[Samba] Samba 3.0.28a onwards "allow trusted domains" has no effect?

Hari Sekhon hpsekhon at googlemail.com
Tue Sep 9 14:52:33 GMT 2008


I've noticed a discrepancy between Samba Version 3.0.28a and Version 
3.0.24 in relation to Winbind rid idmap and trusted domains behaviour.

I have an environment with 2 domains linked via a trust, an Active 
Directory domain and an NT4 domain. On 3.0.24 the rid backend seems to 
work fine, but on 3.0.28a it shows OTHERDOMAIN\domain admins instead of 
the primary domain's domain admins in uid/name mapping on files.

Below is a relevant snippet of the identical samba configuration on both 

allow trusted domains = no
idmap backend = rid
idmap config PRIMARYDOMAIN:range = 10000-19999
idmap config OTHERDOMAIN:range = 20000-29999
idmap gid = 10000-30000
idmap uid = 10000-30000

Testparm confirms that allow trusted domains is set to No, so it seems 
that 3.0.28a does not respect the fact that trusted domains are not 
supposed to be allowed at all? This seems to break the way the rid 
backend works of course as there is a rid clash with the other domain.

This output from wbinfo --group-info shows the name clash:

domain admins:x:10512
OTHERDOMAIN\domain admins:x:10512

Can anyone offer any advice on what to do about this?
I am running 3.0.24 on Debian Etch and 3.0.28a on Gentoo, for which 
those are the latest stable versions packaged for the systems. I have 
tried 3.0.32 and the problem seems to occur there too. Is this a bug 
that has crept in after 3.0.24?


Hari Sekhon
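
An added example, not part of the original post: a small check that parses the `idmap config DOMAIN:range` lines and the `wbinfo --group-info` lines quoted above, then reports gids claimed by more than one domain and any mapping that falls outside its domain's configured range. Treating an unqualified group name as belonging to PRIMARYDOMAIN is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed inputs, copied from the values quoted in the post.
SMB_CONF = """\
allow trusted domains = no
idmap backend = rid
idmap config PRIMARYDOMAIN:range = 10000-19999
idmap config OTHERDOMAIN:range = 20000-29999
"""
GROUP_INFO = """\
domain admins:x:10512
OTHERDOMAIN\\domain admins:x:10512
"""

def parse_ranges(conf):
    """Return {DOMAIN: (low, high)} from 'idmap config DOMAIN:range = a-b' lines."""
    pat = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(conf)}

def parse_groups(text, default_domain):
    """Yield (domain, name, gid) per group line.

    Assumption: a name without a DOMAIN\\ prefix belongs to default_domain.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, gid = line.split(":")[:3]
        domain, sep, short = name.partition("\\")
        if not sep:
            domain, short = default_domain, name
        yield domain.upper(), short, int(gid)

def audit(conf, group_info, default_domain="PRIMARYDOMAIN"):
    """Return (gids shared across domains, mappings outside the domain's range)."""
    ranges = parse_ranges(conf)
    by_gid = defaultdict(set)
    out_of_range = []
    for domain, name, gid in parse_groups(group_info, default_domain):
        by_gid[gid].add((domain, name))
        low, high = ranges.get(domain, (None, None))
        if low is None or not low <= gid <= high:
            out_of_range.append((domain, name, gid))
    shared = {gid: sorted(o) for gid, o in by_gid.items() if len({d for d, _ in o}) > 1}
    return shared, out_of_range

if __name__ == "__main__":
    print(audit(SMB_CONF, GROUP_INFO))
```

On the values from the post, it reports gid 10512 as shared between both domains and `OTHERDOMAIN\domain admins` as mapped outside the 20000-29999 range configured for OTHERDOMAIN.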
