personally significant discrepancy in samba 3.0.21c acting as a ``member server'' in a Windows 2003 domain versus (at least) Windows 2003 SP1: if samba isn't set to ``allow trusted domains'' then check_domain_match() will fail to validate NTLM logons that specify the fully-qualified domain of the user account, as indicated below. (all names [hopefully non-misleadingly] changed to keep with tradition)

don't know if anybody else cares, but, again, i have my reasons for wishing samba was a little more like Windows on just this one point

thanks
--buck, maryland, u.s.a.

linux% smbclient //windows/ipc\$ -c exit -W example
Password:
Domain=[EXAMPLE] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
linux% smbclient //windows/ipc\$ -c exit -W example.com
Password:
Domain=[EXAMPLE] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]
linux% smbclient //localhost/ipc\$ -c exit -W example
Password:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.0.21c]
linux% smbclient //localhost/ipc\$ -c exit -W example.com
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
linux% sudo grep -A`sudo wc -l /var/log/samba/log.linux | awk '{print $1}'` check_domain_match /var/log/samba/log.linux
[2006/05/26 07:11:21, 1] auth/auth.c:check_domain_match
  check_domain_match: Attempt to connect as user myaccount from domain EXAMPLE.COM denied.
should have proofed it before submitting it

actually, the stuff about ``allow trusted domains'' was conjectural based solely on looking at the code. i have no experience with changing that setting, but thought the speculation might help illuminate why this is happening with my config and maybe, by contrast, why it hasn't been noticed by anybody else, but it could be just a red herring
Created attachment 2038
patch that does what i want

no guarantee of efficiency, leak-free-ness, won't-eat-your-homework-ness, etc.
Buck, Connecting as EXAMPLE.COM\user and EXAMPLE\user are not the same thing. The proper fix is to support the UPN (user@example.com). So I'm going to reject this patch and look at a proper fix in the future.
could you elaborate, purely for my benefit, on why they're not the same thing? if the one is an alt_name for the other, then why shouldn't samba treat them equivalently, at least for purposes of the check_domain_match()/ lp_allow_trusted_domains()==False checking? anyway, i have my patch that works for me, so i'm not personally concerned about this, except for curiosity's sake; if you could take a second to satisfy that, i'd be appreciative. (on top of the usual appreciation for you guys' continued work on samba)
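
For triaging the check_domain_match denial quoted in the original report, the following is an added example (not part of the thread and not Samba code). It assumes the two-line log record layout shown in the report and a workgroup named EXAMPLE; the function names and the extra sample records are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout shown in the report (header line, then
# the message line); the second and third records are made up.
SAMPLE_LOG = """\
[2006/05/26 07:11:21, 1] auth/auth.c:check_domain_match
  check_domain_match: Attempt to connect as user myaccount from domain EXAMPLE.COM denied.
[2006/05/26 07:12:02, 1] auth/auth.c:check_domain_match
  check_domain_match: Attempt to connect as user alice from domain example.com denied.
[2006/05/26 07:15:40, 1] auth/auth.c:check_domain_match
  check_domain_match: Attempt to connect as user bob from domain OTHERCORP denied.
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] ")
DENIED = re.compile(
    r"check_domain_match: Attempt to connect as user (?P<user>.+?) "
    r"from domain (?P<domain>\S+) denied\.")


def classify(domain, workgroup):
    """'dns-form' if the rejected name is the workgroup plus a DNS suffix
    (EXAMPLE vs EXAMPLE.COM, the case in the report), else 'foreign'.
    Prefix match only: a triage hint, not proof the two names are related."""
    return "dns-form" if domain.upper().startswith(workgroup.upper() + ".") else "foreign"


def denials(log_text, workgroup):
    """Yield (timestamp, user, domain, kind) for every denial record."""
    ts = None
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            ts = h.group("ts")  # remember the header; the message may follow
        m = DENIED.search(line)  # also works if header and message share a line
        if m:
            yield ts, m.group("user"), m.group("domain"), classify(m.group("domain"), workgroup)


def summarize(log_text, workgroup):
    """Count denials per (kind, upper-cased domain)."""
    return Counter((kind, dom.upper()) for _, _, dom, kind in denials(log_text, workgroup))


if __name__ == "__main__":
    for row in denials(SAMPLE_LOG, "EXAMPLE"):
        print(*row)
    print(dict(summarize(SAMPLE_LOG, "EXAMPLE")))
```

A high count of dns-form denials points at clients sending the fully-qualified domain, as in this report; foreign denials are logons from a domain that does not share the workgroup prefix.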