[Samba] interdomain trusts: known to work on v3.5.4?
Eric S. Hvozda
hvozda at ack.org
Thu Aug 18 11:57:22 MDT 2011
Greetings!
I'm having problems with winbind and interdomain trusts.
I've done a lot of searching on the topic and there appears to be a lot of folk out there with the same problem, but not any solutions.
Environment is CentOS v5.6 with yumable samba3x-winbind-3.5.4-0.70 on x86_64.
Specifically, the host is joined (successfully) to A:
[ehvozda at AD-test samba]$ sudo wbinfo -t
checking the trust secret for domain A via RPC calls succeeded
[ehvozda at AD-test samba]$
A trusts B.
I can kinit and get valid tickets for principals in each, no problem.
winbind appears to see both A & B:
[ehvozda at AD-test samba]$ sudo wbinfo -u
A\administrator
A\guest
A\krbtgt
A\aselwyn
A\ehvozda
A\hvozdae
A\b$
B\administrator
B\guest
B\krbtgt
B\ehvozda
B\ehvozda_xxx
[ehvozda at AD-test samba]$
Users in A can authenticate via winbind:
[ehvozda at AD-test samba]$ sudo wbinfo -a A\\hvozdae
Enter A\hvozdae's password:
plaintext password authentication succeeded
Enter A\hvozdae's password:
challenge/response password authentication succeeded
[ehvozda at AD-test samba]$
Users in B cannot.
[ehvozda at AD-test samba]$ sudo wbinfo -a B\\ehvozda
Enter B\ehvozda's password:
plaintext password authentication failed
Could not authenticate user B\ehvozda with plaintext password
Enter B\ehvozda's password:
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user B\ehvozda with challenge/response
[ehvozda at AD-test samba]$
However, clearly the user exists (see above).
winbind sees the trust:
[ehvozda at AD-test samba]$ sudo wbinfo -m
BUILTIN
AD-TEST
A
B
[ehvozda at AD-test samba]$
However, for whatever reason, B is considered offline:
[ehvozda at AD-test samba]$ sudo wbinfo --online-status
BUILTIN : online
AD-TEST : online
A : online
B : offline
[ehvozda at AD-test samba]$
Cranking debug level = 10 does not show anything obvious.
A few questions:
* Are interdomain trusts working in v3.5.4?
* Is there specific documentation or a recipe that works for folk?
* What are some debugging techniques I could try?
* Why is domain B offline?
I've included my smb.conf file below:
[global]
workgroup = A
realm = A.LOCAL
security = ads
idmap backend = tdb
idmap uid = 1000-9999
idmap gid = 1000-9999
idmap config A : backend = ad
idmap config A : range = 1000-2999
idmap config B : backend = ad
idmap config B : range = 3000-4999
template shell = /bin/false
winbind offline logon = false
log level = 10
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
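
Added example (not part of the original post, and not Samba project code): a small Python triage that cross-checks the three wbinfo outputs shown above (-m, --online-status, -u) and reports any trusted domain that winbind lists but marks offline. The sample strings are constructed from the output format in the post, the function names are hypothetical, and the backslash winbind separator is assumed.

```python
# Sample outputs in the format shown in the post (constructed, abridged).
TRUSTED = "BUILTIN\nAD-TEST\nA\nB\n"                                      # wbinfo -m
STATUS = "BUILTIN : online\nAD-TEST : online\nA : online\nB : offline\n"  # wbinfo --online-status
USERS = "A\\administrator\nA\\hvozdae\nB\\administrator\nB\\ehvozda\n"    # wbinfo -u


def parse_status(text):
    """Map domain name -> 'online'/'offline' from `wbinfo --online-status` lines."""
    status = {}
    for line in text.splitlines():
        name, sep, state = line.partition(":")
        if sep:
            status[name.strip().upper()] = state.strip().lower()
    return status


def count_users(text, separator="\\"):
    """Count enumerated accounts per domain from `wbinfo -u` lines."""
    counts = {}
    for line in text.splitlines():
        domain, sep, user = line.strip().partition(separator)
        if sep and user:
            counts[domain.upper()] = counts.get(domain.upper(), 0) + 1
    return counts


def triage(trusted_text, status_text, users_text):
    """Return {domain: [findings]} for every domain that needs a closer look."""
    status = parse_status(status_text)
    users = count_users(users_text)
    findings = {}
    for domain in (d.strip().upper() for d in trusted_text.splitlines() if d.strip()):
        notes = []
        state = status.get(domain)
        if state is None:
            notes.append("listed by -m but missing from --online-status")
        elif state != "online":
            notes.append("marked " + state)
            if users.get(domain):
                # Same symptom as in the post: accounts enumerate, domain is offline.
                notes.append("%d users enumerated despite offline status" % users[domain])
        if notes:
            findings[domain] = notes
    return findings


if __name__ == "__main__":
    for domain, notes in triage(TRUSTED, STATUS, USERS).items():
        print(domain + ": " + "; ".join(notes))
```

To use it on a live host, feed the three functions the captured text of the same three wbinfo commands instead of the sample strings.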