I already posted the trusted domain issue on the mailing list, but I couldn't see a response about a trusted domain fix. Searching bugzilla, I did not find such an issue, so I am filing this one. I hope to track the issue here. Here is my trusted domain situation:

Parent domain
|-- Child1 domain <== Samba joined to
|-- Child2 domain
|-- Child3 domain
|-- Child4 domain
|-- Child5 domain

All domains are Windows 2003 DCs.

smb.conf:
[global]
workgroup = child1
security = ads
idmap uid = 20000-60000
idmap gid = 20000-60000

First of all, trusted domains work with 3.0.14a, but they did not work with Samba 3.0.22/3.0.23a. I checked the Samba 3.0.23b code, which has the same issue (not tested).

- In Samba 3.0.14a, a domain with an S-0-0 domain SID is allowed to be saved into the trust global variable domain_list. From Samba 3.0.22 on, saving such domains is disallowed. This behavior change blocks lookups or auth for trusted domains. Since, for an unknown reason, the RPC_NETLOGON dsrEnumerateDomainTrusts response contains a NULL pointer for some trusted domains in the trusted domain array, the new trustdom_recv() code checks string_to_sid() and rejects adding trusted domains with an S-0-0 domain SID into domain_list. I feel this might not be very reasonable, because I have the following domain list:

log.winbindd: Added domain CHILD1 CHILD1.MYDOM.COM S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
log.winbindd: Added domain BUILTIN S-1-5-32
log.winbindd: Added domain MYNETBIOS S-1-5-21-YYYYYYYYYY-YYYYYYYYYY-YYYYYYYYYY
log.winbindd: Added domain PARENT mydom.com S-1-5-21-ZZZZZZZZZZ-ZZZZZZZZZZ-ZZZZZZZZZZZ
log.winbindd: Added domain CHILD2 child2.mydom.com S-0-0
log.winbindd: Added domain CHILD3 child3.mydom.com S-0-0
log.winbindd: Added domain CHILD4 child4.mydom.com S-1-5-21-WWWWWWWWWW-WWWWWWWWWWW-WWWWWWWWWW
log.winbindd: Added domain CHILD5 child5.mydom.com S-1-5-21-VVVVVVVVVV-VVVVVVVVVVV-VVVVVVVVVV

That shows child2 and child3 got the S-0-0 SID. Meanwhile, the code would refuse to add child4 and child5 into the domain list.
I think it's worth removing the "break" statement, so that those trusted domains with S-0-0 are still added into domain_list. When enumerating trusts returns a NULL SID pointer, this doesn't mean the winbind RPC lookup failed. Actually, the winbind RPC lookup was always successful for those S-0-0 trusted domains.

- If S-0-0 is allowed to be added into domain_list, I can see a strange problem when a trusted domain user logs on. For example, on a child4\avaliduser logon we can see winbind initialize the winbind domain to the child1 domain, which was the first element in domain_list, due to the use of the find_lookup_domain_from_name|sid() calls in winbindd_async.c, winbindd_util.c and winbindd_cache.c. Since the trusted domain was never BUILTIN, SAM or the local NetBIOS domain, find_lookup_domain_from_name|sid() switched it to our own domain, so that the trusted domain winbind request didn't go to the trusted domain's child process; it went to our own winbind child process. I've verified this and fixed it by changing find_lookup_domain_from_name|sid() to find_domain_from_name|sid(). This lets winbind initialize the trusted domain and send the request to the right winbind child process.

With the above two fixes, I can fix the following trusted domain issues:
- wbinfo -u/-g lists all trusted domain users/groups.
- wbinfo --sequence gets the right results.
- trusted domain users can log on.

Here is a patch, based on 3.0.22.

diff winbindd_async.c winbindd_async.c_my 561c561 < domain = find_lookup_domain_from_sid(sid); --- > domain = find_domain_from_sid(sid); 652c652 < domain = find_lookup_domain_from_name(dom_name); --- > domain = find_domain_from_name(dom_name); diff winbindd_util.c winbindd_util.c_my 267d266 < break; 726c725 < domain = find_lookup_domain_from_sid(sid); --- > domain = find_domain_from_sid(sid); diff winbindd_cache.c winbindd_cache.c_my 1587c1587 < domain = find_lookup_domain_from_sid(sid); --- > domain = find_domain_from_sid(sid);

I'm not sure if it fits other cases. Thanks.
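The following is an added illustration, not Samba code and not the reporter's patch: a stand-alone C model of the trustdom_recv() loop and of the two SID-to-domain lookup helpers the report discusses. Function names mirror Samba's (string_to_sid, find_domain_from_sid, find_lookup_domain_from_sid, add_trusted_domain) but every body is a simplified re-implementation written for this example; the sample trust list, its SIDs, the "(null)" placeholder standing in for the NULL SID pointer, and the prefix-match rule borrowed from sid_compare_domain() are all assumptions of the model. It shows three things at once: why the `break` drops CHILD4 and CHILD5 along with the bad entry, why a domain that was registered as S-0-0 can never be found by SID afterwards, and why find_lookup_domain_from_sid() sends a CHILD4 user to our own domain.

```c
/* Added illustration, not Samba code: a plain-C model of winbindd's trust
 * enumeration loop and its two SID-to-domain lookups (simplified bodies). */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAXSUBAUTHS 15
#define MAXDOMAINS  8

struct dom_sid {                          /* same shape as Samba's DOM_SID */
    unsigned char sid_rev_num, num_auths, id_auth[6];
    unsigned int  sub_auths[MAXSUBAUTHS];
};

static const char *num(const char *p, unsigned long *v)  /* decimal at p, or NULL */
{
    char *end;
    if (*p < '0' || *p > '9') return NULL;
    *v = strtoul(p, &end, 10);
    return end;
}

/* Parse "S-1-5-21-a-b-c" into *sid. On failure *sid is left untouched. */
bool string_to_sid(struct dom_sid *sid, const char *str)
{
    struct dom_sid t = {0};
    const char *p;
    unsigned long v;

    if (!str || (str[0] != 'S' && str[0] != 's') || str[1] != '-') return false;
    if (!(p = num(str + 2, &v)) || *p != '-' || v > 255) return false;
    t.sid_rev_num = (unsigned char)v;
    if (!(p = num(p + 1, &v))) return false;
    for (int i = 5; i >= 0; i--, v >>= 8)      /* 48-bit authority, big-endian */
        t.id_auth[i] = (unsigned char)(v & 0xff);
    while (*p == '-') {
        if (t.num_auths >= MAXSUBAUTHS || !(p = num(p + 1, &v)) || v > 0xffffffffUL) return false;
        t.sub_auths[t.num_auths++] = (unsigned int)v;
    }
    if (*p != '\0') return false;
    *sid = t;
    return true;
}

/* Modelled on sid_compare_domain(): a user SID belongs to a domain when the
 * domain SID is a prefix of it. A zeroed (S-0-0) domain SID matches nothing. */
static bool sid_in_domain(const struct dom_sid *u, const struct dom_sid *d)
{
    int n = u->num_auths < d->num_auths ? u->num_auths : d->num_auths;
    for (int i = 0; i < n; i++)
        if (u->sub_auths[i] != d->sub_auths[i]) return false;
    return u->sid_rev_num == d->sid_rev_num && !memcmp(u->id_auth, d->id_auth, 6);
}

struct winbindd_domain { const char *name; struct dom_sid sid; };
struct domain_list { struct winbindd_domain d[MAXDOMAINS]; int n; }; /* d[0] = our domain, d[1] = BUILTIN */

static void add_trusted_domain(struct domain_list *l, const char *name, const struct dom_sid *sid)
{
    if (l->n < MAXDOMAINS) { l->d[l->n].name = name; l->d[l->n++].sid = *sid; }
}

/* Constructed sample enumeration (assumption); "(null)" stands for the NULL
 * SID pointer the reporter saw for CHILD2 and CHILD3. */
static const struct { const char *name, *sidstr; } sample_trusts[] = {
    { "PARENT", "S-1-5-21-1000-1000-1000" }, { "CHILD2", "(null)" }, { "CHILD3", "(null)" },
    { "CHILD4", "S-1-5-21-4000-4000-4000" }, { "CHILD5", "S-1-5-21-5000-5000-5000" },
};

enum bad_sid_policy { BREAK_ON_BAD, SKIP_BAD, ADD_AS_S_0_0 };

/* Modelled on trustdom_recv(): our own domain and BUILTIN are already present;
 * the policy decides what one unparsable SID does to the rest of the list. */
void build_domain_list(struct domain_list *l, enum bad_sid_policy policy)
{
    struct dom_sid sid;
    l->n = 0;
    string_to_sid(&sid, "S-1-5-21-1-1-1"); add_trusted_domain(l, "CHILD1", &sid);
    string_to_sid(&sid, "S-1-5-32");       add_trusted_domain(l, "BUILTIN", &sid);
    for (size_t i = 0; i < sizeof sample_trusts / sizeof sample_trusts[0]; i++) {
        if (!string_to_sid(&sid, sample_trusts[i].sidstr)) {
            if (policy == BREAK_ON_BAD) break;     /* 3.0.22: abandons every later entry */
            if (policy == SKIP_BAD) continue;      /* drop just this entry */
            memset(&sid, 0, sizeof sid);           /* the patch's effect: register as S-0-0 */
        }
        add_trusted_domain(l, sample_trusts[i].name, &sid);
    }
}

/* find_domain_from_sid(): the domain whose SID prefixes sid, or NULL. */
const struct winbindd_domain *find_domain_from_sid(const struct domain_list *l, const struct dom_sid *sid)
{
    for (int i = 0; i < l->n; i++)
        if (sid_in_domain(sid, &l->d[i].sid)) return &l->d[i];
    return NULL;
}

/* find_lookup_domain_from_sid() as the reporter describes it: only our own
 * domain and BUILTIN are returned as themselves; any other SID is routed to
 * our own domain, i.e. to our own winbindd child process. */
const struct winbindd_domain *find_lookup_domain_from_sid(const struct domain_list *l, const struct dom_sid *sid)
{
    const struct winbindd_domain *d = find_domain_from_sid(l, sid);
    return (d == &l->d[0] || d == &l->d[1]) ? d : &l->d[0];
}

/* Which domain name handles a lookup of sidstr under a policy and helper;
 * "" when no domain is found. */
const char *route(enum bad_sid_policy policy, bool use_lookup_variant, const char *sidstr)
{
    struct domain_list l;
    struct dom_sid sid;
    const struct winbindd_domain *d;
    build_domain_list(&l, policy);
    if (!string_to_sid(&sid, sidstr)) return "";
    d = use_lookup_variant ? find_lookup_domain_from_sid(&l, &sid) : find_domain_from_sid(&l, &sid);
    return d ? d->name : "";
}

int domain_count(enum bad_sid_policy policy)
{
    struct domain_list l;
    build_domain_list(&l, policy);
    return l.n;
}
```

With BREAK_ON_BAD the list stops at PARENT and a CHILD4 user SID finds no domain at all; with ADD_AS_S_0_0 the list is complete but a CHILD2 user SID still finds nothing, because the entry was stored as S-0-0, and find_lookup_domain_from_sid() answers "CHILD1" for a CHILD4 user where find_domain_from_sid() answers "CHILD4". SKIP_BAD (a `continue` instead of the `break`) is the narrower option the model also covers: it keeps CHILD4 and CHILD5 without registering domains whose SIDs can never match.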
Please attach the patch in diff -u format. Thanks.
(In reply to comment #1) > Please attach the patch in diff -u format. Thanks. diff -u winbindd_async.c winbindd_async.c_my --- winbindd_async.c 2006-08-30 13:35:10.000000000 -0700 +++ winbindd_async.c_my 2006-08-30 13:35:39.000000000 -0700 @@ -558,7 +558,7 @@ struct winbindd_domain *domain; struct winbindd_request request; - domain = find_lookup_domain_from_sid(sid); + domain = find_domain_from_sid(sid); if (domain == NULL) { DEBUG(5, ("Could not find domain for sid %s\n", sid_string_static(sid))); @@ -649,7 +649,7 @@ struct winbindd_request request; struct winbindd_domain *domain; - domain = find_lookup_domain_from_name(dom_name); + domain = find_domain_from_name(dom_name); if (domain == NULL) { DEBUG(5, ("Could not find domain for name %s\n", dom_name)); diff -u winbindd_util.c winbindd_util.c_my --- winbindd_util.c 2006-08-30 13:35:47.000000000 -0700 +++ winbindd_util.c_my 2006-08-30 13:35:41.000000000 -0700 @@ -264,7 +264,6 @@ if (!string_to_sid(&sid, sidstr)) { DEBUG(0, ("Got invalid trustdom response\n")); - break; } if (find_domain_from_name_noinit(p) == NULL) { @@ -723,7 +722,7 @@ BOOL rv = False; struct winbindd_domain *domain; - domain = find_lookup_domain_from_sid(sid); + domain = find_domain_from_sid(sid); if (!domain) { DEBUG(1,("Can't find domain from sid\n")); diff -u winbindd_cache.c winbindd_cache.c_my --- winbindd_cache.c 2006-08-30 13:35:12.000000000 -0700 +++ winbindd_cache.c_my 2006-08-30 13:35:40.000000000 -0700 @@ -1584,7 +1584,7 @@ struct cache_entry *centry = NULL; NTSTATUS status; - domain = find_lookup_domain_from_sid(sid); + domain = find_domain_from_sid(sid); if (domain == NULL) { return False; }
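Review bot: in the winbindd_async.c @@ -558 hunk, switching to find_domain_from_sid() drops the fallback that find_lookup_domain_from_sid() provided. find_domain_from_sid() matches domain_list entries by SID, so for a trusted domain that was registered with S-0-0 (CHILD2 and CHILD3 in the reporter's log) no user or group SID from that domain matches, `domain` comes back NULL and the caller takes the `Could not find domain for sid` path instead of at least going to our own domain as before. The winbindd_util.c @@ -723 and winbindd_cache.c @@ -1584 hunks have the same problem; the @@ -649 hunk matches by name, so it still finds an S-0-0 entry, but loses the same fallback. Either keep a fallback (try find_domain_from_sid() first and only use our own domain when it returns NULL) or make sure the enumeration never registers a domain without a real SID.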
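Review bot: in the winbindd_util.c @@ -264 hunk, removing the `break` means that once string_to_sid() rejects sidstr, execution falls through to the `find_domain_from_name_noinit(p)` check and the add path after it with whatever string_to_sid() left in `sid`; nothing in the hunk shows that `sid` is zeroed on failure, so make the intent explicit with `ZERO_STRUCT(sid);` in the failure branch, and lower `DEBUG(0, ("Got invalid trustdom response\n"))` to a non-error level now that the condition is tolerated rather than fatal. If the only goal is to stop one bad entry from ending the whole enumeration (which is what dropped CHILD4 and CHILD5), `continue` is the narrower change: it keeps the later trusts without registering a domain whose SID can never match a lookup.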
See bug #4069. Jeremy.
Arg. I meant see bug #5363. Jeremy.
I guess this is fixed, right? Marking as dup. If you think this is not fixed, please reopen this bug - thanks! *** This bug has been marked as a duplicate of bug 3661 ***