[Samba] losing NT4 WAN trust domains with samba-3.0.8+

Adam Cody ajcody at gmail.com
Fri Dec 17 19:52:25 GMT 2004


If I use any of the binary packages for SuSE SLES9 greater than 3.0.7,
I cannot see some of my NT4 trust domains via winbind.
We have 5 regular NT 4 domains that trust each other. Two of them are
within our LAN (local subnet); the samba machine is within one of these
domains ... security = domain.
There are another 5 domains that are set up for our AD environment for
Exchange, mixed mode. Using 3.0.7 and below, if I do a getent passwd I
can see accounts from all 10 domains. If I upgrade to 3.0.8-3.0.10 I
lose 3 of the 5 regular NT 4 domains. These domains are not within
my LAN (local subnet).

Some possible items from the 3.0.8 release notes that might explain this:
  o New experimental idmap backend for assigning uids/gids
    directly based on the user/group RID when acting as a
    member of single domain without any trusts.
    * Fix deadlock loop in winbind's required_membership_sid
      verification.
    * Bring the same level of "required_membership"-functionality 
      that ntlm_auth uses, to pam_winbindd as well.
    * Add the idmap_rid module (written in conjunction with 
      Sumit Bose ).
    * Prevent idmap_rid from making unnecessary calls to domain
      controllers for trusted domains.

Any help would be much appreciated, as it's stopping the Windows
fileserver replacement we were going to do during the holiday break.
Adam

_____________________________
**Works with samba 3.0.7 and below, fails with 3.0.8 and above
[global]
   workgroup = RICK
   interfaces = 127.0.0.1 eth0
   bind interfaces only = true
   passdb backend = ldapsam:ldap://linuxwest.XXXXXX.com
   map to guest = guest
   security = domain
   encrypt passwords = yes
   server string = Samba Server
   netbios name = linuxwest
   domain master = false 
   domain logons = no
   local master = no
   obey pam restrictions = yes
   wins server = 172.XX.XXX.1
   name resolve order = wins lmhosts hosts
   username map = /etc/samba/smbusers
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   ldap suffix = dc=XXXXXX,dc=com
   ldap machine suffix = ou=People
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=Manager,dc=ricardo-us,dc=com
   idmap backend = ldap:ldap://linuxwest.XXXXXX.com
   allow trusted domains = yes
   map acl inherit = yes
   add user script = /usr/sbin/smbldap-useradd.pl -a -m '%u'
   delete user script = /usr/sbin/smbldap-userdel.pl '%u'
   add group script = /usr/sbin/smbldap-groupadd.pl -p '%g'
   delete group script = /usr/sbin/smbldap-groupdel.pl '%g'
   add user to group script = /usr/sbin/smbldap-groupmod.pl -m '%u' '%g'
   delete user from group script = /usr/sbin/smbldap-groupmod.pl -x '%u' '%g'
   set primary group script = /usr/sbin/smbldap-usermod.pl -g '%g' '%u'
   add machine script = /usr/sbin/smbldap-useradd.pl -w '%u'
   host msdfs = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
   deadtime = 3
   wins support = no
_________________________________
**Works with samba 3.0.7 and below, fails with 3.0.8 and above
[global]
   workgroup = RICARDO
   interfaces = 127.0.0.1 eth0
   bind interfaces only = true
   map to guest = guest
   security = domain
   encrypt passwords = yes
   server string = Samba Server
   netbios name = linuxeast
   domain master = false
   domain logons = no
   local master = no
   obey pam restrictions = yes
   wins server = 172.20.161.1
   name resolve order = lmhosts hosts wins bcast
   username map = /etc/samba/smbusers
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   allow trusted domains = yes
   map acl inherit = yes
   host msdfs = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
   deadtime = 3
   wins support = no
   passdb backend = tdbsam:/etc/samba/passdb.tdb smbpasswd:/etc/samba/smbpasswd
   preferred master = auto 

_________________________________
/etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind

hosts:  files dns wins
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files
passwd_compat:  ldap
group_compat:   ldap

__________________________________
example pam.d file - login
#%PAM-1.0
auth    sufficient      pam_winbind.so
auth    requisite       pam_unix2.so    nullok         #set_secrpc
auth    required        pam_securetty.so
auth    required        pam_nologin.so
auth    required        pam_homecheck.so
auth    required        pam_env.so
auth    required        pam_mail.so
account sufficient      pam_winbind.so
account required        pam_unix2.so
password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok
session required        pam_unix2.so    none         # debug or trace
session required        pam_limits.so
session required        pam_homecheck.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
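The symptom in the post is that `getent passwd` silently stops returning accounts from some trusted domains after an upgrade. The following shell snippet is an added diagnostic, not part of the original post or of Samba: it takes `getent passwd` (or `wbinfo -u`-style) output on stdin, keeps only entries whose uid falls inside the configured `idmap uid` range (10000-20000 in the posted smb.conf, so local accounts such as root are ignored), derives the domain from the `DOMAIN\user` prefix (winbind's default separator), treats unprefixed entries as the primary domain because `winbind use default domain = yes` strips that prefix, and reports which expected domains contributed no accounts at all. The sample passwd lines, the domain names other than RICK and RICARDO, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic for checking which trusted domains winbind is actually
# enumerating. Not from the original post; all sample data below is constructed.

# domains_seen PRIMARY UID_LOW UID_HIGH < passwd_lines
#   Prints the distinct domain names present in the winbind-mapped entries,
#   one per line, sorted. Entries outside the idmap range are skipped so that
#   local accounts do not get mistaken for primary-domain users.
domains_seen() {
    awk -F: -v primary="$1" -v low="$2" -v high="$3" '
        {
            uid = $3 + 0
            if (uid < low || uid > high) next      # not a winbind-mapped account
            user = $1
            pos = index(user, "\\")                # winbind separator is a backslash
            if (pos > 0) {
                dom = substr(user, 1, pos - 1)
            } else {
                dom = primary                      # "winbind use default domain = yes"
            }
            seen[toupper(dom)] = 1
        }
        END { for (d in seen) print d }
    ' | LC_ALL=C sort
}

# missing_domains PRIMARY UID_LOW UID_HIGH "DOM1 DOM2 ..." < passwd_lines
#   Prints, in the order given, each expected domain that has no accounts.
missing_domains() {
    seen=$(domains_seen "$1" "$2" "$3")
    for d in $4; do
        echo "$seen" | grep -qFx "$(echo "$d" | tr a-z A-Z)" || echo "$d"
    done
}

# Constructed sample of getent passwd output from a host joined to RICK.
# NT4WAN1, NT4WAN2 and ADEXCH1 are placeholder domain names, not from the post.
SAMPLE='root:x:0:0:root:/root:/bin/bash
adam:x:10001:10000:Adam:/home/adam:/bin/bash
RICARDO\jsmith:x:10002:10000::/home/jsmith:/bin/bash
ADEXCH1\svc:x:10003:10000::/home/svc:/bin/bash'

# On a real host replace the sample with:  getent passwd | missing_domains ...
printf '%s\n' "$SAMPLE" | missing_domains RICK 10000 20000 "RICK RICARDO NT4WAN1 NT4WAN2 ADEXCH1"
```

Running the sample prints the two WAN NT4 domains that are missing. On a live system, comparing this output against `wbinfo -m` (the trusted domains winbind has discovered) separates "winbind never learned about the trust" from "winbind knows the domain but cannot map its users into the idmap range", which are the two failure modes worth telling apart before changing the idmap backend.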
