Hello list,

perhaps someone can guide me, finding out what's going wrong in the following scenario (Active Directory, Samba 3.0.20b, same with 3.0.28a):

CHILD1.CONTOSO.COM <-trusts-> CONTOSO.COM <-trusts-> CHILD2.CONTOSO.COM
        |                         |                          |
User: CHILD1\testtest             |                        Samba
                                Vista

CHILD1\testtest -> Vista : works (of course :-()
CHILD1\testtest -> Samba : password prompt (logon failure)

What I can see is that Samba decodes the user correctly out of the Kerberos ticket as testtest@child1.contoso.com.

Then, Samba (better to say: winbind) tries to resolve the shortened name CHILD1\testtest into a SID.

winbind does this with an LSA RPC call to CHILD2 (not to CHILD1, where the user comes from) and receives a "NO MAPPED USER" reply.

Now my question is: shouldn't Samba ask CHILD1 for the user CHILD1\testtest, or should CHILD2 know about user CHILD1\testtest? Where lies the mistake?

Using rpcclient, I can resolve the name into a SID when addressing CHILD1 *or* CONTOSO, but not CHILD2. "wbinfo -n CHILD1\testtest" on Samba also fails.

Thanks,
Martin
On Thu, Apr 10, 2008 at 02:20:28PM +0200, Martin Zielinski wrote:
> winbind does this with an LSA RPC call to CHILD2 (not to CHILD1, where
> the user comes from) and receives a "NO MAPPED USER" reply.
>
> Now my question is: shouldn't Samba ask CHILD1 for the user
> CHILD1\testtest or
> should CHILD2 know about user CHILD1\testtest?
> Where lies the mistake?

We should ask CONTOSO.COM. I'm afraid this is a known limitation right now. It could be coded up, but it is not yet.

Volker
Martin Zielinski wrote:
> Hello list,
>
> perhaps someone can guide me, finding out what's going wrong in the
> following scenario (Active Directory, Samba 3.0.20b, same with 3.0.28a):
>
> CHILD1.CONTOSO.COM <-trusts-> CONTOSO.COM <-trusts-> CHILD2.CONTOSO.COM
>         |                         |                          |
> User: CHILD1\testtest             |                        Samba
>                                 Vista
>
> CHILD1\testtest -> Vista : works (of course :-()
> CHILD1\testtest -> Samba : password prompt (logon failure)
>
> What I can see is that Samba decodes the user correctly out of the Kerberos
> ticket as testtest@child1.contoso.com.
>
> Then, Samba (better to say: winbind) tries to resolve the shortened name
> CHILD1\testtest into a SID.
>
> winbind does this with an LSA RPC call to CHILD2 (not to CHILD1, where
> the user comes from) and receives a "NO MAPPED USER" reply.
>
> Now my question is: shouldn't Samba ask CHILD1 for the user
> CHILD1\testtest or
> should CHILD2 know about user CHILD1\testtest?
> Where lies the mistake?

Fixed in 3.2. We should ask the root of our forest, which is what we do in the 3.2 series.

cheers, jerry

-- 
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
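A per-DC check of the name-to-SID lookup discussed in this thread (which DC maps CHILD1\testtest, which one answers NONE_MAPPED), as an added example that is not part of the list posts. It assumes rpcclient from Samba's client tools, an existing Kerberos ticket from kinit, and DC hostnames that are placeholders rather than anything named in the thread:

```shell
#!/bin/sh
# Added example, not from the list thread: ask each DC in the forest to map a
# DOMAIN\user name to a SID with rpcclient's LSA "lookupnames" command, so the
# winbind behaviour above (user's own domain and forest root resolve, the other
# child domain does not) can be verified from the Samba host itself.

# Pull the SID out of a successful "lookupnames" reply, which has the form
#   NAME S-1-5-21-... (User: 1)
# Prints the SID and returns 0; prints nothing and returns 1 otherwise.
parse_lookupnames() {
    _sid=$(printf '%s\n' "$1" | sed -n 's/^[^ ]* \(S-1-5-[0-9-]*\) (.*$/\1/p' | head -n 1)
    [ -n "$_sid" ] || return 1
    printf '%s\n' "$_sid"
}

# Extract the NT_STATUS_* code from a failed reply (empty if none present).
parse_ntstatus() {
    printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1
}

# Query one DC. Assumes rpcclient in PATH and a Kerberos ticket; -k tells
# rpcclient to authenticate with that ticket instead of a password.
probe_dc() {
    _dc=$1; _name=$2
    _out=$(rpcclient -k "$_dc" -c "lookupnames $_name" 2>&1)
    if _sid=$(parse_lookupnames "$_out"); then
        printf '%-28s OK    %s -> %s\n' "$_dc" "$_name" "$_sid"
    else
        printf '%-28s FAIL  %s (%s)\n' "$_dc" "$_name" "$(parse_ntstatus "$_out")"
    fi
}

# Usage (DC names are placeholders, not from the thread):
#   sh probe.sh 'CHILD1\testtest' dc.child1.contoso.com dc.contoso.com dc.child2.contoso.com
# The user's own domain and the forest root should answer; a DC in the other
# child domain reporting NT_STATUS_NONE_MAPPED is the symptom described above.
if [ "$#" -ge 2 ]; then
    _user=$1; shift
    for _dc in "$@"; do probe_dc "$_dc" "$_user"; done
fi
```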