[Samba] 3.6.15/fix for BUG 9817 breaks our cross-domain support

Thomas Werschlein thomas.werschlein at geo.uzh.ch
Fri Aug 23 07:43:58 MDT 2013


Hi,

We discovered that the patch for BUG 9817 (https://bugzilla.samba.org/show_bug.cgi?id=9817), which was first included in Samba 3.6.15, breaks our cross-domain setup:

AD DC Domain "AD" [WinServer 2003 R2]
AD DC Domain "D"  [WinServer 2008 R2]

client_1 (domain member in AD, WinServer 2003 R2)
samba_srv (domain member in D, OmniOS)

Usernames and passwords are externally synchronized between the two domains AD and D.
There is no domain trust between A and AD.

In smb.conf we have set "map untrusted to domain = yes" in order to allow cross-domain access (AD -> D) to file resources:

When a user is logged in as AD\user to client_1, he is able to access \\samba_srv\someshare without entering his username/password again (although samba_srv is member of domain D, not AD).

This behaviour stopped working with Samba 3.6.15.

Reverting the patch for BUG 9817 (setting "params.domain_name = user_info->mapped.domain_name" in source3/auth/auth_winbind.c as it used to be) did "fix" it for us and brought back the cross-domain support we currently depend on.

This is not to say that Samba is wrong: the reasoning for patch 9817 sounds obvious after all. But somehow it does not work for our peculiar setup.

Thomas

--
Thomas Werschlein, IT Service Management 
Department of Geography, University of Zurich
PGP-Key-ID: C76C851B





