Jason Haar
2007-Mar-15 03:51 UTC
[Samba] winbind occasionally failing to find domain controllers for trusted domains
Hi there

We have a bunch of Win2K3 trusted domains that are parts of other forests from our own Win2K3 forest. Most times Samba works just fine with allowing users from such trusted domains to connect to its shares, but now and then it "gets out of whack" and loses access/information about these "other" domains. "log level = 9" shows things like the following when querying for details about such domains (e.g. "wbinfo -D TRUSTED"):

[2007/03/15 03:36:02, 5] libsmb/namecache.c:namecache_fetch(195)
  no entry for TRUSTED-DOM-02#20 found.
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_lmhosts(939)
  resolve_lmhosts: Attempting lmhosts lookup for name TRUSTED-DOM-02<0x20>
[2007/03/15 03:36:02, 4] libsmb/namequery.c:getlmhostsent(690)
  getlmhostsent: lmhost entry: 127.0.0.1 localhost
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_wins(836)
  resolve_wins: Attempting wins lookup for name TRUSTED-DOM-02<0x20>
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_wins(839)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2007/03/15 03:36:03, 2] nsswitch/winbindd_util.c:winbindd_dual_init_connection(467)
  Could not resolve DC name TRUSTED-DOM-02 for domain TRUSTED

This isn't surprising. "TRUSTED" is on a completely different network from ours, and won't be reachable via broadcasts - only DNS can be relied on. The domain "TRUSTED" maps to AD name "TRUSTED.NET" - and that is resolvable (pointing to all the DCs for that domain). Similarly, "trusted-dom-02.trusted.net" actually resolves to that host. It just appears that Samba doesn't "do" such a lookup?

And I can't just add "trusted.net" to /etc/resolv.conf - we have over 8 trusts in place - each with different DNS domains (and growing - acquisitions will do that to you ;-) and I don't fancy the DNS delays.

Needless to say, all this works under Windows. Our existing Win2K3 AD infrastructure suffers no issues with such relationships - only Samba seems to pick up such problems.

I would have thought that if a Samba server was using "security = ADS", such "NT4-style" lookup options would be deprecated in preference to DNS and LDAP?

I know I can fix this problem by hard-wiring such hostnames into /etc/samba/lmhosts - but that sort of defeats the purpose. We certainly tear down and build up new DCs often enough to turn that into a maintenance disaster anyway ;)

Have I missed something that could make these trusts more reliable?

We are running Samba-3.0.24 under CentOS4.4

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Gerald (Jerry) Carter
2007-Apr-04 16:03 UTC
[Samba] winbind occasionally failing to find domain controllers for trusted domains
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason Haar wrote:
> Hi there
>
> We have a bunch of Win2K3 trusted domains that are
> parts of other forests from our own Win2K3 forest.
...
> Have I missed something that could make these trusts
> more reliable? We are running Samba-3.0.24 under CentOS4.4

We should be talking to DNS anyways in this case. Can you DNS resolve the SRV records for the trusted domain? Do you have "host" listed in the "name resolve order" option in smb.conf?

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGE8xNIR7qMdg1EfYRAoj8AJ94N3JZ6wnjWswrOwEEiOUumGKhYwCg3yFx
dzLXWx7KLUe/LCjzAE+1tBU=
=ePHX
-----END PGP SIGNATURE-----
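The two checks Jerry asks for, written out as an added example (this is not code from the thread or from the Samba project): a POSIX shell script that reads the effective "name resolve order" from an smb.conf, reports whether "host" (DNS via the system resolver) is among the methods, and builds the SRV name a trusted domain's DCs must publish. The smb.conf it inspects is constructed for the demo and deliberately omits "host"; the domain name trusted.net comes from the thread, and _ldap._tcp.dc._msdcs.<domain> is the standard Active Directory DC-locator SRV record. Samba's default for "name resolve order" (lmhosts host wins bcast) already includes DNS, so the problem only arises when the option has been set by hand without "host".

```shell
#!/bin/sh
# Added example (not from the thread): checks the two things Jerry asks about.
#  1. Does smb.conf's "name resolve order" include "host", so winbind consults
#     DNS (and not only lmhosts/WINS/broadcast) when locating a trusted DC?
#  2. Which SRV record must resolve for the trusted domain's DCs?
# The smb.conf below is constructed for the demo; trusted.net is the domain
# used in the thread; _ldap._tcp.dc._msdcs.<domain> is the standard AD
# DC-locator SRV name.

# name_resolve_order FILE -> prints the effective "name resolve order" value.
# smb.conf keys are case-insensitive; lines starting with ';' or '#' are
# comments and are skipped because the pattern is anchored at line start.
name_resolve_order() {
    nro=$(tr '[:upper:]' '[:lower:]' < "$1" \
        | sed -n 's/^[[:space:]]*name[[:space:]]*resolve[[:space:]]*order[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' \
        | tail -n 1)
    # Samba's documented default when the option is absent
    [ -n "$nro" ] || nro="lmhosts host wins bcast"
    printf '%s\n' "$nro"
}

# has_host "ORDER" -> success if "host" (DNS via the resolver) is one of the methods
has_host() {
    for method in $1; do
        if [ "$method" = "host" ]; then
            return 0
        fi
    done
    return 1
}

# dc_srv_name DNSDOMAIN -> the SRV name clients query to locate that domain's DCs
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# --- demonstration on a constructed smb.conf (weak setting, then the fix) ---
tmpconf=$(mktemp)
cat > "$tmpconf" <<'EOF'
[global]
   workgroup = OURDOM
   realm = OURDOM.EXAMPLE
   security = ADS
   ; "host" left out: trusted DCs on other networks are unreachable by WINS/broadcast
   name resolve order = lmhosts wins bcast
EOF

order=$(name_resolve_order "$tmpconf")
if has_host "$order"; then
    printf 'OK: name resolve order = "%s" includes host (DNS)\n' "$order"
else
    printf 'PROBLEM: name resolve order = "%s" never consults DNS\n' "$order"
    printf '  fix: name resolve order = lmhosts host wins bcast  (the default)\n'
fi
printf 'DC locator record for trusted.net: %s\n' "$(dc_srv_name trusted.net)"
rm -f "$tmpconf"

# Optional live check: pass the trusted domain's DNS name as the first argument.
# Nothing touches the network otherwise.
if [ $# -ge 1 ] && command -v host >/dev/null 2>&1; then
    host -t SRV "$(dc_srv_name "$1")" \
        || printf 'no SRV records for %s: winbind cannot locate its DCs via DNS\n' "$1"
fi
```

Run it as "sh check_trust_dns.sh" for the offline demonstration, or "sh check_trust_dns.sh trusted.net" to also query the SRV record with the host utility; an empty SRV answer for _ldap._tcp.dc._msdcs.trusted.net means DNS alone cannot lead winbind to that domain's DCs no matter what "name resolve order" says.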