[Samba] Re: Trusting and trusted domain (home mapping) problem
Adrian Chow
achow at uwcsea.edu.sg
Tue Nov 2 13:00:47 GMT 2004
Hi Igor,
Do you have trustdomains in your "auth methods"?
Currently I have removed winbind from nsswitch.conf, and "smbclient
//domain_B_PDC/shared -U domain_A/domain_A_user" does not work.
If I put winbind in nsswitch.conf, then I am able to
authenticate but cannot connect to the shared folder, with the following
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
Client requested device type [?????] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
user 'Domain_A\domain_a_user' (from session setup) not permitted to
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
--------------
My smb.conf :-
[Shared]
path = /shared
valid users = @"Domain Users", @"Domain_A\Domain Users"
write list = @"Domain Users", @"Domain_A\Domain Users"
browsable = yes
guest ok = no
writeable = no
---------------
Do you have winbind in your nsswitch.conf?
How did you manage to get the mapped home directory for domain_a_user
when he logs on to the joined_domain_B_computer?
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail because I forgot to cc the samba list
Igor Belyi wrote:
> I would guess that it means that DomainA trust DomainB but DomainB does
> not trust DomainA. Can you verify that trust is mutual between them?
> Check 'net rpc trustdom list' on both machines.
>
> No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf).
> Winbind is used only by Samba when it maps users from trust domain into
> local space.
>
> Adrian Chow wrote:
>
>> Hi Igor,
>>
>> I got stuck now. I did my best. I got stuck at the winbind which I
>> suspected is the reason why the domainA_computer cannot map the
>> domain_B user's home directory.
>>
>> 1. What are the settings of your winbind?
>>
>>
> I have the following winbind related entries in smb.conf:
> ldap idmap suffix = ou=Idmap
> idmap backend = ldap:ldap://localhost
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> To see if winbind works you can also try to resolve a name into SID and
> SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. Try to
> do the following:
> wbinfo -n 'STAFF\wheel'
> wbinfo -Y <SID return in a previous command>
>
>> 2. Do you use only "winbind" in your libnss_ldap or use "ldap" as well?
>>
>>
> In my /etc/nsswitch.conf I have only "ldap" without winbind. As far as I
> understand this, winbind usage via NSS can confuse Samba into thinking
> that those users and groups are defined locally and maybe allowing Samba
> to use winbind directly is a better approach for trust between domains.
>
> I don't know why you would want to put winbind into libnss_ldap which is
> configuration for LDAP interface for NSS (when you use 'ldap' in
> /etc/nsswitch.conf file)
>
>> 3. My winbind works with :-
>> (For both sides)
>> wbinfo -t
>> wbinfo -p
>> wbinfo -u
>> wbinfo -g
>> getent passwd
>> (For DomainA)
>> "getent group" shows all the local groups and also the groups shown in
>> "wbinfo -g"
>> (For DomainB)
>> "getent group" shows all the local groups and only the GUESTs group.
>> Very weird. The rest of the groups in "wbinfo -g" does not come up.
>> The log is something like this:-
>> -----------------------------------
>>
>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>> could not lookup membership for group rid
>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error:
>> NT_STATUS_NO_SUCH_GROUP)
>> [2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
>> could not lookup domain group STAFF\wheel
>>
>> ---------------------------------------
>>
>>
> Do you mean that this error message was reported during "getent group"
> in DomainB? Because, without this error message I would assume that you
> have winbind written in /etc/nsswitch.conf on your DomainA server but
> not on your DomainB server.
>
> The error message means that Samba thinks that 'wheel' is a Domain group
> of the 'STAFF' domain and fails to find its mapping. I would expect this
> error to come up during login of a Domain user whose primary group is a
> local 'wheel' group instead of a Domain group. If this user is supposed
> to have 'wheel' as a primary group you probably forgot to create a
> groupmap from a Domain group for it.
>
> Igor
>
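The access denial above comes from smbd evaluating the share's "valid users" list, and whether the trusted domain's group is a member of anything depends on what NSS can resolve. The following is an added illustration, not Samba's own code and not part of this thread: a simplified model of that check, following the smb.conf(5) rules that an "@name" entry is looked up as a NIS netgroup first and then as a UNIX group, "+name" as a UNIX group only, and "&name" as a netgroup only. The group tables and member logins are constructed for the example; the share section is the one posted above.

```python
"""Model of how Samba evaluates a share's 'valid users' list.

Simplified illustration written for this page, not Samba's own code.
It follows the documented smb.conf list semantics:
  @name  -> NIS netgroup first, then UNIX group
  +name  -> UNIX group only
  &name  -> NIS netgroup only
  name   -> a single user
Group membership is resolved through a constructed NSS table, which is
what winbind in /etc/nsswitch.conf would otherwise provide.
"""
import re
from typing import Dict, List, Set, Tuple

# Share definition copied from the smb.conf in the mail (constructed input).
SMB_CONF = r"""
[Shared]
path = /shared
valid users = @"Domain Users", @"Domain_A\Domain Users"
write list = @"Domain Users", @"Domain_A\Domain Users"
browsable = yes
guest ok = no
writeable = no
"""

# Constructed NSS group tables: group name -> set of member logins.
# Without winbind, NSS knows nothing about Domain_A groups.
NSS_WITHOUT_WINBIND: Dict[str, Set[str]] = {"Domain Users": {"bob"}}
# With winbind in nsswitch.conf, the trusted domain's groups resolve too.
NSS_WITH_WINBIND: Dict[str, Set[str]] = {
    "Domain Users": {"bob"},
    "Domain_A\\Domain Users": {"Domain_A\\domain_a_user"},
}
# No NIS on this host, matching "Unable to get default yp domain" in the log.
NETGROUPS: Dict[str, Set[str]] = {}

# One list entry: optional prefix, then a quoted or an unquoted name.
_ENTRY = re.compile(r'([@+&]?)(?:"([^"]*)"|([^,\s"]+))')


def parse_share(conf: str, share: str) -> Dict[str, str]:
    """Return the key/value parameters of one [share] section."""
    params: Dict[str, str] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == share.lower() and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_user_list(value: str) -> List[Tuple[str, str]]:
    """Split a 'valid users' style list into (prefix, name) pairs."""
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
            for m in _ENTRY.finditer(value)]


def _in_group(user: str, table: Dict[str, Set[str]], name: str) -> bool:
    members = table.get(name)
    return members is not None and user.lower() in {m.lower() for m in members}


def user_allowed(user: str, entries: List[Tuple[str, str]],
                 nss_groups: Dict[str, Set[str]],
                 netgroups: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Evaluate 'valid users' for a session-setup user; return (ok, reason)."""
    for prefix, name in entries:
        if prefix in ("@", "&") and _in_group(user, netgroups, name):
            return True, f"netgroup {name}"
        if prefix in ("@", "+") and _in_group(user, nss_groups, name):
            return True, f"UNIX group {name}"
        if prefix == "" and user.lower() == name.lower():
            return True, f"user {name}"
    # Same condition smbd logs as "not permitted to access this share".
    return False, f"user '{user}' (from session setup) not permitted"


if __name__ == "__main__":
    share = parse_share(SMB_CONF, "Shared")
    entries = parse_user_list(share["valid users"])
    for label, table in (("without winbind", NSS_WITHOUT_WINBIND),
                         ("with winbind", NSS_WITH_WINBIND)):
        print(label, user_allowed("Domain_A\\domain_a_user",
                                  entries, table, NETGROUPS))
```

Run it and the trusted-domain user is refused with the first table and admitted with the second; the only difference is whether NSS can expand "Domain_A\Domain Users", which is exactly the point of putting winbind back in nsswitch.conf on the server that owns the share. The netgroup lookup is tried first for "@" entries, which is why the log shows user_in_netgroup_list failing before the UNIX group check even runs.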