I have 2 domains A and B. They are mutually trusting each other. Hence joining a computer to domain A allows userB from domain B to log in to Domain_B as well. The backends for both the Samba domain servers are on LDAP. nsswitch has winbind in it. wbinfo -u/-g on both servers will show users and groups of the remote domains. Winbind is working. wbinfo -t succeeded. Each user has the attributes sambaHomeDrive and sambaHomePath stored in the LDAP.
Scenario:
1. When Domain_A_user logs in to Domain_A on Domain_A_computer, the sambaHomeDrive and sambaHomePath are mapped properly. Logon scripts specified in LDAP are properly read and executed.
2. When Domain_B_user logs in to Domain_B on Domain_A_computer, the home directory and the login scripts from Domain_B are not executed. Login is however successful.
Going through the log files, the authentication is successful but on the Domain_A_controller, it is trying to create /home/DOMAIN_B/DOMAIN_B_user and then trying to make that the home directory. Isn't it supposed to get info from the Domain_B_controller and properly map and execute the logon scripts? Igor Belyi (a great help) can testify to our arduous task to try to make it work. At the end, he mentioned to hack the source.
(In reply to comment #0)
> I have 2 domains A and B. They are mutually trusting each other. Hence joining
> a computer to domain A allows userB from domain B to log in to Domain_B as well.
>
> The backends for both the Samba domain servers are on LDAP. nsswitch has
> winbind in it. wbinfo -u/-g on both servers will show users and groups of the
> remote domains. Winbind is working. wbinfo -t succeeded.
> 2. When Domain_B_user logs in to Domain_B on Domain_A_computer, the home
> directory and the login scripts from Domain_B are not executed. Login is
> however successful.
>
Let me just add that I can reproduce that with DOMAIN_A on Samba/LDAP and DOMAIN_B an NT 4.0 domain.
I have duplicated this bug with two Samba 3.0.14a domains. I have not had time to test but I suspect that Samba should be returning the name of the authenticating domain controller in the netrsamlogonrequest response rather than its own hostname. The code in question is at rpc_server/srv_netlog_nt.c, line 795, in the init_net_user_info3 call. I'll have to create a new test environment next week as the one I was using has been put into production. I should know for sure then if this is the bug.
I'm eagerly awaiting your report - I'd like to get this fixed for 3.0.20... Thanks, Jeremy.
Created attachment 1295: Trace of netrsamlogonsam RPC from NT DC
I got a network trace from the following situation that shows the NT DC does return the name of the authenticating server rather than its own name.
host jpjnt (9.10.70.155): NT 4 sp6a DC for JPJNTDOM
host jpjlin (9.10.70.79): Samba 3.0.14a DC for JPJLIN1
host jpjw2k1 (9.10.70.126): Win2k Pro sp4 joined to JPJNTDOM
The trace is taken on jpjnt and covers the logon of JPJLIN1\ajpjanos on jpjw2k1. The request packet is #34, the response is in #67. I have also taken a trace of a user from the NT domain logging into the Win2k box when it is joined to the Samba domain. Samba is returning a different info level; I'm not sure what combination I need to get a Windows box to return that info level for a better comparison.
Well, I decided to just go ahead and test having Samba return the authenticating server name instead of its own name, and now login scripts run OK in this situation. I'll ask jmcd to attach my patch when he gets back in the office as I'm not allowed to post code.
Created attachment 1305: Patch to add login authorization server to server_info_3
This is the patch from John.
I checked in John's patch, with a few minor formatting changes and a comment. Thanks, John!
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.