Here's what I've discovered so far with this setup:

PARENT
+-- CAMP (mixed-mode)
+-- KAMA (mixed-mode)
+-- JAYA (native-mode)

Mixed-mode DCs

I know you said it must be native mode, but the DCs I was using were mixed mode so I did some testing there first (once you change to native mode, you can't go back). I had 2 mixed-mode DCs that are both Win2000 SP3. The mixed-mode DCs basically acted like previous builds except that enumerating users/groups showed them from all transitive trusts if "Allow trusted domains" is enabled. That's nice. Authentication works as before, i.e., authenticates against the DC and its parent. wbinfo -m shows the same (self and parent), but wbinfo --sequence shows sequence numbers from transitive trusts, too (if "Allow trusted domains" is enabled).

Native-mode DCs

If "Allow trusted domains" is enabled, all users/groups on all transitive trusts are displayed. Authentication works on all transitive trusts. Yea! If "Allow trusted domains" is disabled, only users/groups in the domain joined show up. Also, authentication only works on the joined domain.

Wish List

Is that how it *should* work? Is there any way to enumerate users/groups from the joined domain but authenticate against any domain? We have a customer with 650+ domains. Clearly, enumerating all those suckers will be painful. But if we join a "resource" domain, we'd want to be able to authenticate against an "authentication" domain (that has all the user accounts). Also, do you think working with mixed-mode DCs is feasible?
Add Ken to the CC list. Asked for log.winbindd via email.
Cannot reproduce this. Using the following 2k domain tree:

AD (native)
+-- FROST (native)
+-- AQUA (native)
+-- FRUIT (mixed)

Joined Samba 3.0 box to FRUIT.

# wbinfo -m
AQUA
FROST
VALE
AD

VALE is a Samba domain with an explicit 2-way trust setup.
Ken can't reproduce it either. Closing this one.
Originally reported against 3.0.0beta3. Cleaning out non-production release versions.