SAMBA interdomain trusts.

Michael Starling mlstarling31 at hotmail.com
Wed Aug 28 22:19:32 MDT 2013
I have two SAMBA PDCs with an OpenLDAP backend. My goal is to establish an interdomain trust between the two domains so that users from each backend can log in to Windows systems by specifying accounts from either domain.

I've followed the steps to establish the trusts and I can see accounts and groups using wbinfo and getent.

I can access resources/shares from each domain, but I'm unable to log on to any Windows system using the alternate domain, although the alternate domain does indeed show up in the drop-down. I simply get an incorrect password error and eventually lock out my account on the domain that the system is part of, and not the trust domain I'm trying to authenticate to.

net rpc trustdom LIST reports OK from each PDC.

Trusted domains list:

ABCLOTT             S-1-5-21-3441751594-170090486-2794545703

Trusting domains list:

ABCLOTT             S-1-5-21-3441751594-170090486-2794545703


net rpc trustdom LIST 

Trusted domains list:

XYZLOTT              S-1-5-21-3045757412-1322895056-2287618393

Trusting domains list:

XYZLOTT              S-1-5-21-3045757412-1322895056-2287618393


I see this in the logs.

  check_ntlm_password: sam authentication for user [testuser] FAILED with error NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556149, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [testuser]
[2013/08/28 22:29:11.556178,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [XYZLOTT] was for this SAM.
[2013/08/28 22:29:11.556209, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2013/08/28 22:29:11.556238,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556303,  5] rpc_server/netlogon/srv_netlog_nt.c:1574(_netr_LogonSamLogon_base)
  _netr_LogonSamLogonEx: check_password returned status NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556338,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx


and this....


[2013/08/28 22:29:11.553321,  2] ../libcli/auth/ntlm_check.c:423(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553352,  3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553382,  4] ../libcli/auth/ntlm_check.c:479(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with domain XYZLOTT
[2013/08/28 22:29:11.553421,  4] ../libcli/auth/ntlm_check.c:508(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with upper-cased version of domain XYZLOTT
[2013/08/28 22:29:11.553459,  4] ../libcli/auth/ntlm_check.c:536(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password without a domain
[2013/08/28 22:29:11.553497,  4] ../libcli/auth/ntlm_check.c:567(ntlm_password_check)
  ntlm_password_check: Checking NT MD4 password in LM field
[2013/08/28 22:29:11.553527,  3] ../libcli/auth/ntlm_check.c:588(ntlm_password_check)
  ntlm_password_check: LM password and LMv2 failed for user testuser, and NT MD4 password in LM field not permitted


I do have ntlm auth = No in smb.conf on each PDC and "Use NTLMv2 only" on the Windows systems, and domain logins work fine to the primary domain. Do I need to allow NTLMv1 to get intertrust domain logons to work?


-Mike
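An added example, not code from the post or from the Samba project: a small Python parser for the Samba debug log format quoted above. It pairs each "requested domain [...] was for this SAM" decision from check_winbind_security with the NT_STATUS failure that follows in check_ntlm_password, so an administrator can list which logon attempts were answered from the local passdb instead of being handed to winbind for the trusted domain, and how many failures each account has accumulated on that PDC. The sample input is copied from the post's own excerpt; record grouping and the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: the four records below are copied from the level-10
# Samba debug log excerpt in the post above.
SAMPLE_LOG = """\
[2013/08/28 22:29:11.556149, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [testuser]
[2013/08/28 22:29:11.556178,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [XYZLOTT] was for this SAM.
[2013/08/28 22:29:11.556209, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2013/08/28 22:29:11.556238,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Samba debug header: "[timestamp, level] file:line(function)"; the message
# follows on one or more indented continuation lines.
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)$")
SAM_RE = re.compile(r"requested domain \[(?P<domain>[^\]]+)\] was for this SAM")
FAIL_RE = re.compile(r"Authentication for user \[(?P<user>[^\]]+)\] -> \[[^\]]+\] "
                     r"FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_records(text):
    """Group a header and its continuation lines into (ts, level, func, message)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m["ts"], int(m["level"]), m["func"], ""])
        elif records and line.strip():
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def find_local_sam_failures(text):
    """Failed logons that smbd answered from its own SAM (winbind skipped)
    although the client named a domain: list of (user, requested_domain, status)."""
    pending, hits = None, []
    for _ts, _level, func, msg in parse_records(text):
        m = SAM_RE.search(msg)
        if func == "check_winbind_security" and m:
            pending = m["domain"]          # remember which domain the client asked for
            continue
        m = FAIL_RE.search(msg)
        if func == "check_ntlm_password" and m and pending:
            hits.append((m["user"], pending, m["status"]))
            pending = None                 # one SAM decision per logon attempt
    return hits

def failures_per_account(text):
    """Count failures per (user, domain); each is a strike against the local
    account's lockout threshold on this PDC, not against the trusted domain."""
    return dict(Counter((u, d) for u, d, _s in find_local_sam_failures(text)))

if __name__ == "__main__":
    for user, domain, status in find_local_sam_failures(SAMPLE_LOG):
        print(f"{user}@{domain}: answered by local SAM, {status}")
```

Run it against a log captured at `log level = 10`; any hit whose domain is the trusted domain rather than the PDC's own shows the attempt never reached winbind.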
