SAMBA on OS X Server [SEC=UNCLASSIFIED]
bj at SerNet.DE
Fri Feb 26 13:03:44 MST 2010
On 2010-02-26 at 14:35 +0800 walter.hill at customs.gov.au sent off:
> The immediate issue is making the 2008R2 server a domain member (I have)
> but I've uncovered what I believe is the "trust problem" addressed by
> samba 3.4.4 - SIDs aren't resolving back to their actual names.
I saw problems like this, too. A w2k8r2 server with an outgoing trust to a
Samba domain fails to resolve the "foreign" Samba domain's SIDs to names. The
reason why this fail is that the w2k8r2 server tries to authenticate on the
samba domain with its own machine account to do the lookup sid calls. The
server should know that the only account it can use to authenticate is the
interdomain trust account. So finally authentication fails and w2k8r2 gives up
immediately. w2k3 makes all this anonymously, which succeeds.
I've had some discussion with Microsoft support staff about this
misbehaviour or bug of w2k8r2. They argued that it's a security feature not to
do it anonymously any more. So far they could however not explain very well why
it's "saver" to authenticate with a non-existing account in the foreign
There is a workaround to make w2k8r2 authenticate anonymously again: set
HKLM\System\CurrentControlSet\Control\Lsa\UseMachineId to 0.
This workaround for the w2k8r2 misbehaviour may however cause other trouble in
certain setups, see MS KB972069 for example.
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
More information about the samba-technical