Hari Sekhon
2008-Sep-09 14:52 UTC
[Samba] Samba 3.0.28a onwards "allow trusted domains" has no effect?
Hi,

I've noticed a discrepancy between Samba Version 3.0.28a and Version 3.0.24 in relation to Winbind rid idmap and trusted domains behaviour.

I have an environment with 2 domains linked via a trust, an Active Directory domain and an NT4 domain. On 3.0.24 the rid backend seems to work fine, but on 3.0.28a it shows OTHERDOMAIN\domain admins instead of the primary domain's domain admins in uid/name mapping on files.

Below is a relevant snippet of the identical samba configuration on both machines:

    allow trusted domains = no
    idmap backend = rid
    idmap config PRIMARYDOMAIN:range = 10000-19999
    idmap config OTHERDOMAIN:range = 20000-29999
    idmap gid = 10000-30000
    idmap uid = 10000-30000

Testparm confirms that allow trusted domains is set to No, so it seems that 3.0.28a does not respect the fact that trusted domains are not supposed to be allowed at all? This seems to break the way the rid backend works of course as there is a rid clash with the other domain.

This output from wbinfo --group-info shows the name clash:

    domain admins:x:10512
    OTHERDOMAIN\domain admins:x:10512

Can anyone offer any advice on what to do about this?
I am running 3.0.24 on Debian Etch and 3.0.28a on Gentoo, for which those are the latest stable versions packaged for the systems. I have tried 3.0.32 and the problem seems to occur there too. Is this a bug that has crept in after 3.0.24?

-h

--
Hari Sekhon
simo
2008-Sep-09 16:20 UTC
[Samba] Samba 3.0.28a onwards "allow trusted domains" has no effect?
On Tue, 2008-09-09 at 15:52 +0100, Hari Sekhon wrote:
> Hi,
>
> I've noticed a discrepancy between Samba Version 3.0.28a and Version
> 3.0.24 in relation to Winbind rid idmap and trusted domains behaviour.
>
> I have an environment with 2 domains linked via a trust, an Active
> Directory domain and an NT4 domain. On 3.0.24 the rid backend seems to
> work fine, but on 3.0.28a it shows OTHERDOMAIN\domain admins instead of
> the primary domain's domain admins in uid/name mapping on files.
>
> Below is a relevant snippet of the identical samba configuration on both
> machines:
>
> allow trusted domains = no
> idmap backend = rid
> idmap config PRIMARYDOMAIN:range = 10000-19999
> idmap config OTHERDOMAIN:range = 20000-29999
> idmap gid = 10000-30000
> idmap uid = 10000-30000

Hari, this is not, as is, a valid configuration for either version. Is this the full configuration used?

> Testparm confirms that allow trusted domains is set to No, so it seems
> that 3.0.28a does not respect the fact that trusted domains are not
> supposed to be allowed at all? This seems to break the way the rid
> backend works of course as there is a rid clash with the other domain.

Allow trusted domains = no controls only authentication/access to the service, not id resolution.

> This output from wbinfo --group-info shows the name clash:
>
> domain admins:x:10512
> OTHERDOMAIN\domain admins:x:10512
>
> Can anyone offer any advice on what to do about this?
> I am running 3.0.24 on Debian Etch and 3.0.28a on Gentoo, for which
> those are the latest stable versions packaged for the systems. I have
> tried 3.0.32 and the problem seems to occur there too. Is this a bug
> that has crept in after 3.0.24?

If that is the configuration you use, it seems more like a configuration error.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <simo@redhat.com>
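
A check for the symptom reported in this thread, two domain-qualified group names resolving to the same gid, and for gids that fall outside the range configured for their domain. This is an added example, not part of either post or of Samba. It assumes group lines in the name:x:gid form quoted above and that unqualified names belong to PRIMARYDOMAIN; the function names and the RANGES table are hypothetical.

```python
from collections import defaultdict

# Per-domain ranges as intended by the smb.conf snippet in the thread.
RANGES = {"PRIMARYDOMAIN": (10000, 19999), "OTHERDOMAIN": (20000, 29999)}

# Constructed sample: the first two lines are the ones quoted in the thread,
# the last two are constructed entries that should not be flagged.
SAMPLE = r"""
domain admins:x:10512
OTHERDOMAIN\domain admins:x:10512
domain users:x:10513
OTHERDOMAIN\domain guests:x:20514
"""

def parse_groups(text, default_domain="PRIMARYDOMAIN"):
    """Yield (domain, name, gid) from name:x:gid lines.
    Assumption: names without a DOMAIN\\ prefix belong to default_domain."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # blank or malformed line: skip rather than guess
        domain, sep, short = fields[0].partition("\\")
        if not sep:  # no DOMAIN\ prefix
            domain, short = default_domain, fields[0]
        yield domain.upper(), short, int(fields[2])

def find_gid_collisions(text, default_domain="PRIMARYDOMAIN"):
    """Return {gid: [(domain, name), ...]} for gids claimed by more than one domain."""
    by_gid = defaultdict(set)
    for domain, name, gid in parse_groups(text, default_domain):
        by_gid[gid].add((domain, name))
    return {gid: sorted(owners) for gid, owners in by_gid.items()
            if len({d for d, _ in owners}) > 1}

def find_out_of_range(text, ranges=RANGES, default_domain="PRIMARYDOMAIN"):
    """Return [(domain, name, gid)] where the gid is outside the domain's
    configured range, or the domain has no configured range at all."""
    flagged = []
    for domain, name, gid in parse_groups(text, default_domain):
        low, high = ranges.get(domain, (None, None))
        if low is None or not low <= gid <= high:
            flagged.append((domain, name, gid))
    return flagged

if __name__ == "__main__":
    for gid, owners in sorted(find_gid_collisions(SAMPLE).items()):
        print(f"gid {gid} shared across domains:", ", ".join(f"{d}\\{n}" for d, n in owners))
    for domain, name, gid in find_out_of_range(SAMPLE):
        print(f"{domain}\\{name}: gid {gid} is outside the range configured for {domain}")
```

On a live host the same functions can be fed the text of the group listing instead of SAMPLE; a shared gid means file ownership and group-based access checks cannot distinguish the two domains' groups.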