allow trusted domains question (3.5.1)
raveenpl
raveenpl at gmail.com
Fri Apr 9 07:16:42 MDT 2010
Hello,
I have two domains DOMA and DOMB. DOMB is trusted by DOMA. I was using
Samba 3.2.15 with option 'allow trusted domains = no' and everything
was OK. After connecting to the domain, getent passwd was returning
resources only from DOMA.
After updating to version 3.5.1 I've noticed that option 'allow
trusted domains = no' does not work correctly - it means that although
I have set this parameter to 'no' I can use resources also from DOMB
(getent passwd returns resources from both domains). It looks like
this parameter is ignored.
Configuration in both cases is the same - testparm confirms that.
Below you can find some debug output from winbindd
(/usr/local/samba/sbin/winbindd -S -F -i -d 4)
In the case of Samba 3.5.1:
...
doing parameter allow trusted domains = no
....
Added domain DOMA DOMA.LOCAL S-1-5-21-3423754668-3226266580-4027598783
child daemon request 52
Doing spnego session setup (blob length=115)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=doma-uuvgfordn2$@DOMA.LOCAL
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Sat, 10 Apr 2010 00:43:49 CEST
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
Finished processing child request 52
child daemon request 20
[17478]: list trusted domains
ads: trusted_domains
Finished processing child request 20
Added domain DOMB domb.doma.local S-1-5-21-63917441-2970242301-2097324486
child daemon request 20
[17478]: list trusted domains
ads: trusted_domains
Finished processing child request 20
In the case of Samba 3.2.15:
...
doing parameter allow trusted domains = no
...
Added domain DOMA DOMA.LOCAL S-1-5-21-3423754668-3226266580-4027598783
ads_dc_name: domain=DOMA
Do you know what is going on?
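
Added example, not part of the original post and not Samba code: a check that reads an smb.conf and a winbindd debug log and reports any domain winbindd added other than the member's own while 'allow trusted domains' is disabled. The sample inputs are constructed from the log quoted above; the 'workgroup = DOMA' line and the use of workgroup as the member's own domain name are assumptions.

```python
import re

# Constructed sample input modelled on the post: an smb.conf fragment and
# winbindd -d 4 output (one SID wrapped onto the next line, as in the mail).
SMB_CONF = """\
[global]
    workgroup = DOMA
    allow trusted domains = no
"""
WINBINDD_LOG = """\
doing parameter allow trusted domains = no
Added domain DOMA DOMA.LOCAL S-1-5-21-3423754668-3226266580-4027598783
Added domain DOMB domb.doma.local
S-1-5-21-63917441-2970242301-2097324486
"""

def global_params(conf_text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def added_domains(log_text):
    """Yield (netbios, dns, sid) from 'Added domain' lines, rejoining wraps."""
    joined = re.sub(r"\n(?=S-1-)", " ", log_text)
    pattern = r"^Added domain (\S+) (\S+)(?: (S-1-[\d-]+))?"
    for m in re.finditer(pattern, joined, re.MULTILINE):
        yield m.groups()

def unexpected_domains(conf_text, log_text):
    """Domains winbindd added although allow trusted domains is disabled."""
    params = global_params(conf_text)
    allowed = params.get("allowtrusteddomains", "yes").lower()  # default: yes
    if allowed not in ("no", "false", "0"):
        return []  # trusted domains are permitted, nothing to flag
    own = params.get("workgroup", "").upper()  # assumed: member's own domain
    return [d for d in added_domains(log_text) if d[0].upper() != own]

if __name__ == "__main__":
    for name, dns, sid in unexpected_domains(SMB_CONF, WINBINDD_LOG):
        print(f"unexpected trusted domain: {name} ({dns}) {sid}")
```
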