Bug 2077 - Cannot map home directory and execute login scripts after login to trusted domain
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.8
Hardware: x86 Windows XP
Importance: P1 normal
Target Milestone: none
Assigned To: Jim McDonough
QA Contact: Samba QA Contact
Reported: 2004-11-22 23:46 UTC by Adrian Chow
Modified: 2005-08-24 10:21 UTC

Attachments
Trace of netrsamlogonsam RPC from NT DC (26.90 KB, application/octet-stream)
2005-07-06 12:30 UTC, John Janosik
Patch to add login authorization server to server_info_3 (1.76 KB, patch)
2005-07-13 13:01 UTC, Jim McDonough

Description Adrian Chow 2004-11-22 23:46:39 UTC
I have 2 domains A and B.  They are mutually trusting each other.  Hence joining
a computer to domain A allows userB from domain B to log in to Domain_B as well.

The backend for both the samba domain servers is on LDAP.  nsswitch has
winbind in it.  wbinfo -u/-g on both servers will show users and groups of the
remote domains.  Winbind is working.  wbinfo -t succeeded.

Each user has attributes sambaHomeDrive and sambaHomePath stored in the LDAP.

Scenario:
1.  When Domain_A_user logs in to Domain_A on Domain_A_computer, the
sambaHomeDrive and sambaHomePath are mapped properly.  Logon scripts specified in
LDAP are properly read and executed.
2.  When Domain_B_user logs in to Domain_B on Domain_A_computer, the home
directory and the login scripts from Domain_B are not executed.  Login is
however successful.

Going through the log files, the authentication is successful but on the
Domain_A_controller, it is trying to create /home/DOMAIN_B/DOMAIN_B_user and
then trying to make that the home directory.  Isn't it supposed to get info from
the Domain_B_controller and properly map and execute the logon scripts?

Igor Belyi (a great help) can testify to our arduous task to try to make it
work. At the end, he mentioned to hack the source.
Comment 1 Wolfgang Ratzka 2005-03-21 10:16:52 UTC
(In reply to comment #0)
> I have 2 domains A and B.  They are mutually trusting each other.  Hence joining
> a computer to domain A allows userB from domain B to login to Domain_B as well.
> 
> The backend for both the samba domain servers are on LDAP.  nsswitch have
> winbind in it.  wbinfo -u/-g on both servers will show user and group of the
> remote domains.  Winbind is working.  Wbinfo -t succeeded.

> 2.  When Domain_B_user logins to Domain_B on Domain_A_computer, the home
> directory and the login scripts from Domain_B are not executed.  Login is
> however successful.
> 

Let me just add that I can reproduce that with DOMAIN_A on Samba/LDAP
and DOMAIN_B an NT 4.0 Domain.
Comment 2 John Janosik 2005-07-01 12:59:03 UTC
I have duplicated this bug with two Samba 3.0.14a Domains.  I have not had time
to test but I suspect that Samba should be returning the name of the
authenticating domain controller in the netrsamlogonrequest response rather than
its own hostname.

The code in question is at rpc_server/srv_netlog_nt.c, line 795, in the
init_net_user_info3 call.

I'll have to create a new test environment next week as the one I was using has
been put into production.  I should know for sure then if this is the bug.
Comment 3 Jeremy Allison 2005-07-04 22:17:47 UTC
I'm eagerly awaiting your report - I'd like to get this fixed for 3.0.20...

Thanks,

Jeremy.
Comment 4 John Janosik 2005-07-06 12:30:00 UTC
Created attachment 1295 [details]
Trace of netrsamlogonsam RPC from NT DC

I got a network trace from the following situation that shows the NT DC does
return the name of the authenticating server rather than its own name.

host jpjnt(9.10.70.155) NT 4 sp6a DC for JPJNTDOM
host jpjlin(9.10.70.79) Samba 3.0.14a DC for JPJLIN1
host jpjw2k1(9.10.70.126) Win2k pro sp4 joined to JPJNTDOM.

Trace is taken on jpjnt and covers logon of JPJLIN1\ajpjanos on jpjw2k1.  The
request packet is #34, the response is in #67.  I have also taken a trace of a
user from the NT domain logging into the win2k box when it is joined to the
Samba domain.  Samba is returning a different info level; I'm not sure what
combination I need to get a Windows box to return that info level for a better
comparison.
Comment 5 John Janosik 2005-07-07 14:42:28 UTC
Well I decided to just go ahead and test having Samba return the authenticating
server name instead of its own name and now login scripts run OK in this
situation.  I'll ask jmcd to attach my patch when he gets back in the office as
I'm not allowed to post code.
Comment 6 Jim McDonough 2005-07-13 13:01:24 UTC
Created attachment 1305 [details]
Patch to add login authorization server to server_info_3

This is the patch from John.
Comment 7 Jim McDonough 2005-07-13 13:04:33 UTC
I checked in John's patch, with a few minor formatting changes and a comment. 
Thanks, John!
Comment 8 Gerald (Jerry) Carter 2005-08-24 10:21:21 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.