Bug 265 - transitive trusts not working with mixed mode 2k DC's
Summary: transitive trusts not working with mixed mode 2k DC's
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.0preX
Hardware: Other other
Importance: P2 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Reported: 2003-08-02 08:46 UTC by Gerald (Jerry) Carter (dead mail address)
Modified: 2005-02-07 08:41 UTC (History)
Description Gerald (Jerry) Carter (dead mail address) 2003-08-02 08:46:14 UTC
Here's what I've discovered so far with this
setup:


 PARENT
  +-- CAMP (mixed-mode)
  +-- KAMA (mixed-mode)
       +-- JAYA (native-mode)


Mixed-mode DCs

I know you said it must be native mode, but the DCs I was using were mixed
mode so I did some testing there first (once you change to native mode, you
can't go back).  I had 2 mixed-mode DCs that are both Win2000 SP3.

The mixed-mode DCs basically acted like previous builds except that
enumerating users/groups showed them from all transitive trusts if "Allow
trusted domains" is enabled.  That's nice.  Authentication works as before,
i.e., authenticates against the DC and its parent.

wbinfo -m shows the same (self and parent), but wbinfo --sequence shows
sequence numbers from transitive trusts, too (if "Allow trusted domains" is
enabled).


Native-mode DCs

If "Allow trusted domains" is enabled, all users/groups on all transitive
trusts are displayed.  Authentication works on all transitive trusts.  Yea!

If "Allow trusted domains" is disabled, only users/groups in the domain
joined show up.  Also, authentication only works on the joined domain.


Wish List

Is that how it *should* work?  Is there any way to enumerate users/groups
from the joined domain but authenticate against any domain?

We have a customer with 650+ domains.  Clearly, enumerating all those
suckers will be painful.  But if we join a "resource" domain, we'd want to
be able to authenticate against an "authentication" domain (that has all the
user accounts).

Also, do you think working with mixed-mode DCs is feasible?
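The behaviour described in this report (and the "wish list" question) comes down to a few winbind settings, so here is an smb.conf fragment for a Samba 3.0 member server joined to a Windows 2000 domain, showing the "allow trusted domains" setting in both states and the enumeration switches that go beyond what the report tested. This is an added example, not configuration from the bug report or from the Samba project; the domain, realm and idmap ranges are assumptions. It relies on "winbind enum users/groups" only affecting getpwent()/getgrent()-style enumeration, not name/SID lookups or authentication, which is how those parameters are documented.

```ini
; Added example, not from this bug report or the Samba project.
; smb.conf fragment for a Samba 3.0 domain member in a Windows 2000 forest.
; FRUIT, the realm and the idmap ranges below are assumed values.
[global]
   workgroup = FRUIT
   realm = FRUIT.AD.EXAMPLE
   security = ads
   encrypt passwords = yes

   ; Behaviour reported above when this is off: winbind only sees the
   ; joined domain, so "wbinfo -m" lists nothing else and accounts from
   ; the rest of the forest cannot authenticate through this server.
   ;allow trusted domains = no

   ; Let winbind follow the transitive trusts, so accounts anywhere in
   ; the forest (plus any explicit trusts such as VALE) can authenticate.
   allow trusted domains = yes

   ; The "wish list" case: keep forest-wide authentication but do not
   ; enumerate users/groups from hundreds of domains. Name and SID
   ; lookups and authentication still work; only full enumeration
   ; (getent passwd / getent group walks) is disabled.
   winbind enum users = no
   winbind enum groups = no

   ; Unix id allocation for domain accounts (assumed ranges).
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   ; Keep the DOMAIN+user form so accounts from different domains
   ; cannot collide on a bare user name.
   winbind use default domain = no
   winbind separator = +
   winbind cache time = 300
```

To check the result, run `testparm -s | grep -i 'allow trusted domains'` to confirm the setting winbind actually loaded, `wbinfo -m` (as in Comment 2) to see which trusted domains winbind knows about, and `wbinfo -a DOMAIN+user%password` for a user from a domain that is only reachable through a transitive trust; with enumeration disabled, `getent passwd` will show only local accounts even though that authentication succeeds.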
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-08-02 08:47:35 UTC
Add Ken to the CC list.   Asked for log.winbindd via email
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-08-02 08:55:31 UTC
Cannot reproduce this.  Using the following 2k domain tree:

        AD (native)
        +-- FROST (native)
            +-- AQUA (native)
        +-- FRUIT (mixed)

Joined Samba 3.0 box to FRUIT.

        # wbinfo -m
        AQUA
        FROST
        VALE
        AD

VALE is a Samba domain with an explicit 2-way trust setup.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-08-02 11:19:30 UTC
Ken can't reproduce it either.  Closing this one.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:41:30 UTC
originally reported against 3.0.0beta3.  Cleaning out
non-production release versions.