2 domain auth prob using VPN and MS DNS/WINS

Paul Lantinga PLantinga at DIGITAL-REN.COM
Thu Feb 4 17:55:48 GMT 1999


Ack! I accidentally sent that last one before I was finished composing it...
sorry 'bout that.

Greetings all.  We've run into a rather nasty problem with samba and a dual
NT domain setup.  The two domains, domainX and domainY are connected via a
VPN as they sit behind two firewalls.  We're having problems with some users
on domainY authenticating to a samba2.0.0 server in domainX.  
The samba server is set to security = server and
password server = domainX-pdc and
encrypt passwords = yes
The machines in domainX are all statically entered into the WINS database on
the pdc for domainX and then pulled via the pdc WINS server of domainY.
This allows domainX and its machines to show up in the network neighborhood.

All of the NT domainX machines are in a DNS subdomain
developer.ourcompany.com.  The machines in the NT domainY are in the DNS
domain ourcompany.com.  The NT workstations in domainY get their addresses
via the ms DHCP server on the pdc for domainY.  That same DHCP server is
also running msDNS (and as mentioned above, WINS also.)  
So, an NT workstation in domainY that wants to get to the samba server in
domainX merely finds the samba server in explorer and clicks on the samba
server.  After a few seconds a dialog box pops up requesting a
username/password to make the connection.

Now, for most of our users and workstations in domainY, we enter the
user/passwd combo for them in domainX and the resources are available.
However, for a couple of users, when they enter the info, it fails.  Looking
at the security log on the pdc for domainX, I see the following (modified
username, domain, etc) for one of those users... 
Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	userX
 	Domain:		domainY
 	Logon Type:	3
 	Logon Process:	KSecDD
 	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 	Workstation Name:	\\samba2.0.0-server

If I understand this correctly, the pdc of domainX is being asked to
authenticate for domainY, which it obviously can't do.  What's going on
here?

From what I can tell, the NTws in domainY is getting bad info about domainX
machines from the WINS queries it makes to the pdc/WINS server of domainY.
For example, from domainY, a name lookup using NT's nslookup of the
samba-server in domainX returns samba-server.ourcompany.com instead of
samba-server.developer.ourcompany.com.  The NTws in domainY gets it's
response from the WINS server of domainY.  Now, it appears that the marriage
of the DNS and WINS on the domainY pdc is making for responses that give out
incorrect domain data for machines in domainX.  
We tried turning off the WINS pull from domainX to domainY.  This then
requires us to map drives to the IP address.  Very suboptimal solution.

Eventually we'll be separating the DNS and WINS on the domainY pdc, but
until then, what's the best fix for this?  We'd rather stay away from
lmhosts.  
Furthermore, since the primary and secondary WINS servers are handed out in
the DHCP lease, how can one change the order of which NTws resolves a name?
Can I, via the registry, switch things so that the DNS query happens before
the WINS query?  I didn't find much in the registry although
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

thanks, Paul.
Digital Renaissance
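A small parser for the security-log format quoted above, added here as an example; it is not part of the original post and not Samba code. It reads NT-style "Logon Failure" records, keeps the network (type 3) logons whose Domain field is not the PDC's own domain, and counts them per forwarding workstation, so a pass-through server that keeps presenting domainY credentials to the domainX PDC stands out in the log, which is exactly what the quoted entry shows. The sample log text, the user names, and the host and domain names in it are constructed placeholders modelled on that entry.

```python
"""Flag NT4-style 'Logon Failure' records that a pass-through (security = server)
Samba host forwarded to a PDC for a domain the PDC cannot authenticate."""
import re
from collections import Counter

# Constructed sample, modelled on the security-log entry quoted in the post.
# Not a real capture; host, user and domain names are placeholders.
SAMPLE_LOG = """\
Logon Failure:
 \tReason:\t\tUnknown user name or bad password
 \tUser Name:\tuserX
 \tDomain:\t\tdomainY
 \tLogon Type:\t3
 \tLogon Process:\tKSecDD
 \tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 \tWorkstation Name:\t\\\\samba2.0.0-server

Logon Failure:
 \tReason:\t\tUnknown user name or bad password
 \tUser Name:\tuserZ
 \tDomain:\t\tdomainX
 \tLogon Type:\t3
 \tLogon Process:\tKSecDD
 \tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 \tWorkstation Name:\t\\\\samba2.0.0-server

Logon Failure:
 \tReason:\t\tUnknown user name or bad password
 \tUser Name:\tuserW
 \tDomain:\t\tdomainY
 \tLogon Type:\t3
 \tLogon Process:\tKSecDD
 \tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 \tWorkstation Name:\t\\\\samba2.0.0-server
"""

# One "Field Name:<whitespace>value" line; the key stops at the first colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")


def parse_logon_failures(text):
    """Return one dict per 'Logon Failure:' block, keyed by the field names
    exactly as the NT security log prints them."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("val")
    return records


def foreign_domain_failures(records, local_domain):
    """Network (Logon Type 3) failures whose Domain is not the PDC's own domain.
    In the post's setup these are the domainY credentials the Samba host
    forwarded to the domainX PDC."""
    return [
        r for r in records
        if r.get("Logon Type") == "3"
        and r.get("Domain", "").lower() != local_domain.lower()
    ]


def summarize_by_forwarder(records, local_domain):
    """Counter keyed by (workstation, domain) for the foreign-domain failures,
    so the host doing the forwarding and the domain it presents are visible."""
    counts = Counter()
    for r in foreign_domain_failures(records, local_domain):
        ws = r.get("Workstation Name", "").lstrip("\\").lower()
        counts[(ws, r["Domain"].lower())] += 1
    return counts


if __name__ == "__main__":
    recs = parse_logon_failures(SAMPLE_LOG)
    for (ws, dom), n in summarize_by_forwarder(recs, "domainX").items():
        print(f"{ws} forwarded {n} failed logon(s) for domain {dom} to the domainX PDC")
```

Run it against an exported security log in place of SAMPLE_LOG; an entry from the samba server with a Domain value other than the PDC's own is the symptom described in the post, as opposed to the userZ record, which is an ordinary bad-password failure for a local-domain account.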



