The Samba-Bugzilla – Bug 5519
Samba 3.0.30 interdomain trust with Samba 3.0.20 fails
Last modified: 2008-06-06 00:24:57 UTC
You have two domain controllers, one running Samba 3.0.30 (NEWDOM) and one running Samba 3.0.20 (OLDDOM) (i.e. from SUSE Linux 10; some Enterprise Linuxes are also using it).
You can log in on the domain controllers by joining them.
Try to establish a trust relationship between the two domain controllers (Samba 3.0.30 is the trusting domain, Samba 3.0.20 is the trusted domain).
On Samba 3.0.20 (smbpasswd backend, but that shouldn't be the cause):
useradd -c Machine -d /var/lib/nobody -s /bin/false NEWDOM$
smbpasswd -a -i NEWDOM (or was it NEWDOM$) (password: trust)
On Samba 3.0.30:
net rpc trustdom establish OLDDOM (password: trust)
On Samba 3.0.20:
net rpc trustdom list --> NEWDOM is shown with SID as trusting domain
On Samba 3.0.30:
wbinfo -u --> You see the users from OLDDOM
Try to log in on OLDDOM via a computer (WinXP) that has joined NEWDOM. You receive the error message that the domain controller can't be contacted or that the computer account is missing. This is not the same message as when it really can't find a domain controller, because then there would be the message that domain OLDDOM is unavailable at the moment.
In the log file of OLDDOM you see the error message that it doesn't know auth type 9.
In the log.smbd file of NEWDOM you see error messages regarding DCE...._OP_RNG and a Bind NACK message regarding ntlm.
An interdomain trust with another Samba 3.0.30 domain controller is working.
Could it be that there is an incompatibility between the new Samba versions and the old ones (i.e. pre-Samba-3.0.24; there was some change causing you to have to restart your clients after upgrading, maybe interdomain trust has also been broken (can't fix it by restarting, doesn't work then either))?
Extract from log.winbindd (Samba 3.0.30, trusting domain)
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine xxx pipe \lsarpc fnum yyyy
where yyyy is one of
0x7194, 0x748, 0x748d,
cli_pipe_validate_current_pdu: Bind NACK received from remote machine xxx pipe \samr fnum 0x748e
rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2363) cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
Can you please upload a full log level 10 logfile? We need to see more context.
Created attachment 3336
smbd_logfile from failing Samba 3.0.22
3.0.23d-6-1083-SUSE-SL10.2 seems to be working
3.0.20-4-SUSE doesn't work
3.0.22-11-SUSE-CODE10 doesn't work (see attached log, seems to be some digest hash computing error?)