The Samba-Bugzilla – Bug 5339
Interdomaintrust broken since 3.0.28
Last modified: 2008-04-14 00:33:00 UTC
Linux: Gentoo (don't know whether this problem exists with other distributions or not)
OpenLDAP 2.3.41, Samba >= 3.0.28, smbldap-tools 0.91
You have two domains (SMBONE and SMBTWO) using separate ldap-backends, running Samba 3.0.28. You establish an interdomain trust using smbldap-useradd -i SMBONE$ on SMBTWO-SRV and using net rpc trustdom establish SMBTWO on SMBONE-SRV you create the interdomaintrust (there is a nasty error message since ever and then a success message, but it works). On SMBONE winbind is activated (and in nsswitch.conf), so you were able to log into SMBTWO if your client has joined SMBONE until (including) Samba 3.0.27.
You can log into SMBONE if your client has joined SMBONE.
You can log into SMBTWO if your client has joined SMBTWO.
But with Samba 3.0.28 (and 3.0.28a) you can not log into SMBTWO, if your client has joined SMBONE. You can choose SMBTWO from the domainlist (tried with Windows 2000 SP4, but the problem also exists with Windows XP SP2 and newest patches --> seems not to be a Windows fault).
With Samba 3.0.28a winbind (wbinfo -u) can't receive the users of the trusted domains, with Samba 3.0.28 it can, but you can't login (receiving wrong user or password OR there is a problem with an attached device).
Rolling back to Samba 3.0.27 (it is masked for security reasons ...) everything works fine with the same configuration. So it seems there is something broken since Samba 3.0.28.
Created attachment 3233
Logfiles from trusting domain controller with Samba 3.0.27
Created attachment 3234
Logfiles from trusted domain controller with Samba 3.0.27
Created attachment 3235
Logfiles from trusting domain controller with Samba 3.0.28a
Created attachment 3236
Logfiles from trusted domain controller with Samba 3.0.28a
Created attachment 3237
Logfiles from trusting domain controller with Samba 3.0.28a when executing wbinfo -u
Created attachment 3238
Logfiles from trusted domain controller with Samba 3.0.28a when executing wbinfo -u
Two domain controllers smbone and smbtwo, both are PDCs
W2K-Client (doesn't depend on client but for clarity) client of smbone
interdomaintrust between smbone and smbtwo established
Servers: Gentoo, USE="acl cups examples fam ipv6 ldap pam python quotas readline winbind"
not in USE: ads, async automounts caps doc selinux syslog swat
Try to log in from client on smbone and smbtwo
Samba 3.0.27 and before: winbind works
Samba 3.0.28a: winbind doesn't work (doesn't work in 3.0.28, unknown whether Samba 3.0.27a was working as it is not in portage)
can't access profiles from client on smbone because of winbind problem (with force user=%U set) (this worked in 3.0.28!!!)
samba3027*.tar.bz2 log level 10 logs with Samba 3.0.27 --> working
samba3028a*.tar.bz2 log level 10 logs with Samba 3.0.28a --> not working
samba3028a*wbinfou.tar.bz2 log level 10 logs executing wbinfo -u on smbone result Error looking up domain users
Do you have a chance to test the v3-0-test code base in git? It should be fixed in there.
Please tell me, whether you can provide me with a patch-file which can be applied on the samba-3.0.28a or the samba-3.0.28 release tar-file or not.
If this should not be possible easily, I will try to manage to get the sources from git.
Thanks for your help.
You can always get the latest 3.0 snapshot as a tar.gz from
Tested git-files (timestamp 10 Apr 17:56) in a testing environment, where the interdomaintrust seems to work properly again (winbind seems to be ok again, trusted server login also works again). Waiting for Samba 3.0.28b to be released for production environment.
Closing as fixed