[Samba] Samba and trusted domains

Michael Gasch gasch at eva.mpg.de
Mon Jul 3 14:32:24 GMT 2006


if you're running winbindd there's no need to run nscd.
it's a common problem and you should really avoid using it, unless you
have a real reason.

disable it and run id again

greez

Nir Barkan wrote:
> Nscd is running
> 
> This is my nsswitch.conf:
> 
> # /etc/nsswitch.nis:
> #
> # An example file that could be copied over to /etc/nsswitch.conf; it
> # uses NIS (YP) in conjunction with files.
> #
> # "hosts:" and "services:" in this file are used only if the
> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
> 
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd:     files winbind nis
> group:      files winbind nis
> 
> # consult /etc "files" only if nis is down.
> hosts:      files nis dns
> ipnodes:    files
> # Uncomment the following line and comment out the above to resolve
> # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
> # IPv4 addresses are searched in all of the ipnodes databases before
> # searching the hosts databases. Before turning this option on, consult
> # the Network Administration Guide for more details on using IPv6.
> #ipnodes:    nis [NOTFOUND=return] files
> 
> networks:   nis [NOTFOUND=return] files
> protocols:  nis [NOTFOUND=return] files
> rpc:        nis [NOTFOUND=return] files
> ethers:     nis [NOTFOUND=return] files
> netmasks:   nis [NOTFOUND=return] files
> bootparams: nis [NOTFOUND=return] files
> publickey:  nis [NOTFOUND=return] files
> 
> netgroup:   nis
> 
> automount:  files nis
> aliases:    files nis
> 
> # for efficient getservbyname() avoid nis
> services:   files nis
> sendmailvars:   files
> printers:       user files nis
> 
> auth_attr:  files nis
> prof_attr:  files nis
> project:    files nis
> project:    files nis
> 
> -----Original Message-----
> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
> Sent: Monday, July 03, 2006 4:06 PM
> To: Nir Barkan
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba and trusted domains
> 
>  > When running the id command, nothing written on the winbind debug
> looks like a prob with NSS and winbindd...
> what looks your nsswitch.conf like?
> do you use nscd?
> 
> greez
> 
> Nir Barkan wrote:
>> id EU15\\test1
>>
>> gives:
>>
>> id: invalid user name: "EU15\test1"
>>
>> When running the id command, nothing written on the winbind debug
>>
>> Nir
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>> Sent: Monday, July 03, 2006 2:31 PM
>> To: Nir Barkan
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba and trusted domains
>>
>> looks good, but the log isn't very informative.
>>
>> what does now "id EU15\\test1" on the member server say?
>> winbindd has to allocate an uidnumber for this user.
>>
>> greez
>>
>>
>>
>> Nir Barkan wrote:
>>> Now I don't have idmap errors, but the user from the trusted domain still
>>> can't connect, this is what the debug logs when the user from the trusted
>>> domain tries to connect:
>>>
>>> Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
>>> [    0]: request interface version
>>> [    0]: request location of privileged pipe
>>> [    0]: domain_info [EU15]
>>> [ 8520]: Get DC name for EU15
>>> cm_get_ipc_userpass: No auth-user defined
>>> Doing spnego session setup (blob length=122)
>>> got OID=1 2 840 48018 1 2 2
>>> got OID=1 2 840 113554 1 2 2
>>> got OID=1 2 840 113554 1 2 2 3
>>> got OID=1 3 6 1 4 1 311 2 2 10
>>> got principal=eur-dc04-lon$@WINEUR.EU15.COM
>>> Doing kerberos session setup
>>> Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind
>>> request returned ok.
>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind
>>> request returned ok.
>>> lsa_io_sec_qos: length c does not match size 8
>>> [    0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [    0]: request interface version
>>> [    0]: request location of privileged pipe
>>> [    0]: domain_info [EU15]
>>> [    0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [    0]: request interface version
>>> [    0]: request location of privileged pipe
>>> [    0]: domain_info [EU15]
>>> [    0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [    0]: request interface version
>>> [    0]: request location of privileged pipe
>>> [    0]: domain_info [EU15]
>>> [    0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>> [    0]: domain_info [EU15]
>>> [    0]: pam auth crap domain: [EU15] user: test1
>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>> Sent: Monday, July 03, 2006 1:19 PM
>>> To: Nir Barkan
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> for trusted domains to work you have to use either tdbsam or ldap 
>>> backend. don't know whether ad works, though.
>>>
>>> this should work for you:
>>> #   idmap backend =                       # please comment out for tdbsam
>>>     idmap uid = 10000-100000
>>>     idmap gid = 10000-100000
>>>     winbind use default domain = Yes      # your choice
>>>     winbind trusted domains only = no     # must
>>>     allow trusted domains = yes           # must
>>>
>>>
>>> greez
>>>
>>>
>>> Nir Barkan wrote:
>>>> I tried all the combinations on the "idmap backend" line and still have
>>>> errors.
>>>>
>>>> What is the exact "idmap backend" line that I should add to my smb.conf file
>>>> when "ITGIL" = my domain and "EU15" = my trusted domain?
>>>>
>>>> Thanks,
>>>>
>>>> Nir
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>> Sent: Monday, July 03, 2006 11:22 AM
>>>> To: Nir Barkan
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>> :)
>>>>
>>>>  > idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>> this is not correct semantic ;)
>>>>
>>>> example:
>>>> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>>>>
>>>> this should work
>>>>
>>>> greez
>>>>
>>>>
>>>> Nir Barkan wrote:
>>>>> I added the idmap backend to my smb.conf as you suggested
>>>>>
>>>>>
>>>>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>>>
>>>>> I get the following (on the winbind debug):
>>>>>
>>>>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>>>>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1:
>>>>> ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed:
>>>>> No such file or directory
>>>>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>>>>> Could not init idmap -- netlogon proxy only
>>>>>
>>>>> The idmap directory exists; do I need to run something manually?
>>>>>
>>>>> P.S
>>>>>
>>>>> ITGIL = my domain
>>>>> EU15 = my trusted domain
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nir
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>> Sent: Sunday, July 02, 2006 9:46 PM
>>>>> To: Nir Barkan
>>>>> Cc: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>
>>>>> you should do something like
>>>>>
>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>>>> as i already wrote in a posting before. this won't work with idmap_rid,
>>>>> but with all other backends.
>>>>> i think you can stay with "winbind trusted domains only".
>>>>>
>>>>> you should also run winbindd in interactive mode and debug level 3.
>>>>> then you should see something like "init idmap backend for DOMAIN 
>>>>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>>>>
>>>>> greez
>>>>>
>>>>>
>>>>> Nir Barkan wrote:
>>>>>> Id test1 not working
>>>>>>
>>>>>> Wbinfo -u returns DomainName username (EUROPE test1)
>>>>>>
>>>>>> The user is from trusted domain 
>>>>>>
>>>>>> I defined idmap uid = 10000-2000 and  idmap gid = 10000-20000 on my
>>>>>> smb.conf, Do I need to define something more?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Nir
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>>> Sent: Friday, June 30, 2006 4:12 PM
>>>>>> To: Nir Barkan
>>>>>> Cc: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>
>>>>>>  > Id test1 not working
>>>>>> but wbinfo -u shows it?
>>>>>> if so you have a problem with mapping samba accounts to unix accounts.
>>>>>> is it a user from a trusted domain (to get back to the thread title)?
>>>>>>
>>>>>>  > My dc is windows 2003 DC, do I need to install something on it?
>>>>>> no
>>>>>>
>>>>>> greez
>>>>>>
>>>>>> Nir Barkan wrote:
>>>>>>
>>>>>>> Id test1 not working
>>>>>>>
>>>>>>> I tried without "winbind trusted domains only = Yes" and got the same
>>>>>>> results.
>>>>>>>
>>>>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>>>>
>>>>>>> P.S
>>>>>>>
>>>>>>> Thanks much for your help :-)
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>>>>> To: Nir Barkan
>>>>>>> Cc: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>>
>>>>>>>
>>>>>>>> "Id <username_from_local_domain_without_prefix_domainname>" gives me the user
>>>>>>>> uid and gid.
>>>>>>> good
>>>>>>>
>>>>>>> some further questions:
>>>>>>> - does "id test1" work?
>>>>>>> - why did you set "winbind trusted domains only = Yes"
>>>>>>>
>>>>>>> for trusted domains to work, you have to use winbind on your DC.
>>>>>>> furthermore on each member server you have to specify an idmap range for
>>>>>>> each domain, like
>>>>>>>
>>>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>>>>
>>>>>>> greez
>>>>>>>
>>>>>>>
>>>>>>>
> 

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399
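Added example, not code from the thread or from the Samba project: a small POSIX shell checker for the three things the thread turns on, namely whether nsswitch.conf routes passwd/group lookups through winbind, whether nscd is running next to winbindd, and whether the idmap settings in smb.conf have the shape winbindd expects (a module name such as rid, optionally followed by :"DOMAIN=range,..." , rather than a bare DOMAIN=range list, which the thread's log shows being loaded as a module name). All config excerpts and process listings below are constructed samples; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): offline sanity checks for a winbind setup.
# Every input is a constructed sample modelled on the configs quoted in the thread.

# Constructed nsswitch.conf excerpt (Solaris-style, as in the thread).
SAMPLE_NSSWITCH='passwd:     files winbind nis
group:      files winbind nis
hosts:      files nis dns'

# Constructed process listings, one with nscd present and one without.
PS_WITH_NSCD='  812 ?  Ss  0:00 /usr/sbin/nscd
  905 ?  Ss  0:01 /opt/local/sbin/winbindd'
PS_WITHOUT_NSCD='  905 ?  Ss  0:01 /opt/local/sbin/winbindd'

# Constructed smb.conf excerpts: the form that produced "could not load remote
# backend" in the thread, and the module:"ranges" form that works.
SAMPLE_SMB_BAD='idmap backend = ITGIL=10000-19999,EU15=20000-30000
idmap uid = 10000-2000
idmap gid = 10000-20000'
SAMPLE_SMB_GOOD='idmap backend = rid:"BUILTIN=1000-1999,ITGIL=2000-19999"
idmap uid = 10000-100000
idmap gid = 10000-100000'

# nss_has_winbind DB CONTENTS: succeed when the DB line names the winbind source.
nss_has_winbind() {
    printf '%s\n' "$2" | grep -E "^[[:space:]]*$1:" | grep -qw winbind
}

# nscd_running PS_OUTPUT: succeed when an nscd process appears in the listing.
nscd_running() {
    printf '%s\n' "$1" | grep -qw nscd
}

# smb_value KEY CONTENTS: print the value of the first "KEY = value" line.
smb_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# idmap_backend_check VALUE: the thread's log shows the first comma-separated
# element being loaded as the module. Succeed only when that element (before any
# ':args') looks like a module name rather than a DOMAIN=range pair.
idmap_backend_check() {
    first=$(printf '%s\n' "$1" | sed 's/[[:space:],].*//; s/:.*//')
    printf '%s\n' "$first" | grep -Eq '^[A-Za-z0-9_]+$'
}

# idmap_range_ok VALUE: succeed for LOW-HIGH with numeric LOW < HIGH, so a
# reversed range such as 10000-2000 is reported instead of yielding no ids.
idmap_range_ok() {
    case "$1" in
        *-*) low=${1%%-*}; high=${1#*-} ;;
        *) return 1 ;;
    esac
    [ -n "$low" ] && [ -n "$high" ] || return 1
    case "$low$high" in *[!0-9]*) return 1 ;; esac
    [ "$low" -lt "$high" ]
}

# winbind_sanity NSSWITCH PS SMBCONF: run every check, print findings and
# return the number of problems found (0 means everything passed).
winbind_sanity() {
    problems=0
    for db in passwd group; do
        if nss_has_winbind "$db" "$1"; then
            echo "ok: $db lookups include winbind"
        else
            echo "problem: $db line in nsswitch.conf does not list winbind"
            problems=$((problems + 1))
        fi
    done
    if nscd_running "$2"; then
        echo "problem: nscd is running; it caches NSS answers (negative ones too) and masks winbindd"
        problems=$((problems + 1))
    fi
    backend=$(smb_value "idmap backend" "$3")
    if [ -n "$backend" ] && ! idmap_backend_check "$backend"; then
        echo "problem: idmap backend '$backend' puts a DOMAIN=range list where a module name belongs"
        problems=$((problems + 1))
    fi
    for key in "idmap uid" "idmap gid"; do
        range=$(smb_value "$key" "$3")
        if ! idmap_range_ok "$range"; then
            echo "problem: $key '$range' is not a LOW-HIGH range with LOW < HIGH"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone demonstration on the constructed samples.
winbind_sanity "$SAMPLE_NSSWITCH" "$PS_WITH_NSCD" "$SAMPLE_SMB_BAD" || echo "found $? problem(s)"
winbind_sanity "$SAMPLE_NSSWITCH" "$PS_WITHOUT_NSCD" "$SAMPLE_SMB_GOOD" && echo "all checks passed"
```

On a real member server the same functions can be fed `cat /etc/nsswitch.conf`, `ps -e` output and the smb.conf in use; the checks are read-only and change nothing on the host.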
