The Samba-Bugzilla – Bug 266
cannot access 2k file server in samba domain from XP client in trusted domain
Last modified: 2005-08-24 10:16:29 UTC
From Jeremy Drake <jeremy at apptechsys dot com>:
When I browse from a machine in a trusted win2k domain
to a win2k member of a trusting samba domain, I get
the following error:
The system detected a possible attempt to compromise
security. Please ensure that you can contact the server
that authenticated you.
The event logs on the box I'm trying to connect to have
entries regarding group policy not being applied because it is
a member of a downlevel domain. Could this be the problem,
or am I missing something stupid here?
If it helps, here's my setup. There is an AD domain and a
samba domain. The samba domain trusts the AD domain. XP box
is a member of the AD domain, 2k box is a member of the samba
domain. When I browse from XP box to samba box, everything is
good (now that I have the latest code). When I browse from XP box
to 2k box, I get the security message above. Using 3.0beta2 smbclient
from a member of the AD domain to access 2k box works properly.
I have been able to reproduce some problems when the win2k
member server is running SP3 but SP4 machines appear to
work correctly. Does this match your experience?
SP2 seems to work ok as well....still testing
It works correctly for me on a clean (just installed) sp3 box, but not on the
one that has been around a while (and a member of another domain). I can do
some more testing as to whether or not previous domain membership will affect
this. Will let you know
Lowering the priority since this does not readily occur as
often as first believed.
I just figured it out. If there is a computer account in the win2k domain for
the machine in question, and it is disabled, then this problem rears its ugly
head. If there is no computer account (removed or never existed), or if that
account is still intact (ie you just joined it to another domain) everything
seems to be fine. Note that by default, when you unjoin a domain (the win2k
domain), the computer tries to automatically disable the computer account in
the domain. If you are running as an account which has privileges to do this
when you unjoin the machine, it is done, otherwise it is not done. I believe
this is the key to our problem. Check and see if this works on your box which
reproduces this, and if it does, there should probably be a note in some
documentation warning of this behavior.
Jeremy, you are a genius! I believe your analysis is spot on.
My tests show the same thing. I'm moving this to the documentation
area since there's not much we can do about
John, would you or Jelmer add this to the FAQ or somewhere? Thanks.
I added this to the Common Errors section of the Interdomain Trusts Chapter of
originally reported against 3.0.0beta3. Cleaning out
non-production release versions.
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
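
The condition identified in this report (a disabled computer account left in the trusted win2k/AD domain for a machine that is now a member of the Samba domain) can be checked for ahead of time. The following is an added example, not part of the bug report or of Samba: it assumes the trusted domain's computer objects have been exported as simple LDIF (no folded or base64 lines), and the host names and sample data are constructed.

```python
"""Flag disabled machine accounts left in the trusted AD domain (added example)."""

ACCOUNTDISABLE = 0x0002             # userAccountControl flag: account disabled
WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl flag: machine account

# Constructed sample: LDIF-style export of computer objects from the trusted
# AD domain. All names and DNs are hypothetical.
SAMPLE_LDIF = """\
dn: CN=FILESRV1,CN=Computers,DC=ad,DC=example,DC=com
sAMAccountName: FILESRV1$
userAccountControl: 4098

dn: CN=XPBOX,CN=Computers,DC=ad,DC=example,DC=com
sAMAccountName: XPBOX$
userAccountControl: 4096

dn: CN=OLDBOX,CN=Computers,DC=ad,DC=example,DC=com
sAMAccountName: OLDBOX$
userAccountControl: 4098
"""

def parse_ldif(text):
    """Split an LDIF export into dicts of attribute -> value (single-valued)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry[key.lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def stale_disabled_accounts(ldif_text, samba_members):
    """Return Samba-domain members that still have a disabled machine
    account in the trusted domain (the trigger described in this bug)."""
    wanted = {m.upper().rstrip("$") for m in samba_members}
    hits = []
    for e in parse_ldif(ldif_text):
        uac = int(e.get("useraccountcontrol", "0"))
        name = e.get("samaccountname", "").upper().rstrip("$")
        is_machine = bool(uac & WORKSTATION_TRUST_ACCOUNT)
        if is_machine and uac & ACCOUNTDISABLE and name in wanted:
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    print(stale_disabled_accounts(SAMPLE_LDIF, ["filesrv1", "newbox"]))
```

Per the analysis above, a host reported by this check should have its old account in the trusted domain either removed or left intact rather than disabled.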