I have compiled samba 3.24 on SUSE 10.2 with default configure options.
My setup looks like,

SUSE PDC (SUSEDOM) running samba 3.2.4 which is trusting Windows 2003 domain (running in mixed mode) and a windows 2008 domain (running in windows 2000 native mode). I could establish trust between these two domains.

But when I try to login to the SUSE PDC with the windows 2008 domain credentials it fails with status logon failure. The wbinfo -u command does not display the users from 2008 whereas it displays all the users from the 2003 domain and a login to SUSE PDC with windows 2003 domain credentials is successful.

I tried to capture the network trace on windows 2008 domain controller when running "wbinfo -u" command, and what I found was SamrConnect2 RPC is failing with STATUS_ACCESS_DENIED. I suspect the error was because samba had opened the samr pipe with an anonymous login.

Is there anything which I'm missing here, because samba 3.2 release notes say "Support for establishing interdomain trust relationships with Windows 2008"

From the winbind debug logs for the 2008 domain I could see
------------------------------------------------------------
[2009/02/13 10:38:25, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine CIF33 pipe \samr fnum 0x4005 returned 48 bytes.
     samr_Connect2: struct samr_Connect2
        out: struct samr_Connect2
            connect_handle : *
                connect_handle: struct policy_handle
                    handle_type : 0x00000000 (0)
                    uuid : 00000000-0000-0000-0000-000000000000
            result : NT_STATUS_ACCESS_DENIED
[2009/02/13 10:38:25, 10] winbindd/winbindd_cm.c:cm_connect_sam(2106)
  cm_connect_sam: rpccli_samr_Connect2 failed for domain CIFS2K8
  Error was NT_STATUS_ACCESS_DENIED
----------------------------------------------

My smb.conf:
-----------
asususe:/usr/local/samba # bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
Processing section "[tmp]"
Processing section "[netlogon]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = SUSEDOM
        server string = %h server
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        client schannel = Yes
        server schannel = Yes
        log level = 10
        log file = /var/opt/samba/log.%m
        printcap name = cups
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        idmap uid = 50000 - 60000
        idmap gid = 50000 - 60000
        winbind separator = +
        winbind cache time = 3000
        winbind enum users = Yes
        winbind enum groups = Yes
        read only = No
        dos filetime resolution = Yes

[homes]
        comment = Home Directories
        path = /home/%U
        read only = Yes
        create mask = 0700
        directory mask = 0700
        browseable = No

[tmp]
        comment = Temporary file space
        path = /tmp

[netlogon]
        comment = Network Logon Service
        path = /var/opt/samba/netlogon
        read only = Yes
        guest ok = Yes
        share modes = No

Let me know if you need more info.

Thanks
Anoop
*** Bug 6111 has been marked as a duplicate of this bug. ***
I was able to work around it by doing wbinfo --set-auth-user=user%password. Is there a way to fix it in the code?
(In reply to comment #0)
> I have compiled samba 3.24 on SUSE 10.2 with default configure options.
> My setup looks like,
>
> SUSE PDC (SUSEDOM) running samba 3.2.4 which is trusting Windows 2003 domain
> (running in mixed mode) and a windows 2008 domain (running in windows 2000
> native mode). I could establish trust between these two domains.
>
> But when I try to login to the SUSE PDC with the windows 2008 domain
> credentials it fails with status logon failure. The wbinfo -u command does not
> display the users from 2008 whereas it displays all the users from the 2003
> domain and a login to SUSE PDC with windows 2003 domain credentials is
> successful.
>
> I tried to capture the network trace on windows 2008 domain controller when
> running "wbinfo -u" command, and what I found was SamrConnect2 RPC is failing
> with STATUS_ACCESS_DENIED. I suspect the error was because samba had opened the
> samr pipe with a anonymous login.
>
> Is there anything which I'm missing here, because samba 3.2 release notes say
> "Support for establishing interdomain trust relationships with Windows 2008"

This is true for domain members but was not correct for Samba as PDC. This has just been fixed very recently. You need to have Samba 3.3.9 at least (to be released on Thursday, Oct. 14th) or Samba 3.4.2.
(In reply to comment #2)
> I was able to work around it by doing wbinfo --set-auth-user=user%password.
> Is there a way to fix it in the code?

No. Unfortunately not. Using this is the only option you have with your Samba version.

Side-note: For properly looking up names and SIDs in your w2k8 domain winbind needs to use LSA over ncacn_ip_tcp transport, something that is too complex to backport to the Samba 3.2 series.

As said, Samba 3.3.9 and 3.4.2 will have this fixed.

Closing as "Fixed" in recent versions of Samba.
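
A log-triage sketch for the failure discussed in this thread, added here as an example (it is not part of the bug report and not Samba code): it groups a level-10 winbindd log into records and lists the trusted domains whose SAMR connect was refused with NT_STATUS_ACCESS_DENIED. The function names, the sample text and the OTHERDOM record are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: abridged records from the report, plus a made-up OTHERDOM timeout.
SAMPLE_LOG = """\
[2009/02/13 10:38:25, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine CIF33 pipe \\samr fnum 0x4005 returned 48 bytes.
  result : NT_STATUS_ACCESS_DENIED
[2009/02/13 10:38:25, 10] winbindd/winbindd_cm.c:cm_connect_sam(2106)
  cm_connect_sam: rpccli_samr_Connect2 failed for domain CIFS2K8
  Error was NT_STATUS_ACCESS_DENIED
[2009/02/13 10:39:01, 10] winbindd/winbindd_cm.c:cm_connect_sam(2106)
  cm_connect_sam: rpccli_samr_Connect2 failed for domain OTHERDOM
  Error was NT_STATUS_IO_TIMEOUT
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+(\S+)")
FAILED = re.compile(r"cm_connect_sam: (\S+) failed for domain (\S+)")
STATUS = re.compile(r"Error was (NT_STATUS_\w+)")

def split_records(text):
    """Group continuation lines under each '[timestamp, level] file:func(line)' header."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "where": m.group(2), "body": []}
            records.append(current)
        elif current is not None:
            current["body"].append(line.strip())
    return records

def sam_connect_failures(text):
    """Return {domain: [(time, rpc_call, nt_status), ...]} for cm_connect_sam failures."""
    failures = defaultdict(list)
    for rec in split_records(text):
        body = " ".join(rec["body"])
        failed, status = FAILED.search(body), STATUS.search(body)
        if failed and status:
            failures[failed.group(2)].append((rec["time"], failed.group(1), status.group(1)))
    return dict(failures)

def access_denied_domains(text):
    """Domains whose SAMR connect was refused, the symptom reported for the 2008 domain."""
    return sorted(d for d, hits in sam_connect_failures(text).items()
                  if any(s == "NT_STATUS_ACCESS_DENIED" for _, _, s in hits))

if __name__ == "__main__":
    print(access_denied_domains(SAMPLE_LOG))
```

A domain listed here is a candidate for the `wbinfo --set-auth-user` workaround or the upgrade named in the reply above; other statuses, such as the timeout in the sample, point to a different cause.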