[Samba] Trouble with trusted domains

Gerald (Jerry) Carter jerry at samba.org
Thu Apr 10 22:26:38 GMT 2008


Martin Zielinski wrote:
> Hello list,
> 
> perhaps someone can guide me in finding out what's going wrong in the
> following scenario (Active Directory, Samba 3.0.20b, same with 3.0.28a):
> 
> CHILD1.CONTOSO.COM <-trusts-> CONTOSO.COM <-trusts->CHILD2.CONTOSO.COM
>  |                                                    | |
>  User: CHILD1\testtest                                | Samba
>                                                       Vista
> 
> CHILD1\testtest -> Vista : works (of course :-()
> CHILD1\testtest -> Samba : password prompt (logon failure)
> 
> What I can see is that Samba decodes the user correctly out of the Kerberos
> ticket as testtest@child1.contoso.com.
> 
> Then, Samba (better to say: winbind) tries to resolve the shortened name
> CHILD1\testtest into a SID.
> 
> winbind does this with a LSA RPC call to CHILD2 (not to CHILD1, where
> the user comes from) and receives a "NO MAPPED USER" reply.
> 
> Now my question is: shouldn't Samba ask CHILD1 for the user
> CHILD1\testtest or
> should CHILD2 know about user CHILD1\testtest?
> Where lies the mistake?

Fixed in 3.2.  We should ask the root of our forest, which is what we do
in the 3.2 series.




cheers, jerry
--
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian

