The Samba-Bugzilla – Bug 7924
SID does not match trust
Last modified: 2011-02-17 03:13:18 UTC
The join of a windows 2003 server to the samba 4 domain was successful. After the windows reboot I can't log in as a user because I get the message "The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain". See here for a screenshot:
With Windows 7 everything works fine.
I'm using Samba 4 Alpha 14.
Mails on Samba technical:
Created attachment 6210
ldbsearch output of the ldap base
Created attachment 6211
ldbsearch output of the windows 2003 server ldap object
Created attachment 6212
ldbsearch output of the windows 7 ldap object
Created attachment 6213
tcpdump of the windows 2003 logon
Created attachment 6214
samba log of the windows 2003 logon
Created attachment 6215
tcpdump of the windows 7 logon
Created attachment 6216
samba log of the windows 7 logon
I am also getting this same bug. Tested on all versions of Windows 2003. Git version 4.0.0alpha15-GIT-6ee39a2 seems to have the same bug. This Git version does not have the bug: version 4.0.0alpha14-GIT-ec33a87.
If I get this correctly, you are speaking about a trust scenario. Domain trusts are a still unsupported feature. So a fix from our side is not likely to be provided soon.
But you could help us by writing a patch. This would be highly appreciated.
(In reply to comment #9)
> If I get this correctly, you are speaking about a trust scenario. Domain trusts
> are a still unsupported feature.
I've joined my windows 2003 server into the samba 4 domain and the windows 2003 server has not installed AD. It is not a trust scenario.
Ah sorry, you mean the machine trust account - I've misinterpreted the title.
Probably we should wait for a statement by abartlet.
(In reply to comment #10)
> (In reply to comment #9)
> > If I get this correctly, you are speaking about a trust scenario. Domain trusts
> > are a still unsupported feature.
> I've joined my windows 2003 server into the samba 4 domain and the windows 2003
> server has not installed AD. It is not a trust scenario.
Found this when running interactive.
Starting GENSEC mechanism schannel
Could not find session key for attempted schannel connection from TEST-93341044D0: NT_STATUS_OBJECT_NAME_NOT_FOUND
GENSEC mech rejected the incoming authentication at bind_ack: NT_STATUS_OBJECT_NAME_NOT_FOUND
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
This bug now affects win2k3 as a DC also. The workaround for this is to use user@domain when logging in. Tested in 4.0.0alpha15-GIT-b423d83
I have received information from Microsoft about this and what I need to do about it, and will work to sort this out shortly.
I believe this has been fixed in 5c12cb0556aeeaa8882c7b12a281728bf8d556f6