The Samba-Bugzilla – Bug 265
transitive trusts not working with mixed mode 2k DC's
Last modified: 2005-02-07 08:41:30 UTC
Here's what I've discovered so far with this
+-- CAMP (mixed-mode)
+-- KAMA (mixed-mode)
+-- JAYA (native-mode)
I know you said it must be native mode, but the DCs I was using were mixed
mode so I did some testing there first (once you change to native mode, you
can't go back). I had 2 mixed-mode DCs that are both Win2000 SP3.
The mixed-mode DCs basically acted like previous builds except that
enumerating users/groups showed them from all transitive trusts if "Allow
trusted domains" is enabled. That's nice. Authentication works as before,
i.e., authenticates against the DC and its parent.
wbinfo -m shows the same (self and parent), but wbinfo --sequence shows
sequence numbers from transitive trusts, too (if "Allow trusted domains" is
If "Allow trusted domains" is enabled, all users/groups on all transitive
trusts are displayed. Authentication works on all transitive trusts. Yea!
If "Allow trusted domains" is disabled, only users/groups in the domain
joined show up. Also, authentication only works on the joined domain.
Is that how it *should* work? Is there any way to enumerate users/groups
from the joined domain but authenticate against any domain?
We have a customer with 650+ domains. Clearly, enumerating all those
suckers will be painful. But if we join a "resource" domain, we'd want to
be able to authenticate against an "authentication" domain (that has all the
Also, do you think working with mixed-mode DCs is feasible?
Add Ken to the CC list. Asked for log.winbindd via email
Cannot reproduce this. Using the following 2k domain tree:
+-- FROST (native)
+-- AQUA (native)
+-- FRUIT (mixed)
Joined Samba 3.0 box to FRUIT.
# wbinfo -m
VALE is a Samba domain with an explicit 2-way trust setup.
Ken can't reproduce it either. Closing this one.
Originally reported against 3.0.0beta3. Cleaning out
non-production release versions.