[Samba] AD Auth Trusted Domain issues
Paul Lauss
plauss at protocolgs.com
Tue Mar 30 12:23:02 MDT 2010
The trust check succeeded... I have attached the pertinent logs... it
looks like it is timing out... I am not sure why though. The link
should be a little slower but it shouldn't be terrible, it is a 2Mb pipe.
mailtestbed:~# wbinfo -t
checking the trust secret via RPC calls succeeded
On 3/30/2010 9:47 AM, François Legal wrote:
> I'm not sure to 100% understand what you mean (it's been a long time since
> I last used an AD server with SFU).
> However, next step now will be to increase winbindd debug level while
> issuing the wbinfo -i command, and see what fails there.
>
> Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity.
>
> François
>
> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <plauss at protocolgs.com>
> wrote:
>
>> Hello,
>> Thank you so much for your reply! We are using AD 2003 R2 on both the
>> domain and the child domain. I am using 10000-29999 for IDs on the main
>> domain (RDOMAIN) and 30000-100000 on the child domain (KID).
>> Interestingly, in the Unix tab (in AD Users and Computers for any
>> object) under "NIS Domain" on any of the RDOMAIN servers we get the
>> pulldown option "RDOMAIN" but on the Trusted domains server the only
>> option is "KID". I'm not sure if that is expected or would affect this
>> but I can't seem to get the RDOMAIN option in the KID Trusted domain.
>>
>> Thanks,
>> -Paul
>>
>> On 3/30/2010 2:27 AM, François Legal wrote:
>>
>>> Hello,
>>>
>>> I'm not familiar with this kind of setup, but I wonder whether or not the
>>> KID domain has the SFU schema extensions setup for idmapping (see idmap
>>> backend = ad) and if properly setup, check that the defined uid/gid for
>>> that domain fall in the idmap uid range
>>>
>>> François
>>>
>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com>
>>> wrote:
>>>
>>>
>>>> I have been killing myself on this issue over the last 2 weeks. I have
>>>> setup pam AD authentication using winbind on our company's email
>>>> servers. That part is currently working. I have been trying to add an
>>>> existing "Trusted" child domain and allow authentication from that
>>>> domain as well. I am part of the way there, but not quite to the
>>>> functional point as of yet. Our primary domain is rdomainprv or
>>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is what I am
>>>> seeing, followed by my configs. Also, we had to open ports 88, 139 and
>>>> 389 (I believe those are the correct ports, though the networking guys
>>>> opened them) from the email/winbind server to the child domain, at the
>>>> firewall. Any help would be very much appreciated!
>>>>
>>>> mailtestbed:~# wbinfo --all-domains
>>>> BUILTIN
>>>> MAILTESTBED
>>>> RDOMAINPRV
>>>> KID
>>>>
>>>> mailtestbed:~# wbinfo -u | grep testuser
>>>> KID\testuser
>>>>
>>>> mailtestbed:~# wbinfo -a KID\\testuser%password
>>>> plaintext password authentication succeeded
>>>> challenge/response password authentication succeeded
>>>>
>>>> Here is where it's falling apart:
>>>> mailtestbed:~# wbinfo -i KID\\testuser
>>>> Could not get info for user KID\testuser
>>>>
>>>> mailtestbed:~# id KID\\testuser
>>>> id: KID\testuser: No such user
>>>>
>>>> mailtestbed:~# id testuser
>>>> id: testuser: No such user
>>>>
>>>> mailtestbed:~# getent passwd KID\\testuser
>>>> mailtestbed:~#
>>>>
>>>> mailtestbed:~# getent passwd testuser
>>>> mailtestbed:~#
>>>>
>>>> mailtestbed:~# id RDOMAINPRV\\testmer
>>>> uid=10001(testmer) gid=10001 groups=999(users)
>>>>
>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer
>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>
>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>
>>>> Versions (Debian Lenny)
>>>> samba 2:3.2.5-4lenny9
>>>> winbind 2:3.2.5-4lenny9
>>>>
>>>> smb.conf
>>>> [global]
>>>> workgroup = RDOMAINPRV
>>>> realm = RDOMAIN.PRV
>>>> server string = %h server
>>>> dns proxy = no
>>>> name resolve order = lmhosts host wins bcast
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>> syslog = 0
>>>> panic action = /usr/share/samba/panic-action %d
>>>> security = ADS
>>>> encrypt passwords = yes
>>>> passdb backend = tdbsam
>>>> obey pam restrictions = yes
>>>> unix password sync = yes
>>>> passwd program = /usr/bin/passwd %u
>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>> pam password change = yes
>>>> allow trusted domains = yes
>>>> winbind trusted domains only = no
>>>> idmap backend = ad
>>>> idmap uid = 10000-1000000
>>>> idmap gid = 10000-1000000
>>>> template homedir = /home/%U
>>>> winbind use default domain = yes
>>>> winbind nss info = rfc2307
>>>> winbind nested groups = yes
>>>> client use spnego = yes
>>>> client ntlmv2 auth = yes
>>>> restrict anonymous = 2
>>>> winbind enum groups = no
>>>> winbind enum users = no
>>>> winbind cache time = 30
>>>>
>>>> krb5.conf
>>>> [libdefaults]
>>>> default_realm = RDOMAIN.PRV
>>>> krb4_config = /etc/krb.conf
>>>> krb4_realms = /etc/krb.realms
>>>> kdc_timesync = 1
>>>> ccache_type = 4
>>>> forwardable = true
>>>> proxiable = true
>>>> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>> permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>> v4_instance_resolve = false
>>>> v4_name_convert = {
>>>> host = {
>>>> rcmd = host
>>>> ftp = ftp
>>>> }
>>>> plain = {
>>>> something = something-else
>>>> }
>>>> }
>>>> fcc-mit-ticketflags = true
>>>> [realms]
>>>> RDOMAIN.PRV = {
>>>> default_domain = RDOMAIN.PRV
>>>> master_kdc = dc02.rdomain.prv
>>>> admin_server = dc02.rdomain.prv
>>>> kdc = aurad.rdomain.prv
>>>> kdc = addc01.rdomain.prv
>>>> kdc = addc02.rdomain.prv
>>>> kdc = addc03.rdomain.prv
>>>> #kdc = addc04.rdomain.prv
>>>> kdc = addc05.rdomain.prv
>>>> kdc = chlddc01.kid.rdomain.prv
>>>> }
>>>> KID.RDOMAIN.PRV = {
>>>> default_domain = KID.RDOMAIN.PRV
>>>> kdc = chlddc01.kid.rdomain.prv
>>>> master_kdc = addc02.rdomain.prv
>>>> admin_server = addc02.rdomain.prv
>>>> kdc = addc01.rdomain.prv
>>>> kdc = addc02.rdomain.prv
>>>> }
>>>> [domain_realm]
>>>> .rdomain.prv = RDOMAIN.PRV
>>>> rdomain.prv = RDOMAIN.PRV
>>>> .kid.rdomain.prv = KID.RDOMAIN.PRV
>>>> kid.rdomain.prv = KID.RDOMAIN.PRV
>>>> [kdc]
>>>> profile = /var/kerberos/krb5kdc/kdc.conf
>>>> [appdefaults]
>>>> pam = {
>>>> debug = false
>>>> ticket_lifetime = 36000
>>>> renew_lifetime = 36000
>>>> forwardable = true
>>>> krb4_convert = false
>>>> validate = true
>>>> }
>>>> [login]
>>>> krb4_convert = true
>>>> krb4_get_tickets = false
>>>>
>>>>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ADlogs.text
URL: <http://lists.samba.org/pipermail/samba/attachments/20100330/ea13781c/attachment.text>
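The check François suggests in the quoted thread (does the KID user carry the SFU/rfc2307 uidNumber and gidNumber, and do they fall inside the idmap range from the posted smb.conf?), written up as an added example that is not code from this thread or from Samba. The LDIF entries are constructed in the shape ldapsearch prints, the ranges are the ones in Paul's smb.conf, and "lowuser" is a made-up account.

```python
# Added example, not code from the thread: the check François suggests, run
# offline over a constructed smb.conf fragment and constructed LDIF ('lowuser'
# is made up). Do the rfc2307 uidNumber/gidNumber exist and fit the idmap range?
import re

SMB_CONF = """[global]
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
"""

LDIF = """dn: CN=testmer,CN=Users,DC=rdomain,DC=prv
sAMAccountName: testmer
uidNumber: 10001
gidNumber: 10001

dn: CN=testuser,CN=Users,DC=kid,DC=rdomain,DC=prv
sAMAccountName: testuser

dn: CN=lowuser,CN=Users,DC=kid,DC=rdomain,DC=prv
sAMAccountName: lowuser
uidNumber: 500
gidNumber: 30001
"""

def idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} parsed from smb.conf text."""
    found = re.findall(r"^\s*idmap (uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", conf, re.M)
    return {k: (int(lo), int(hi)) for k, lo, hi in found}

def parse_ldif(text):
    """One {attribute: value} dict per blank-line separated LDIF entry."""
    return [dict(map(str.strip, ln.split(":", 1)) for ln in blk.splitlines() if ":" in ln)
            for blk in re.split(r"\n\s*\n", text.strip())]

def diagnose(entry, ranges):
    """Say why 'idmap backend = ad' would, or would not, map this user."""
    name = entry.get("sAMAccountName", "?")
    for attr, kind in (("uidNumber", "uid"), ("gidNumber", "gid")):
        if attr not in entry:    # no SFU/rfc2307 attribute: winbind cannot map the user
            return "%s: %s missing in AD" % (name, attr)
        lo, hi = ranges[kind]
        val = int(entry[attr])
        if not lo <= val <= hi:  # attribute present but outside the configured range
            return "%s: %s=%d outside idmap %s %d-%d" % (name, attr, val, kind, lo, hi)
    return "%s: ok" % name

def run(conf=SMB_CONF, ldif=LDIF):
    return [diagnose(e, idmap_ranges(conf)) for e in parse_ldif(ldif)]
```

Real input would come from an ldapsearch against the child domain's DC requesting uidNumber and gidNumber for the account in question; note that the posted range 10000-1000000 already covers both the 10000-29999 and 30000-100000 ranges mentioned in the thread.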