[Samba] Re: Trusting and trusted domain (home mapping) problem
Igor Belyi
sambauser at katehok.ac93.org
Fri Nov 5 04:51:39 GMT 2004
Adrian Chow wrote:
> Hi Igor,
>
> Regarding the home mapping problem:- I changed my log to level 3. And
> I got the following log which I think is weird. (maybe the reason why
> it cannot map). The problem is :- Logging in as user_A with domain_A at
> Domain_A_computer gets the home directory mapped, but logging in as user_B
> with domain_B at Domain_A_computers does not get the home directory mapped.
>
> This is the log from domain_A_pdc. The XP computer joins domain_A. I
> am logging in as user_B from domain_B where domain_B_pdc has mutual
> trust with domain_A_pdc.
> The log file is /var/log/samba/xp_computer_name from domain_A_pdc. It
> is when I run "net use x: /home" or logon to the domain.
>
> --------------------------------------------------------
> [2004/11/04 17:20:05, 2] auth/auth.c:check_ntlm_password(305)
> check_ntlm_password: authentication for user [grade2] -> [grade2]
> -> [UWCSTU\grade2] succeeded
> [2004/11/04 17:20:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2004/11/04 17:20:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60088215
> [2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(222)
> User name: UWCSTU\grade2 Real name: Grade 2 User
> [2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(241)
> UNIX uid 10002 is UNIX user UWCSTU\grade2, and will be vuid 109
> [2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(270)
> Adding homes service for user 'UWCSTU\grade2' using home directory:
> '/home/UWCSTU/grade2'
> [2004/11/04 17:20:05, 3] param/loadparm.c:lp_add_home(2341)
> adding home's share [grade2] for user 'UWCSTU\grade2' at
> '/home/UWCSTU/grade2'
> ----------------------------------------------------------
>
> Why is it adding homes services? domain_A_pdc should get
> domain_b_user info from domain_b_pdc (which it uses ldap to get the
> sambaHomeDrive and sambaHomePath). It is like when winbind
> successfully maps the user, it does not know the homepath or the
> homedrive.
As far as I understand - that's how Samba works with "builtin" shares -
[homes] and [printers] - it creates the right shares on the fly. Funny
thing - I have userA's home share getting created in both Domains, but
since in DomainB this path does not exist - nobody has access to this
share. But H: is correctly mapped to the share specified as
sambaHomePath. What I mean - these lines do not indicate an error - I
have the same lines but mapping works.
>
> This is the result when I add winbind into nsswitch.conf. But if I
> don't (like your case)... I cannot even login as user_b for domain_b
> at the xp computer. It is because the user_b is not even found in the
> local database file. With winbind in nsswitch.conf, getent passwd and
> getent group will return the user and group in the trusted domain.
> And the shares will have a problem with valid users = @"Domain_B\Domain
> Users". Igor, I really wonder how your scenario works...
>
> Questions:-
> 1. Does your "getent passwd" and "getent group" show the trusted
> domain accounts?
I don't know how I made it work previously without winbind in
nsswitch.conf but after cleaning everything and starting from scratch
I realized that I do need it there for accounts from trusted domains. In
both my domains I have:
% grep winbind /etc/nsswitch.conf
passwd: ldap winbind files
group: ldap winbind files
Yes, both "getent passwd" and "getent group" show me accounts and
groups from the trusted domain as well.
> 2. Does your smb.conf for shares work if you want certain groups in
> the trusted domain to access it? Can you give an example of how to do
> it? (e.g valid users = ... )
With winbind in nsswitch.conf the full names work. I've tried 'valid
users = @"DomainA\Domain Users"' for a share and it works - userA from
this group has access to the share and userB - does not. You just need
to make sure that the UNIX permissions on the share's path allow access for
users in this group as well.
> 3. I have the proper sambaHomePath and sambaHomeDrive as yours. Is
> there any winbind settings you have in the smb.conf that cause it to work?
