e.
"wbinfo -p" works for 5-15 minutes, thereafter never returns. The initial
debugging upon starting winbindd shows it going off all over our WAN looking
up what I assume it thinks are domain controllers - but by eyeball I can say
those boxes aren't or aren't any more. Eventually (after 1-2 minutes) it
finds working domain controllers and then "wbinfo -p" starts working.
Perhaps we have some chronic Windows configuration issues on our network,
but they don't manifest themselves as far as Windows is concerned...


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
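
Added example, not part of the original message and not Samba code: a small parser that tallies `getpwnam` outcomes per domain from `winbindd -d9` output of the shape quoted above, to show whether failures are confined to one trusted domain. The sample log is constructed from the quoted lines; treating a request with no following "does not exist" line as successful, and the `+` separator default, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "winbindd -d9" lines quoted in the post.
SAMPLE_LOG = """\
[12866]: request interface version
[12866]: getpwnam sub2+user
user 'user' does not exist
read failed on sock 22, pid 12866: EOF
[12870]: getpwnam sub1+jhaar
[12871]: getpwnam nt-1+jhaar
[12872]: getpwnam sub2+other
user 'other' does not exist
"""

REQUEST = re.compile(r"^\[(\d+)\]: getpwnam (\S+)$")
MISSING = re.compile(r"^user '([^']*)' does not exist$")

def summarize(log_text, separator="+"):
    """Return {domain: {"ok": n, "failed": n}} for getpwnam requests."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0})
    pending = None  # (domain, user) of the request still awaiting an outcome

    def settle(failed):
        nonlocal pending
        if pending is not None:
            stats[pending[0]]["failed" if failed else "ok"] += 1
            pending = None

    for line in log_text.splitlines():
        line = line.strip()
        m = REQUEST.match(line)
        if m:
            settle(False)  # assumption: no failure line means the lookup succeeded
            domain, sep, user = m.group(2).partition(separator)
            if not sep:  # name carried no domain prefix
                domain, user = "(unqualified)", m.group(2)
            pending = (domain.lower(), user)
            continue
        m = MISSING.match(line)
        if m and pending and m.group(1) == pending[1]:
            settle(True)
    settle(False)
    return {d: dict(c) for d, c in stats.items()}

def failing_domains(stats):
    """Domains where every lookup failed: candidates for a trust problem."""
    return sorted(d for d, c in stats.items() if c["failed"] and not c["ok"])
```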
