[Samba] Domain Trust on ADS.

Gerald (Jerry) Carter jerry at samba.org
Fri Dec 12 14:16:22 GMT 2003



Gaurang Pandya wrote:
| Hi Jerry,
|
| Here is the output for debug level 10. Though there
| are so many things there (of course) I am pasting only
| a few lines which I think will give you a clue. If you need
| any more of those please tell me.
|
| rpc_api_pipe: len left: 0 smbtrans read: 48
| rpc_api_pipe: fragment first and last both set
| 000018 samr_io_r_connect
|     000018 smb_io_pol_hnd connect_pol
|         0018 data1: 00000000
|         001c data2: 00000000
|         0020 data3: 0000
|         0022 data4: 0000
|         0024 data5: 00 00 00 00 00 00 00 00
|     002c status: NT_STATUS_ACCESS_DENIED
| refresh_sequence_number: backend returned 0xc0000022
| refresh_sequence_number: seq number is now -1
| client_write: wrote 1304 bytes.
| client_write: need to write 38 extra data bytes.
| client_write: wrote 38 bytes.
| client_write: client_write: complete response written.
| read failed on sock 11, pid 939: EOF

Yup.  This is the problem.  This is a native mode
domain right?  You need to give winbindd a username/pw
pair to connect to the DC since the domain policy has
been set to disallow anonymous access to the SAMR pipe.

The other option is to upgrade to 3.0 which works
around this both in security = domain and security = ads
modes by either using cached user information from
the net_samlogon() reply or by using the Kerberos
ticket for the machine account to connect to any
2k trusted DCs.





cheers, jerry
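The diagnosis in the reply above can be automated when triaging winbindd debug logs. The following is an added example, not part of the original message and not Samba code: it scans debug output for a SAMR reply that ended in NT_STATUS_ACCESS_DENIED and notes whether the sequence-number refresh then failed with 0xc0000022. It assumes the log lines look like the excerpt quoted in the message; the function name and the sample log are constructed for illustration.

```python
import re

# Constructed sample, modeled on the debug-level-10 lines quoted in the message.
SAMPLE_LOG = """\
| rpc_api_pipe: fragment first and last both set
| 000018 samr_io_r_connect
|     000018 smb_io_pol_hnd connect_pol
|         0018 data1: 00000000
|     002c status: NT_STATUS_ACCESS_DENIED
| refresh_sequence_number: backend returned 0xc0000022
| refresh_sequence_number: seq number is now -1
"""

QUOTE = re.compile(r"^\s*\|\s?")                      # mail quoting prefix, if any
REPLY = re.compile(r"^[0-9a-f]+\s+(\w+_io_r_\w+)$")   # name of an RPC reply structure
STATUS = re.compile(r"^[0-9a-f]+\s+status:\s+(NT_STATUS_\w+)$")
BACKEND = re.compile(
    r"^refresh_sequence_number: backend returned (0x[0-9a-f]+)$", re.I)
ACCESS_DENIED = 0xC0000022  # NT_STATUS_ACCESS_DENIED


def find_samr_denials(text):
    """Return one finding per SAMR reply that ended in NT_STATUS_ACCESS_DENIED."""
    findings, call = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = QUOTE.sub("", raw).strip()
        if m := REPLY.match(line):
            call = m.group(1)          # remember which reply is being unmarshalled
        elif (m := STATUS.match(line)) and call:
            if call.startswith("samr_") and m.group(1) == "NT_STATUS_ACCESS_DENIED":
                findings.append(
                    {"line": lineno, "call": call, "seq_refresh_failed": False})
            call = None                # status closes the current reply
        elif (m := BACKEND.match(line)) and findings:
            # The refresh failure that follows confirms winbindd could not use SAMR.
            if int(m.group(1), 16) == ACCESS_DENIED:
                findings[-1]["seq_refresh_failed"] = True
    return findings


if __name__ == "__main__":
    for finding in find_samr_denials(SAMPLE_LOG):
        print(finding)
```
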


