Bug 5519 - Samba 3.0.30 interdomain trust with Samba 3.0.20 fails
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Hardware: x86 Linux
Importance: P3 major
Assigned To: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2008-06-04 00:33 UTC by Sysadmin HTL-Leonding
Modified: 2008-06-06 00:24 UTC (History)

smbd_logfile from failing Samba 3.0.22 (456.74 KB, text/plain)
2008-06-06 00:23 UTC, Sysadmin HTL-Leonding

Description Sysadmin HTL-Leonding 2008-06-04 00:33:09 UTC
You have two domain controllers: one running Samba 3.0.30 (NEWDOM) and one running Samba 3.0.20 (OLDDOM), i.e. from SUSE Linux 10; some Enterprise Linuxes are also using it.

You can log in on the domain controllers by joining them.

Try to establish a trust relationship between the two domain controllers (Samba 3.0.30 is the trusting domain, Samba 3.0.20 is the trusted domain).

On Samba 3.0.20 (smbpasswd backend, but that shouldn't be the cause)
useradd -c Machine -d /var/lib/nobody -s /bin/false NEWDOM$
smbpasswd -a -i NEWDOM (or was it NEWDOM$) (password: trust)

On Samba 3.0.30
net rpc trustdom establish OLDDOM (password: trust)

On Samba 3.0.20:
net rpc trustdom list --> NEWDOM is shown with SID as trusting domain

On Samba 3.0.30
wbinfo -u --> You see the users from OLDDOM

Try to log in on OLDDOM via a computer (WinXP) that has joined NEWDOM. You receive the error message that the domain controller can't be contacted or that the computer account is missing. This is not the same message as when it really can't find a domain controller, because then there would be the message that domain OLDDOM is unavailable at the moment.

In the log file of OLDDOM you see the error message that it doesn't know auth type 9.

In the log.smbd file of NEWDOM you see error messages regarding DCE...._OP_RNG and a Bind NACK message regarding ntlm.

An interdomain trust with another Samba 3.0.30 domain controller is working.

Could it be that there is an incompatibility between the new Samba versions and the old ones, i.e. pre-Samba-3.0.24 (there was some change causing you to have to restart your clients after upgrading; maybe interdomain trust has also been broken (can't fix it by restarting, doesn't work then either))?
Comment 1 Sysadmin HTL-Leonding 2008-06-05 03:32:18 UTC
Extract from log.winbindd (Samba 3.0.30, trusting domain)

cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine xxx pipe \lsarpc fnum yyyy

where yyyy is one of
0x7194, 0x748, 0x748d,

cli_pipe_validate_current_pdu: Bind NACK received from remote machine xxx pipe \samr fnum 0x748e

rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2363) cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
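
A triage example for the log.winbindd lines quoted in Comment 1, added here and not part of the original report or of Samba's own code: it groups the client-side RPC failures by remote machine and pipe, so operation-range faults are kept apart from rejected binds. The sample input is constructed from the extract above ("xxx" is the reporter's redaction), and the names `triage`, `PDU_RE` and `BIND_FAIL_RE` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the lines from Comment 1, one per fnum the reporter listed.
# "xxx" is the reporter's redaction of the remote machine name.
SAMPLE_LOG = r"""
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine xxx pipe \lsarpc fnum 0x7194
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine xxx pipe \lsarpc fnum 0x748
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine xxx pipe \lsarpc fnum 0x748d
cli_pipe_validate_current_pdu: Bind NACK received from remote machine xxx pipe \samr fnum 0x748e
rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2363) cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
"""

# An operation-range fault means the server does not implement the requested
# operation number on that interface; a Bind NACK means the bind was rejected.
PDU_RE = re.compile(
    r"cli_pipe_validate_current_pdu: "
    r"(?:RPC fault code (?P<fault>\w+)|(?P<nack>Bind NACK)) received from "
    r"remote machine (?P<host>\S+) pipe (?P<pipe>\S+) fnum (?P<fnum>0x[0-9a-fA-F]+)")
BIND_FAIL_RE = re.compile(
    r"(?P<func>\w+): cli_rpc_pipe_bind failed with error (?P<status>NT_STATUS_\w+)")

def triage(log_text):
    """Return ({(host, pipe): failures}, [(function, NT status)]) for a log extract."""
    pipes = defaultdict(lambda: {"faults": defaultdict(list), "bind_nack": []})
    bind_failures = []
    for line in log_text.splitlines():
        m = PDU_RE.search(line)
        if m:
            entry = pipes[(m["host"], m["pipe"])]
            if m["nack"]:
                entry["bind_nack"].append(m["fnum"])
            else:
                entry["faults"][m["fault"]].append(m["fnum"])
            continue
        m = BIND_FAIL_RE.search(line)
        if m:
            bind_failures.append((m["func"], m["status"]))
    return pipes, bind_failures

if __name__ == "__main__":
    pipes, bind_failures = triage(SAMPLE_LOG)
    for (host, pipe), entry in sorted(pipes.items()):
        for fault, fnums in entry["faults"].items():
            print(f"{host} {pipe}: {fault} x{len(fnums)} (fnum {', '.join(fnums)})")
        if entry["bind_nack"]:
            print(f"{host} {pipe}: bind rejected (fnum {', '.join(entry['bind_nack'])})")
    for func, status in bind_failures:
        print(f"{func}: bind failed with {status}")
```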

Comment 2 Guenther Deschner 2008-06-05 09:47:21 UTC
Can you please upload a full log level 10 logfile? We need to see more context.
Comment 3 Sysadmin HTL-Leonding 2008-06-06 00:23:54 UTC
Created attachment 3336 [details]
smbd_logfile from failing Samba 3.0.22
Comment 4 Sysadmin HTL-Leonding 2008-06-06 00:24:57 UTC
3.0.23d-6-1083-SUSE-SL10.2 seems to be working
3.0.20-4-SUSE doesn't work
3.0.22-11-SUSE-CODE10 doesn't work (see attached log, seems to be some digest hash computing error?)