The only winbind related entries in smb.conf in both Domains are:
% grep idmap /etc/samba/smb.conf
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
> 4. Do you specify the "auth methods" in the smb.conf?
No, I don't - they are default to those for 'security = user':
% testparm -sv |& grep "auth method"
auth methods =
> 5. You have winbind running?
Yes, I do. And it works according to the entries appearing in LDAP.
> 6. Do you have pam_winbind in your pam.d directory files (e.g login,
> ssh...)?
No, I don't use pam_winbind (no winbind in any of the /etc/pam.d/*
files). To be honest, I don't even know what it could be used for.
On a related note - I did have a problem with user login when I had 'obey
pam restrictions = Yes' in smb.conf. It caused Samba to fail when it
asked PAM to verify the account of the user from the trusting domain.
>
> That's all the questions I can think of now.
>
> Thanks for helping.
>
> adrian
>
> Igor Belyi wrote:
>
>> Adrian Chow wrote:
>>
>>> Hi Igor,
>>>
>>> Do you have trustdomains in your "auth methods"?
>>>
>>> Currently I removed the winbind from nsswitch.conf. And "smbclient
>>> //domain_B_PDC//shared -U domain_A/domain_A_user" does not work.
>>
>> Have you tried "smbclient //domain_B_PDC//shared -W domain_A -U
>> domain_A_user"?
>>
>>> If I put winbind in the nsswitch.conf, then I will be able to
>>> authenticate but cannot connect to the shared folder with the following
>>> error:-
>>> Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
>>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>
>> I would also guess that since "valid users" and "write list" accept
>> only UNIX and NIS groups you will need to have winbind in your
>> nsswitch.conf for @"Domain_A\Domain Users" to work...
>>
>> Does Samba allow Domain_A\domain_a_user to access this share if you
>> list the user without domain specification: "valid users =
>> domain_a_user"?
>>
>>> The log file from the Domain_B_PDC:-
>>>
>>> [2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
>>> Client requested device type [?????] for share [SHARED]
>>> [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
>>> making a connection to 'normal' service shared
>>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>> Unable to get default yp domain
>>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>> Unable to get default yp domain
>>> [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
>>> user 'Domain_A\domain_a_user' (from session setup) not permitted
>>> to access this share (Shared)
>>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
>>> error string = No such file or directory
>>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
>>> error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
>>> NT_STATUS_ACCESS_DENIED
>>>
>>> --------------
>>>
>>> My smb.conf :-
>>>
>>> [Shared]
>>> path = /shared
>>> valid users = @"Domain Users", @"Domain_A\Domain Users"
>>> write list = @"Domain Users", @"Domain_A\Domain Users"
>>> browsable = yes
>>> guest ok = no
>>> writeable =no
>>>
>>>
>>> ---------------
>>>
>>>
>>> Do you have winbind in your nsswitch.conf?
>>
>> No, I don't.
>>
>>> How did you manage to get the mapped home directory for
>>> domain_a_user when he logs on to the joined_domain_B_computer?
>>
>> Yes, I have XP computer joined domain_A and this domain has mutual
>> trust with domain_B. I can login on this computer as user_a into
>> domain_A and as user_b into domain_B and their corresponding home
>> directories get correctly mapped into drive H:
>>
>> dn: uid=user_a,ou=People,dc=domain_A,dc=org
>> sambaHomeDrive: H:
>> sambaHomePath: \\server_A\homes
>>
>> dn: uid=user_b,ou=People,dc=domain_B,dc=org
>> sambaHomeDrive: H:
>> sambaHomePath: \\server_B\homes
>>
>>>
>>> Hope to hear from you on this... thanks a lot.
>>>
>>> adrian
>>>
>>> p/s: hope you got my previous mail cos I forgot to cc to sambalists
>>
>> Yes, I did. I apologize for delays - I work with Samba only in my
>> spare time.
