[Samba] 3.6.15/fix for BUG 9817 breaks our cross-domain support

Thomas Werschlein thomas.werschlein at geo.uzh.ch
Fri Aug 23 07:43:58 MDT 2013


We discovered that the patch for BUG 9817 (https://bugzilla.samba.org/show_bug.cgi?id=9817), which was first included in Samba 3.6.15, breaks our cross-domain setup:

AD DC Domain "AD" [WinServer 2003 R2]                  
AD DC Domain "D"  [WinServer 2008 R2]

client_1 (domain member in AD, WinServer 2003 R2)                         
samba_srv (domain member in D, OmniOS)

Usernames and passwords are externally synchronized between the two domains AD and D.
There is no domain trust between A and AD.

In smb.conf we have set "map untrusted to domain = yes" in order to allow cross-domain access (AD -> D) to file resources:

When a user is logged in as AD\user to client_1, he is able to access \\samba_srv\someshare without entering his username/password again (although samba_srv is a member of domain D, not AD).

This behaviour stopped working with Samba 3.6.15.

Reverting the patch for BUG 9817 (setting "params.domain_name = user_info->mapped.domain_name" in source3/auth/auth_winbind.c as it used to be) did "fix" it for us and brought back the cross-domain support we currently depend on.

This is not to say that Samba is wrong: the reasoning for patch 9817 sounds obvious after all. But somehow it does not work for our peculiar setup.


Thomas Werschlein, IT Service Management 
Department of Geography, University of Zurich
PGP-Key-ID: C76C851B
