[Samba] 3.6.0 Domain trusts broken

Alex Crow acrow at integrafin.co.uk
Tue Oct 11 11:44:18 MDT 2011

Hi all,

Since the winbind refactoring in Samba 3.6.0, interdomain trusts between 
Samba servers seem to be broken in that being able to resolve or modify 
file permissions on the other domain work only very intermittently (eg 
about once out of 10 tries). This is regardless of whether I use 
idmap_rid or idmap_ldap as the backend.

I set up two 3.6.0 domain controllers with an XP client attached to 
each, and trying to add permissions from the trusted domain by choosing 
the domain and hitting the "Add" then "Advanced" buttons and then the 
"Find Now" mostly brings up a password prompt - any credentials entered 
here still cause the listing of users/groups/security principals to fail 
with a "Login failure: unknown name or bad password" dialog. However I 
can still log in to either domain from XP with no issues.

The smb.conf on one of the servers is as follows, the other server is 
the same apart from the domain being "TESTDOM2" and wins server = <ip of 
PDC> rather than "wins support=yes".

Any help is much appreciated.



workgroup = TESTDOM1
netbios name = PDC

interfaces = eth0, lo
passdb backend = ldapsam:ldap://

username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
max log size = 104857
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = yes

show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=testdom1,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups

ldap admin dn = cn=manager,dc=testdom1,dc=net
ldap ssl = no
ldap timeout = 60
client use spnego = no

idmap cache time = 320

idmap config TESTDOM1 : backend = nss
idmap config TESTDOM1 : range = 500-9999

idmap config * : backend = rid
idmap config * : range = 20000-40000
idmap config * : base_rid = 1000

idmap config TESTDOM2 : backend = rid
idmap config TESTDOM2 : range = 100000-200000
idmap config TESTDOM2 : base_rid = 1000

winbind nested groups = yes

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes

wins support = yes
log level = 1
domain logons = yes
domain master = yes
preferred master = yes
logon drive = H:

passdb expand explicit = yes
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
enable privileges = Yes
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon home = ""
logon path = ""

This message is intended only for the addressee and may contain
confidential information.  Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.

"Transact" is operated by Integrated Financial Arrangements plc
Domain House, 5-7 Singer Street, London  EC2A 4BQ
Tel: (020) 7608 4900 Fax: (020) 7608 5300
(Registered office: as above; Registered in England and Wales under number: 3727592)
Authorised and regulated by the Financial Services Authority (entered on the FSA Register; number: 190856)

More information about the samba mailing list