Hello,
We have a problem with the same user IDs in different domains.
We have to set the option "allow trusted domains = No" because winbind
seems not to be able to browse the whole AD (30 domains, over 20000 users).
So everything is working fine, like Kerberos, net commands, ...
  Ticket name is [user1@DomA.net]
  [ 3151]: getpwnam DomA\user1
  rpc: name_to_sid name=user1
  name_to_sid [rpc] user1 for domain DomA
  ads query_user gave user1 
But there is one thing we do not understand:
Samba realm: DomA
So a user with user ID DomA\user1 and password 123 has access.
But a user (it is the same user) with user ID DomB\user1 and password 123 has
access too.
 Got user=[user1] domain=[DomB] workstation=[work] len1=24 len2=24
  check_ntlm_password:  Checking password for unmapped user [DomB]\[user1]@[work] with the new password interface
  check_ntlm_password:  mapped user is: [DomA]\[user1]@[work]
  [ 9878]: pam auth crap domain: DomA user: user1
  [ 9878]: getpwnam DomA\user1
  rpc: name_to_sid name=user1
There is the same user in two different domains with the same password.
What is wrong in our configuration?
[global]
        workgroup = DomA
        realm = DomA
        server string = Systemtechnik Server Samba %v
        security = ADS
        allow trusted domains = No
        map to guest = Bad User
        password server = server.DomA.net
        restrict anonymous = 2
        use kerberos keytab = Yes
        log level = 3
        log file = /var/log/samba/smb.log
        name resolve order = wins hosts lmhosts bcast
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = server
        ldap ssl = no
        idmap uid = 10000-80000
        idmap gid = 10000-80000
        template homedir = /home/others
        template shell = /bin/bash
        winbind cache time = 3000
        winbind enable local accounts = No
krb5.conf:
[libdefaults]
        default_keytab_name = FILE:/etc/krb5.keytab
#       clockskew = 300
        default_realm = DomA.net
#       default_tgs_type = DES-CBC-CRC
#       default_tkt_type = DES-CBC-CRC
#       default_etypes = DES-CBC-CRC des-cbc-md5
#       default_etypes_des = DES-CBC-CRC des-cbc-md5
[realms]
        DomA.net= {
                kdc = server.DomA.net
                default_domain = DomA.net
                kpasswd_server = server.DomA.net
        }
[domain_realm]
        doma.net = DomA.net
        .doma.net = .DomA.net
#       .my.domain = MY.REALM
I hope that someone has an idea.
With kind regards,
Dirk Hoß
ITELLIUM
Systems & Services
Systemtechnik Server
Theodor-Althoff-Straße 2
45133 Essen
Phone: 0201/727-7357
mailto:dirk.hoss@itellium.com
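The smbd log excerpt in the post shows the security-relevant event: an NTLM logon requested for domain DomB is rewritten by check_ntlm_password to the server's own workgroup DomA before the password is checked, so a DomB\user1 logon is accepted with DomA\user1's credentials. The following Python script is an added example, not code from the post or from the Samba project: it scans check_ntlm_password log lines of the format quoted above and reports every logon whose requested domain differs from the domain it was mapped to. The sample input reuses the lines from the post (with the wrapped "unmapped user" line rejoined) plus one constructed DomA logon as a control case; the regex shape and the log level 3 line layout are taken from the post, everything else is an assumption.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Patterns for the two smbd auth lines quoted in the post (log level = 3).
UNMAPPED_RE = re.compile(
    r"check_ntlm_password:\s+Checking password for unmapped user\s+"
    r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
)
MAPPED_RE = re.compile(
    r"check_ntlm_password:\s+mapped user is:\s+"
    r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
)

# (user, requested_domain, mapped_domain, workstation)
Remap = Tuple[str, str, str, str]


def find_domain_remaps(lines: Iterable[str]) -> List[Remap]:
    """Return every logon whose requested domain was rewritten to another domain.

    Each "unmapped user" line is paired with the next "mapped user" line for the
    same user and workstation; a pair whose domains differ (case-insensitively,
    as Windows domain names are) is reported.
    """
    remaps: List[Remap] = []
    pending: Optional[dict] = None  # last unmapped line not yet paired
    for line in lines:
        m = UNMAPPED_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = MAPPED_RE.search(line)
        if m and pending is not None:
            mapped = m.groupdict()
            same_principal = (
                mapped["user"].lower() == pending["user"].lower()
                and mapped["ws"].lower() == pending["ws"].lower()
            )
            if same_principal and mapped["domain"].lower() != pending["domain"].lower():
                remaps.append(
                    (pending["user"], pending["domain"], mapped["domain"], pending["ws"])
                )
            pending = None
    return remaps


# Constructed sample: the three DomB lines are the ones quoted in the post;
# the DomA block is an added control case that must not be reported.
SAMPLE_LOG = [
    "  Got user=[user1] domain=[DomB] workstation=[work] len1=24 len2=24",
    "  check_ntlm_password:  Checking password for unmapped user "
    "[DomB]\\[user1]@[work] with the new password interface",
    "  check_ntlm_password:  mapped user is: [DomA]\\[user1]@[work]",
    "  [ 9878]: pam auth crap domain: DomA user: user1",
    "  Got user=[user1] domain=[DomA] workstation=[work] len1=24 len2=24",
    "  check_ntlm_password:  Checking password for unmapped user "
    "[DomA]\\[user1]@[work] with the new password interface",
    "  check_ntlm_password:  mapped user is: [DomA]\\[user1]@[work]",
]


if __name__ == "__main__":
    for user, requested, mapped, ws in find_domain_remaps(SAMPLE_LOG):
        print(f"domain remap: {requested}\\{user} from {ws} was authenticated as {mapped}\\{user}")
```

Run against a real smb.log (`find_domain_remaps(open("/var/log/samba/smb.log"))`), a non-empty result means logons for another domain are being authenticated against the server's own workgroup, which is exactly what the post's excerpt shows for DomB.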