Hi,

Did this ever get an answer? I just upgraded both ends of a bidirectional domain trust setup to 3.6.12 (from 3.5.something against 3.6.5, which worked perfectly) and I face *exactly* the same problem, i.e. a share on an XP box cannot be accessed by another XP box at the other end. The SMB error code is identical.

Thanks

Alex

On 20/11/12 21:10, Fernando Torrez wrote:
Hi all

I have two Samba PDCs installed according to these specifications:

domain FOOBAR with pdc server name: BAR (ip 192.168.1.1)
opensuse 11.1
samba-3.5.6-15.1
openldap2-2.4.12-5.6.1
smbldap-tools-0.9.5-25.1
A winxp called USUARIO1 joined to the FOOBAR domain (ip 192.168.1.100)


domain LAPAZ with pdc server name: SERVERLPZ (ip 192.168.10.4)
openSUSE 12.2
samba-3.6.7-48.12.1.i586
openldap2-2.4.31-2.1.3.i586
smbldap-tools-0.9.6-5.1.noarch
A winxp called COMP1 joined to the LAPAZ domain (ip 192.168.10.101)

I made interdomain trust relationships according to the steps written at the end of this mail, but when FOOBAR\USUARIO1 tries to access shares available on LAPAZ\COMP1 using Windows Explorer, it hangs forever.

Doing some packet capture with Wireshark I got these results:

249    15.610519    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
250    15.610866    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
251    15.611490    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
252    15.615751    192.168.1.101    192.168.10.100    ICMP    74    Echo (ping) request  id=0x0200, seq=1024/4, ttl=30
253    15.622135    192.168.10.100    192.168.1.101    ICMP    74    Echo (ping) reply    id=0x0200, seq=1024/4, ttl=128
254    15.689197    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
255    15.689820    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
256    15.689959    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)
257    15.690717    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
258    15.690970    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
259    15.691353    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
260    15.732067    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
261    15.732568    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
262    15.732728    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)
263    15.733215    192.168.1.101    192.168.10.100    SMB    260    Session Setup AndX Request, NTLMSSP_NEGOTIATE
264    15.733547    192.168.10.100    192.168.1.101    SMB    291    Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
265    15.733918    192.168.1.101    192.168.10.100    SMB    400    Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
266    15.745888    192.168.10.100    192.168.1.101    SMB    175    Session Setup AndX Response
267    15.746319    192.168.1.101    192.168.10.100    SMB    136    Tree Connect AndX Request, Path: \\COMPU1\IPC$
268    15.746437    192.168.10.100    192.168.1.101    SMB    93    Tree Connect AndX Response, Error: Unknown (0xC000035C)

As can be seen, there is a recurring strange error: Error: Unknown (0xC000035C), and doing some googling I could only find something like:
  0xC000035C (STATUS_NETWORK_SESSION_EXPIRED), which refers to a network session having expired.
I think that Samba 3.5 and Samba 3.6 are not fully compatible when doing interdomain trusts because idmap is not configured and managed in the same way. Isn't it?

This behavior doesn't appear if FOOBAR\USUARIO1 tries to access LAPAZ\SERVERLPZ shares, or if LAPAZ\COMP1 tries to access any FOOBAR shares (either FOOBAR\USUARIO1 or FOOBAR\BAR).

I thought that both Windows boxes had something wrong, so I tried with another two Windows workstations, with the same results.

If someone can point me in the right direction to solve this problem, I would really appreciate any help.

Thanks in advance

    Fernando Torrez


INTERDOMAIN TRUST RELATIONSHIP PROCESS

1.- PRELIMINARY ADJUSTMENTS
On the LAPAZ domain server (serverlpz) I changed the WINS server to use the FOOBAR WINS server:

wins server = 192.168.1.1

and made sure that smb.conf has these lines defined for mapping:

         idmap config * : backend = ldap
         idmap config * : readonly = no
         idmap config * : default = yes
         idmap config * : ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
         idmap config * : ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
         idmap config * : ldap_url = ldap://serverlpz.lapaz.tld
         idmap config * : range = 50000-500000

         idmap alloc config:ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
         idmap alloc config:ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
         idmap alloc config:ldap_url = ldap://serverlpz.lapaz.tld
         idmap alloc config:range = 50000-500000

and finally I ran the command:
serverlpz:~ # net idmap secret '*' mysecret
Secret stored

On the FOOBAR domain server (bar) I only made sure that these lines were defined:

         idmap backend = ldap:ldap://bar.foobar.tld
         idmap uid = 10000-20000
         idmap gid = 10000-20000

2.- MAKING A TWO-WAY INTERDOMAIN TRUST RELATIONSHIP

serverlpz:/var/log/samba # smbldap-useradd -i foobar
New password : ADMINISTRATOR
Retype new password : ADMINISTRATOR

bar:~ # net rpc trustdom establish lapaz
Enter FOOBAR$'s password: ADMINISTRATOR
Could not connect to server SERVERLPZ
Trust to domain LAPAZ established

bar:~ # smbldap-useradd -i lapaz
New password : ADMINISTRATOR
Retype new password : ADMINISTRATOR

serverlpz:~ # net rpc trustdom establish foobar
Enter LAPAZ$'s password: ADMINISTRATOR
Could not connect to server BAR
Trust to domain FOOBAR established

3.- VERIFYING TRUSTS
bar:~ # net rpc trustdom list -Uroot%mykey
Trusted domains list:
LAPAZ               S-1-5-21-2768586194-2883361281-2776744031
Trusting domains list:
LAPAZ               S-1-5-21-2768586194-2883361281-2776744031

serverlpz:~ # net rpc trustdom list -Uroot%mysecondkey
Trusted domains list:
FOOBAR              S-1-5-21-792737186-2111905618-2835975785
Trusting domains list:
FOOBAR              S-1-5-21-792737186-2111905618-2835975785

bar:~ # wbinfo -u
root
nobody
usuario1
LAPAZ\root
LAPAZ\nobody
LAPAZ\compu1
bar:~ # wbinfo -g
domain admins
domain users
domain guests
domain computers
sistemas
LAPAZ\domain admins
LAPAZ\domain users
LAPAZ\domain guests
LAPAZ\domain computers
LAPAZ\seccion

serverlpz:/var/log/samba # wbinfo -u
root
nobody
compu1
FOOBAR\root
FOOBAR\nobody
FOOBAR\usuario1
serverlpz:/var/log/samba # wbinfo -g
domain admins
domain users
domain guests
domain computers
seccion
FOOBAR\domain admins
FOOBAR\domain users
FOOBAR\domain guests
FOOBAR\domain computers
FOOBAR\sistemas

4.- MODIFYING nsswitch TO ENABLE AUTHENTICATION THROUGH winbind

I made sure that both nsswitch.conf files have these lines defined:

passwd: files ldap winbind
shadow: files ldap
group:  files ldap winbind

5.- FINAL VERIFICATIONS

bar:~ # getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
....
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
usuario1:x:1001:513:System User:/home/usuario1:/bin/bash
bar$:*:1002:515:Computer:/dev/null:/bin/false
usuario1$:*:1003:515:Computer:/dev/null:/bin/false
lapaz$:*:1004:513:Computer:/dev/null:/bin/false
LAPAZ\root:*:10000:10124::/home/LAPAZ/root:/bin/false
LAPAZ\nobody:*:10001:10124::/home/LAPAZ/nobody:/bin/false
LAPAZ\compu1:*:10002:10124:compu1:/home/LAPAZ/compu1:/bin/false

bar:~ # getent group
at:!:25:
....
ldap:!:70:
named:!:44:
winbind:!:107:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
sistemas:*:1002:
LAPAZ\domain admins:x:10125:LAPAZ\root
LAPAZ\domain users:x:10124:LAPAZ\compu1,LAPAZ\foobar$
LAPAZ\domain guests:x:10126:LAPAZ\nobody
LAPAZ\domain computers:x:10127:LAPAZ\serverlpz$,LAPAZ\compu1$
LAPAZ\seccion:x:10128:

on serverlpz

serverlpz:~ # getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
..
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
compu1:x:1001:513:System User:/home/compu1:/bin/bash
serverlpz$:*:1002:515:Computer:/dev/null:/bin/false
compu1$:*:1003:515:Computer:/dev/null:/bin/false
foobar$:*:1004:513:Computer:/dev/null:/bin/false
FOOBAR\root:*:50002:50003::/home/FOOBAR/root:/bin/false
FOOBAR\nobody:*:50003:50003::/home/FOOBAR/nobody:/bin/false
FOOBAR\usuario1:*:50004:50003:usuario1:/home/FOOBAR/usuario1:/bin/false

serverlpz:~ # getent group
at:!:25:
..
winbind:!:112:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
seccion:*:1002:
FOOBAR\domain admins:x:50004:
FOOBAR\domain users:x:50003:FOOBAR\usuario1,FOOBAR\lapaz$
FOOBAR\domain guests:x:50005:FOOBAR\nobody
FOOBAR\domain computers:x:50006:FOOBAR\bar$,FOOBAR\usuario1$
FOOBAR\sistemas:x:50007:
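The capture quoted in the mail ends in a loop: each NTLMSSP session setup is accepted, the Tree Connect to \\COMPU1\IPC$ that follows is refused with 0xC000035C, and the client immediately authenticates again, which is what Explorer "hanging forever" looks like on the wire. As an added example (not code from the thread, from Samba or from Wireshark), the following Python script parses packet-list lines in the format pasted above and reports such accept-then-refuse cycles per user, path and status. SAMPLE is constructed from the first two of the three cycles quoted in the mail; the NTSTATUS names are the ones defined in MS-ERREF.

```python
"""Spot an SMB1 session-setup / tree-connect retry loop in a Wireshark
packet-list export in the format quoted in the thread.

Added example, not code from the thread or from Samba.  SAMPLE is
constructed from the capture lines quoted above (frame numbers, hosts
and status codes taken from the mail); NTSTATUS names follow MS-ERREF.
"""
import re
from collections import Counter

# The NTSTATUS values relevant to a session setup / tree connect exchange.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC00000CC: "STATUS_BAD_NETWORK_NAME",
    0xC000035C: "STATUS_NETWORK_SESSION_EXPIRED",
}
NAME_TO_CODE = {v: k for k, v in NTSTATUS.items()}

# Packet list columns: No. Time Source Destination Protocol Length Info
FRAME_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

# Constructed sample: first two cycles of the capture quoted in the mail.
SAMPLE = r"""
249  15.610519  192.168.1.101  192.168.10.100  SMB  260  Session Setup AndX Request, NTLMSSP_NEGOTIATE
250  15.610866  192.168.10.100  192.168.1.101  SMB  291  Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
251  15.611490  192.168.1.101  192.168.10.100  SMB  400  Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
252  15.615751  192.168.1.101  192.168.10.100  ICMP  74  Echo (ping) request  id=0x0200, seq=1024/4, ttl=30
253  15.622135  192.168.10.100  192.168.1.101  ICMP  74  Echo (ping) reply    id=0x0200, seq=1024/4, ttl=128
254  15.689197  192.168.10.100  192.168.1.101  SMB  175  Session Setup AndX Response
255  15.689820  192.168.1.101  192.168.10.100  SMB  136  Tree Connect AndX Request, Path: \\COMPU1\IPC$
256  15.689959  192.168.10.100  192.168.1.101  SMB  93  Tree Connect AndX Response, Error: Unknown (0xC000035C)
257  15.690717  192.168.1.101  192.168.10.100  SMB  260  Session Setup AndX Request, NTLMSSP_NEGOTIATE
258  15.690970  192.168.10.100  192.168.1.101  SMB  291  Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
259  15.691353  192.168.1.101  192.168.10.100  SMB  400  Session Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
260  15.732067  192.168.10.100  192.168.1.101  SMB  175  Session Setup AndX Response
261  15.732568  192.168.1.101  192.168.10.100  SMB  136  Tree Connect AndX Request, Path: \\COMPU1\IPC$
262  15.732728  192.168.10.100  192.168.1.101  SMB  93  Tree Connect AndX Response, Error: Unknown (0xC000035C)
"""


def parse_status(info):
    """Decode the 'Error:' field of an Info column into (code, name).
    Returns None when the response carried no error at all (success)."""
    m = re.search(r"Error:\s*(.+)$", info)
    if not m:
        return None
    text = m.group(1).strip()
    hexm = re.search(r"0x([0-9A-Fa-f]{8})", text)   # e.g. "Unknown (0xC000035C)"
    if hexm:
        code = int(hexm.group(1), 16)
        return code, NTSTATUS.get(code, "UNKNOWN")
    return NAME_TO_CODE.get(text), text               # symbolic name printed by Wireshark


def parse_frames(text):
    """Turn packet-list lines into dicts; lines that do not match are ignored."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            no, _t, src, dst, proto, _len, info = m.groups()
            frames.append({"no": int(no), "src": src, "dst": dst,
                           "proto": proto, "info": info})
    return frames


def find_failed_tree_connects(frames):
    """Walk the SMB frames in order and record every cycle in which the
    server accepts the session setup and then refuses the tree connect.
    Each record is (user, path, status_code, status_name, frame_no)."""
    cycles, user, session_ok, path = [], None, False, None
    for f in frames:
        if f["proto"] != "SMB":            # ICMP and other noise in between
            continue
        info = f["info"]
        if info.startswith("Session Setup AndX Request"):
            um = re.search(r"User:\s*(\S+)", info)
            user = um.group(1) if um else user
        elif info.startswith("Session Setup AndX Response"):
            st = parse_status(info)
            session_ok = st is None or st[0] == 0   # no error => authenticated
        elif info.startswith("Tree Connect AndX Request"):
            pm = re.search(r"Path:\s*(\S+)", info)
            path = pm.group(1) if pm else None
        elif info.startswith("Tree Connect AndX Response"):
            st = parse_status(info)
            if session_ok and path and st and st[0] != 0:
                cycles.append((user, path, st[0], st[1], f["no"]))
            session_ok, path = False, None
    return cycles


def summarise(cycles):
    """Collapse identical (user, path, status) cycles into retry counts."""
    counts = Counter(c[:4] for c in cycles)
    return [{"user": u, "path": p, "name": n, "retries": k,
             "status": f"0x{c:08X}" if c is not None else "?"}
            for (u, p, c, n), k in counts.items()]


if __name__ == "__main__":
    for row in summarise(find_failed_tree_connects(parse_frames(SAMPLE))):
        print(row)
```

On the sample this reports one row: FOOBAR\usuario1 against \\COMPU1\IPC$, status 0xC000035C (STATUS_NETWORK_SESSION_EXPIRED), two retries. The useful property for triage is the split it makes explicit: authentication across the trust succeeds (the second Session Setup AndX Response carries no error), and it is the tree connect on the trusting workstation that is refused, so the failure sits after logon, in how the XP box handles the session it just accepted, rather than in the trust password or the NTLMSSP exchange. One caveat: newer tshark versions print an arrow between source and destination in the packet list, so FRAME_RE would need to allow that token when fed `tshark -r capture.pcap` output rather than a copy from the GUI.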
                                        

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
