[Samba] FOOBAR\usuario1 windows explorer hangs forever while accessing shared dirs in LAPAZ\comp1 (interdomain trust relationships)

Alex Crow acrow at integrafin.co.uk
Wed Feb 27 11:08:49 MST 2013


Hi,

Did this ever get an answer? I just upgraded both ends of a 
bidirectional domain trust setup to 3.6.12 (from 3.5.something against 
3.6.5, worked perfectly) and I face *exactly* the same problem, i.e. a 
share on an XP box cannot be accessed by another XP box at the other end. 
The SMB error code is identical.

Thanks

Alex

On 20/11/12 21:10, Fernando Torrez wrote:
> Hi all
>
> I have two samba PDC installed according to these specifications:
>
> domain FOOBAR with pdc server name: BAR (ip 192.168.1.1)
> opensuse 11.1
> samba-3.5.6-15.1
> openldap2-2.4.12-5.6.1
> smbldap-tools-0.9.5-25.1
> A winxp called USUARIO1 joined to the FOOBAR domain (ip 192.168.1.100)
>
>
> domain LAPAZ with pdc server name: SERVERLPZ (ip 192.168.10.4)
> openSUSE 12.2
> samba-3.6.7-48.12.1.i586
> openldap2-2.4.31-2.1.3.i586
> smbldap-tools-0.9.6-5.1.noarch
> A winxp called COMP1 joined to the LAPAZ domain (ip 192.168.10.101)
>
> I made interdomain trust relationships according to the steps written at the end of this mail,
> but when FOOBAR\USUARIO1 tries to access shares available on LAPAZ\COMP1 using windows explorer, it hangs forever.
>
> Doing some packet capture with wireshark I got these results:
>
> 249    15.610519    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
> 250    15.610866    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
> 251    15.611490    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
> 252    15.615751    192.168.1.101    192.168.10.100    ICMP    74    Echo (ping) request  id=0x0200, seq=1024/4, ttl=30
> 253    15.622135    192.168.10.100    192.168.1.101    ICMP    74    Echo (ping) reply    id=0x0200, seq=1024/4, ttl=128
> 254    15.689197    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
> 255    15.689820    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
> 256    15.689959    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)
> 257    15.690717    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
> 258    15.690970    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
> 259    15.691353    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
> 260    15.732067    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
> 261    15.732568    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
> 262    15.732728    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)
> 263    15.733215    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
> 264    15.733547    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
> 265    15.733918    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
> 266    15.745888    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
> 267    15.746319    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
> 268    15.746437    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)
>
> As can be seen, there's a recurring strange error: Error: Unknown (0xC000035C), and doing some googling I could only find something like:
>   0xC000035C (STATUS_NETWORK_SESSION_EXPIRED), which refers to a network session having expired
>
> I think that samba 3.5 and samba 3.6 are not fully compatible when doing interdomain trusts
> because idmap is not configured and managed in the same way. Isn't it?
>
> This behavior doesn't appear if FOOBAR\USUARIO1 tries to access LAPAZ\SERVERLPZ shares
> or if LAPAZ\COMP1 tries to access any FOOBAR shares (either FOOBAR\USUARIO1 or FOOBAR\BAR).
>
> I thought that both Windows machines had something wrong, so I tried with another two Windows workstations with the same results.
>
> If someone can point me in the right direction to solve this problem, I would really appreciate any help.
>
> Thanks in advance
>
>     Fernando Torrez
>
>
> INTERDOMAIN TRUST RELATIONSHIP PROCESS
>
> 1.- PREVIOUS ADJUSTMENTS
> On LAPAZ domain server (serverlpz) I changed wins server to use FOOBAR wins server:
>
> wins server = 192.168.1.1
>
> and made sure that smb.conf has these lines defined for mapping:
>
>          idmap config * : backend = ldap
>          idmap config * : readonly = no
>          idmap config * : default = yes
>          idmap config * : ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
>          idmap config * : ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
>          idmap config * : ldap_url = ldap://serverlpz.lapaz.tld
>          idmap config * : range = 50000-500000
>
>          idmap alloc config:ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
>          idmap alloc config:ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
>          idmap alloc config:ldap_url = ldap://serverlpz.lapaz.tld
>          idmap alloc config:range = 50000-500000
>
> and finally I ran the command:
> serverlpz:~ # net idmap secret '*' mysecret
> Secret stored
>
> On FOOBAR domain server (bar) I only made sure that these lines were defined:
>
>          idmap backend = ldap:ldap://bar.foobar.tld
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000
>
> 2.- MAKING TWO WAY INTERDOMAIN TRUST RELATIONSHIP
>
> serverlpz:/var/log/samba # smbldap-useradd -i foobar
> New password : ADMINISTRATOR
> Retype new password : ADMINISTRATOR
>
> bar:~ # net rpc trustdom establish lapaz
> Enter FOOBAR$'s password: ADMINISTRATOR
> Could not connect to server SERVERLPZ
> Trust to domain LAPAZ established
>
> bar:~ # smbldap-useradd -i lapaz
> New password : ADMINISTRATOR
> Retype new password : ADMINISTRATOR
>
> serverlpz:~ # net rpc trustdom establish foobar
> Enter LAPAZ$'s password: ADMINISTRATOR
> Could not connect to server BAR
> Trust to domain FOOBAR established
>
> 3.- VERIFYING TRUSTS
> bar:~ # net rpc trustdom list -Uroot%mykey
> Trusted domains list:
> LAPAZ               S-1-5-21-2768586194-2883361281-2776744031
> Trusting domains list:
> LAPAZ               S-1-5-21-2768586194-2883361281-2776744031
>
> serverlpz:~ # net rpc trustdom list -Uroot%mysecondkey
> Trusted domains list:
> FOOBAR              S-1-5-21-792737186-2111905618-2835975785
> Trusting domains list:
> FOOBAR              S-1-5-21-792737186-2111905618-2835975785
>
> bar:~ # wbinfo -u
> root
> nobody
> usuario1
> LAPAZ\root
> LAPAZ\nobody
> LAPAZ\compu1
> bar:~ # wbinfo -g
> domain admins
> domain users
> domain guests
> domain computers
> sistemas
> LAPAZ\domain admins
> LAPAZ\domain users
> LAPAZ\domain guests
> LAPAZ\domain computers
> LAPAZ\seccion
>
> serverlpz:/var/log/samba # wbinfo -u
> root
> nobody
> compu1
> FOOBAR\root
> FOOBAR\nobody
> FOOBAR\usuario1
> serverlpz:/var/log/samba # wbinfo -g
> domain admins
> domain users
> domain guests
> domain computers
> seccion
> FOOBAR\domain admins
> FOOBAR\domain users
> FOOBAR\domain guests
> FOOBAR\domain computers
> FOOBAR\sistemas
>
> 4.- MODIFYING nsswitch TO ENABLE AUTHENTICATION THROUGH winbind
>
> I made sure that both nsswitch.conf files have these lines defined:
>
> passwd: files ldap winbind
> shadow: files ldap
> group:  files ldap winbind
>
> 5.- FINAL VERIFICATIONS
>
> bar:~ # getent passwd
> at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
> ....
> root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
> nobody:x:999:514:nobody:/dev/null:/bin/false
> usuario1:x:1001:513:System User:/home/usuario1:/bin/bash
> bar$:*:1002:515:Computer:/dev/null:/bin/false
> usuario1$:*:1003:515:Computer:/dev/null:/bin/false
> lapaz$:*:1004:513:Computer:/dev/null:/bin/false
> LAPAZ\root:*:10000:10124::/home/LAPAZ/root:/bin/false
> LAPAZ\nobody:*:10001:10124::/home/LAPAZ/nobody:/bin/false
> LAPAZ\compu1:*:10002:10124:compu1:/home/LAPAZ/compu1:/bin/false
>
> bar:~ # getent group
> at:!:25:
> ....
> ldap:!:70:
> named:!:44:
> winbind:!:107:
> Domain Admins:*:512:root
> Domain Users:*:513:
> Domain Guests:*:514:
> Domain Computers:*:515:
> Administrators:*:544:
> Account Operators:*:548:
> Print Operators:*:550:
> Backup Operators:*:551:
> Replicators:*:552:
> sistemas:*:1002:
> LAPAZ\domain admins:x:10125:LAPAZ\root
> LAPAZ\domain users:x:10124:LAPAZ\compu1,LAPAZ\foobar$
> LAPAZ\domain guests:x:10126:LAPAZ\nobody
> LAPAZ\domain computers:x:10127:LAPAZ\serverlpz$,LAPAZ\compu1$
> LAPAZ\seccion:x:10128:
>
> on serverlpz
>
> serverlpz:~ # getent passwd
> at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
> ..
> root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
> nobody:x:999:514:nobody:/dev/null:/bin/false
> compu1:x:1001:513:System User:/home/compu1:/bin/bash
> serverlpz$:*:1002:515:Computer:/dev/null:/bin/false
> compu1$:*:1003:515:Computer:/dev/null:/bin/false
> foobar$:*:1004:513:Computer:/dev/null:/bin/false
> FOOBAR\root:*:50002:50003::/home/FOOBAR/root:/bin/false
> FOOBAR\nobody:*:50003:50003::/home/FOOBAR/nobody:/bin/false
> FOOBAR\usuario1:*:50004:50003:usuario1:/home/FOOBAR/usuario1:/bin/false
>
> serverlpz:~ # getent group
> at:!:25:
> ..
> winbind:!:112:
> Domain Admins:*:512:root
> Domain Users:*:513:
> Domain Guests:*:514:
> Domain Computers:*:515:
> Administrators:*:544:
> Account Operators:*:548:
> Print Operators:*:550:
> Backup Operators:*:551:
> Replicators:*:552:
> seccion:*:1002:
> FOOBAR\domain admins:x:50004:
> FOOBAR\domain users:x:50003:FOOBAR\usuario1,FOOBAR\lapaz$
> FOOBAR\domain guests:x:50005:FOOBAR\nobody
> FOOBAR\domain computers:x:50006:FOOBAR\bar$,FOOBAR\usuario1$
> FOOBAR\sistemas:x:50007:
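As an added example (not code from either poster), the following Python script parses tshark-style summary lines such as the capture quoted above, resolves the 0xC000035C status that Wireshark displayed as Unknown to STATUS_NETWORK_SESSION_EXPIRED, and flags the repeating authenticate-then-fail cycle that leaves Explorer hanging. The sample lines are constructed from the capture in the post; the 0xC0000016 value for STATUS_MORE_PROCESSING_REQUIRED is the standard MS-ERREF code.

```python
# Added example (not from the thread): parse tshark-style SMB summary lines like the capture above.
import re
from collections import Counter
NTSTATUS = {0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",  # normal mid-NTLMSSP state
            0xC000035C: "STATUS_NETWORK_SESSION_EXPIRED"}   # Wireshark's "Unknown"
CLIENT, SERVER = "192.168.1.101", "192.168.10.100"
CYCLE = [  # one client<->server round from the post; the client repeats it forever
    "Session Setup AndX Request, NTLMSSP_NEGOTIATE",
    "Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED",
    "Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\\usuario1",
    "Session Setup AndX Response",
    "Tree Connect AndX Request, Path: \\\\COMPU1\\IPC$",
    "Tree Connect AndX Response, Error: Unknown (0xC000035C)"]
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+SMB\s+\d+\s+(.*)$")
ERR_RE = re.compile(r"Error:\s*(?:Unknown \((0x[0-9A-Fa-f]{8})\)|(\w+))")

def build_sample(cycles=3):
    """Constructed summary lines: frame, time, src, dst, proto, length, info."""
    out, frame = [], 249
    for _ in range(cycles):
        for i, info in enumerate(CYCLE):
            src, dst = (CLIENT, SERVER) if i % 2 == 0 else (SERVER, CLIENT)
            out.append(f"{frame}\t{15 + frame / 1000:.6f}\t{src}\t{dst}\tSMB\t100\t{info}")
            frame += 1
    return "\n".join(out)

def status_of(info):
    """NTSTATUS name for a summary line, or None when the reply succeeded."""
    m = ERR_RE.search(info)
    if m is None:
        return None
    # Wireshark printed the name itself, or left hex it did not know: translate it
    return m.group(2) or NTSTATUS.get(int(m.group(1), 16), m.group(1))

def analyse(text, min_cycles=3):
    """Count non-success statuses and auth-OK -> Tree-Connect-fail cycles; 'loop'
    means the client keeps re-authenticating after the expired-session error."""
    statuses, cycles, authed, path = Counter(), 0, False, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                       # ICMP pings and other non-SMB lines
        info, st = m.group(5), status_of(m.group(5))
        if st:
            statuses[st] += 1
        if info.startswith("Session Setup AndX Response"):
            authed = st is None            # NTLMSSP exchange completed successfully
        elif info.startswith("Tree Connect AndX Request"):
            path = info.split("Path: ", 1)[1]
        elif info.startswith("Tree Connect AndX Response") and authed and st:
            cycles, authed = cycles + 1, False
    return {"statuses": dict(statuses), "cycles": cycles, "path": path, "loop": cycles >= min_cycles}
```

Feed it the output of `tshark -r capture.pcap -Y smb` (or a pasted Wireshark summary) to see at a glance which share the loop is stuck on and which status the server keeps returning.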