svn commit: samba r13895 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Mar 12 14:58:49 GMT 2006

On Thu, Mar 09, 2006 at 05:14:59PM +0100, Guenther Deschner wrote:
> The interesting thing is that it *was* working (just verified with two NT4
> domains) and that it is *still* working after your patch. Apparently there
> is no extra work required to make a login with pam_winbind work using
> NTLM. Checking the krb5 case next. 
> Still wondering...

Okay, I know how that could work. I have two domains,
WINDOWS and WIN2. WINDOWS trusts WIN2, I'm member of
WINDOWS. If I re-activate your patch and authenticate as
WIN2\vl, the request goes to the WIN2 domain child which
then opens a connection of its own to WINDOWS. I would
consider this as a bug. When designing the child model I had
one child per trusted domain in mind.

If I now log in alternating between WIN2\vl and WINDOWS\vl
this seems to break our credential chaining. The two winbind
children do another ReqChal/Auth2 for every auth request
which is a bit too much traffic.

So I'd like to keep WBFLAG_PAM_CONTACT_TRUSTDOM removed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list