[PATCH] lookup user principal name, was: Re: Another attempt at a patch to allow kerberos upn lookups via winbind...

Don McCall donmccall1 at yahoo.com
Wed Feb 14 19:12:33 GMT 2007


In the meantime, can I run something by you guys?


I have a samba 3.0.22 server on HP-UX 11.23 joined to a Windows 2k3 AD domain: VMAD0.MCCALL.COM

VMAD0.MCCALL.COM trusts another Win2k3 AD domain: VMAD1.MCCALL.COM

BUT VMAD1.MCCALL.COM does NOT trust VMAD0.MCCALL.COM (i.e. a one-way trust).
In this case, wbinfo -u returns ONLY users from VMAD0, and wbinfo -u --domain=VMAD1 fails.
The log.winbindd looks like:
[2007/02/14 13:49:45, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =vmdc1$@VMAD1.MCCALL.COM
[2007/02/14 13:49:45, 3] libsmb/clikrb5.c:ads_krb5_mk_req(478)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/02/14 13:49:45, 1] libsmb/clikrb5.c:ads_krb5_mk_req(486)
  ads_krb5_mk_req: krb5_get_credentials failed for vmdc1$@VMAD1.MCCALL.COM (Server not found in Kerberos database)
[2007/02/14 13:49:45, 1] nsswitch/winbindd_ads.c:ads_cached_connection(108)
  ads_connect for domain VMAD1 failed: Server not found in Kerberos database
[2007/02/14 13:49:45, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(337)
  store_cache_seqnum: success [VMAD1][4294967295 @ 1171478985]
[2007/02/14 13:49:45, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(396)
  refresh_sequence_number: VMAD1 seq number is now -1

So it appears that winbind requires a two-way trust (incoming/outgoing) between the domain it is a member of and any domains trusted by its own domain, so it can contact a trusted domain DC when it's resolving stuff.
Is this right????
Don
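The log excerpt above is the only evidence in the thread, so here is an added example (my code, not Don's and not part of Samba) that parses winbindd's header/continuation log format and flags a trusted domain whose DC connection failed with a Kerberos error and whose sequence number was then reset to -1. That pair of events is exactly what the excerpt shows for VMAD1. The sample log is the excerpt re-embedded as constructed input, with the line that the mail client wrapped joined back together.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the winbindd log lines quoted in the message above,
# with the wrapped "Server not found in Kerberos database" line rejoined.
SAMPLE_LOG = """\
[2007/02/14 13:49:45, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =vmdc1$@VMAD1.MCCALL.COM
[2007/02/14 13:49:45, 3] libsmb/clikrb5.c:ads_krb5_mk_req(478)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/02/14 13:49:45, 1] libsmb/clikrb5.c:ads_krb5_mk_req(486)
  ads_krb5_mk_req: krb5_get_credentials failed for vmdc1$@VMAD1.MCCALL.COM (Server not found in Kerberos database)
[2007/02/14 13:49:45, 1] nsswitch/winbindd_ads.c:ads_cached_connection(108)
  ads_connect for domain VMAD1 failed: Server not found in Kerberos database
[2007/02/14 13:49:45, 10] nsswitch/winbindd_cache.c:store_cache_seqnum(337)
  store_cache_seqnum: success [VMAD1][4294967295 @ 1171478985]
[2007/02/14 13:49:45, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(396)
  refresh_sequence_number: VMAD1 seq number is now -1
"""


@dataclass
class LogEntry:
    timestamp: str
    level: int
    source: str   # "file.c:function(line)" exactly as winbindd prints it
    message: str  # the indented continuation line(s), joined with spaces


# winbindd header line: "[YYYY/MM/DD HH:MM:SS, <debug level>] file:func(line)"
HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+?), (?P<level>\d+)\] (?P<src>\S+)$")


def parse_winbindd_log(text: str) -> list[LogEntry]:
    """Group each header line with the indented message lines that follow it."""
    entries: list[LogEntry] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(LogEntry(m["ts"], int(m["level"]), m["src"], ""))
        elif entries and raw.startswith(" "):
            last = entries[-1]
            last.message = (last.message + " " + raw.strip()).strip()
        # anything else (blank lines, stray text) is ignored
    return entries


ADS_CONNECT_FAIL_RE = re.compile(
    r"ads_connect for domain (?P<domain>\S+) failed: (?P<reason>.+)")
SEQ_RESET_RE = re.compile(
    r"refresh_sequence_number: (?P<domain>\S+) seq number is now -1")


def find_trust_failures(entries: list[LogEntry]) -> dict[str, dict]:
    """Per trusted domain: the ads_connect failure reason, whether it was a
    Kerberos lookup error, and whether winbind then reset the domain's
    sequence number (i.e. gave up on that domain's DC for now)."""
    failures: dict[str, dict] = {}
    for e in entries:
        m = ADS_CONNECT_FAIL_RE.search(e.message)
        if m:
            rec = failures.setdefault(
                m["domain"], {"reason": None, "kerberos": False, "seq_reset": False})
            rec["reason"] = m["reason"]
            rec["kerberos"] = "Kerberos database" in m["reason"]
        m = SEQ_RESET_RE.search(e.message)
        if m and m["domain"] in failures:
            failures[m["domain"]]["seq_reset"] = True
    return failures


if __name__ == "__main__":
    for domain, rec in find_trust_failures(parse_winbindd_log(SAMPLE_LOG)).items():
        print(f"{domain}: {rec}")
```

Running this on the sample reports VMAD1 with a Kerberos reason and seq_reset set, which is the pattern to look for in log.winbindd when checking whether a trusted domain's DC is reachable from the member server at all.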


----- Original Message ----
From: Gerald (Jerry) Carter <jerry at samba.org>
To: Guenther Deschner <gd at samba.org>
Cc: samba-technical at lists.samba.org; "McCall, Don (GSE-WTEC-Alpharetta)" <don.mccall at hp.com>
Sent: Tuesday, February 13, 2007 9:10:24 PM
Subject: Re: [PATCH] lookup user principal name, was: Re: Another attempt at a patch to allow kerberos upn lookups via winbind...



Guenther Deschner wrote:
> Hello Don,
> 
> can you please give the attached patch a try?

Guenther,  Would you mind waiting to apply this?
I have an alternate implementation I would like to
propose as soon as I finish the patch against SAMBA_3_0.

jerry