Sandra.Geigenmueller@kion-ims.com
2007-Oct-09 12:09 UTC
[Samba] Winbind authentication over transitive trusts between multiple W2k3 Domains
Hello,
we use Samba 3.0.22 with MIT Kerberos and winbind on Ubuntu edgy in a
Windows 2003 ADS environment. Everything works fine, like kinit, net ads
join, getting the domain accounts from our own and other domains, but one
important thing fails: obviously winbind cannot resolve a name to a SID when
the account is in another domain where there is only a transitive trust, not a
direct one.
Let's say there are 3 AD domains in one tree: NIRVANA.ROM as top,
CA.NIRVANA.ROM and PO.NIRVANA.ROM as 2 child domains. Our Samba server
IDEFIX is in domain PO.
Our configuration ...
krb5.conf:
[libdefaults]
default_realm = PO.NIRVANA.ROM
ticket_lifetime = 36000
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 300
[realms]
CA.NIRVANA.ROM = {
kdc = castor.ca.nirvana.rom
admin_server = castor.ca.nirvana.rom
default_domain = CA
}
PO.NIRVANA.ROM = {
kdc = pollux.po.nirvana.rom
admin_server = pollux.po.nirvana.rom
default_domain = PO
}
NIRVANA.ROM = {
kdc = thor.nirvana.rom
admin_server = thor.nirvana.rom
default_domain = NIRVANA
}
[domain_realm]
.ca.nirvana.rom = CA.NIRVANA.ROM
ca.nirvana.rom = CA.NIRVANA.ROM
.po.nirvana.rom = PO.NIRVANA.ROM
po.nirvana.rom = PO.NIRVANA.ROM
.nirvana.rom = NIRVANA.ROM
nirvana.rom = NIRVANA.ROM
smb.conf:
[global]
workgroup = PO
security = ADS
realm = PO.NIRVANA.ROM
netbios name = IDEFIX
password server = *
idmap uid = 10000-200000
idmap gid = 10000-200000
template shell = /bin/false
allow trusted domains = Yes
winbind trusted domains only = No
winbind use default domain = No
winbind nested groups = Yes
winbind separator = +
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
client use spnego = yes
...
wbinfo -t says ok
wbinfo --sequence gets sequence numbers for all 3 domains
wbinfo -u gets all accounts from all 3 domains with the correct prefix
getent passwd looks like wbinfo -u
But users from the other child domain cannot be authenticated. We traced
it down to the name-to-sid function.
wbinfo -n PO+administrator> S-1-5-21-1669369028-1636446635-1573960127-500 User (1)
wbinfo -n NIRVANA+administrator> S-1-5-21-1755308885-1021831964-821464085-500 User (1)
wbinfo -n CA+administrator> Could not lookup name CA+administrator
winbindd with debug7 shows this
...
00001c smb_io_dom_rid2
001c type : 08
0020 rid : 00000000
0024 rid_idx: ffffffff
0028 mapped_count: 00000000
002c status : NT_STATUS_NONE_MAPPED
lookup_name returned an error
lookupname returned an error
While the other queries show an NT_STATUS_OK and mapped_count 1 and so on.
The only way we could make it work was to build a shortcut trust between
the 2 child domains CA and PO, but since we have more than 3 domains in our
productive environment, it wouldn't be a very nice solution.
Has anybody seen this behavior too? Is that really a bug or a missing
feature in the current Samba version? Or do we have some misconfiguration
(I hope)?
Any help would be much appreciated.
Thanks in advance.
With kind regards
Sandra Geigenmüller
KION Information Management Services GmbH, registered office: Wiesbaden,
register court: Wiesbaden HRB 22949, VAT ID no. DE 252065348, managing directors:
Helmut Draxler, Holger Pudzich
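The wbinfo checks from the post, generalised to every domain winbind reports as trusted, as an added shell script that is not part of the original mail. It assumes the `winbind separator` from smb.conf (`+`) and that an account named `administrator` exists in each domain; a domain whose lookup fails the way CA does above is reported and makes the script exit non-zero.

```shell
#!/bin/sh
# Probe name-to-SID resolution for every domain winbind trusts.
# A direct trust should resolve; a transitive-only trust that fails
# with "Could not lookup name" is the symptom described in the post.

SEP="${WINBIND_SEPARATOR:-+}"              # must match "winbind separator" in smb.conf
PROBE_USER="${PROBE_USER:-administrator}"  # assumption: present in every domain

# "wbinfo -m" prints the NetBIOS names of all trusted domains, one per line.
list_trusted_domains() {
    wbinfo -m
}

# Resolve DOMAIN<sep>user. Prints "ok DOMAIN SID" or "fail DOMAIN <message>".
probe_domain() {
    dom="$1"
    out=$(wbinfo -n "${dom}${SEP}${PROBE_USER}" 2>&1) || true
    case "$out" in
        S-1-5-*) printf 'ok %s %s\n' "$dom" "${out%% *}" ;;
        *)       printf 'fail %s %s\n' "$dom" "$out" ;;
    esac
}

# Probe every trusted domain; return 1 if any lookup fails.
check_trusted_domains() {
    rc=0
    for dom in $(list_trusted_domains); do
        res=$(probe_domain "$dom")
        echo "$res"
        case "$res" in fail*) rc=1 ;; esac
    done
    return $rc
}

# Only run against the real winbind when wbinfo is installed.
if command -v wbinfo >/dev/null 2>&1; then
    check_trusted_domains
fi
```

Run it on the Samba member server after `winbindd` is up; the "fail" lines name the domains for which a shortcut trust would currently be needed.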