Re: [Samba] Trouble with trusted domains
On Fri, Apr 11, 2008 at 08:34:40AM -0500, Gerald (Jerry) Carter wrote:
> | Oh, I did not see that code. Can you point me at the right
> | lines?
>
> Hey Volker,
>
> $ git-log b442644bac2a7d5853440254257ca34a8e7c25de
> (SVN r22072).

Okay, thanks!

Volker

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Trouble with trusted domains
Volker Lendecke wrote:
| On Thu, Apr 10, 2008 at 05:27:24PM -0500, Gerald (Jerry) Carter wrote:
|>> We should ask CONTOSO.COM. I'm afraid this is a known
|>> limitation right now. It could be coded up, but it is not
|>> yet.
|> Volker, This is already done in 3.2 so I'm guessing you say
|> we should backport this fix?
|
| Oh, I did not see that code. Can you point me at the right
| lines?

Hey Volker,

$ git-log b442644bac2a7d5853440254257ca34a8e7c25de
(SVN r22072).

cheers, jerry
--
Samba - http://www.samba.org
Likewise Software - http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Trouble with trusted domains
On Thu, Apr 10, 2008 at 05:27:24PM -0500, Gerald (Jerry) Carter wrote:
> > We should ask CONTOSO.COM. I'm afraid this is a known
> > limitation right now. It could be coded up, but it is not
> > yet.
>
> Volker, This is already done in 3.2 so I'm guessing you say
> we should backport this fix?

Oh, I did not see that code. Can you point me at the right
lines?

Thanks,

Volker
Re: [Samba] Trouble with trusted domains
Volker Lendecke wrote:
> On Thu, Apr 10, 2008 at 02:20:28PM +0200, Martin Zielinski wrote:
>> winbind does this with a LSA RPC call to CHILD2 (not to CHILD1, where
>> the user comes from) and receives a "NO MAPPED USER" reply.
>>
>> Now my question is: shouldn't Samba ask CHILD1 for the user
>> CHILD1\testtest or
>> should CHILD2 know about user CHILD1\testtest?
>> Where lies the mistake?
>
> We should ask CONTOSO.COM. I'm afraid this is a known
> limitation right now. It could be coded up, but it is not
> yet.

Volker, This is already done in 3.2 so I'm guessing you say we should
backport this fix?

cheers, jerry
Re: [Samba] Trouble with trusted domains
Martin Zielinski wrote:
> Hello list,
>
> perhaps someone can guide me, finding out what's going wrong in the
> following scenario (Active Directory, Samba 3.0.20b same with 3.0.28a):
>
> CHILD1.CONTOSO.COM <-trusts-> CONTOSO.COM <-trusts->CHILD2.CONTOSO.COM
>         |                                             |         |
> User: CHILD1\testtest                                 |       Samba
>                                                     Vista
>
> CHILD1\testtest -> Vista : works (of course :-()
> CHILD1\testtest -> Samba : password prompt (logon failure)
>
> What I can see, is that Samba decodes the user correctly out of kerberos
> ticket as [EMAIL PROTECTED]
>
> Then, Samba (better to say: winbind) tries to resolve the shortened name
> CHILD1\testtest into a SID.
>
> winbind does this with a LSA RPC call to CHILD2 (not to CHILD1, where
> the user comes from) and receives a "NO MAPPED USER" reply.
>
> Now my question is: shouldn't Samba ask CHILD1 for the user
> CHILD1\testtest or
> should CHILD2 know about user CHILD1\testtest?
> Where lies the mistake?

Fixed in 3.2. We should ask the root of our forest which is what we do
in the 3.2 series.

cheers, jerry
Re: [Samba] Trouble with trusted domains
On Thu, Apr 10, 2008 at 02:20:28PM +0200, Martin Zielinski wrote:
> winbind does this with a LSA RPC call to CHILD2 (not to CHILD1, where
> the user comes from) and receives a "NO MAPPED USER" reply.
>
> Now my question is: shouldn't Samba ask CHILD1 for the user
> CHILD1\testtest or
> should CHILD2 know about user CHILD1\testtest?
> Where lies the mistake?

We should ask CONTOSO.COM. I'm afraid this is a known
limitation right now. It could be coded up, but it is not
yet.

Volker