>>
>> Igor
>>
>>> Igor Belyi wrote:
>>>
>>>> I would guess that it means that DomainA trusts DomainB but DomainB
>>>> does not trust DomainA. Can you verify that trust is mutual between
>>>> them? Check 'net rpc trustdom list' on both machines.
>>>>
>>>> No, I do not use winbind for NSS (no winbind in
>>>> /etc/nsswitch.conf). Winbind is used only by Samba when it maps
>>>> users from trust domain into local space.
>>>>
>>>> Adrian Chow wrote:
>>>>
>>>>> Hi Igor,
>>>>>
>>>>> I got stuck now. I did my best. I got stuck at the winbind which
>>>>> I suspected is the reason why the domainA_computer cannot map the
>>>>> domain_B user's home directory.
>>>>>
>>>>> 1. What are the settings of your winbind?
>>>>>
>>>>>
>>>> I have the following winbind related entries in smb.conf:
>>>> ldap idmap suffix = ou=Idmap
>>>> idmap backend = ldap:ldap://localhost
>>>> idmap uid = 10000-20000
>>>> idmap gid = 10000-20000
>>>>
>>>> To see if winbind works you can also try to resolve a name into a SID
>>>> and a SID into a gid. For example, if wbinfo -g returns you
>>>> 'STAFF\wheel', try to do the following:
>>>> wbinfo -n 'STAFF\wheel'
>>>> wbinfo -Y <SID returned by the previous command>
>>>>
>>>>> 2. Do you use only "winbind" in your libnss_ldap or use "ldap" as
>>>>> well?
>>>>>
>>>>>
>>>> In my /etc/nsswitch.conf I have only "ldap" without winbind. As far
>>>> as I understand this, winbind usage via NSS can confuse Samba into
>>>> thinking that those users and groups are defined locally and maybe
>>>> allowing Samba to use winbind directly is a better approach for
>>>> trust between domains.
>>>>
>>>> I don't know why you would want to put winbind into libnss_ldap
>>>> which is the configuration for the LDAP interface for NSS (when you use
>>>> 'ldap' in the /etc/nsswitch.conf file)
>>>>
>>>>> 3. My winbind works with :-
>>>>> (For both sides)
>>>>> wbinfo -t
>>>>> wbinfo -p
>>>>> wbinfo -u
>>>>> wbinfo -g
>>>>> getent passwd
>>>>> (For DomainA)
>>>>> "getent group" shows all the local groups and also the groups
>>>>> shown in "wbinfo -g"
>>>>> (For DomainB)
>>>>> "getent group" shows all the local groups and only the GUESTs
>>>>> group. Very weird. The rest of the groups in "wbinfo -g" do
>>>>> not come up.
>>>>> The log is something like this:-
>>>>> -----------------------------------
>>>>>
>>>>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>>>>> could not lookup membership for group rid
>>>>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF
>>>>> (error: NT_STATUS_NO_SUCH_GROUP)
>>>>> [2004/11/01 00:13:10, 0]
>>>>> nsswitch/winbindd_group.c:winbindd_getgrent(795)
>>>>> could not lookup domain group STAFF\wheel
>>>>>
>>>>> ---------------------------------------
>>>>>
>>>>>
>>>> Do you mean that this error message was reported during "getent
>>>> group" in DomainB? Because, without this error message I would
>>>> assume that you have winbind written in /etc/nsswitch.conf on your
>>>> DomainA server but not on your DomainB server.
>>>>
>>>> The error message means that Samba thinks that 'wheel' is a Domain
>>>> group of the 'STAFF' domain and fails to find its mapping. I would
>>>> expect this error to come up during login of a Domain user whose
>>>> primary group is a local 'wheel' group instead of a Domain group.
>>>> If this user is supposed to have 'wheel' as a primary group you
>>>> probably forgot to create a groupmap from a Domain group for it.
>>>>
>>>> Igor
>>>