allow trusted domains question (3.5.1)

raveenpl raveenpl at gmail.com
Sun Apr 11 12:10:50 MDT 2010


Hello,

I have two domains, DOMA and DOMB. DOMB is trusted by DOMA. I was using
Samba 3.2.15 with the option 'allow trusted domains = no' and everything
was OK. After connecting to the domain, getent passwd was returning
resources only from DOMA.

After updating to version 3.5.1 I've noticed that the option 'allow
trusted domains = no' does not work correctly - it means that although
I have set this parameter to 'no', I can also use resources from DOMB
(getent passwd returns resources from both domains). It looks like
this parameter is ignored.

The configuration in both cases is the same - testparm confirms that.

Below you can find some debug output from winbindd
(/usr/local/samba/sbin/winbindd -S -F -i -d 4):

In case of samba 3.5.1:
...

doing parameter allow trusted domains = no

....
Added domain DOMA DOMA.LOCAL S-1-5-21-3423754668-3226266580-4027598783
child daemon request 52
Doing spnego session setup (blob length=115)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=doma-uuvgfordn2$@DOMA.LOCAL
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Sat, 10 Apr 2010 00:43:49 CEST
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
Finished processing child request 52
child daemon request 20
[17478]: list trusted domains
ads: trusted_domains
Finished processing child request 20
Added domain DOMB domb.doma.local S-1-5-21-63917441-2970242301-2097324486
child daemon request 20
[17478]: list trusted domains
ads: trusted_domains
Finished processing child request 20


In case of samba 3.2.15:

...
doing parameter allow trusted domains = no
...
Added domain DOMA DOMA.LOCAL S-1-5-21-3423754668-3226266580-4027598783
ads_dc_name: domain=DOMA


Do you know what is going on?
-- 
View this message in context: http://old.nabble.com/allow-trusted-domains-question-%283.5.1%29-tp28210585p28210585.html
Sent from the Samba - samba-technical mailing list archive at Nabble.com.
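
An added example, not part of the original post or of Samba: a small Python check that reads winbindd debug output like the excerpts above and reports any domain winbindd added while 'allow trusted domains = no' was in effect. The function names and the `expected` argument (the domains the member server should know, here DOMA) are assumptions made for this illustration; the sample lines are copied from the 3.5.1 output in the post.

```python
import re

# "Added domain <NETBIOS> <DNS> [<SID>]" as printed in the winbindd debug output.
ADDED_RE = re.compile(r"^Added domain (\S+)\s+(\S*)\s*(S-1-[\d-]+)?\s*$")
PARAM_RE = re.compile(r"^doing parameter allow trusted domains = (\S+)", re.I)
SID_RE = re.compile(r"^S-1-[\d-]+$")

# Lines copied from the 3.5.1 debug output quoted in the post.
SAMPLE_351 = """\
doing parameter allow trusted domains = no
Added domain DOMA DOMA.LOCAL S-1-5-21-3423754668-3226266580-4027598783
[17478]: list trusted domains
ads: trusted_domains
Added domain DOMB domb.doma.local
S-1-5-21-63917441-2970242301-2097324486
"""


def parse_winbindd_debug(text):
    """Return (allow_trusted, [(netbios, dns, sid), ...]) from debug output."""
    allow_trusted, domains = None, []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = PARAM_RE.match(lines[i])
        if m:
            allow_trusted = m.group(1).lower() in ("yes", "true", "1")
        m = ADDED_RE.match(lines[i])
        if m:
            name, dns, sid = m.groups()
            # A wrapped log line leaves the SID alone on the following line.
            if sid is None and i + 1 < len(lines) and SID_RE.match(lines[i + 1]):
                sid = lines[i + 1]
                i += 1
            domains.append((name, dns, sid))
        i += 1
    return allow_trusted, domains


def unexpected_domains(text, expected):
    """Domains winbindd added outside `expected` although the option is 'no'."""
    allow_trusted, domains = parse_winbindd_debug(text)
    if allow_trusted is not False:
        return []  # option absent or enabled: trusted domains are expected
    wanted = {name.upper() for name in expected}
    return [d for d in domains if d[0].upper() not in wanted]
```

Calling `unexpected_domains(SAMPLE_351, {"DOMA"})` returns the DOMB entry with its DNS name and SID; the same call on the 3.2.15 excerpt returns an empty list.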


