Björn Jacke bj at SerNet.DE
Fri Feb 26 13:03:44 MST 2010


On 2010-02-26 at 14:35 +0800 walter.hill at sent off:
> The immediate issue is making the 2008R2 server a domain member (I have)
> but I've uncovered what I believe is the "trust problem" addressed by
> samba 3.4.4 - SIDs aren't resolving back to their actual names.

I saw problems like this, too. A w2k8r2 server with an outgoing trust to a
Samba domain  fails to resolve the "foreign" Samba domain's SIDs to names. The
reason why this fail is that the w2k8r2 server tries to authenticate on the
samba domain with its own machine account to do the lookup sid calls. The
server should know that the only account it can use to authenticate is the
interdomain trust account. So finally authentication fails and w2k8r2 gives up
immediately. w2k3 makes all this anonymously, which succeeds.

I've had some discussion with Microsoft support staff about this
misbehaviour or bug of w2k8r2. They argued that it's a security feature not to
do it anonymously any more. So far they could however not explain very well why
it's "saver" to authenticate with a non-existing account in the foreign

There is a workaround to make w2k8r2 authenticate anonymously again: set
HKLM\System\CurrentControlSet\Control\Lsa\UseMachineId to 0.

This workaround for the w2k8r2 misbehaviour may however cause other trouble in
certain setups, see MS KB972069 for example.

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

More information about the samba-technical mailing list