[Samba] winbind issues with AD domain trust
Anderson, Eli C
Eli.C.Anderson at nhmccd.edu
Fri May 21 19:40:43 GMT 2004
I'm setting up Samba in an environment with 2 Active Directory domains set up
with a one-way trust (DOMAINA -> DOMAINB). Samba is in DOMAINA. From
looking at the logs (see below) it appears that winbind is having trouble
getting the credentials for the domain controller in DOMAINB.
I can get tickets, using kinit, for accounts in both domains. I can join
DOMAINA just fine. Running wbinfo -m displays the trusts; however, wbinfo -u
and wbinfo -g hang. If I run wbinfo -domain=DOMAINA and then run wbinfo -u and
wbinfo -g, I get all of the user and group information.
The samba server is running on Fedora Core 1 and I have used both the
latest RPM from up2date (3.0.2) and the latest Fedora binary from the samba
download site (3.0.4).
DOMAINA is a Windows 2000 AD Domain and DOMAINB is Windows 2003.
Any help will be greatly appreciated.
This is the relevant information from winbindd.log (machine names changed to
protect the innocent):
[2004/05/21 12:16:33, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 172.16.30.1
[2004/05/21 12:16:33, 3] libads/ldap.c:ads_server_info(2030)
got ldap server name kdcb at DOMAINB.COM, using bind path: dc=DOMAINB,dc=COM
[2004/05/21 12:16:33, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(107)
IPC$ connections done anonymously
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_start_connection(1337)
Connecting to host=KDCB
[2004/05/21 12:16:33, 3] lib/util_sock.c:open_socket_out(710)
Connecting to 172.16.30.1 at port 445
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(676)
Doing spnego session setup (blob length=107)
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
got OID=1 2 840 48018 1 2 2
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
got OID=1 2 840 113554 1 2 2
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
got OID=1 2 840 113554 1 2 2 3
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(701)
got OID=1 3 6 1 4 1 311 2 2 10
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
got principal=kdcb$@DOMAINB.COM
[2004/05/21 12:16:33, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(510)
Doing kerberos session setup
[2004/05/21 12:16:33, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
krb5_get_credentials failed for kdcb$@DOMAINB.COM (Server not found in Kerberos database)
[2004/05/21 12:16:33, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516)
spnego_gen_negTokenTarg failed: Server not found in Kerberos database
[2004/05/21 12:16:33, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
lsa_io_sec_qos: length c does not match size 8
[2004/05/21 12:16:33, 3] nsswitch/winbindd_util.c:add_trusted_domain(159)
add_trusted_domain: DOMAINB is an ADS native mode domain
[2004/05/21 12:16:33, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain DOMAINB domainb.com S-1-5-21-842925246-706699826-1801674531
[2004/05/21 12:16:33, 3] nsswitch/winbindd_ads.c:trusted_domains(852)
ads: trusted_domains
My smb.conf file, as reported by testparm:
# Global parameters
[global]
workgroup = DOMAINA
realm = DOMAINA.COM
server string = Samba Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
client signing = Yes
server signing = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
idmap uid = 10000-200000
idmap gid = 10000-200000
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
winbind separator = +
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[testshare]
comment = Test samba share
path = /var/share
read only = No
guest ok = Yes
And my /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = PASSKEY.CC
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
DOMAINA.COM = {
kdc = kdca.domaina.com:88
admin_server = kdca.domaina.com:749
}
DOMAINB.COM = {
kdc = kdcb.domainb.com:88
admin_server = kdcb.domainb.com:749
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.doamina.com = DOMAINA.COM
domaina.com = DOMAINA.COM
.domainb.com = DOMAINB.COM
domainb.com = DOMAINB.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
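A small parser for the winbindd.log format shown above, added here as an example and not part of the original post or of Samba itself. It pairs each trust winbind registers ("Added domain ...") with the Kerberos service-ticket failures logged for that realm, so a hanging wbinfo can be traced to the failing trusted domain; the sample log is constructed from the excerpt above.

```python
import re
from dataclasses import dataclass

# Samba debug-log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)";
# the message text follows on the next (indented) line(s).
HEADER = re.compile(r"^\[(\S+ \S+), (\d+)\] (\S+):(\w+)\((\d+)\)$")
KRB_FAIL = re.compile(r"krb5_get_credentials failed for (\S+) \((.+)\)")
DOMAIN_ADDED = re.compile(r"Added domain (\S+) (\S+) (S-1-5-[\d-]+)")

@dataclass
class Entry:
    timestamp: str
    level: int
    source: str
    function: str
    message: str = ""

def parse_samba_log(text):
    """Attach each message line to the header line that precedes it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            ts, lvl, src, fn, _ = m.groups()
            entries.append(Entry(ts, int(lvl), src, fn))
        elif entries and line:  # continuation of the previous entry's message
            entries[-1].message = (entries[-1].message + " " + line).strip()
    return entries

def kerberos_failures(entries):
    """(principal, reason) for every service ticket winbind failed to obtain."""
    return [m.groups() for e in entries if (m := KRB_FAIL.search(e.message))]

def trusted_domains_added(entries):
    """(netbios name, dns name, SID) for each trust winbind registered."""
    return [m.groups() for e in entries if (m := DOMAIN_ADDED.search(e.message))]

def trust_report(text):
    """Map each trusted domain to its SID and the Kerberos failures in its realm."""
    entries = parse_samba_log(text)
    failures = kerberos_failures(entries)
    report = {}
    for netbios, dns, sid in trusted_domains_added(entries):
        realm = "@" + dns.upper()
        report[netbios] = {"sid": sid,
                           "failures": [f for f in failures if f[0].upper().endswith(realm)]}
    return report

# Constructed sample modelled on the winbindd.log excerpt in the post.
SAMPLE = """\
[2004/05/21 12:16:33, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
  got principal=kdcb$@DOMAINB.COM
[2004/05/21 12:16:33, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for kdcb$@DOMAINB.COM (Server not found in Kerberos database)
[2004/05/21 12:16:33, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain DOMAINB domainb.com S-1-5-21-842925246-706699826-1801674531
"""
```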