[Samba] Samba 3.0.28a onwards "allow trusted domains" has no effect?

simo idra at samba.org
Tue Sep 9 16:19:32 GMT 2008

On Tue, 2008-09-09 at 15:52 +0100, Hari Sekhon wrote:
> Hi,
>    I've noticed a discrepancy between Samba Version 3.0.28a and Version 
> 3.0.24 in relation to Winbind rid idmap and trusted domains behaviour.
> I have an environment with 2 domains linked via a trust, an Active 
> Directory domain and an NT4 domain. On 3.0.24 the rid backend seems to 
> work fine, but on 3.0.28a it shows OTHERDOMAIN\domain admins instead of 
> the primary domain's domain admins in uid/name mapping on files.
> Below is a relevant snippet of the identical samba configuration on both 
> machines:
> allow trusted domains = no
> idmap backend = rid
> idmap config PRIMARYDOMAIN:range = 10000-19999
> idmap config OTHERDOMAIN:range = 20000-29999
> idmap gid = 10000-30000
> idmap uid = 10000-30000

Hari, this is not, as is, a valid configuration for either version; is
this the full configuration used?

> Testparm confirms that allow trusted domains is set to No, so it seems 
> that 3.0.28a does not respect the fact that trusted domains are not 
> supposed to be allowed at all? This seems to break the way the rid 
> backend works of course as there is a rid clash with the other domain.

Allow trusted domains = no controls only authentication/access to the
service, not id resolution.

> This output from wbinfo --group-info shows the name clash:
> domain admins:x:10512
> OTHERDOMAIN\domain admins:x:10512
> Can anyone offer any advice on what to do about this?
> I am running 3.0.24 on Debian Etch and 3.0.28a on Gentoo, for which 
> those are the latest stable versions packaged for the systems. I have 
> tried 3.0.32 and the problem seems to occur there too. Is this a bug 
> that has crept in after 3.0.24?

If that is the configuration you use, it seems more like a configuration


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>
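
Added example, not part of the original thread and not Samba code: a small model of the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) that reproduces the 10512 clash from the wbinfo output and shows the result when each domain gets its own range. Assumptions: base_rid is 0, the clash case maps both domains over one shared range starting at 10000, and the function names are hypothetical.

```python
from collections import defaultdict

# Well-known Windows RIDs: Domain Admins = 512, Domain Users = 513
WELL_KNOWN_RIDS = {"domain admins": 512, "domain users": 513}


def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid formula; returns None when the result falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def map_groups(domain_ranges, primary):
    """Return {display name: gid} for the well-known groups of every domain."""
    mapping = {}
    for domain, (low, high) in domain_ranges.items():
        for group, rid in WELL_KNOWN_RIDS.items():
            # Mirror the wbinfo output: primary-domain names carry no prefix
            name = group if domain == primary else f"{domain}\\{group}"
            mapping[name] = rid_to_unix_id(rid, low, high)
    return mapping


def find_clashes(mapping):
    """Return {gid: [names]} for every gid assigned to more than one name."""
    by_gid = defaultdict(list)
    for name, gid in mapping.items():
        if gid is not None:
            by_gid[gid].append(name)
    return {gid: sorted(n) for gid, n in by_gid.items() if len(n) > 1}


# Case 1 (assumption): both domains share the single range 10000-30000
SHARED = map_groups(
    {"PRIMARYDOMAIN": (10000, 30000), "OTHERDOMAIN": (10000, 30000)},
    primary="PRIMARYDOMAIN",
)
# Case 2: the per-domain ranges quoted in the post
DISJOINT = map_groups(
    {"PRIMARYDOMAIN": (10000, 19999), "OTHERDOMAIN": (20000, 29999)},
    primary="PRIMARYDOMAIN",
)

if __name__ == "__main__":
    for label, mapping in (("shared", SHARED), ("disjoint", DISJOINT)):
        print(label, "clashes:", find_clashes(mapping) or "none")
        for name, gid in sorted(mapping.items()):
            print(f"  {name}:x:{gid}")
```

A gid shared by two domains' groups means file ownership and ACL checks on the Unix side cannot tell them apart, so checking for clashes like this is worthwhile before trusting the mapping.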
