[Samba] Re: Trusting and trusted domain (home mapping) problem

Igor Belyi sambauser at katehok.ac93.org
Wed Nov 3 20:50:01 GMT 2004


Adrian Chow wrote:

> Hi Igor,
>
> Do you have trustdomains in your "auth methods"?
>
> Currently I removed the winbind from nsswitch.conf.  And "smbclient 
> //domain_B_PDC//shared -U domain_A/domain_A_user" does not work.

Have you tried "smbclient //domain_B_PDC//shared -W domain_A -U 
domain_A_user"?

> If I put winbind in the nsswitch.conf, then I will be able to 
> authenticate but cannot connect to the shared folder with the following 
> error:-
> Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
> tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since "valid users" and "write list" accept only 
UNIX and NIS groups, you will need to have winbind in your nsswitch.conf 
for @"Domain_A\Domain Users" to work...

Does Samba allow Domain_A\domain_a_user to access this share if you 
list the user without domain specification: "valid users = domain_a_user"?

> The log file from the Domain_B_PDC:-
>
> [2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
>   Client requested device type [?????] for share [SHARED]
> [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
>   making a connection to 'normal' service shared
> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>   Unable to get default yp domain
> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>   Unable to get default yp domain
> [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
>   user 'Domain_A\domain_a_user' (from session setup) not permitted to 
> access this share (Shared)
> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
>   error string = No such file or directory
> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
>   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
> NT_STATUS_ACCESS_DENIED
>
> --------------
>
> My smb.conf :-
>
> [Shared]
>         path = /shared
>         valid users = @"Domain Users", @"Domain_A\Domain Users"
>         write list = @"Domain Users", @"Domain_A\Domain Users"
>         browsable = yes
>         guest ok = no
>         writeable =no
>
>
> ---------------
>
>
> Do you have winbind in your nsswitch.conf?

No, I don't.

> How did you manage to get the mapped home directory for domain_a_user 
> when he logs on to the joined_domain_B_computer?

Yes, I have XP computer joined domain_A and this domain has mutual trust 
with domain_B. I can login on this computer as user_a into domain_A and 
as user_b into domain_B and their corresponding home directories get 
correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes

dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes

>
> Hope to hear from you on this... thanks a lot.
>
> adrian
>
> p/s: hope you got my previous mail cos I forgot to cc to sambalists

Yes, I did. I apologize for delays - I work with Samba only in my spare 
time.

Igor

> Igor Belyi wrote:
>
>> I would guess that it means that DomainA trusts DomainB but DomainB 
>> does not trust DomainA. Can you verify that trust is mutual between 
>> them? Check 'net rpc trustdom list' on both machines.
>>
>> No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
>> Winbind is used only by Samba when it maps users from trust domain 
>> into local space.
>>
>> Adrian Chow wrote:
>>
>>> Hi Igor,
>>>
>>> I got stuck now.  I did my best.  I got stuck at the winbind which I 
>>> suspected is the reason why the domainA_computer cannot map the 
>>> domain_B user's home directory.
>>>
>>> 1.  What are the settings of your winbind?
>>>  
>>>
>> I have the following winbind related entries in smb.conf:
>>  ldap idmap suffix = ou=Idmap
>>  idmap backend = ldap:ldap://localhost
>>  idmap uid = 10000-20000
>>  idmap gid = 10000-20000
>>
>> To see if winbind works you can also try to resolve a name into a SID 
>> and the SID into a gid. For example, if wbinfo -g returns you 'STAFF\wheel', 
>> try to do the following:
>> wbinfo -n 'STAFF\wheel'
>> wbinfo -Y <SID returned by the previous command>
>>
>>> 2.  Do you use only "winbind" in your libnss_ldap or use "ldap" as 
>>> well?
>>>  
>>>
>> In my /etc/nsswitch.conf I have only "ldap" without winbind. As far 
>> as I understand this, winbind usage via NSS can confuse Samba into 
>> thinking that those users and groups are defined locally and maybe 
>> allowing Samba to use winbind directly is a better approach for trust 
>> between domains.
>>
>> I don't know why you would want to put winbind into libnss_ldap, which 
>> is the configuration for the LDAP interface for NSS (when you use 'ldap' in 
>> the /etc/nsswitch.conf file).
>>
>>> 3.  My winbind works with :-
>>> (For both sides)
>>> wbinfo -t
>>> wbinfo -p
>>> wbinfo -u
>>> wbinfo -g
>>> getent passwd
>>> (For DomainA)
>>> "getent group" shows all the local groups and also the groups shown 
>>> in "wbinfo -g"
>>> (For DomainB)
>>> "getent group" shows all the local groups and only the GUESTs 
>>> group.  Very weird.  The rest of the groups in "wbinfo -g" does not 
>>> come up.
>>> The logs is something like this:-
>>> -----------------------------------
>>>
>>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>>>  could not lookup membership for group rid 
>>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
>>> NT_STATUS_NO_SUCH_GROUP)
>>> [2004/11/01 00:13:10, 0] 
>>> nsswitch/winbindd_group.c:winbindd_getgrent(795)
>>>  could not lookup domain group STAFF\wheel
>>>
>>> ---------------------------------------
>>>  
>>>
>> Do you mean that this error message was reported during "getent 
>> group" in DomainB? Because, without this error message I would assume 
>> that you have winbind written in /etc/nsswitch.conf on your DomainA 
>> server but not on your DomainB server.
>>
>> The error message means that Samba thinks that 'wheel' is a Domain 
>> group of the 'STAFF' domain and fails to find its mapping. I would 
>> expect this error to come up during login of a Domain user whose 
>> primary group is a local 'wheel' group instead of a Domain group. If 
>> this user is supposed to have 'wheel' as a primary group you probably 
>> forgot to create a groupmap from a Domain group for it.
>>
>> Igor
>
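An added check, written for this thread and not part of any message in it, that applies Igor's guess about "valid users"/"write list": it parses a share section and an nsswitch.conf (both constructed here, modelled on Adrian's posted config) and reports every DOMAIN\group entry that cannot be resolved because the "group:" line has no winbind source.

```python
import re

# Constructed inputs modelled on the thread (not Adrian's real files): a share
# whose access lists name a trusted-domain group, and an nsswitch.conf that
# resolves groups through ldap only, with no winbind source.
SMB_CONF = """\
[Shared]
        path = /shared
        valid users = @"Domain Users", @"Domain_A\\Domain Users"
        write list = @"Domain Users", @"Domain_A\\Domain Users"
        guest ok = no
"""
NSSWITCH_CONF = "passwd: files ldap\ngroup:  files ldap\n"

# smb.conf parameters whose values are user/group access lists.
ACCESS_LISTS = ("valid users", "write list", "read list", "admin users")

def parse_shares(text):
    """Minimal smb.conf reader: {section: {param: value}}, params lower-cased."""
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            shares[cur] = {}
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            shares[cur][key.strip().lower()] = val.strip()
    return shares

def group_sources(nsswitch_text):
    """Sources listed on the 'group:' line of nsswitch.conf, e.g. ['files', 'ldap']."""
    for line in nsswitch_text.splitlines():
        if line.split(":")[0].strip() == "group":
            return line.split(":", 1)[1].split()
    return []

def unresolvable_groups(smb_conf, nsswitch_conf):
    """Group entries (@, + or & prefix) in share access lists that name a
    DOMAIN\\group but cannot be resolved because 'group:' lacks winbind."""
    has_winbind = "winbind" in group_sources(nsswitch_conf)
    findings = []
    for share, params in parse_shares(smb_conf).items():
        for param in ACCESS_LISTS:
            # Tokens are either a (prefixed) quoted name or a bare word.
            for tok in re.findall(r'[@+&]?"[^"]*"|[^,\s]+', params.get(param, "")):
                if tok[0] not in "@+&":
                    continue                      # plain user entry, not a group
                name = tok[1:].strip('"')
                if "\\" in name and not has_winbind:
                    findings.append((share, param, name))
    return findings

if __name__ == "__main__":
    for share, param, name in unresolvable_groups(SMB_CONF, NSSWITCH_CONF):
        print(f"[{share}] {param}: group {name!r} needs winbind on the group: line")
```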

