Bug 6111 - samba 3.2.4 does not trust windows 2008 domain
Summary: samba 3.2.4 does not trust windows 2008 domain
Status: RESOLVED DUPLICATE of bug 6110
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.2.4
Hardware: x86 Other
Importance: P3 critical
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2009-02-13 02:21 UTC by anoop
Modified: 2009-02-13 02:23 UTC
Description anoop 2009-02-13 02:21:31 UTC
I have compiled samba 3.2.4 on SUSE 10.2 with default configure options.
My setup looks like this:

SUSE PDC (SUSEDOM) running samba 3.2.4 which is trusting Windows 2003 domain (running in mixed mode) and a windows 2008 domain (running in windows 2000 native mode). I could establish trust between these two domains.

But when I try to log in to the SUSE PDC with the Windows 2008 domain credentials, it fails with status logon failure. The wbinfo -u command does not display the users from the 2008 domain, whereas it displays all the users from the 2003 domain, and a login to the SUSE PDC with Windows 2003 domain credentials is successful.

I tried to capture the network trace on the Windows 2008 domain controller while running the "wbinfo -u" command, and what I found was that the SamrConnect2 RPC is failing with STATUS_ACCESS_DENIED. I suspect the error was because samba had opened the samr pipe with an anonymous login.

Is there anything which I'm missing here, because the samba 3.2 release notes say:
"Support for establishing interdomain trust relationships with Windows 2008"

From the winbind debug logs for the 2008 domain I could see:
------------------------------------------------------------
[2009/02/13 10:38:25, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine CIF33 pipe \samr fnum 0x4005 returned 48 bytes.
      samr_Connect2: struct samr_Connect2
          out: struct samr_Connect2
              connect_handle           : *
                  connect_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_ACCESS_DENIED
[2009/02/13 10:38:25, 10] winbindd/winbindd_cm.c:cm_connect_sam(2106)
  cm_connect_sam: rpccli_samr_Connect2 failed for domain CIFS2K8 Error was NT_STATUS_ACCESS_DENIED
----------------------------------------------

My smb.conf:
-----------
asususe:/usr/local/samba # bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
Processing section "[tmp]"
Processing section "[netlogon]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = SUSEDOM
        server string = %h server
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        client schannel = Yes
        server schannel = Yes
        log level = 10
        log file = /var/opt/samba/log.%m
        printcap name = cups
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        idmap uid = 50000 - 60000
        idmap gid = 50000 - 60000
        winbind separator = +
        winbind cache time = 3000
        winbind enum users = Yes
        winbind enum groups = Yes
        read only = No
        dos filetime resolution = Yes

[homes]
        comment = Home Directories
        path = /home/%U
        read only = Yes
        create mask = 0700
        directory mask = 0700
        browseable = No

[tmp]
        comment = Temporary file space
        path = /tmp

[netlogon]
        comment = Network Logon Service
        path = /var/opt/samba/netlogon
        read only = Yes
        guest ok = Yes
        share modes = No

Let me know if you need more info.

Thanks
Anoop
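The reporter's diagnosis rests on two lines in a level-10 winbind log: the dumped samr_Connect2 reply carrying "result : NT_STATUS_ACCESS_DENIED", and the cm_connect_sam summary naming the domain. The following script is an added example (not part of this bug report and not Samba's own code) that parses log output in that format, groups RPC connection failures per trusted domain, and pulls the status out of the dumped RPC reply, so an administrator with several trusts can see at a glance which domain's SAMR connection is being refused. The sample log embedded in the script is constructed: it repeats the two entries quoted above and adds one entry for a hypothetical domain EXAMPLEDOM with a different status so that the grouping is visible. The header regex assumes the "[date time, level] file:function(line)" header format shown in the quoted log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the two entries quoted in the report, plus one
# constructed entry for a hypothetical domain (EXAMPLEDOM) with another status.
SAMPLE_LOG = r"""[2009/02/13 10:38:25, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine CIF33 pipe \samr fnum 0x4005 returned 48 bytes.
      samr_Connect2: struct samr_Connect2
          out: struct samr_Connect2
              connect_handle           : *
                  connect_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_ACCESS_DENIED
[2009/02/13 10:38:25, 10] winbindd/winbindd_cm.c:cm_connect_sam(2106)
  cm_connect_sam: rpccli_samr_Connect2 failed for domain CIFS2K8 Error was NT_STATUS_ACCESS_DENIED
[2009/02/13 10:38:26, 10] winbindd/winbindd_cm.c:cm_connect_sam(2106)
  cm_connect_sam: rpccli_samr_Connect2 failed for domain EXAMPLEDOM Error was NT_STATUS_IO_TIMEOUT
"""

# One winbind log entry: a header line followed by indented body lines.
HEADER_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)$')
# "cm_connect_sam: rpccli_samr_Connect2 failed for domain X Error was NT_STATUS_Y"
FAIL_RE = re.compile(r'rpccli_(\w+) failed for domain (\S+) Error was (NT_STATUS_\w+)')
# The start of a dumped RPC structure, e.g. "samr_Connect2: struct samr_Connect2"
RPC_STRUCT_RE = re.compile(r'^\s*(\w+): struct \1\s*$')
# The "result" field of a dumped RPC reply
RESULT_RE = re.compile(r'^\s*result\s*:\s*(NT_STATUS_\w+)\s*$')


@dataclass
class LogEntry:
    timestamp: str
    level: int
    location: str            # e.g. winbindd/winbindd_cm.c:cm_connect_sam(2106)
    body: List[str] = field(default_factory=list)


def parse_winbind_log(text: str) -> List[LogEntry]:
    """Split winbind debug output into entries; body lines attach to the last header."""
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(LogEntry(m.group(1), int(m.group(2)), m.group(3)))
        elif entries:
            entries[-1].body.append(line.rstrip())
        # Lines before the first header (none in the sample) are dropped.
    return entries


def rpc_failures_by_domain(entries: List[LogEntry]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map domain -> [(timestamp, rpc call, NT status)] from cm_connect_* summary lines."""
    failures: Dict[str, List[Tuple[str, str, str]]] = {}
    for e in entries:
        for line in e.body:
            m = FAIL_RE.search(line)
            if m:
                call, domain, status = m.groups()
                failures.setdefault(domain, []).append((e.timestamp, call, status))
    return failures


def dumped_rpc_results(entries: List[LogEntry]) -> List[Tuple[Optional[str], str]]:
    """Return (rpc name, status) for every dumped RPC reply that carries a result line."""
    results: List[Tuple[Optional[str], str]] = []
    for e in entries:
        rpc: Optional[str] = None
        for line in e.body:
            sm = RPC_STRUCT_RE.match(line)
            if sm:
                rpc = sm.group(1)
            rm = RESULT_RE.match(line)
            if rm:
                results.append((rpc, rm.group(1)))
    return results


def access_denied_domains(text: str) -> List[str]:
    """Domains whose SAMR/LSA connection was refused with NT_STATUS_ACCESS_DENIED."""
    failures = rpc_failures_by_domain(parse_winbind_log(text))
    return sorted(d for d, hits in failures.items()
                  if any(status == 'NT_STATUS_ACCESS_DENIED' for _, _, status in hits))


if __name__ == '__main__':
    entries = parse_winbind_log(SAMPLE_LOG)
    for domain, hits in rpc_failures_by_domain(entries).items():
        for ts, call, status in hits:
            print(f'{ts} {domain:12} {call:16} {status}')
    print('dumped RPC results:', dumped_rpc_results(entries))
    print('access denied for:', access_denied_domains(SAMPLE_LOG))
```

Run it against a real winbind log file (log level 10, as in the reporter's smb.conf) by replacing SAMPLE_LOG with the file's contents; the per-domain grouping separates a trust that is refused outright (ACCESS_DENIED on samr_Connect2, as reported here for CIFS2K8) from one that is merely unreachable.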
Comment 1 anoop 2009-02-13 02:23:06 UTC

*** This bug has been marked as a duplicate of 6110 ***