hi, after we migrate our samba server SERVER from 2.x to 3.0.4 (which was not so easy and I can recommend everyone the convmv tool to convert the old filenames to the new one utf8), and we (finaly) able to join to the ADS server (the samba server is a simple ADS memeber server). we have a few problems: - the win2000 clients can see the shares on the samba server if and only if they are member of the same domain and the user login to the same domain as the samba server. ie. if we has DOM1 and the win2000 client login to local workstation (or other domain) rather than the domain of the samba server the we got the following error: "\\SERVER is not accessible. The trust relationship between this workstation and the primary domain failed." - another problem is that the win9x clients are no longer able to connect to the samba sever. they alway got a prompt for the password for \\SERVER\IPC$. but of course they don't know such a password. - the worst thing is that I try to use samba 3.0.4 as security = DOMAIN rather then the new ADS, but it's even worst! it seems that samba 3 is no longer able to take part as a NT style domain member in an ads enviroment (while at the same time samba 2 is able to do that and can be used from both win9x and win2000 clients. - netbios alias are not working even in the same domain. ie if I has an alias SERVER2 to SERVER, then I've got the same error as out of domain case: "\\SERVER2 is not accessible. The trust relationship between this workstation and the primary domain failed."
most of these sound like configuation problems and not source level bugs. Also please make sure you apply the 3.0.4 patch at http://samba.org/~jerry/patches/post03.0.4/ (In reply to comment #0) > - the win2000 clients can see the shares on the samba > server if and only if they are member of the same domain > and the user login to the same domain as the samba > server. ie. if we has DOM1 and the win2000 client > login to local workstation (or other domain) rather than > the domain of the samba server the we got the following error: > "\\SERVER is not accessible. The trust relationship between > this workstation and the primary domain failed." please provide level 10 debug logs, your smb.conf, and any other relevant information. > - another problem is that the win9x clients are no longer > able to connect to the samba sever. they alway got a prompt > for the password for \\SERVER\IPC$. but of course they don't > know such a password. > > - the worst thing is that I try to use samba 3.0.4 as > security = DOMAIN rather then the new ADS, but it's > even worst! it seems that samba 3 is no longer able > to take part as a NT style domain member in an ads > enviroment (while at the same time samba 2 is able to > do that and can be used from both win9x and win2000 clients. more detail. > - netbios alias are not working even in the same domain. please search the mailing archives with regards to the 'smb ports' and 'netbios aliases'. Then provide more information if you still think you have found a bug.
the problem was solved! after a MS AD crash we are not able to recover or AD and the result was that we split the AD (ie. some part was on server A some another part on server B, the kerberos server is on B). although from any windows the two server seems to identical (both are AD) from samba there are different. in our smb.conf we put: password server = A, B this cause the problem. after we change it to password server = B everything is working:-) the strange is why is it working when you log into the saam domain as the samba server and why not when other domain? so it seems to me there may have some bug in the samba code too. if you still need some debug logs or other info I can switch it back for a few minutes.
kerberos logins are done using the service ticket so the 'password server' doesn't really participate here. See libsmb/namequery.c:get_dc_list(). I'm going to close this out since the current interaction between the 'password server' parameter and krb5 logins (or lack thereof) is by design. Thanks for providing the update.