[Samba] Samba and trusted domains

Nir Barkan nirb at itgil.com
Mon Jul 3 13:53:07 GMT 2006


Nscd is running

This is my nsswitch.conf:

# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files winbind nis
group:      files winbind nis

# consult /etc "files" only if nis is down.
hosts:      files nis dns
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:    nis [NOTFOUND=return] files

networks:   nis [NOTFOUND=return] files
protocols:  nis [NOTFOUND=return] files
rpc:        nis [NOTFOUND=return] files
ethers:     nis [NOTFOUND=return] files
netmasks:   nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey:  nis [NOTFOUND=return] files

netgroup:   nis

automount:  files nis
aliases:    files nis

# for efficient getservbyname() avoid nis
services:   files nis
sendmailvars:   files
printers:       user files nis

auth_attr:  files nis
prof_attr:  files nis
project:    files nis
project:    files nis

-----Original Message-----
From: Michael Gasch [mailto:gasch at eva.mpg.de] 
Sent: Monday, July 03, 2006 4:06 PM
To: Nir Barkan
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba and trusted domains

 > When running the id command, nothing written on the winbind debug
looks like a prob with NSS and winbindd...
what looks your nsswitch.conf like?
do you use nscd?

greez

Nir Barkan wrote:
> id EU15\\test1
> 
> gives:
> 
> id: invalid user name: "EU15\test1"
> 
> When running the id command, nothing written on the winbind debug
> 
> Nir
> 
> -----Original Message-----
> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
> Sent: Monday, July 03, 2006 2:31 PM
> To: Nir Barkan
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba and trusted domains
> 
> looks good, but the log isn't very informative.
> 
> what does now "id EU15\\test1" on the member server say?
> winbindd has to allocate an uidnumber for this user.
> 
> greez
> 
> 
> 
> Nir Barkan wrote:
>> Now I don't have idmap errors, but the user from the trusted domain still
>> can't connect, this is what the debug logs when the user from the trusted
>> domain tries to connect:
>>
>> Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
>> [    0]: request interface version
>> [    0]: request location of privileged pipe
>> [    0]: domain_info [EU15]
>> [ 8520]: Get DC name for EU15
>> cm_get_ipc_userpass: No auth-user defined
>> Doing spnego session setup (blob length=122)
>> got OID=1 2 840 48018 1 2 2
>> got OID=1 2 840 113554 1 2 2
>> got OID=1 2 840 113554 1 2 2 3
>> got OID=1 3 6 1 4 1 311 2 2 10
>> got principal=eur-dc04-lon$@WINEUR.EU15.COM
>> Doing kerberos session setup
>> Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind
>> request returned ok.
>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind
>> request returned ok.
>> lsa_io_sec_qos: length c does not match size 8
>> [    0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [    0]: request interface version
>> [    0]: request location of privileged pipe
>> [    0]: domain_info [EU15]
>> [    0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [    0]: request interface version
>> [    0]: request location of privileged pipe
>> [    0]: domain_info [EU15]
>> [    0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [    0]: request interface version
>> [    0]: request location of privileged pipe
>> [    0]: domain_info [EU15]
>> [    0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>> [    0]: domain_info [EU15]
>> [    0]: pam auth crap domain: [EU15] user: test1
>> [ 8520]: pam auth crap domain: EU15 user: test1
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>> Sent: Monday, July 03, 2006 1:19 PM
>> To: Nir Barkan
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba and trusted domains
>>
>> for trusted domains to work you have to use either tdbsam or ldap 
>> backend. don't know whether ad works, though.
>>
>> this should work for you:
>>    # idmap backend =                  # please comment out for tdbsam
>>    idmap uid = 10000-100000
>>    idmap gid = 10000-100000
>>    winbind use default domain = Yes   # your choice
>>    winbind trusted domains only = no  # must
>>    allow trusted domains = yes        # must
>>
>>
>> greez
>>
>>
>> Nir Barkan wrote:
>>> I tried all the combinations on the "idmap backend" line and still have
>>> errors.
>>>
>>> What is the exact "idmap backend" line that I should add to my smb.conf file
>>> when "ITGIL" = my domain and "EU15" = my trusted domain?
>>>
>>> Thanks,
>>>
>>> Nir
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>> Sent: Monday, July 03, 2006 11:22 AM
>>> To: Nir Barkan
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> :)
>>>
>>>  > idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>> this is not correct semantic ;)
>>>
>>> example:
>>> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>>>
>>> this should work
>>>
>>> greez
>>>
>>>
>>> Nir Barkan wrote:
>>>> I added the idmap backend to my smb.conf as you suggested
>>>>
>>>>
>>>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>>
>>>> I get the following (on the winbind debug):
>>>>
>>>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>>>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1: ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed: No such file or directory
>>>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>>>> Could not init idmap -- netlogon proxy only
>>>>
>>>> The idmap directory exists; do I need to run something manually?
>>>>
>>>> P.S
>>>>
>>>> ITGIL = my domain
>>>> EU15 = my trusted domain
>>>>
>>>> Thanks,
>>>>
>>>> Nir
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>> Sent: Sunday, July 02, 2006 9:46 PM
>>>> To: Nir Barkan
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>> you should do something like
>>>>
>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>>>
>>>> as i already wrote in a posting before. this won't work with idmap_rid,
>>>> but with all other backends.
>>>> i think you can stay with "winbind trusted domains only".
>>>>
>>>> you should also run winbindd in interactive mode and debug level 3.
>>>> then you should see something like "init idmap backend for DOMAIN 
>>>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>>>
>>>> greez
>>>>
>>>>
>>>> Nir Barkan wrote:
>>>>> Id test1 not working
>>>>>
>>>>> Wbinfo -u returns DomainName username (EUROPE test1)
>>>>>
>>>>> The user is from trusted domain 
>>>>>
>>>>> I defined idmap uid = 10000-2000 and idmap gid = 10000-20000 in my
>>>>> smb.conf. Do I need to define something more?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nir
>>>>>
>>>>> -----Original Message-----
>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>> Sent: Friday, June 30, 2006 4:12 PM
>>>>> To: Nir Barkan
>>>>> Cc: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>
>>>>>  > Id test1 not working
>>>>> but wbinfo -u shows it?
>>>>> if so you have a problem with mapping samba accounts to unix accounts.
>>>>> is it a user from a trusted domain (to get back to the thread title)?
>>>>>
>>>>>  > My dc is windows 2003 DC, do I need to install something on it?
>>>>> no
>>>>>
>>>>> greez
>>>>>
>>>>> Nir Barkan wrote:
>>>>>
>>>>>> Id test1 not working
>>>>>>
>>>>>> I tried without "winbind trusted domains only = Yes" and got the same
>>>>>> results.
>>>>>>
>>>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>>>
>>>>>> P.S
>>>>>>
>>>>>> Thanks much for your help :-)
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>>>> To: Nir Barkan
>>>>>> Cc: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>
>>>>>>
>>>>>>> "Id <username_from_local_domain_without_prefix_domainname" gives me the user
>>>>>>> uid and gid.
>>>>>> good
>>>>>>
>>>>>> some further questions:
>>>>>> - does "id test1" work?
>>>>>> - why did you set "winbind trusted domains only = Yes"
>>>>>>
>>>>>> for trusted domains to work, you have to use winbind on your DC.
>>>>>> furthermore on each member server you have to specify an idmap range for
>>>>>> each domain, like
>>>>>>
>>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>>>
>>>>>> greez
>>>>>>
>>>>>>
>>>>>>
-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399
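A configuration check written for this thread (added here; it is neither Samba's code nor from any of the posts above): it parses the [global] idmap settings the thread goes back and forth over and flags the two mistakes visible in the quoted logs, a per-domain map with no backend prefix and an inverted idmap uid range. The two smb.conf fragments are constructed samples.

```python
import re
# Constructed smb.conf fragments modelled on the thread: BROKEN has no backend
# prefix and an inverted uid range; FIXED follows the rid:"DOM=lo-hi,..." shape.
BROKEN = """[global]
   idmap backend = ITGIL=10000-19999,EU15=20000-30000
   idmap uid = 10000-2000
   idmap gid = 10000-20000
"""
FIXED = """[global]
   idmap backend = rid:"ITGIL=10000-19999,EU15=20000-30000"
   idmap uid = 10000-30000
   idmap gid = 10000-30000
"""

def parse_global(text):
    """Key/value pairs of [global], keys lower-cased, '#' comments dropped."""
    settings, in_global = {}, False
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip().lower()] = val.strip()
    return settings

def parse_range(spec):  # '10000-19999' -> (10000, 19999); ValueError if malformed
    lo, hi = spec.split("-")
    return int(lo), int(hi)

def check_idmap(conf_text):
    """Return the list of problems found; an empty list means the checks pass."""
    g, problems, ranges = parse_global(conf_text), [], {}
    backend = g.get("idmap backend", "")
    # Without a module prefix such as rid: winbindd treats the first token as a
    # module name: the "Error loading module .../ITGIL=10000-19999.so" quoted above.
    m = re.match(r'^\w+:"?([^"]*)"?$', backend)
    if not m:
        problems.append("idmap backend has no module prefix (e.g. rid:)")
    for item in filter(None, (m.group(1) if m else backend).split(",")):
        dom, _, spec = item.partition("=")
        ranges[dom.strip()] = parse_range(spec)
    for key in ("idmap uid", "idmap gid"):
        lo, hi = parse_range(g.get(key, "0-0"))
        if lo >= hi:
            problems.append(f"{key} {lo}-{hi} is inverted or empty")
        for dom, (dlo, dhi) in ranges.items():
            if lo < hi and (dlo < lo or dhi > hi):
                problems.append(f"{dom} {dlo}-{dhi} lies outside {key} {lo}-{hi}")
    return problems
```

Running check_idmap(BROKEN) reports the missing prefix, the inverted uid range, and that EU15's range does not fit inside the gid range; check_idmap(FIXED) returns an empty list.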
