[Samba] winbind issues with AD domain trust

Anderson, Eli C Eli.C.Anderson at nhmccd.edu
Fri May 21 19:40:43 GMT 2004


I'm setting up Samba in an environment with 2 Active Directory domains set up
with a one-way trust (DOMAINA -> DOMAINB).  Samba is in DOMAINA.  From
looking at the logs (see below) it appears that winbind is having trouble
getting the credentials for the domain controller in DOMAINB.

I can get tickets, using kinit, for accounts in both domains.  I can join
DOMAINA just fine.  Running wbinfo -m displays the trusts; however, wbinfo -u
and wbinfo -g hang.  If I run wbinfo -domain=DOMAINA and then run wbinfo -u and
wbinfo -g, I get all of the user and group information.

The samba server is running on Fedora Core 1 and I have used both the
latest RPM from up2date (3.0.2) and the latest Fedora binary from the samba
download site (3.0.4).

DOMAINA is a Windows 2000 AD Domain and DOMAINB is Windows 2003.

Any help will be greatly appreciated.

This is the relevant information from winbindd.log (machine names changed to
protect the innocent):

[2004/05/21 12:16:33, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 172.16.30.1
[2004/05/21 12:16:33, 3] libads/ldap.c:ads_server_info(2030)
  got ldap server name kdcb@DOMAINB.COM, using bind path: dc=DOMAINB,dc=COM
[2004/05/21 12:16:33, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(107)
  IPC$ connections done anonymously
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_start_connection(1337)
  Connecting to host=KDCB
[2004/05/21 12:16:33, 3] lib/util_sock.c:open_socket_out(710)
  Connecting to 172.16.30.1 at port 445
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(676)
  Doing spnego session setup (blob length=107)
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
  got OID=1 2 840 48018 1 2 2
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
  got OID=1 2 840 113554 1 2 2
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
  got OID=1 2 840 113554 1 2 2 3
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
  got OID=1 3 6 1 4 1 311 2 2 10
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
  got principal=kdcb$@DOMAINB.COM
[2004/05/21 12:16:33, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(510)
  Doing kerberos session setup
[2004/05/21 12:16:33, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for kdcb$@DOMAINB.COM (Server not found in Kerberos database)
[2004/05/21 12:16:33, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516)
  spnego_gen_negTokenTarg failed: Server not found in Kerberos database
[2004/05/21 12:16:33, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
  lsa_io_sec_qos: length c does not match size 8
[2004/05/21 12:16:33, 3] nsswitch/winbindd_util.c:add_trusted_domain(159)
  add_trusted_domain: DOMAINB is an ADS native mode domain
[2004/05/21 12:16:33, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain DOMAINB domainb.com S-1-5-21-842925246-706699826-1801674531
[2004/05/21 12:16:33, 3] nsswitch/winbindd_ads.c:trusted_domains(852)
  ads: trusted_domains

 

My smb.conf file, as printed by testparm:

# Global parameters
[global]
        workgroup = DOMAINA
        realm = DOMAINA.COM
        server string = Samba Server
        security = ADS
        log file = /var/log/samba/%m.log
        max log size = 50
        client signing = Yes
        server signing = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        dns proxy = No
        idmap uid = 10000-200000
        idmap gid = 10000-200000
        template homedir = /home/winnt/%D/%U
        template shell = /bin/bash
        winbind separator = +

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[testshare]
        comment = Test samba share
        path = /var/share
        read only = No
        guest ok = Yes


 

And my /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = PASSKEY.CC
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 DOMAINA.COM = {
  kdc = kdca.domaina.com:88
  admin_server = kdca.domaina.com:749
 }

 DOMAINB.COM = {
  kdc = kdcb.domainb.com:88
  admin_server = kdcb.domainb.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .domaina.com = DOMAINA.COM
 domaina.com = DOMAINA.COM
 .domainb.com = DOMAINB.COM
 domainb.com = DOMAINB.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
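Posts like this one usually come down to the krb5.conf the Kerberos library is actually reading, so a quick consistency check of that file is worth running before digging into winbind itself. The script below is an added example, not something from the original post or from the Samba project. It parses the INI-style krb5.conf syntax (one level of `{ ... }` nesting, enough for `[realms]` and `[appdefaults]`), then checks that `default_realm` matches the `realm` from smb.conf and is defined under `[realms]`, that every `[domain_realm]` mapping points at a defined realm whose name matches the DNS suffix, and that each realm's KDC host is actually covered by a `[domain_realm]` entry, which matters when `dns_lookup_realm = false` because the library then cannot fall back to DNS to map a host to a realm. The embedded `SAMPLE_KRB5_CONF` is constructed to mirror the shape of the posted file (including a `.doamina.com` mapping typo and a `default_realm` that does not match smb.conf) so the checks have something to find; the function and variable names are this example's own.

```python
import re

# Constructed sample in the shape of the posted krb5.conf; not the poster's file.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = PASSKEY.CC
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DOMAINA.COM = {
  kdc = kdca.domaina.com:88
  admin_server = kdca.domaina.com:749
 }
 DOMAINB.COM = {
  kdc = kdcb.domainb.com:88
  admin_server = kdcb.domainb.com:749
 }

[domain_realm]
 .doamina.com = DOMAINA.COM
 domaina.com = DOMAINA.COM
 .domainb.com = DOMAINB.COM
 domainb.com = DOMAINB.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a 'key = {' block becomes a nested dict.
    One level of nesting is supported, which covers [realms] and [appdefaults].
    A repeated key inside a block (e.g. several kdc lines) keeps only the last value."""
    sections = {}
    current = None   # dict for the current [section]
    block = None     # dict for the current '{ ... }' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            continue
        if line == "}":
            block = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        if value == "{":
            block = current.setdefault(key, {})
            continue
        (block if block is not None else current)[key] = value
    return sections


def realm_for_host(host, domain_realm):
    """Map a host to a realm the way [domain_realm] is consulted when dns_lookup_realm is
    false: an exact host entry wins, otherwise the longest matching '.suffix' entry."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    parts = host.split(".")
    for i in range(1, len(parts)):
        suffix = "." + ".".join(parts[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def check_krb5_conf(text, smb_realm):
    """Return a list of findings about realm and host-to-realm mapping consistency."""
    conf = parse_krb5_conf(text)
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    domain_realm = conf.get("domain_realm", {})
    findings = []

    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("no default_realm in [libdefaults]")
    else:
        if default_realm not in realms:
            findings.append(f"default_realm {default_realm} has no [realms] entry")
        if default_realm != smb_realm:
            findings.append(f"default_realm {default_realm} differs from smb.conf realm {smb_realm}")
    if smb_realm not in realms:
        findings.append(f"smb.conf realm {smb_realm} has no [realms] entry")

    # Every mapping must target a defined realm; a DNS name that is not the realm's own
    # lower-cased name is usually a typo (it can be legitimate for aliased domains).
    for domain, realm in domain_realm.items():
        if realm not in realms:
            findings.append(f"[domain_realm] {domain} maps to undefined realm {realm}")
        elif domain.lstrip(".") != realm.lower():
            findings.append(f"[domain_realm] {domain} -> {realm}: DNS name does not match "
                            f"the realm's own domain {realm.lower()} (typo?)")

    # Each realm's KDC host should resolve back to that realm through [domain_realm].
    for realm, entries in realms.items():
        kdc = entries.get("kdc")
        if not kdc:
            continue
        host = kdc.split(":")[0]
        mapped = realm_for_host(host, domain_realm)
        if mapped != realm:
            findings.append(f"KDC host {host} of {realm} maps to {mapped} via [domain_realm]")
    return findings


if __name__ == "__main__":
    for finding in check_krb5_conf(SAMPLE_KRB5_CONF, "DOMAINA.COM"):
        print(finding)
```

Run against the constructed sample with `DOMAINA.COM` as the smb.conf realm it reports four findings: the undefined and mismatched `default_realm`, the `.doamina.com` typo, and the fact that `kdca.domaina.com` therefore maps to no realm at all. Correcting those two values makes the check come back clean, which is the state to confirm before treating the trust itself as the problem.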
