[Samba] Authentication and trusted domains
Jurjen Oskam
jurjen at stupendous.org
Wed Dec 6 11:32:58 GMT 2006
Hi there,

This is most likely something very basic which I'm not seeing right now.

I have a Samba-server, which is running in security = domain, and it's
a member of that domain (DOMAINA). The domain is a Win2003 domain.

That domain has established a trust with another domain (DOMAINB). There's
a Windows terminal server TERMSRV which is a member of DOMAINA, but a user
from DOMAINB logged in (using the trust). The user wants to reach a share
on the Samba-server. This is what happens (smbd -i -d 3 output):

Got user=[MFABER] domain=[DOMAINB] workstation=[TERMSRV] len1=24 len2=24
check_ntlm_password: Checking password for unmapped user
[DOMAINB]\[MFABER]@[TERMSRV] with the new password interface
check_ntlm_password: mapped user is: [DOMAINA]\[MFABER]@[TERMSRV]
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password: Authentication for user [MFABER] -> [MFABER] FAILED
with error NT_STATUS_WRONG_PASSWORD

As you see, smbd sees that MFABER from DOMAINB tries to access a share,
but to me it looks like it tries to validate the password in the DOMAINA
domain. This fails. (It fails with NT_STATUS_WRONG_PASSWORD because there
is also a (different) user named MFABER in DOMAINA)

I'd like users from DOMAINB to access resources on the Samba server.
Winbindd, smbd and nmbd are all running. Samba version is 3.0.21c.

Am I missing something obvious here?

[global]
workgroup = DOMAINA
netbios name = smb-lpar
security = domain
encrypt passwords = Yes
password server = *
client use spnego = Yes
restrict anonymous = Yes
lanman auth = No
min protocol = NT1
mangling method = hash2
os level = 0
lm announce = No
preferred master = No
local master = No
domain master = No
wins server = 172.17.1.64 172.17.1.65
allow trusted domains = Yes
idmap uid = 2000-100000000
idmap gid = 2000-100000000
template shell = /bin/ksh
template homedir = /home/%U
winbind use default domain = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
log level = 1

Thanks,
--
Jurjen Oskam
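
Added example, not part of the original post and not Samba code: a Python check that scans smbd debug output for the pattern reported above, where the domain the client sent differs from the domain smbd used when checking the password and the attempt then failed. The sample log is constructed from the lines quoted in the post, the function name `find_domain_remaps` is hypothetical, and the regexes assume the message wording shown there.

```python
import re

# Constructed sample: the smbd -d 3 lines quoted in the post, wrapped as in the mail.
SAMPLE_LOG = r"""Got user=[MFABER] domain=[DOMAINB] workstation=[TERMSRV] len1=24 len2=24
check_ntlm_password: Checking password for unmapped user
[DOMAINB]\[MFABER]@[TERMSRV] with the new password interface
check_ntlm_password: mapped user is: [DOMAINA]\[MFABER]@[TERMSRV]
check_ntlm_password: Authentication for user [MFABER] -> [MFABER] FAILED
with error NT_STATUS_WRONG_PASSWORD
"""

# [DOMAIN]\[USER]@[WORKSTATION] as printed by check_ntlm_password
PRINCIPAL = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
UNMAPPED = re.compile(r"Checking password for unmapped user " + PRINCIPAL)
MAPPED = re.compile(r"mapped user is: " + PRINCIPAL)
FAILED = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (\S+)")


def find_domain_remaps(log_text):
    """Return failed attempts whose domain changed between client and check."""
    text = " ".join(log_text.split())  # undo line wrapping and double spaces
    events = []
    for kind, rx in (("unmapped", UNMAPPED), ("mapped", MAPPED), ("failed", FAILED)):
        events += [(m.start(), kind, m.groups()) for m in rx.finditer(text)]
    findings, cur = [], None
    for _, kind, g in sorted(events):
        if kind == "unmapped":  # a new authentication attempt starts here
            cur = {"client_domain": g[0], "user": g[1], "workstation": g[2],
                   "checked_domain": None, "error": None}
        elif cur is None:
            continue  # mapped/failed line without a preceding attempt
        elif kind == "mapped":
            cur["checked_domain"] = g[0]
        else:  # failed: close the attempt, report it only if the domain changed
            cur["error"] = g[2]
            checked = cur["checked_domain"]
            if checked and checked.upper() != cur["client_domain"].upper():
                findings.append(cur)
            cur = None
    return findings


if __name__ == "__main__":
    for f in find_domain_remaps(SAMPLE_LOG):
        print("{client_domain}\\{user} from {workstation} was checked as "
              "{checked_domain}\\{user}: {error}".format(**f))
```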