I have a problem with winbind resolving global groups on a trusted NT Domain. I want to use SQUID and NTLM Authentication and therefore the external authentication helper needs to check if a user belongs to a given group. When I do 'windbind -r DOMAIN+USER GROUP', only groups of the local domain are listed. It seems as if winbind couldn't find a domain controller for the trusted domain: 'wbinfo --sequence' shows the trusted domain disconnected. Debugging winbindd does show the following errors:

wbinfo --sequence =>
[..]
bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
[..]
Could not open a connection to DOMAIN_B for \PIPE\samr (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)

wbinfo -g =>
get_sam_group_entries: could not enumerate domain groups!
Error: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND

Though winbind couldn't find a Domain Controller, checking Password secrets using 'winbind -a' works without any problems for members of both domains.

Has anyone an idea how to solve this problem?

Samba Version: 3.0.9-2.6-SUSE
2 NT4 SP6 Servers acting as PDC for 2 trusted Domains

Thx
Andi
Gerald (Jerry) Carter
2005-Apr-26 14:07 UTC
[Samba] trusted domain 'disconnected' using winbind
Grund, Andreas wrote:
> I have a problem with winbind resolving global groups on a trusted NT
> Domain. I want to use SQUID and NTLM Authentication and therefore the
> external authentication helper needs to check if a user belongs to a given
> group. When I do 'windbind -r DOMAIN+USER GROUP', only groups of the local
> domain are listed. It seems as if winbind couldn't find a domain controller
> for the trusted domain: 'wbinfo --sequence' shows the trusted domain
> disconnected. Debugging winbindd does show the following errors:
>
> wbinfo --sequence =>
> [..]
> bind_rpc_pipe: transfer syntax differs
> rpc_pipe_bind: check_bind_response failed.
> [..]

This is the key error message. Can you send me a raw ethereal trace and a level 10 debug log surrounding this error? Thanks.

> Samba Version: 3.0.9-2.6-SUSE
> 2 NT4 SP6 Servers acting as PDC for 2 trusted Domains

cheers, jerry
====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
Problem is solved! Actually there were 2 problems.

First, I noticed that winbind tried to resolve a servername which is no longer PDC in the trusted domain - we changed PDC and BDC some months ago. Don't know where samba gets this (wrong) information from. So I tried a workaround by adding an entry in lmhosts with the wrong servername (the one winbind is looking for) but the correct ip-address of the PDC. In fact this worked fine with our test system but not with the production server, though the configuration was identical except for the sw-release of samba itself.

Finally I upgraded 3.0.9-2.6 to 3.0.14a-0.1 and now everything is fine!

Gerald (Jerry) Carter wrote:
> Grund, Andreas wrote:
>> I have a problem with winbind resolving global groups on a
>> trusted NT Domain. I want to use SQUID and NTLM
>> Authentication and therefore the external authentication
>> helper needs to check if a user belongs to a given group.
>> When I do 'windbind -r DOMAIN+USER GROUP', only groups of
>> the local domain are listed. It seems as if winbind couldn't
>> find a domain controller for the trusted domain: 'wbinfo
>> --sequence' shows the trusted domain disconnected. Debugging
>> winbindd does show the following errors:
>>
>> wbinfo --sequence =>
>> [..]
>> bind_rpc_pipe: transfer syntax differs
>> rpc_pipe_bind: check_bind_response failed.
>> [..]
>
> This is the key error message. Can you send me a raw
> ethereal trace and a level 10 debug log surrounding this
> error? Thanks.
>
>> Samba Version: 3.0.9-2.6-SUSE
>> 2 NT4 SP6 Servers acting as PDC for 2 trusted Domains
>
> cheers, jerry
> ====================================================================
> Alleviating the pain of Windows(tm) -------
> http://www.samba.org GnuPG Key -----
> http://www.plainjoe.org/gpg_public.asc "I never saved
> anything for the swim back." Ethan Hawk in Gattaca
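
The symptoms reported in this thread can be checked automatically on a proxy host that depends on winbind for group lookups. The script below is an added example, not part of the original posts or of Samba itself. It assumes `wbinfo --sequence` prints one `NAME : value` line per domain with the value `DISCONNECTED` for an unreachable trust, and it runs on constructed sample data modelled on the messages quoted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag trusted domains that winbindd cannot reach.
# Assumption: `wbinfo --sequence` prints "NAME : value" per domain and
# uses the value DISCONNECTED when no domain controller is connected.

# Print the names of domains reported as DISCONNECTED (reads stdin).
disconnected_domains() {
    awk -F' : ' 'NF == 2 && $2 == "DISCONNECTED" { print $1 }'
}

# Print each domain named in a "Could not open a connection to ..." log
# line that carries NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (reads stdin).
dc_not_found_domains() {
    sed -n 's/.*Could not open a connection to \([^ ]*\) for .*(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND).*/\1/p' | sort -u
}

# Constructed sample data; on a live host feed in the real command output
# and the winbindd debug log instead.
SAMPLE_SEQUENCE='BUILTIN : 1
DOMAIN_A : 4711
DOMAIN_B : DISCONNECTED'

SAMPLE_LOG='bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
Could not open a connection to DOMAIN_B for \PIPE\samr (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)'

# Correlate both sources: a disconnected domain with a logged DC lookup
# failure is CRITICAL, a disconnected domain alone is a WARNING.
# Returns 1 if any domain is disconnected, 0 otherwise.
check_trusts() {
    seq_out=$1
    log_out=$2
    down=$(printf '%s\n' "$seq_out" | disconnected_domains)
    failed=$(printf '%s\n' "$log_out" | dc_not_found_domains)
    status=0
    for d in $down; do
        if printf '%s\n' "$failed" | grep -qxF "$d"; then
            echo "CRITICAL: $d disconnected, DC not found"
        else
            echo "WARNING: $d disconnected"
        fi
        status=1
    done
    return $status
}

check_trusts "$SAMPLE_SEQUENCE" "$SAMPLE_LOG" || true
```

A disconnected trust means group membership for users of that domain cannot be resolved even though password checks still succeed, so group-based proxy rules should be treated as unreliable until the check is clean.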