[Samba] FOOBAR\usuario1 windows explorer hangs forever while accessing shared dirs in LAPAZ\comp1 (interdomain trust relationships)

Fernando Torrez fernando_torrez at hotmail.com
Tue Nov 20 14:10:11 MST 2012


Hi all

I have two Samba PDCs installed according to these specifications:

domain FOOBAR with pdc server name: BAR (ip 192.168.1.1)
opensuse 11.1  
samba-3.5.6-15.1
openldap2-2.4.12-5.6.1
smbldap-tools-0.9.5-25.1
A winxp called USUARIO1 joined to the FOOBAR domain (ip 192.168.1.100)


domain LAPAZ with pdc server name: SERVERLPZ (ip 192.168.10.4)
openSUSE 12.2
samba-3.6.7-48.12.1.i586
openldap2-2.4.31-2.1.3.i586
smbldap-tools-0.9.6-5.1.noarch
A winxp called COMP1 joined to the LAPAZ domain (ip 192.168.10.101)

I made interdomain trust relationships according to the steps written at the end of this mail,
but when FOOBAR\USUARIO1 tries to access shares available on LAPAZ\COMP1 using Windows Explorer, it hangs forever.

Doing some packet capture with wireshark I got these results:

249    15.610519    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
250    15.610866    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
251    15.611490    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
252    15.615751    192.168.1.101    192.168.10.100    ICMP    74    Echo (ping) request  id=0x0200, seq=1024/4, ttl=30
253    15.622135    192.168.10.100    192.168.1.101    ICMP    74    Echo (ping) reply    id=0x0200, seq=1024/4, ttl=128
254    15.689197    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
255    15.689820    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
256    15.689959    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)
257    15.690717    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
258    15.690970    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
259    15.691353    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
260    15.732067    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
261    15.732568    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
262    15.732728    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)
263    15.733215    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
264    15.733547    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
265    15.733918    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
266    15.745888    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
267    15.746319    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
268    15.746437    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)

As can be seen, there is a recurring strange error: Error: Unknown (0xC000035C). Doing some googling, I could only find something like:
 0xC000035C (STATUS_NETWORK_SESSION_EXPIRED), which refers to a network session expired
 
I think that Samba 3.5 and Samba 3.6 are not fully compatible when doing interdomain trusts
because idmap is not configured and managed in the same way. Isn't it?

This behavior doesn't appear if FOOBAR\USUARIO1 tries to access LAPAZ\SERVERLPZ shares
or if LAPAZ\COMP1 tries to access any FOOBAR shares (either FOOBAR\USUARIO1 or FOOBAR\BAR).

I thought that both Windows machines had something wrong, so I tried with another two Windows workstations, with the same results.

If someone can point me in the right direction to solve this problem, I would really appreciate any help.

Thanks in advance

   Fernando Torrez


INTERDOMAIN TRUST RELATIONSHIP PROCESS

1.- PREVIOUS ADJUSTMENTS
On the LAPAZ domain server (serverlpz) I changed the WINS server setting to use the FOOBAR WINS server:

wins server = 192.168.1.1

and made sure that smb.conf has these lines defined for mapping:

        idmap config * : backend = ldap
        idmap config * : readonly = no
        idmap config * : default = yes
        idmap config * : ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
        idmap config * : ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
        idmap config * : ldap_url = ldap://serverlpz.lapaz.tld
        idmap config * : range = 50000-500000

        idmap alloc config:ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
        idmap alloc config:ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
        idmap alloc config:ldap_url = ldap://serverlpz.lapaz.tld
        idmap alloc config:range = 50000-500000

and finally I ran the command:
serverlpz:~ # net idmap secret '*' mysecret
Secret stored

On the FOOBAR domain server (bar) I only made sure that these lines were defined:

        idmap backend = ldap:ldap://bar.foobar.tld
        idmap uid = 10000-20000
        idmap gid = 10000-20000

2.- MAKING A TWO-WAY INTERDOMAIN TRUST RELATIONSHIP

serverlpz:/var/log/samba # smbldap-useradd -i foobar
New password : ADMINISTRATOR
Retype new password : ADMINISTRATOR

bar:~ # net rpc trustdom establish lapaz
Enter FOOBAR$'s password: ADMINISTRATOR
Could not connect to server SERVERLPZ
Trust to domain LAPAZ established

bar:~ # smbldap-useradd -i lapaz
New password : ADMINISTRATOR
Retype new password : ADMINISTRATOR

serverlpz:~ # net rpc trustdom establish foobar
Enter LAPAZ$'s password: ADMINISTRATOR
Could not connect to server BAR
Trust to domain FOOBAR established

3.- VERIFYING TRUSTS
bar:~ # net rpc trustdom list -Uroot%mykey
Trusted domains list:
LAPAZ               S-1-5-21-2768586194-2883361281-2776744031
Trusting domains list:
LAPAZ               S-1-5-21-2768586194-2883361281-2776744031

serverlpz:~ # net rpc trustdom list -Uroot%mysecondkey
Trusted domains list:
FOOBAR              S-1-5-21-792737186-2111905618-2835975785
Trusting domains list:
FOOBAR              S-1-5-21-792737186-2111905618-2835975785

bar:~ # wbinfo -u
root
nobody
usuario1
LAPAZ\root
LAPAZ\nobody
LAPAZ\compu1
bar:~ # wbinfo -g
domain admins
domain users
domain guests
domain computers
sistemas
LAPAZ\domain admins
LAPAZ\domain users
LAPAZ\domain guests
LAPAZ\domain computers
LAPAZ\seccion

serverlpz:/var/log/samba # wbinfo -u
root
nobody
compu1
FOOBAR\root
FOOBAR\nobody
FOOBAR\usuario1
serverlpz:/var/log/samba # wbinfo -g
domain admins
domain users
domain guests
domain computers
seccion
FOOBAR\domain admins
FOOBAR\domain users
FOOBAR\domain guests
FOOBAR\domain computers
FOOBAR\sistemas

4.- MODIFYING nsswitch TO ENABLE AUTHENTICATION THROUGH winbind

I made sure that both nsswitch.conf files have these lines defined:

passwd: files ldap winbind
shadow: files ldap
group:  files ldap winbind

5.- FINAL VERIFICATIONS

bar:~ # getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
....
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
usuario1:x:1001:513:System User:/home/usuario1:/bin/bash
bar$:*:1002:515:Computer:/dev/null:/bin/false
usuario1$:*:1003:515:Computer:/dev/null:/bin/false
lapaz$:*:1004:513:Computer:/dev/null:/bin/false
LAPAZ\root:*:10000:10124::/home/LAPAZ/root:/bin/false
LAPAZ\nobody:*:10001:10124::/home/LAPAZ/nobody:/bin/false
LAPAZ\compu1:*:10002:10124:compu1:/home/LAPAZ/compu1:/bin/false

bar:~ # getent group
at:!:25:
....
ldap:!:70:
named:!:44:
winbind:!:107:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
sistemas:*:1002:
LAPAZ\domain admins:x:10125:LAPAZ\root
LAPAZ\domain users:x:10124:LAPAZ\compu1,LAPAZ\foobar$
LAPAZ\domain guests:x:10126:LAPAZ\nobody
LAPAZ\domain computers:x:10127:LAPAZ\serverlpz$,LAPAZ\compu1$
LAPAZ\seccion:x:10128:

On serverlpz:

serverlpz:~ # getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
..
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
compu1:x:1001:513:System User:/home/compu1:/bin/bash
serverlpz$:*:1002:515:Computer:/dev/null:/bin/false
compu1$:*:1003:515:Computer:/dev/null:/bin/false
foobar$:*:1004:513:Computer:/dev/null:/bin/false
FOOBAR\root:*:50002:50003::/home/FOOBAR/root:/bin/false
FOOBAR\nobody:*:50003:50003::/home/FOOBAR/nobody:/bin/false
FOOBAR\usuario1:*:50004:50003:usuario1:/home/FOOBAR/usuario1:/bin/false

serverlpz:~ # getent group
at:!:25:
..
winbind:!:112:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
seccion:*:1002:
FOOBAR\domain admins:x:50004:
FOOBAR\domain users:x:50003:FOOBAR\usuario1,FOOBAR\lapaz$
FOOBAR\domain guests:x:50005:FOOBAR\nobody
FOOBAR\domain computers:x:50006:FOOBAR\bar$,FOOBAR\usuario1$
FOOBAR\sistemas:x:50007:
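A small detector for the re-authentication loop visible in the capture above, as an added example (not from the post and not Samba code): it reads Wireshark summary lines, pairs each NTLMSSP_AUTH Session Setup with the Tree Connect reply that follows, and reports any client/server/user combination that keeps succeeding at authentication and then failing Tree Connect with the same NT status. The sample frames are reconstructed from the post's capture; the status-name table holds only the code the poster looked up.

```python
import re
from collections import defaultdict

# Name the poster found for the code Wireshark shows as "Unknown".
NT_STATUS_NAMES = {0xC000035C: "STATUS_NETWORK_SESSION_EXPIRED"}

# Constructed sample: the post's frames 251-268 without the NEGOTIATE/CHALLENGE pairs
# (Wireshark summary columns: No., Time, Source, Destination, Protocol, Length, Info).
CAPTURE = r"""
251 15.611490 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
254 15.689197 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
255 15.689820 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
256 15.689959 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
259 15.691353 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
260 15.732067 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
261 15.732568 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
262 15.732728 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
265 15.733918 192.168.1.101 192.168.10.100 SMB 400 Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
266 15.745888 192.168.10.100 192.168.1.101 SMB 175 Session Setup AndX Response
267 15.746319 192.168.1.101 192.168.10.100 SMB 136 Tree Connect AndX Request, Path: \\COMPU1\IPC$
268 15.746437 192.168.10.100 192.168.1.101 SMB 93 Tree Connect AndX Response, Error: Unknown (0xC000035C)
"""

def parse_frames(text):
    """Split summary lines into dicts; the Info column is last and keeps its spaces."""
    rows = (line.split(None, 6) for line in text.strip().splitlines())
    return [{"no": int(r[0]), "src": r[2], "dst": r[3], "proto": r[4], "info": r[6]} for r in rows]

def find_reauth_loops(frames, min_cycles=3):
    """Count cycles of: Session Setup succeeds, Tree Connect fails, client authenticates again."""
    state, cycles = {}, defaultdict(list)
    for f in frames:
        info, fwd, rev = f["info"], (f["src"], f["dst"]), (f["dst"], f["src"])
        if "Session Setup AndX Request, NTLMSSP_AUTH" in info:      # client (re)authenticates
            state[fwd] = {"user": info.split("User: ", 1)[1], "authed": False, "share": None}
        elif fwd in state and "Tree Connect AndX Request" in info:
            state[fwd]["share"] = info.split("Path: ", 1)[1]
        elif rev in state:                                          # server replies to that client
            s = state[rev]
            if "Session Setup AndX Response" in info and "Error" not in info:
                s["authed"] = True                                  # authentication succeeded
            elif "Tree Connect AndX Response" in info and "Error" in info and s["authed"]:
                m = re.search(r"0x([0-9A-Fa-f]{8})", info)
                code = int(m.group(1), 16) if m else None
                cycles[rev + (s["user"], s["share"], code)].append(f["no"])
                s["authed"] = False                                 # session rejected again
    return [{"client": k[0], "server": k[1], "user": k[2], "share": k[3], "status": k[4],
             "status_name": NT_STATUS_NAMES.get(k[4], "unmapped"),
             "cycles": len(v), "frames": (v[0], v[-1])}
            for k, v in cycles.items() if len(v) >= min_cycles]
```

Running it over the post's frames reports one loop of three cycles for FOOBAR\usuario1 against \\COMPU1\IPC$, all with STATUS_NETWORK_SESSION_EXPIRED, which is the pattern to look for in a longer capture before suspecting the idmap configuration.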