[Samba] Re: Trusting and trusted domain (home mapping) problem

Adrian Chow achow at uwcsea.edu.sg
Tue Nov 2 13:00:47 GMT 2004


Hi Igor,

Do you have trustdomains in your "auth methods"?

Currently I have removed winbind from nsswitch.conf, and "smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user" does not work.

If I put winbind in nsswitch.conf, then I am able to 
authenticate but cannot connect to the shared folder, with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

The log file from the Domain_B_PDC:-

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
   Client requested device type [?????] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
   making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
   Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
   Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
   user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
   error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--------------

My smb.conf :-

[Shared]
         path = /shared
         valid users = @"Domain Users", @"Domain_A\Domain Users"
         write list = @"Domain Users", @"Domain_A\Domain Users"
         browsable = yes
         guest ok = no
         writeable =no


---------------


Do you have winbind in your nsswitch.conf?

How did you manage to get the mapped home directory for domain_a_user 
when he logs on to the joined_domain_B_computer?

Hope to hear from you on this... thanks a lot.

adrian

p/s: hope you got my previous mail, cos I forgot to cc to sambalists

Igor Belyi wrote:
> I would guess that it means that DomainA trust DomainB but DomainB does 
> not trust DomainA. Can you verify that trust is mutual between them? 
> Check 'net rpc trustdom list' on both machines.
> 
> No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
> Winbind is used only by Samba when it maps users from trust domain into 
> local space.
> 
> Adrian Chow wrote:
> 
>> Hi Igor,
>>
>> I got stuck now.  I did my best.  I got stuck at the winbind which I 
>> suspected is the reason why the domainA_computer cannot map the 
>> domain_B user's home directory.
>>
>> 1.  What are the settings of your winbind?
>>  
>>
> I have the following winbind related entries in smb.conf:
>  ldap idmap suffix = ou=Idmap
>  idmap backend = ldap:ldap://localhost
>  idmap uid = 10000-20000
>  idmap gid = 10000-20000
> 
> To see if winbind works you can also try to resolve a name into SID and 
> SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel', try to 
> do the following:
> wbinfo -n 'STAFF\wheel'
> wbinfo -Y <SID returned by the previous command>
> 
>> 2.  Do you use only "winbind" in your libnss_ldap or use "ldap" as well?
>>  
>>
> In my /etc/nsswitch.conf I have only "ldap" without winbind. As far as I 
> understand this, winbind usage via NSS can confuse Samba into thinking 
> that those users and groups are defined locally and maybe allowing Samba 
> to use winbind directly is a better approach for trust between domains.
> 
> I don't know why you would want to put winbind into libnss_ldap, which is 
> the configuration for the LDAP interface for NSS (when you use 'ldap' in 
> the /etc/nsswitch.conf file).
> 
>> 3.  My winbind works with :-
>> (For both sides)
>> wbinfo -t
>> wbinfo -p
>> wbinfo -u
>> wbinfo -g
>> getent passwd
>> (For DomainA)
>> "getent group" shows all the local groups and also the groups shown in 
>> "wbinfo -g"
>> (For DomainB)
>> "getent group" shows all the local groups and only the GUESTs group.  
>> Very weird.  The rest of the groups in "wbinfo -g" do not come up.
>> The log is something like this:-
>> -----------------------------------
>>
>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>>  could not lookup membership for group rid 
>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
>> NT_STATUS_NO_SUCH_GROUP)
>> [2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
>>  could not lookup domain group STAFF\wheel
>>
>> ---------------------------------------
>>  
>>
> Do you mean that this error message was reported during "getent group" 
> in DomainB? Because, without this error message I would assume that you 
> have winbind written in /etc/nsswitch.conf on your DomainA server but 
> not on your DomainB server.
> 
> The error message means that Samba thinks that 'wheel' is a Domain group 
> of the 'STAFF' domain and fails to find its mapping. I would expect this 
> error to come up during login of a Domain user whose primary group is a 
> local 'wheel' group instead of a Domain group. If this user is supposed 
> to have 'wheel' as a primary group you probably forgot to create a 
> groupmap from a Domain group for it.
> 
> Igor
> 
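An added example, not code from the thread or from Samba: a small Python parser for the smbd debug-log format shown in the mail that joins the lines the mail client wrapped and pairs each make_connection_snum "not permitted" message with the NT_STATUS that the following error_packet entry reports, so denied tree connects from a trusted domain can be pulled out of a larger log. The sample log is the Domain_B_PDC excerpt from the mail, embedded as constructed test data; the function names are this example's own.

```python
import re

# smbd entry: "[timestamp, level] file:function(line)" then an indented message;
# the mail client wrapped two of the messages onto a second line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] \S+:\w+\(\d+\)$")
DENIED_RE = re.compile(
    r"user '(?P<domain>[^\\']+)\\(?P<user>[^']+)' \(from session setup\) "
    r"not permitted to access this share \((?P<share>[^)]+)\)")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")

def parse_entries(text):
    """Split an smbd log into (timestamp, level, message), joining wrapped lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            entries.append([m.group(1), int(m.group(2)), ""])
        elif entries:
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def find_denials(text):
    """One dict per 'not permitted to access this share' message, tagged with
    the NT_STATUS code from the error_packet entry that follows it."""
    denials = []
    for ts, _level, msg in parse_entries(text):
        d = DENIED_RE.search(msg)
        if d:
            denials.append({"ts": ts, "status": None, **d.groupdict()})
            continue
        s = STATUS_RE.search(msg)
        if s and denials and denials[-1]["status"] is None:
            denials[-1]["status"] = s.group(1)
    return denials

# Constructed sample: the Domain_B_PDC excerpt quoted in the mail above.
SAMPLE_LOG = r"""[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
   Client requested device type [?????] for share [SHARED]
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
   Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
   user 'Domain_A\domain_a_user' (from session setup) not permitted to
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
   error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
   error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
"""
```

Running `find_denials(SAMPLE_LOG)` yields one record for Domain_A\domain_a_user against share Shared with status NT_STATUS_ACCESS_DENIED; the netgroup lookup entry just before it is the side effect of the `@` entries in `valid users`.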

