Bug 1381 - ads/domain member server can be visible
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.4
Hardware: Other other
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Reported: 2004-05-25 03:41 UTC by Levente Farkas
Modified: 2004-06-07 06:21 UTC
Description Levente Farkas 2004-05-25 03:41:03 UTC
hi,
after we migrated our samba server SERVER from 2.x to 3.0.4 (which was not so
easy, and I can recommend to everyone the convmv tool to convert the old filenames
to the new utf8 ones), and we were (finally) able to join the ADS server (the samba
server is a simple ADS member server),
we have a few problems:

- the win2000 clients can see the shares on the samba server if and only if they
are members of the same domain and the user logs in to the same domain as the samba
server. i.e. if we have DOM1 and the win2000 client logs in to the local workstation (or
another domain) rather than the domain of the samba server, then we get the
following error:
"\\SERVER is not accessible.
 The trust relationship between this workstation and the primary domain failed."

- another problem is that the win9x clients are no longer able to connect to the
samba server. they always get a prompt for the password for \\SERVER\IPC$. but of
course they don't know such a password.

- the worst thing is that I tried to use samba 3.0.4 with security = DOMAIN rather
than the new ADS, but it's even worse! it seems that samba 3 is no longer able
to take part as an NT style domain member in an ads environment (while at the same
time samba 2 is able to do that and can be used from both win9x and win2000 clients).

- netbios aliases are not working even in the same domain. i.e. if I have an alias
SERVER2 for SERVER, then I get the same error as in the out-of-domain case:
"\\SERVER2 is not accessible.
 The trust relationship between this workstation and the primary domain failed."
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-06-02 13:13:09 UTC
most of these sound like configuration problems and 
not source level bugs.  

Also please make sure you apply the 3.0.4 patch at 
http://samba.org/~jerry/patches/post03.0.4/

(In reply to comment #0)

> - the win2000 clients can see the shares on the samba 
> server if and only if they are members of the same domain 
> and the user logs in to the same domain as the samba
> server. i.e. if we have DOM1 and the win2000 client 
> logs in to the local workstation (or another domain) rather than 
> the domain of the samba server, then we get the following error:
> "\\SERVER is not accessible.  The trust relationship between 
> this workstation and the primary domain failed."

please provide level 10 debug logs, your smb.conf, and any 
other relevant information.

> - another problem is that the win9x clients are no longer 
> able to connect to the samba server. they always get a prompt 
> for the password for \\SERVER\IPC$. but of course they don't 
> know such a password.
> 
> - the worst thing is that I tried to use samba 3.0.4 with 
> security = DOMAIN rather than the new ADS, but it's 
> even worse! it seems that samba 3 is no longer able
> to take part as an NT style domain member in an ads 
> environment (while at the same time samba 2 is able to 
> do that and can be used from both win9x and win2000 clients).

more detail.

> - netbios aliases are not working even in the same domain. 

please search the mailing archives with regards to the 
'smb ports' and 'netbios aliases'.  Then provide more 
information if you still think you have found a bug.
Comment 2 Levente Farkas 2004-06-07 04:04:39 UTC
the problem was solved! after an MS AD crash we were not able to recover our AD and
the result was that we split the AD (i.e. some part was on server A, some other
part on server B, the kerberos server is on B). although from any windows machine the
two servers seem to be identical (both are AD), from samba they are different. in
our smb.conf we put:
password server = A, B
this caused the problem. after we changed it to
password server = B
everything is working :-)
the strange thing is: why does it work when you log into the same domain as the samba
server and why not with another domain? so it seems to me there may be some bug
in the samba code too.
if you still need some debug logs or other info I can switch it back for a few
minutes.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2004-06-07 06:21:53 UTC
kerberos logins are done using the service ticket
so the 'password server' doesn't really participate 
here.  See libsmb/namequery.c:get_dc_list().

I'm going to close this out since the current 
interaction between the 'password server' parameter and
krb5 logins (or lack thereof) is by design.

Thanks for providing the update.