[Samba] Samba & ADS & NT4 trusted domains not working.

Ochs, Duane Duane.Ochs at qg.com
Fri Dec 17 23:21:47 GMT 2004


RH 3.0 ES
krb5 1.2.7
Samba 3.0.9
 
 
I am trying to use Samba, Winbind and Kerberos to configure single sign-in
and allow users from both Windows and Linux (RH 3.0 ES) platforms to
use shares from either platform. I cannot see users from my primary
domain but can see the trusted NT4 groups and users. I have been trying
to get this right for the last week and keep thinking I am missing
something easy. I followed the following doc for setup procedures. Any
help would be appreciated.
http://www.wlug.org.nz/ActiveDirectorySamba
 
Primary  QG.COM
AD = W2K3 running in W2K native mode, with two-way trusts with the
following:

3 - W2K3 AD in W2K3 native
5 - NT4 trusted domains
 
[root@sxec2 rhn-packages]# wbinfo -t
checking the trust secret via RPC calls succeeded
 
[root@sxec2 rhn-packages]# wbinfo -m
SXEC2
BUILTIN
QMED
CORPORATE
QG_INKJET
QUADTECH
HIGHTECH
IMAGING
QUADMED
CUSTOMERS

[root@sxec2 rhn-packages]# wbinfo --sequence
SXEC2 : 1
BUILTIN : 1
QMED : DISCONNECTED          W2K3 Native
CORPORATE : 1031564          NT
QG_INKJET : 95442            NT
QUADTECH : 9281              NT
HIGHTECH : 164705            NT
IMAGING : 60026              NT
QUADMED : DISCONNECTED       W2K3
CUSTOMERS : DISCONNECTED     W2K3
QG : DISCONNECTED            W2K3 in W2K native
 
 
wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
QMED\Domain Admins
QMED\Domain Users
QMED\Domain Guests
QMED\Domain Computers
QMED\Domain Controllers
QMED\Schema Admins
QMED\Enterprise Admins
QMED\Group Policy Creator Owners
QMED\DnsUpdateProxy
QUADTECH\AbnAmro
QUADTECH\Domain Admins
QUADTECH\Domain Guests
QUADTECH\Domain Users
QUADTECH\Organisatie
HIGHTECH\Domain Admins
HIGHTECH\Domain Guests
HIGHTECH\Domain Users
IMAGING\Domain Admins
IMAGING\Domain Guests
IMAGING\DOMAIN POLICY
IMAGING\DOMAIN PROD
IMAGING\Domain Users
CUSTOMERS\Domain Admins
CUSTOMERS\Domain Users
CUSTOMERS\Domain Guests
CUSTOMERS\Domain Computers
CUSTOMERS\Domain Controllers
CUSTOMERS\Schema Admins
CUSTOMERS\Enterprise Admins
CUSTOMERS\Group Policy Creator Owners
CUSTOMERS\DnsUpdateProxy

SMB.conf
 
[global]
        netbios name = SXEC2
        workgroup = QG
        encrypt passwords = yes
        realm = QG.COM
        server string = "Enterprise Computing Linux Server"
        security = ADS
        password server = "IP of my AD server"
        log level = 3
        os level = 0
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
 
 
krb5.conf
 
[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
 
[libdefaults]
 ticket_lifetime = 24000
 default_realm = QG.COM
 default_tgs_enctypes = RC4-HMAC des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = RC4-HMAC des3-hmac-sha1 des-cbc-crc des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 
[realms]
 QG.COM = {
  kdc = "IP of my AD server"
  default_domain = qg.com
 }
 
[domain_realm]
.qg.com = QG.COM
qg.com = QG.COM
 
[appdefaults]
pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
}

 

Duane Ochs
Enterprise Computing
Quad/Graphics Inc.
Sussex, Wisconsin
414-566-2375 phone
414-566-4010 pin# 2375 beeper
Duane.Ochs at qg.com
www.QG.com
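
Added example, not part of the original post: a short Python cross-check of the `wbinfo --sequence` and `wbinfo -g` output shown above, bucketing each domain by whether winbind reports it as DISCONNECTED and whether any of its groups were enumerated. The function names are hypothetical, and the sample text is copied from the post with the group list abridged to one entry per domain.

```python
import re

# Sample input copied from the post (group list abridged to one entry per
# domain). In real use, capture `wbinfo --sequence` and `wbinfo -g` instead.
SEQUENCE_OUTPUT = """\
SXEC2 : 1
BUILTIN : 1
QMED : DISCONNECTED                W2K3 Native
CORPORATE : 1031564                    NT
QG_INKJET : 95442
QUADTECH : 9281
HIGHTECH : 164705
IMAGING : 60026
QUADMED : DISCONNECTED
CUSTOMERS : DISCONNECTED
QG : DISCONNECTED                        W2K3 in W2K native
"""
GROUP_OUTPUT = """\
BUILTIN\\Users
QMED\\Domain Users
QUADTECH\\Domain Users
HIGHTECH\\Domain Users
IMAGING\\Domain Users
CUSTOMERS\\Domain Users
"""

def parse_sequence(text):
    """Map domain -> sequence number, or None if not a number (DISCONNECTED)."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*:\s*(\S+)", line)
        if m:  # notes typed after the value are ignored
            domain, value = m.groups()
            state[domain] = int(value) if value.isdigit() else None
    return state

def domains_with_groups(text, separator="\\"):
    """Domains with at least one enumerated DOMAIN<separator>group entry."""
    return {ln.split(separator, 1)[0].strip() for ln in text.splitlines() if separator in ln}

def classify(state, enumerated):
    """Bucket every domain by (connected?, any groups enumerated?)."""
    buckets = {}
    for domain, seq in state.items():
        key = ("connected" if seq is not None else "disconnected",
               "groups listed" if domain in enumerated else "no groups")
        buckets.setdefault(key, []).append(domain)
    return buckets
```

On the posted output, QG and QUADMED land in the disconnected bucket with no groups, while QMED and CUSTOMERS are disconnected yet still have groups listed.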

 

