Inter-Domain Trust Relationship and lmhosts Text Casing

By Jerome at October 13, 2004 11:40

Among the interesting things in recent versions of Samba is support for NT4 inter-domain trust relationships. In the Windows world, the original NT4 domain model did not scale well back when NT4 was everywhere: company mergers did not mix well with a single Windows domain into which all user accounts and everything else had to be merged.

One solution introduced back then was the ability for an NT4 domain to trust users authenticated by another NT4 domain. This comes in several flavors, known as incoming, outgoing and bidirectional trusts, so that users can be authenticated in both domains or only in selected ones. Transitivity matters as soon as at least three domains interact: with transitive trusts, users from domain A can be authenticated in domain C through B, provided both the A-B and B-C trusts are transitive. NT4 trusts themselves are always non-transitive (transitive trusts only arrived with Active Directory), so with NT4-style domains, Samba ones included, every pair of domains that must trust each other has to be linked explicitly.

Windows 2000/2003 Active Directory domains still support this facility in the form of external trusts, so they can trust NT4-style domains, which includes Samba-managed domains.

Here at epitech we have a growing need to interconnect a number of small domains, so that users can reach a variety of services and passwords can be managed in one place; a Samba domain is used to map users between the Windows and the Unix worlds.

When establishing the trust between two domains, there are at least two possible scenarios:

  • The domain can be identified using a NetBIOS broadcast or WINS resolution, which implies that the domain is known and has registered itself with the WINS server, or is located on the same physical IPv4 subnet,
  • Or the domain cannot be identified with a single broadcast and must be identified through a manual addition of the domain to the WINS server, or of the domain and its domain controller to the lmhosts file.

During a lot of trying, I have found that a combination of both the WINS and lmhosts modifications is needed to establish the trust. If you don't do both, the domain controller that wants to establish the trust tries to partially resolve the remote DC using a really weird NETLOGON/UDP packet that is of course rejected (and not even logged) by Samba. The rest is done by an attempt to locate the remote DC through a local subnet broadcast, which of course fails.

You might say: "Well, modifying the lmhosts file should be a piece of cake!" Actually yes, writing it is. So here is what you might want to add to your lmhosts file:

     10.0.0.1    mysamba-dc             #PRE   #DOM:midearth
     10.0.0.1   "midearth       \0x1b"  #PRE

Which seems to be fine. By the way, the \0x1b suffix marks the midearth entry as the domain's <1B> name (the domain master browser, registered by the PDC) and must land in the 16th byte of the NetBIOS name, which is why the quoted name has to be padded with spaces to exactly 15 characters. Historical laziness... What a shame. Anyway, this does not work and produces the strange behavior I described earlier. Here is a version of the same block that really works:

     10.0.0.1    MYSAMBA-DC             #PRE   #DOM:MIDEARTH
     10.0.0.1   "MIDEARTH       \0x1b"  #PRE

Notice anything? Yes! All names are uppercased... And no error or warning message notifies you when the casing is not correct. After that, everything works fine and the trust can be established. I kind of hate losing time on that kind of trick, but hey, it works now :)
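Since Windows accepts a badly cased or badly padded lmhosts entry without a word, the only practical check is one you write yourself. The script below is an added example, not code from the original post: it generates the two entries for a remote PDC with the casing and the 15-character padding done right, and lints an existing lmhosts block for the silent mistakes described above (lowercase names, a lowercase #DOM tag, a quoted name whose \0x1b suffix does not sit in byte 16). The domain MIDEARTH, the DC MYSAMBA-DC and 10.0.0.1 are the values from this post; the function names and the sample inputs are my own.

```python
"""lmhosts helper for an NT4-style domain trust: generate the two entries
for a remote PDC and lint an existing block for the silent mistakes
discussed in the post (lowercase names, mis-padded \\0x1b entry).

Added example, not code from the original post.  MIDEARTH, MYSAMBA-DC and
10.0.0.1 are the values used in the post; the helper names are my own.
"""
import re

NETBIOS_NAME_LEN = 15   # bytes 1-15 hold the name, byte 16 the suffix
DMB_SUFFIX = '1b'       # <1B> name: the domain master browser, i.e. the PDC

# Keywords are written in uppercase in lmhosts.sam; anything else after a
# '#' is a comment, so only these two are looked for.
KEYWORDS = re.compile(r'#(PRE\b|DOM:(\S+))')
QUOTED_ENTRY = re.compile(r'^(\S+)\s+"([^"]*)"(.*)$')
PLAIN_ENTRY = re.compile(r'^(\S+)\s+([^\s"#]+)(.*)$')


def netbios_name(name):
    """Normalise a NetBIOS name: uppercase, 1-15 chars, no spaces/quotes."""
    name = name.strip().upper()
    if not 1 <= len(name) <= NETBIOS_NAME_LEN:
        raise ValueError('NetBIOS name must be 1 to 15 characters: %r' % name)
    if re.search(r'[\s"]', name):
        raise ValueError('NetBIOS name may not contain spaces or quotes: %r' % name)
    return name


def lmhosts_entries(ip, dc_name, domain):
    """Return the two lmhosts lines for the PDC of a remote domain."""
    dc = netbios_name(dc_name)
    dom = netbios_name(domain)
    return [
        # The DC itself, preloaded and tagged as a controller of DOM.
        '%s\t%s\t#PRE\t#DOM:%s' % (ip, dc, dom),
        # The domain's <1B> name: pad to 15 characters so that the \0x1b
        # suffix lands in byte 16 of the NetBIOS name.
        '%s\t"%s\\0x%s"\t#PRE' % (ip, dom.ljust(NETBIOS_NAME_LEN), DMB_SUFFIX),
    ]


def lint_lmhosts(text):
    """Return (line_number, problem) pairs for entries that Windows loads
    without any warning but that break trust establishment."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = QUOTED_ENTRY.match(line)
        if m:
            ip, body, rest = m.groups()
            name, sep, suffix = body.partition('\\0x')
            if sep and len(name) != NETBIOS_NAME_LEN:
                problems.append((lineno, 'quoted name is %d characters wide; '
                                 'pad it to exactly %d so \\0x%s is byte 16'
                                 % (len(name), NETBIOS_NAME_LEN, suffix)))
            name = name.rstrip()
        else:
            m = PLAIN_ENTRY.match(line)
            if not m:
                problems.append((lineno, 'unparseable entry: %r' % line))
                continue
            ip, name, rest = m.groups()
        if name != name.upper():
            problems.append((lineno, 'name %r is not uppercase' % name))
        if len(name) > NETBIOS_NAME_LEN:
            problems.append((lineno, 'name %r is longer than 15 characters' % name))
        for kw in KEYWORDS.finditer(rest):
            dom = kw.group(2)
            if dom and dom != dom.upper():
                problems.append((lineno, '#DOM:%s is not uppercase' % dom))
    return problems


# The non-working block from the post, as a constructed sample input.
BROKEN_BLOCK = r'''10.0.0.1    mysamba-dc             #PRE   #DOM:midearth
10.0.0.1   "midearth       \0x1b"  #PRE'''


if __name__ == '__main__':
    for lineno, problem in lint_lmhosts(BROKEN_BLOCK):
        print('line %d: %s' % (lineno, problem))
    print()
    print('\n'.join(lmhosts_entries('10.0.0.1', 'mysamba-dc', 'midearth')))
```

Run it against your lmhosts file before touching the trust wizard; the lowercase block from this post yields three findings and the uppercase one yields none. On the Windows DC, `nbtstat -R` purges the name cache and reloads the #PRE entries from lmhosts, and `nbtstat -c` lists what was actually loaded, which is the closest thing to feedback Windows gives you here. From the Samba side, `nmblookup MIDEARTH#1b` (or `nmblookup -U <wins-ip> -R MIDEARTH#1b` against the WINS server) tells you whether the <1B> name resolves at all.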


About me

My name is Jerome Laban, I am a Software Architect, C# MVP and .NET enthusiast from Montréal, QC. You will find my blog on this site, where I'm adding my thoughts on current events, or the things I'm working on, such as the Remote Control for Windows Phone.