I have 2 domains A and B. They are mutually trusting each other. Hence joining
a computer to domain A allows userB from domain B to login to Domain_B as well.
The backend for both the samba domain servers are on LDAP. nsswitch have
winbind in it. wbinfo -u/-g on both servers will show user and group of the
remote domains. Winbind is working. Wbinfo -t succeeded.
Each user have attributes sambaHomeDrive and sambaHomePath stored in the LDAP.
1. When Domain_A_user logins to Domain_A on Domain_A_computer, the
sambaHomeDrive and sambaHomePath is mapped properly. Logon scripts specifed in
LDAP are properly read and executed.
2. When Domain_B_user logins to Domain_B on Domain_A_computer, the home
directory and the login scripts from Domain_B are not executed. Login is
Going thru the log files, the authentication is successful but on the
Domain_A_controller, it is trying to create /home/DOMAIN_B/DOMAIN_B_user and
then trying to make that the home directory. Isn't it suppose to get info from
the Domain_B_controller and properly map and execute the logon scripts?
Igor Belyi (a great help) can testify to our audious task to try to make it
work. At the end, he mentioned to hack the source.
(In reply to comment #0)
> I have 2 domains A and B. They are mutually trusting each other. Hence joining
> a computer to domain A allows userB from domain B to login to Domain_B as well.
> The backend for both the samba domain servers are on LDAP. nsswitch have
> winbind in it. wbinfo -u/-g on both servers will show user and group of the
> remote domains. Winbind is working. Wbinfo -t succeeded.
> 2. When Domain_B_user logins to Domain_B on Domain_A_computer, the home
> directory and the login scripts from Domain_B are not executed. Login is
> however successful.
Let me just add, that I can reproduce that with DOMAIN_A on Samba/LDAP
and DOMAIN_B a NT 4.0 Domain.
I have duplicated this bug with two Samba 3.0.14a Domains. I have not had time
to test but I suspect that Samba should be returning the name of the
authenticating domain controller in the netrsamlogonrequest response rather than
its own hostname.
The code in question is at rpc_server/srv_netlog_nt.c, line 795. In the
I'll have to create a new test environment next week as the one I was using has
been put into production. I should now for sure then if this is the bug.
I'm eagerly awaiting your report - I'd like to get this fixed for 3.0.20...
Created attachment 1295 [details]
Trace of netrsamlogonsam RPC from NT DC
I got a network trace from the following situation that shows the NT DC does
return the name of the authenticating server rather than its own name.
host jpjnt(126.96.36.199) NT 4 sp6a DC for JPJNTDOM
host jpjlin(188.8.131.52) Samba 3.0.14a DC for JPJLIN1
host jpjw2k1(184.108.40.206) Win2k pro sp4 joined to JPJNTDOM.
Trace is taken on jpjnt and covers logon of JPJLIN1\ajpjanos on jpjw2k1. The
request packet is #34, the response is in #67. I have also taken a trace of a
user from the NT domain logging into the win2k box when it is joined to the
Samba domain. Samba is returning a different info level, I'm not sure what
combination I need to get a Windows box to return that info level for a better
Well I decided to just go ahead and test having Samba return the authenticating
server name instead of its own name and now login scripts run OK in this
situation. I'll ask jmcd to attach my patch when he gets back in the office as
I'm not allowed to post code.
Created attachment 1305 [details]
Patch to add login authorization server to server_info_3
This is the patch from John
I checked in John's patch, with a few minor formatting changes and a comment.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.