Primary domain's status in winbindd child process is not
consistent with the parent winbindd process.
jra at samba.org
Mon Jun 2 20:54:55 GMT 2008
On Mon, Jun 02, 2008 at 02:15:15AM -0600, Bo Yang wrote:
> Hi, All:
> Assume winbindd parent process is Pp, and domain A(primary domain) trusts domain B, child process for domain A and B is Pa and Pb respectively.
> cached logon is enabled and kerberos login is disabled.
> Pa, Pb will both be forked, and the primary domain's status in the two process is initialized and offline.
> Some time later, Domain A(primary domain) and domain B both go online. Thus the status of primary domain is updated in Pp and Pa, but not in Pb.
> So the status of primary domain in Pb is still offline and initialized. But domain B's status is online. And when PAM_AUTH request arrived, cached logon is not performed because domain B is online, Samlogon is performed. And Pb tries to connect to DC of primary domain(domain A) for pass through authentication. But domain A's status in Pb is always offline and initialized(never being updated), thus PAM_AUTH will always returns DOMAIN_CONTROLLER_NOT_FOUND error............
> We should keep track of the status of primary domain in child winbindd process, I think.
> Patch for 3-0-test and v3-2-test in the attachment.
> Please review it.
Ok, I'm trying to review and follow the logic.
There's a question I have however.
The pam auth request comes in for the use B\fred,
ie. user fred in the trusted domain. So the
auth request gets passed down to Pb. But domain
B is online - when does Pb need to contact domain
controller for domain A.
Give me a better description of the usage scenario
More information about the samba-technical