From Jeremy Drake <jeremy at apptechsys dot com>: When I browse from a machine in a trusted win2k domain to a win2k member of a trusting samba domain, I get the following error: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you." The event logs on the box I'm trying to connect to have entries regarding group policy not being applied because it is a member of a downlevel domain. Could this be the problem, or am I missing something stupid here?
More comments... If it helps, here's my setup. There is an AD domain and a samba domain. The samba domain trusts the AD domain. XP box is a member of the AD domain, 2k box is a member of the samba domain. When I browse from XP box to samba box, everything is good (now that I have the latest code). When I browse from XP box to 2k box, I get the security message above. Using 3.0beta2 smbclient from a member of the AD domain to access 2k box works properly.
I have been able to reproduce some problems when the win2k member server is running SP3, but SP4 machines appear to work correctly. Does this match your experience?
SP2 seems to work OK as well... still testing.
It works correctly for me on a clean (just installed) SP3 box, but not on the one that has been around a while (and a member of another domain). I can do some more testing as to whether or not previous domain membership will affect this. Will let you know.
Lowering the priority since this does not readily occur as often as first believed.
I just figured it out. If there is a computer account in the win2k domain for the machine in question, and it is disabled, then this problem rears its ugly head. If there is no computer account (removed or never existed), or if that account is still intact (i.e. you just joined it to another domain), everything seems to be fine. Note that by default, when you unjoin a domain (the win2k domain), the computer tries to automatically disable the computer account in the domain. If you are running as an account which has privileges to do this when you unjoin the machine, it is done, otherwise it is not done. I believe this is the key to our problem. Check and see if this works on your box which reproduces this, and if it does, there should probably be a note in some documentation warning of this behavior.
Jeremy, you are a genius! I believe your analysis is spot on. My tests show the same thing. I'm moving this to the documentation area since there's not much we can do about it. John, would you or Jelmer add this to the FAQ or somewhere? Thanks.
I added this to the Common Errors section of the Interdomain Trusts Chapter of the HOWTO.
Originally reported against 3.0.0beta3. Cleaning out non-production release versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
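The condition diagnosed in this thread, a disabled computer account left behind in the win2k domain for a machine that is now a member of the Samba domain, can be checked for from an LDIF export of the domain's computer accounts. This is an added example, not part of the original bug report or of Samba's code; the export layout, host names and function names are assumptions, and the sample data is constructed.

```python
import base64
import re

ACCOUNTDISABLE = 0x0002             # userAccountControl bit: account is disabled
WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl bit: computer account

def parse_ldif(text):
    """Return one {attribute: first value} dict per LDIF entry."""
    text = re.sub(r"\r?\n ", "", text)      # undo LDIF folding (newline + one space)
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():                # a blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
        elif ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), value.strip())
    return entries

def stale_disabled_accounts(ldif_text, samba_members):
    """Names in samba_members that still have a disabled computer account in the export."""
    wanted = {m.lower().rstrip("$") for m in samba_members}
    hits = []
    for e in parse_ldif(ldif_text):
        uac = e.get("useraccountcontrol", "")
        flags = int(uac) if uac.isdigit() else 0
        name = e.get("samaccountname", "").rstrip("$")
        if (flags & WORKSTATION_TRUST_ACCOUNT and flags & ACCOUNTDISABLE
                and name.lower() in wanted):
            hits.append(name)
    return sorted(hits)

# Constructed sample export (hypothetical hosts, not taken from the bug report)
SAMPLE_LDIF = """\
dn: CN=W2KBOX,CN=Computers,DC=ad,DC=example
sAMAccountName: W2KBOX$
userAccountControl: 4098

dn: CN=XPBOX,CN=Computers,DC=ad,DC=example
sAMAccountName: XPBOX$
userAccountControl: 4096

dn: CN=OLDBOX,CN=Computers,
 DC=ad,DC=example
sAMAccountName:: T0xEQk9YJA==
userAccountControl: 4098
"""
```

Any name returned by `stale_disabled_accounts` is a machine whose old account in the win2k domain is still present and disabled, which is the state the thread associates with the error.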