[Samba] can't auth against more than 1 domain

Taylor, Jonn jonnt at taylortelephone.com
Wed Nov 13 20:51:42 MST 2013


On 11/13/2013 04:43 PM, Doug Tucker wrote:
> On 11/13/2013 04:12 PM, Taylor, Jonn wrote:
>> On 11/13/2013 04:04 PM, Dale Schroeder wrote:
>>> On 11/13/2013 3:34 PM, Doug Tucker wrote:
>>>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>>>> I have 2 samba servers.  One with centos5+samba 3.033 that has 
>>>>>> been in service for a few years now. I have installed a 
>>>>>> centos6+samba 3.6.9.  I followed the how-to I did with the first 
>>>>>> one, copied over the krb5.conf and smb.conf from the working 
>>>>>> server and all seemed to go well. It is a member server of a 
>>>>>> Windows AD. We have 2 DC's that are part of the same forest: SEAS 
>>>>>> and SEAS-S.  I joined the new one like the old one to the SEAS 
>>>>>> domain.  The problem I have run into is the new server will only 
>>>>>> auth users in the domain it is joined to (SEAS) and cannot get 
>>>>>> users from SEAS-S. If I check for trusted domains net rpc 
>>>>>> trustdom SEAS-S shows up under trusted and trusting.  If I do 
>>>>>> wbinfo -u | grep SEAS I get a full list of users in the SEAS 
>>>>>> domain.  But wbinfo -u | grep SEAS-S comes back blank.
>>>>>>
>>>>>> I don't know what to provide to help solve this so I'll post 
>>>>>> some basics I guess.
>>>>>>
>>>>>> krb5.conf:
>>>>>> [logging]
>>>>>>  default = FILE:/var/log/krb5libs.log
>>>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>>>
>>>>>> [libdefaults]
>>>>>>  default_realm = SEAS.ENGR.SMU.EDU
>>>>>>  dns_lookup_realm = false
>>>>>>  dns_lookup_kdc = false
>>>>>>  ticket_lifetime = 24h
>>>>>>  forwardable = true
>>>>>>
>>>>>> [realms]
>>>>>>  SEAS.ENGR.SMU.EDU = {
>>>>>>   kdc = seas.engr.smu.edu:88
>>>>>>   admin_server = seas.engr.smu.edu:749
>>>>>>   default_domain = engr.smu.edu
>>>>>>  }
>>>>>>
>>>>>>  SEAS-S.ENGR.SMU.EDU = {
>>>>>>   kdc = seas-s.engr.smu.edu:88
>>>>>>   admin_server = seas-s.engr.smu.edu:749
>>>>>>   default_domain = engr.smu.edu
>>>>>>  }
>>>>>>
>>>>>> [domain_realm]
>>>>>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>
>>>>>> [appdefaults]
>>>>>>  pam = {
>>>>>>    debug = false
>>>>>>    ticket_lifetime = 36000
>>>>>>    renew_lifetime = 36000
>>>>>>    forwardable = true
>>>>>>    krb4_convert = false
>>>>>>  }
>>>>>>
>>>>>> Globals of smb.conf:
>>>>>>
>>>>>>    workgroup = SEAS
>>>>>>    realm = SEAS.ENGR.SMU.EDU
>>>>>>    security = ADS
>>>>>>    encrypt passwords = yes
>>>>>>    passdb backend = tdbsam
>>>>>>    obey pam restrictions = no
>>>>>>    invalid users = root
>>>>>>    username map = /etc/samba/domain_user.map
>>>>>>    winbind separator = +
>>>>>>    winbind cache time = 600
>>>>>>    idmap uid = 19000-20000
>>>>>>    idmap gid = 19000-20000
>>>>>>
>>>>>> Please let me know what else I may provide to help solve this. I 
>>>>>> found some threads on this issue that were several years old in 
>>>>>> regard to 3.028 having this issue and it was patched in a later 
>>>>>> release.  I can't find anything current about this. Thank you in 
>>>>>> advance.
>>>>> Doug,
>>>>>
>>>>> This is most likely related to the idmap syntax changes in recent 
>>>>> Samba versions. idmap uid/gid is deprecated.  3.6 uses something 
>>>>> like the following:
>>>>>
>>>>>     idmap config * : backend        = tdb
>>>>>     idmap config * : range            = 1000000 - 2000000
>>>>>     idmap config DOMAIN1 : default     = Yes
>>>>>     idmap config DOMAIN1 : backend    = rid
>>>>>     idmap config DOMAIN1 : range        = 1000 - 2000
>>>>>     idmap config DOMAIN2 : backend    = rid
>>>>>     idmap config DOMAIN2 : range        = 3000 - 4000
>>>>>
>>>>> Range values should not overlap.  Adjust backend and range values 
>>>>> to suit your situation.
>>>>>
>>>>> Dale
>>>>>
>>>>
>>>> Sorry, hit send too soon.  Here is the command/log:
>>>>
>>>> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>>>> Enter SEAS-S+tuckerd's password:
>>>> plaintext password authentication succeeded
>>>> Enter SEAS-S+tuckerd's password:
>>>> challenge/response password authentication succeeded
>>>>
>>>>  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>>>> [2013/11/13 15:32:29.093674, 10] 
>>>> winbindd/winbindd.c:679(wb_request_done)
>>>>   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>>>
>>> I haven't used the ad backend, but I believe it also requires a 
>>> schema mode option.  See: 
>>> http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
>>>
>>> I've found this syntax: idmap config DOMAIN : schema mode = rfc2307 
>>> | sfu | sfu20
>>> Also found this option in some configs: winbind nss info = rfc2307 | 
>>> sfu | sfu20 | template
>>>
>>> I don't have the experience with idmap_ad to guide you, but maybe 
>>> this will help.
>>>
>>> Dale
>>>
>>>
>> To clear the cache you can also use this command "net cache flush"
>>
>> Also here is my working AD config. This is on a cluster so just ignore 
>> the cluster statements.
>>
>> [global]
>>     workgroup = TAYLORTELEPHONE
>>     realm = TAYLORTELEPHONE.COM
>>     netbios name = SHR01
>>     server string = Cluster Share
>>     interfaces = eth0, eth1, lo
>>     security = ADS
>>     private dir = /clusterdata/ctdb
>>     log file = /var/log/samba/log.%m
>>     server signing = auto
>>     lpq cache time = 20
>>     clustering = Yes
>>     printcap name = /etc/printcap
>>     wins server = 192.168.173.3
>>     template homedir = /home/%U
>>     template shell = /bin/bash
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind refresh tickets = Yes
>>     winbind offline logon = Yes
>>     idmap config * : range = 500-4000000
>>     idmap config TAYLORTELEPHONE:range = 500-4000000
>>     idmap config TAYLORTELEPHONE:backend = rid
>>     idmap config * : schema_mode = rfc2307
>>     idmap config * : backend = ad
>>     admin users = "@TAYLORTELEPHONE\Domain Admins"
>>     inherit acls = Yes
>>     map acl inherit = Yes
>>     max print jobs = 100
>>     printing = bsd
>>     print command = lpr -r -P'%p' %s
>>     lpq command = lpq -P'%p'
>>     lprm command = lprm -P'%p' %j
>>
> OK, adding the schema_mode didn't change anything.  I'm still missing 
> *something*.
>
> Still if I try to do a full dump using wbinfo -u I get every user in 
> the SEAS domain but nothing from SEAS-S.  Mapping drives using a SEAS 
> user still works, SEAS-S user still gets access denied in the client 
> and the samba server logs says it can't find SEAS-S.
>
> Oddly, this works just fine:
> [root at lylesmb1 samba]# wbinfo -n SEAS+tuckerd
> S-1-5-21-2041585393-961507653-59529505-6586 SID_USER (1)
> [root at lylesmb1 samba]# wbinfo -n SEAS-S+tuckerd
> S-1-5-21-1863541909-2129596521-199955091-23660 SID_USER (1)
>
> And in the logs it shows:
>
> [2013/11/13 16:38:11.058477,  1] 
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           in: struct wbint_LookupName
>               domain                   : *
>                   domain                   : 'SEAS-S'
>               name                     : *
>                   name                     : 'TUCKERD'
>               flags                    : 0x00000000 (0)
> [2013/11/13 16:38:11.061425,  1] 
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           out: struct wbint_LookupName
>               type                     : *
>                   type                     : SID_NAME_USER (1)
>               sid                      : *
>                   sid                      : 
> S-1-5-21-1863541909-2129596521-199955091-23660
>               result                   : NT_STATUS_OK
>
> [2013/11/13 16:38:02.282938,  1] 
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           in: struct wbint_LookupName
>               domain                   : *
>                   domain                   : 'SEAS'
>               name                     : *
>                   name                     : 'TUCKERD'
>               flags                    : 0x00000000 (0)
> [2013/11/13 16:38:02.283503,  1] 
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>        wbint_LookupName: struct wbint_LookupName
>           out: struct wbint_LookupName
>               type                     : *
>                   type                     : SID_NAME_USER (1)
>               sid                      : *
>                   sid                      : 
> S-1-5-21-2041585393-961507653-59529505-6586
>               result                   : NT_STATUS_OK
>
> I'm flatly confused why a lookup of a single user works, but nothing 
> when doing a full dump, and why it won't authenticate and map drives :(
Can you post your smb.conf, please?

Jonn
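As an added example (not part of the thread, and not a Samba tool), here is a small Python linter for the idmap section of an smb.conf that checks the points Dale raised above: the deprecated `idmap uid`/`idmap gid` lines, a backend and range for the `*` default domain and for every trusted domain (the list you would otherwise read from `wbinfo -m`), and non-overlapping ranges. The two configs embedded in it are constructed: one is Doug's original globals, the other a rewrite of the same server in the 3.6 per-domain syntax with a deliberate overlap so the check has something to report. Domain names, ranges and finding messages are the example's own assumptions.

```python
"""Lint the idmap configuration of an smb.conf (added example, not a Samba tool)."""
import re
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# "idmap config DOMAIN : option = value" (spaces around the colon are optional)
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:]+?)\s*:\s*(?P<option>[a-z_ ]+?)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)
# Pre-3.6 syntax that Dale's reply above calls deprecated
LEGACY_RE = re.compile(r"^idmap\s+(uid|gid)\s*=", re.IGNORECASE)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed sample 1: the globals posted at the top of the thread (old idmap syntax).
ORIGINAL_GLOBALS = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap uid = 19000-20000
   idmap gid = 19000-20000
"""

# Constructed sample 2: the same server rewritten in the 3.6 per-domain syntax,
# with one deliberate mistake (SEAS and SEAS-S ranges overlap) to exercise the check.
REWRITTEN_GLOBALS = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 1000 - 2000
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 1500 - 4000
"""


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """Turn '1000 - 2000' into (1000, 2000); None if the value is not a range."""
    m = RANGE_RE.match(value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Collect {DOMAIN: {option: value}} plus any legacy 'idmap uid/gid' lines."""
    domains: Dict[str, Dict[str, str]] = {}
    legacy: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # blank, comment, or section header
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("domain").upper()
            opt = m.group("option").lower().replace(" ", "_")  # 'schema mode' -> 'schema_mode'
            domains.setdefault(dom, {})[opt] = m.group("value")
        elif LEGACY_RE.match(line):
            legacy.append(line)
    return domains, legacy


def lint_idmap(conf: str, trusted_domains: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the idmap section looks sane.

    trusted_domains is the list you would otherwise read from 'wbinfo -m'.
    """
    domains, legacy = parse_idmap(conf)
    findings: List[str] = []
    for line in legacy:
        findings.append(f"deprecated: '{line}' (use 'idmap config DOMAIN : range' instead)")

    # The '*' default domain and every trusted domain need a backend and a usable range.
    for dom in ["*"] + sorted(d.upper() for d in trusted_domains):
        cfg = domains.get(dom)
        if cfg is None:
            findings.append(f"{dom}: no idmap config; users from this domain get no uid/gid")
            continue
        if "backend" not in cfg:
            findings.append(f"{dom}: missing backend")
        rng = parse_range(cfg.get("range", ""))
        if rng is None:
            findings.append(f"{dom}: missing or unparsable range")
        elif rng[0] > rng[1]:
            findings.append(f"{dom}: range lower bound {rng[0]} is above upper bound {rng[1]}")
        if cfg.get("backend", "").lower() == "ad" and "schema_mode" not in cfg:
            findings.append(f"{dom}: ad backend without an explicit schema_mode")

    # Ranges must not overlap, otherwise two SIDs can be mapped onto the same uid.
    ranges = {d: r for d, r in ((d, parse_range(c.get("range", ""))) for d, c in domains.items())
              if r is not None and r[0] <= r[1]}
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(f"ranges overlap: {a} {ra[0]}-{ra[1]} and {b} {rb[0]}-{rb[1]}")
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_GLOBALS), ("rewritten", REWRITTEN_GLOBALS)):
        print(f"== {name} ==")
        for finding in lint_idmap(conf, ["SEAS", "SEAS-S"]):
            print("  -", finding)
```

Run against the original globals it reports the two deprecated lines and a missing idmap config for `*`, SEAS and SEAS-S, which matches the symptom in the thread (SEAS-S users resolve by SID but never get a uid, so enumeration and share access fail); against the rewrite it reports only the SEAS/SEAS-S overlap. Feed it the real file with `lint_idmap(open("/etc/samba/smb.conf").read(), <domains from wbinfo -m>)`.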


