Bug 266 - cannot access 2k file server in samba domain from XP client in trusted domain
Summary: cannot access 2k file server in samba domain from XP client in trusted domain
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Docs
Version: 3.0.0preX
Hardware: Other other
Importance: P3 normal
Target Milestone: none
Assignee: John H Terpstra (mail address dead)
Reported: 2003-08-02 08:50 UTC by Gerald (Jerry) Carter (dead mail address)
Modified: 2005-08-24 10:16 UTC

Description Gerald (Jerry) Carter (dead mail address) 2003-08-02 08:50:16 UTC
From Jeremy Drake <jeremy at apptechsys dot com>:

------------------------------------------

When I browse from a machine in a trusted win2k domain 
to a win2k member of a trusting samba domain, I get 
the following error:

   The system detected a possible attempt to compromise 
   security. Please ensure that you can contact the server 
   that authenticated you.

The event logs on the box I'm trying to connect to have 
entries regarding group policy not being applied because it is 
a member of a downlevel domain.  Could this be the problem, 
or am I missing something stupid here?
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-08-02 08:51:15 UTC
more comments....


If it helps, here's my setup.  There is an AD domain and a 
samba domain.  The samba domain trusts the AD domain.  XP box 
is a member of the AD domain, 2k box is a member of the samba 
domain.  When I browse from XP box to samba box, everything is 
good (now that I have the latest code).  When I browse from XP box 
to 2k box, I get the security message above.  Using 3.0beta2 smbclient 
from a member of the AD domain to access 2k box works properly.

Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-08-05 22:47:24 UTC
I have been able to reproduce some problems when the win2k 
member server is running SP3, but SP4 machines appear to 
work correctly.  Does this match your experience?
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-08-06 10:12:09 UTC
SP2 seems to work ok as well....still testing
Comment 4 Jeremy Drake 2003-08-06 10:33:27 UTC
It works correctly for me on a clean (just installed) sp3 box, but not on the 
one that has been around a while (and a member of another domain).  I can do 
some more testing as to whether or not previous domain membership will affect 
this.  Will let you know
Comment 5 Gerald (Jerry) Carter (dead mail address) 2003-08-06 11:05:57 UTC
Lowering the priority since this does not readily occur as
often as first believed.
Comment 6 Jeremy Drake 2003-08-06 12:29:33 UTC
I just figured it out.  If there is a computer account in the win2k domain for 
the machine in question, and it is disabled, then this problem rears its ugly 
head.  If there is no computer account (removed or never existed), or if that 
account is still intact (ie you just joined it to another domain) everything 
seems to be fine.  Note that by default, when you unjoin a domain (the win2k 
domain), the computer tries to automatically disable the computer account in 
the domain.  If you are running as an account which has privileges to do this 
when you unjoin the machine, it is done, otherwise it is not done.  I believe 
this is the key to our problem.  Check and see if this works on your box which 
reproduces this, and if it does, there should probably be a note in some 
documentation warning of this behavior.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2003-08-06 14:27:46 UTC
Jeremy,  you are a genius!  I believe your analysis is spot on.
My tests show the same thing.  I'm moving this to the documentation
area since there's not much we can do about 

John, would you or Jelmer add this to the FAQ or somewhere?  Thanks.
Comment 8 John H Terpstra (mail address dead) 2003-10-18 10:38:05 UTC
I added this to the Common Errors section of the Interdomain Trusts Chapter of
the HOWTO.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:41:30 UTC
originally reported against 3.0.0beta3.  Cleaning out 
non-production release versions.
Comment 10 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:16:29 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.