[Samba] samba-3.6.1 cannot be used by trusted domain users?
Jason Haar
Jason_Haar at trimble.com
Sun Dec 18 18:51:30 MST 2011
Hi there
Samba is a member of dom1.corp.net, there are also dom2.corp.net and
dom3.corp.net - together making up the "CORP" forest. There are other
forests with two-way trusts with CORP.NET, such as OTHER.NET.
We have a problem where Samba/winbind is inconsistent on account details
and therefore access.
* wbinfo -D OTHER returns details about "other.net" - good
* wbinfo --dc-info=OTHER returns a valid domain controller of OTHER - good
however....
* wbinfo -i OTHER\\username returns "failed to call wbcGetpwnam:
WBC_ERR_DOMAIN_NOT_FOUND"
* wbinfo -n OTHER\\username returns the SID
* wbinfo -s SID returns OTHER\username
That last bit flummoxed me - how can winbind figure out the SID without
being able to figure out the rest? We see this not only for usernames in
other forests, but also usernames in other subdomains in the same forest
(i.e. "wbinfo -i" works for usernames in the same domain as Samba - just
not other domains in the same forest).
testparm -sv|grep trust returns
    allow trusted domains = Yes
    map untrusted to domain = No
    winbind trusted domains only = No
The outcome is that when a user from another domain/forest connects,
they get access denied and the logs show
[2011/12/19 01:26:51.195684, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam other\username
[2011/12/19 01:26:59.234921, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-1705711945-1589781387-1543859470-20569: NT_STATUS_UNSUCCESSFUL
So that makes no sense: how can "wbinfo -s SID" work, when the winbind
logfile shows that it couldn't convert the same sid?
Thanks
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1