Inter-Domain Trust Relationship and lmhosts Text Casing

By Jerome at October 13, 2004 11:40

Among the interesting things in the latest versions of Samba are NT4 Inter-Domain Trust Relationships. In the Windows world, the original NT4 domain model was not scalable enough when NT4 was omnipresent. Company mergers did not mix well with a single Windows domain that had to hold all user accounts and everything else.

One solution introduced back then was the ability for an NT4 domain to trust users authenticated in another NT4 domain. This comes in several flavors, known as incoming, outgoing and bidirectional trusts, which allow users to be authenticated in both domains or only in selected ones. Transitive and non-transitive trusts can also be used when at least three domains interact, to allow users from domain A, say, to be authenticated in domain C through B, if the trust between A and B is transitive.

This facility is now fully integrated into Windows 2000/2003 domains, which can trust NT4-style domains, including Samba-managed domains.

Here at Epitech we have a growing need to interconnect a number of small domains, to let users connect to a variety of services and to allow unified password management; a Samba domain is used to map users between the Windows and the Unix worlds.

When establishing the trust between two domains, there are at least two possible scenarios:

  • The domain can be identified using a NetBIOS broadcast or WINS resolution, which implies that the domain is known and has registered itself with the WINS server, or is located on the same physical IPv4 subnet,
  • Or, the domain cannot be identified using a single broadcast and must be identified via a manual addition of the domain to the WINS server, or the domain and the associated domain controller have been added to the lmhosts file.

After a lot of trying, I have found that both the WINS and lmhosts modifications are needed to establish the trust. If you don't do both, the domain controller that wants to establish the trust tries to partially resolve the remote DC by using a really weird NETLOGON/UDP packet that is of course rejected (and not even logged) by Samba. The rest is done by an attempt to locate the remote DC via a local subnet broadcast, which of course fails.

You might say: "Well, modifying the lmhosts file should be a piece of cake!" Actually yes, writing it is. So here is what you might want to add to your lmhosts file:

    mysamba-dc             #PRE   #DOM:midearth
    "midearth       \0x1b"  #PRE

Which seems fine. By the way, the \0x1b suffix marks the midearth entry as a domain and must be placed as the 16th byte of the name (which is why the name is padded with spaces). Historical laziness... What a shame. Anyway, this does not work and produces the strange behavior I described earlier. Here is a version of the same block that really works:

    MYSAMBA-DC             #PRE   #DOM:MIDEARTH
    "MIDEARTH       \0x1b"  #PRE

Notice anything? Yes! All names are uppercased... And no error or warning message tells you about this when the casing is not correct. After that, everything works fine and the trust can be established. I kind of hate losing time with that kind of trick, but hey, it works now :)
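Since Windows gives no warning for these mistakes, here is a small lmhosts linter, added as an example and not part of the original post, that flags lowercase host, domain and #DOM: names and quoted names that do not decode to exactly 16 bytes. The two entry sets mirror the post's non-working and working fragments; the IP address is an assumption, since the post omits it.

```python
import re

# Constructed sample entries modelled on the post's two lmhosts fragments.
# The IP address is an assumption (documentation range); the post omits it.
LOWERCASE_ENTRIES = r'''192.0.2.10   mysamba-dc             #PRE   #DOM:midearth
192.0.2.10   "midearth       \0x1b"  #PRE
'''
UPPERCASE_ENTRIES = r'''192.0.2.10   MYSAMBA-DC             #PRE   #DOM:MIDEARTH
192.0.2.10   "MIDEARTH       \0x1b"  #PRE
'''

ESCAPE = re.compile(r'\\0x([0-9A-Fa-f]{2})')                # lmhosts \0xNN byte escape
ENTRY = re.compile(r'^\s*(\S+)\s+(?:"([^"]*)"|(\S+))(.*)$')  # ip, quoted|bare name, rest


def decode_name(raw):
    """Expand \\0xNN escapes in a quoted lmhosts name and return it as bytes."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw).encode('latin-1')


def lint_lmhosts(text):
    """Return (line_no, problem) findings for trust-related lmhosts entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue                          # blank or comment line
        m = ENTRY.match(line)
        if not m:
            findings.append((no, 'unparseable line'))
            continue
        quoted, bare, rest = m.group(2), m.group(3), m.group(4)
        if quoted is not None:
            name = decode_name(quoted)
            if len(name) != 16:               # 15 padded name chars + 1 suffix byte
                findings.append((no, 'quoted name must be 16 bytes, got %d' % len(name)))
            elif name[15] == 0x1B:            # 0x1B suffix = domain (master browser) entry
                base = name[:15].rstrip(b' ')
                if base != base.upper():
                    findings.append((no, 'domain name %r is not uppercase' % base.decode()))
        elif bare != bare.upper():
            findings.append((no, 'host name %r is not uppercase' % bare))
        for dom in re.findall(r'#DOM:(\S+)', rest):
            if dom != dom.upper():
                findings.append((no, '#DOM: value %r is not uppercase' % dom))
    return findings


if __name__ == '__main__':
    for label, entries in (('lowercase', LOWERCASE_ENTRIES), ('uppercase', UPPERCASE_ENTRIES)):
        print(label, lint_lmhosts(entries) or 'no findings')
```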

Multiple MassStorage Drivers with Windows 2000/XP/2003 and INACCESSIBLE_BOOT_DEVICE

By Jerome at October 08, 2004 11:42

One annoying thing about Windows is the management of Mass Storage drivers. Windows Setup only installs the drivers needed for the current system, which is generally fine. As long as you change your hardware but not the Mass Storage chipset, there is no problem: Windows just restarts its Plug and Play stage to re-detect all the new devices and peripherals, and this works really well.

Here at Epitech, computers were Via-based for two years in a row, and changing from one to the other was not a problem. This year's new computers are Intel-based. Nice computers, really.

But there is one problem: Via-based Windows installations don't boot anymore. You get a nice 0x7B stop code (a BSOD), which means INACCESSIBLE_BOOT_DEVICE: Windows was unable to find a suitable boot device, because it does not have the appropriate drivers for the current hardware.

Microsoft has a Knowledge Base article (KB314082) about this particular issue, which states that you can force a Windows installation to try every known Mass Storage driver during startup. Since the procedure involves copying some Intel drivers, I assumed a while ago that it would only work in the Via to Intel direction. Well, apparently not. It also works in the Intel to Via direction, which is really nice :) Actually, it works from any chipset to any other, as long as the hardware is natively known by Windows.

This solves a lot of problems for the many people here who really don't want to reinstall their Windows.

Windows Installer CleanUp Utility

By Jerome at April 02, 2004 11:54

Microsoft has made available a utility that cleans the registry of problems related to the use of Windows Installer... A solution when some programs refuse to install and throw strange errors...

News Source: The Windows Installer CleanUp Utility

About me

My name is Jerome Laban. I am a Software Architect, C# MVP and .NET enthusiast from Montréal, QC. You will find my blog on this site, where I add my thoughts on current events or on the things I'm working on, such as the Remote Control for Windows Phone.