[Samba] logon Samba workstation domain with Active Directory trustdom account issue
Romain
gromly at gmail.com
Sun Dec 16 15:15:17 MST 2012
Hi,
Did somebody already make a two-way trust relationship between Samba 3 and
AD?
When I try to access a Samba share with an AD account, I get this:
[2012/12/16 23:00:26.146090, 5] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [tata] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/12/16 23:00:26.146123, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [tata] -> [tata] FAILED with error NT_STATUS_NO_SUCH_USER
but trust domain seems to be ok:
Trusted domains list:
ES01 S-1-5-21-1816646249-803782145-3669927669
Trusting domains list:
ES01 S-1-5-21-1816646249-803782145-3669927669
and when I try to access the Samba share with the Administrator account that I
created on both sides with the same password, I get this:
[2012/12/16 22:57:22.701841, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user ES01\Administrator has user sid
  S-1-5-21-1816646249-803782145-3669927669-500 but group sid
  S-1-5-21-3405883886-2425668597-4100599511-513. The conflicting domain
  portions are not supported for NETLOGON calls
and wbinfo doesn't seem to work, it should list all trusted users, no?
# wbinfo -u
root
nobody
smb3user
administrator
Regards,
Romain
2012/12/15 Romain <gromly at gmail.com>
> Hello list,
>
> Sorry to top again but do we need Kerberos on the Samba server to make this
> work?
>
> Regards,
>
>
> 2012/12/14 Romain <gromly at gmail.com>
>
>> Hi,
>>
>> I made a mistake, we have Samba 3.5.3.
>>
>> Can somebody help ?
>>
>> Regards,
>> Romain
>>
>>
>> 2012/12/13 Romain <gromly at gmail.com>
>>
>>> Hello samba list,
>>>
>>> I'm close to being able to make this work but I just need a bit of help. Here
>>> is the situation:
>>>
>>> - Windows 2008 R2 x64 Domain Controller: domain ES01
>>>
>>> - Samba 3.4.3 Domain Controller: domain ES02
>>>
>>> - Windows Seven Workstation (SSO4): on domain ES02
>>>
>>> - Windows XP Workstation (SSO2): on domain ES01
>>>
>>> We set up a trust relationship on both sides and it seems to work according
>>> to the command "net rpc trustdom list".
>>>
>>> [root at localhost ~]# net rpc trustdom list
>>> Enter root's password:
>>> Trusted domains list:
>>>
>>> ES01 S-1-5-21-1816646249-803782145-3669927669
>>>
>>> Trusting domains list:
>>>
>>> ES01 S-1-5-21-1816646249-803782145-3669927669
>>>
>>>
>>> Now, here is the issue:
>>>
>>> We can log on to domain ES01 with a Windows account from the Windows XP
>>> Workstation (normal use)
>>> We can log on to domain ES01 with a Samba account from the Windows XP Workstation
>>> (that's outgoing trust relationship's work)
>>> We can log on to domain ES02 with a Samba account (pretty normal use)
>>> *We CAN'T log on to domain ES02 with a Windows account (and unfortunately,
>>> that's what we need to go further)*
>>>
>>> I attach all my configuration files and the SS4 workstation log from when I
>>> try to log on with the "tata" account from the ES01 Windows domain.
>>>
>>> As you can see in smb.conf, we tried some custom tricks to make winbind
>>> work...
>>>
>>> Hope you will give us a fresh idea that we didn't think about.
>>>
>>> Regards,
>>> Romain
>>>
>>
>>
>
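
An added example, not part of the original message and not Samba code: a Python check that pulls the user SID and group SID out of the _netr_LogonSamLogon entry quoted above, splits off the RID, and looks each domain portion up in the "net rpc trustdom list" output. The function names are hypothetical; the log and trust-list text are copied from the message.

```python
import re

# Text copied from the message above (line wrapping as mailed).
LOG = r"""[2012/12/16 22:57:22.701841, 1]
rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
_netr_LogonSamLogon: user ES01\Administrator has user sid
S-1-5-21-1816646249-803782145-3669927669-500 but group sid
S-1-5-21-3405883886-2425668597-4100599511-513. The conflicting domain
portions are not supported for NETLOGON calls"""
TRUSTDOM = """Trusted domains list:
ES01 S-1-5-21-1816646249-803782145-3669927669
Trusting domains list:
ES01 S-1-5-21-1816646249-803782145-3669927669"""

SID = r"S-1-\d+(?:-\d+)+"
CONFLICT = re.compile(
    rf"user (?P<account>\S+) has user sid (?P<user>{SID}) but group sid (?P<group>{SID})")


def split_sid(sid):
    """Split a SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_trustdom(text):
    """Map domain SID -> domain name from `net rpc trustdom list` output."""
    pairs = re.findall(rf"^\s*(\S+)\s+({SID})\s*$", text, re.MULTILINE)
    return {sid: name for name, sid in pairs}


def find_sid_conflicts(log, trustdom):
    """Report logons whose user SID and group SID belong to different domains."""
    names = parse_trustdom(trustdom)
    found = []
    for m in CONFLICT.finditer(re.sub(r"\s+", " ", log)):  # undo line wrapping
        (u_dom, u_rid), (g_dom, g_rid) = split_sid(m["user"]), split_sid(m["group"])
        if u_dom != g_dom:
            found.append({
                "account": m["account"],
                "user": (names.get(u_dom, "not in trust list"), u_rid),
                "group": (names.get(g_dom, "not in trust list"), g_rid),
            })
    return found


if __name__ == "__main__":
    for conflict in find_sid_conflicts(LOG, TRUSTDOM):
        print(conflict)
```

For the entry above it reports the user SID (RID 500) under ES01 and the group SID (RID 513) under a domain SID that does not appear in the trust list.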