[Samba] inter domain trust not working
Razvan Cosma
rg at cosma.name
Tue Nov 6 02:20:48 MST 2012
Hello,
I am trying to make a RHEL6 box (samba-winbind-3.5.10-125.el6.x86_64)
accept logins from a trusted domain; all is working fine for the primary
domain, pam_winbind+pam_mkhomedir allow logins for domain users. When
checking the trusted one, though:
# net rpc trustdom list -Utest%pass
Trusted domains list:
TRUSTED S-1-2-5-etcetc
Unable to find a suitable server for domain TRUSTED
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
TRUSTED couldn't get domain's sid
There are no trusting domains set.
A tcpdump while running the above command shows the client connecting to
the primary domain controller (which also has all the other roles), then
making a DNS query for
SRV? _ldap._tcp.pdc._msdcs.TRUSTED.
to which it gets an NXDomain.
This query should not be made, and will not get an answer; the correct one
would be
SRV? _ldap._tcp.pdc._msdcs.TRUSTED.LOCAL
which does exist and returns all the SRV records as expected.
Windows clients do work in the same network/VLAN; any hints on what makes
Samba choke after that query are greatly appreciated.
For reference,

smb.conf:
    workgroup = PRIMARY
    password server = thedc.primary.local
    winbind use default domain = no
    realm = PRIMARY.LOCAL
    security = ads
    encrypt passwords = yes

krb5.conf:
    [libdefaults]
        default_realm = PRIMARY.LOCAL
        dns_lookup_realm = yes
        dns_lookup_kdc = yes
        forwardable = false
    [realms]
        PRIMARY.LOCAL = {
        }
        TRUSTED.LOCAL = {
        }
    [domain_realm]
        .primary.local = PRIMARY.LOCAL
        primary.local = PRIMARY.LOCAL
        .trusted.local = TRUSTED.LOCAL
        trusted.local = TRUSTED.LOCAL
(Yes, the realm definitions are empty, as everything should work via DNS. I
have also tried specifying admin_server, default_domain and kdc for the
trusted realm, no dice.)
thedc.primary.local is set in resolv.conf on the client.
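
Added example (not part of the original post and not Samba code): a small Python check that pairs DNS queries with their replies in tcpdump text output and flags DC-locator SRV lookups whose domain part is a single label, the pattern described in the post. The capture lines are constructed; the addresses, query ids and the host dc1.trusted.local are assumptions.

```python
import re

# Constructed "tcpdump -n port 53" lines. Only the two query names come from
# the post; addresses, ids and dc1.trusted.local are made up for the example.
SAMPLE = """\
02:20:01.000100 IP 192.0.2.10.40001 > 192.0.2.1.53: 4101+ SRV? _ldap._tcp.pdc._msdcs.TRUSTED. (45)
02:20:01.000900 IP 192.0.2.1.53 > 192.0.2.10.40001: 4101 NXDomain 0/1/0 (120)
02:20:02.000100 IP 192.0.2.10.40002 > 192.0.2.1.53: 4102+ SRV? _ldap._tcp.pdc._msdcs.TRUSTED.LOCAL. (51)
02:20:02.000900 IP 192.0.2.1.53 > 192.0.2.10.40002: 4102* 1/0/1 SRV dc1.trusted.local.:389 0 100 (98)
"""

# Query: "<id>+ SRV? <name> (len)"; reply: "<id><flags> [NXDomain] ..."
QUERY = re.compile(r": (\d+)\+? SRV\? (\S+) \(")
REPLY = re.compile(r": (\d+)[*\-|$]* (NXDomain)?")
MARKER = "._msdcs."  # DC-locator names look like _ldap._tcp.pdc._msdcs.<domain>


def audit(capture):
    """Return (query name, rcode, single_label) for each answered SRV query."""
    pending, findings = {}, []
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            # Remember the name by DNS id so the reply can be matched to it.
            pending[q.group(1)] = q.group(2).rstrip(".")
            continue
        r = REPLY.search(line)
        if not r or r.group(1) not in pending:
            continue
        name = pending.pop(r.group(1))
        domain = name.split(MARKER, 1)[-1]
        # A domain part without a dot is a short (NetBIOS-style) name that was
        # used as if it were the DNS domain.
        single_label = MARKER in name and "." not in domain
        findings.append((name, r.group(2) or "NoError", single_label))
    return findings


if __name__ == "__main__":
    for name, rcode, single in audit(SAMPLE):
        note = "single-label domain in locator query" if single else "ok"
        print(f"{rcode:9} {name}  [{note}]")
```
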