[Samba] Re: Samba-LDAP interdomain trust

Charlie medievalist at gmail.com
Thu May 8 02:05:05 GMT 2008


On 4/2/07, Allysson Steve Mota Lacerda <stevelacerda> wrote:
>>
>> When I try to login on the trusting domain (LABI) using an account of the
>> trusted domain (ADMIN) the following message is shown: "A device connected
>> to the system is not functioning". My "log on to" is set to ADMIN.
>>
>> I had this problem a time ago because the SIDs of my users were wrong but
>> I've fixed it.

As I understand it, that error is what you get when you can't connect
to the domain.  From Windows' point of view the connection to the
domain controller is a virtual device, and it's not working.  That's
the error my users get because my interdomain trusts aren't working.
I believe this is the way Windows reports the error and you can't
change that from inside Samba (TooMuchCoffeeGuy will correct me if I'm
wrong ;)).  It causes problems because the Hell Desk sends the flying
monkeys out to repair the "malfunctioning device" and they can't find
one.

>According to log.smbd, the user has a user SID referring to the trusted
>domain but the group SID is from the trusting domain. I don't use groups and
>the sambaPrimaryGroupSID field was empty. Even when I change the
>sambaPrimaryGroupSID value the message is the same.

>[2007/04/03 16:20:02, 2] auth/auth.c:check_ntlm_password(309)
>  check_ntlm_password: authentication for user [facomp] -> [facomp] -> [facomp] succeeded
>[2007/04/03 16:20:02, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
>  _net_sam_logon: user ADMIN\facomp has user sid
>  S-1-5-21-2439387625-709437076-297468561-23822
>  but group sid S-1-5-21-2029413396-4276977753-1550331494-513.
>  The conflicting domain portions are not supported for NETLOGON calls

I'm honestly pretty far out of my depth here, but that's the same
error I log also, and I believe it's because my domain trusts don't
work.  My theory at this point is that the workstation sees the user
SID is not from the local domain, it attempts to query the remote
domain that the SID belongs to, and when that fails the group SID
defaults to 513 in the local domain (513 is the default local users
group RID in Microsoft-land) and you are seeing the end of an error
cascade at that point.

>In both log.nmbd files I got the following messages:
>>
>> [2007/04/02 17:01:58, 0]
>> nmbd/nmbd_browsesync.c:get_domain_master_name_node_status_fail(486)
>> get_domain_master_name_node_status_fail:
>> Doing a node status request to the domain master browser at IP
>> <IP_OF_THE_OTHER_DOMAIN_PDC> failed.
>> Cannot get workgroup name.
>>
>> I have two domains running on a single server (different NICs) and they
>> share the WINS server.
>>
>> Can anyone help me?
>>
> --
> Allysson Steve Mota Lacerda
> stevelacerda
> http://www.stevelacerda.net
>

I do not believe I've been much help, except to say that I've got the
same problems, in my 4 samba based domains that behave much the same
way.  Sorry!  If you figure it out, let me know...

--Charlie
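As an added example, not code from this thread or from the Samba project: a small Python checker that pulls the user SID and group SID out of `_net_sam_logon` complaints like the one quoted above, compares their domain portions, and reports the RID of the group SID, so a mismatch like the ADMIN/LABI one can be spotted across a whole log.smbd rather than by eye. The sample log text is constructed from the lines quoted in the thread; the function names, the `WELL_KNOWN_RIDS` table and the suggested sambaPrimaryGroupSID check are this example's own, not anything Samba ships.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Samba 3 writes the NETLOGON complaint as a "[date, level] file:func(line)"
# header followed by an indented, line-wrapped message. We collapse whitespace
# first so the two SIDs can be matched regardless of where the wrap fell.
SAM_LOGON_RE = re.compile(
    r"_net_sam_logon: user (?P<account>\S+) has user sid "
    r"(?P<user_sid>S-1-5-21-\d+-\d+-\d+-\d+) but group sid "
    r"(?P<group_sid>S-1-5-21-\d+-\d+-\d+-\d+)"
)

# Well-known domain-relative RIDs (example's own lookup table).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-A-B-C-RID' into (domain portion 'S-1-5-21-A-B-C', RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


@dataclass
class SidConflict:
    account: str
    user_domain: str
    group_domain: str
    group_rid: int


def find_sid_conflicts(log_text: str) -> List[SidConflict]:
    """Return one SidConflict per logon whose user and group SIDs name different domains."""
    flat = re.sub(r"\s+", " ", log_text)
    conflicts = []
    for m in SAM_LOGON_RE.finditer(flat):
        user_domain, _ = split_sid(m["user_sid"])
        group_domain, group_rid = split_sid(m["group_sid"])
        if user_domain != group_domain:
            conflicts.append(SidConflict(m["account"], user_domain, group_domain, group_rid))
    return conflicts


def explain(c: SidConflict) -> str:
    """Human-readable summary plus the LDAP attribute to check for this account."""
    name = WELL_KNOWN_RIDS.get(c.group_rid, "unknown RID")
    lines = [
        f"{c.account}: user SID domain {c.user_domain} "
        f"!= group SID domain {c.group_domain} (group RID {c.group_rid}, {name})"
    ]
    if c.group_rid == 513:
        lines.append("group RID 513 is Domain Users of the trusting domain: "
                     "the primary group fell back to the local default")
    lines.append("check: sambaPrimaryGroupSID for this account must carry the same "
                 "domain portion as its sambaSID")
    return "\n".join(lines)


# Constructed sample, rebuilt from the log lines quoted in the thread.
SAMPLE_LOG = r"""
[2007/04/03 16:20:02, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [facomp] -> [facomp] -> [facomp] succeeded
[2007/04/03 16:20:02, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
  _net_sam_logon: user ADMIN\facomp has user sid
  S-1-5-21-2439387625-709437076-297468561-23822
  but group sid S-1-5-21-2029413396-4276977753-1550331494-513.
  The conflicting domain portions are not supported for NETLOGON calls
"""

if __name__ == "__main__":
    for conflict in find_sid_conflicts(SAMPLE_LOG):
        print(explain(conflict))
```

Run it against a real log.smbd by replacing `SAMPLE_LOG` with the file contents; every account it lists has a primary group SID from the wrong domain, which is exactly the condition Samba refuses to pass through NETLOGON.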
