Bug 7924 - SID does not match trust
Summary: SID does not match trust
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Reported: 2011-01-18 00:16 UTC by Stefan Gohmann
Modified: 2011-02-17 03:13 UTC

Attachments
ldbsearch_base.ldif (2.84 KB, text/plain), 2011-01-18 00:17 UTC, Stefan Gohmann
ldbsearch_w2k3server.ldif (1.18 KB, text/plain), 2011-01-18 00:18 UTC, Stefan Gohmann
ldbsearch_windows7.ldif (1.25 KB, text/plain), 2011-01-18 00:18 UTC, Stefan Gohmann
w2k3server_logon.pcap.gz (3.85 KB, application/gzip), 2011-01-18 00:19 UTC, Stefan Gohmann
w2k3server_logon.samba.log.gz (1.45 KB, application/gzip), 2011-01-18 00:20 UTC, Stefan Gohmann
windows7_logon.pcap.gz (15.67 KB, application/gzip), 2011-01-18 00:20 UTC, Stefan Gohmann
windows7_logon.samba.log.gz (3.67 KB, application/gzip), 2011-01-18 00:21 UTC, Stefan Gohmann

Description Stefan Gohmann 2011-01-18 00:16:26 UTC
The join of a Windows 2003 server to the Samba 4 domain was successful. After the Windows reboot I can't log in as a user because I get the message "The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain". See here for a screenshot:
http://marc.info/?l=samba-technical&m=129195770806953&q=p5

With Windows 7 everything works fine.

I'm using Samba 4 Alpha 14.

Mails on Samba technical:
http://marc.info/?t=129195775700001&r=1&w=2
Comment 1 Stefan Gohmann 2011-01-18 00:17:27 UTC
Created attachment 6210
ldbsearch_base.ldif

ldbsearch output of the LDAP base
Comment 2 Stefan Gohmann 2011-01-18 00:18:07 UTC
Created attachment 6211
ldbsearch_w2k3server.ldif

ldbsearch output of the Windows 2003 server LDAP object
Comment 3 Stefan Gohmann 2011-01-18 00:18:52 UTC
Created attachment 6212
ldbsearch_windows7.ldif

ldbsearch output of the Windows 7 LDAP object
Comment 4 Stefan Gohmann 2011-01-18 00:19:30 UTC
Created attachment 6213
w2k3server_logon.pcap.gz

tcpdump of the windows 2003 logon
Comment 5 Stefan Gohmann 2011-01-18 00:20:16 UTC
Created attachment 6214
w2k3server_logon.samba.log.gz

samba log of the windows 2003 logon
Comment 6 Stefan Gohmann 2011-01-18 00:20:44 UTC
Created attachment 6215
windows7_logon.pcap.gz

tcpdump of the windows 7 logon
Comment 7 Stefan Gohmann 2011-01-18 00:21:20 UTC
Created attachment 6216
windows7_logon.samba.log.gz

samba log of the windows 7 logon
Comment 8 Jonn Taylor 2011-01-22 11:10:38 UTC
I am also getting this same bug. Tested on all versions of Windows 2003. Git version 4.0.0alpha15-GIT-6ee39a2 seems to have the same bug. This git version does not have the bug. Version 4.0.0alpha14-GIT-ec33a87.
Comment 9 Matthias Dieter Wallnöfer 2011-01-22 12:24:52 UTC
If I get this correctly, you are speaking about a trust scenario. Domain trusts are a still unsupported feature. So a fix from our side is not likely to be provided soon.
But you could help us by writing a patch. This would be highly appreciated.
Comment 10 Stefan Gohmann 2011-01-22 12:45:36 UTC
(In reply to comment #9)
> If I get this correctly, you are speaking about a trust scenario. Domain trusts
> are a still unsupported feature.

I've joined my Windows 2003 server into the Samba 4 domain and the Windows 2003 server has not installed AD. It is not a trust scenario.

Comment 11 Matthias Dieter Wallnöfer 2011-01-22 12:55:21 UTC
Ah sorry, you mean the machine trust account - I've misinterpreted the title.
Probably we should wait for a statement by abartlet.

(In reply to comment #10)
> (In reply to comment #9)
> > If I get this correctly, you are speaking about a trust scenario. Domain trusts
> > are a still unsupported feature.
> 
> I've joined my windows 2003 server into the samba 4 domain and the windows 2003
> server has not installed AD. It is not a trust scenario.
> 

Comment 12 Jonn Taylor 2011-01-22 20:31:52 UTC
Found this when running interactive.

Starting GENSEC mechanism schannel
Could not find session key for attempted schannel connection from TEST-93341044D0: NT_STATUS_OBJECT_NAME_NOT_FOUND
GENSEC mech rejected the incoming authentication at bind_ack: NT_STATUS_OBJECT_NAME_NOT_FOUND
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
Comment 13 Jonn Taylor 2011-02-15 08:54:07 UTC
This bug now affects win2k3 as a DC also. The workaround for this is to use user@domain when logging in. Tested in 4.0.0alpha15-GIT-b423d83
Comment 14 Andrew Bartlett 2011-02-15 15:10:49 UTC
I have received information from Microsoft about this and what I need to do about it, and will work to sort this out shortly. 
Comment 15 Andrew Bartlett 2011-02-17 03:13:18 UTC
I believe this has been fixed in 5c12cb0556aeeaa8882c7b12a281728bf8d556f6