[Samba] Re: Trusting and trusted domain (home mapping) problem

Adrian Chow achow at uwcsea.edu.sg
Thu Nov 4 02:36:23 GMT 2004


Hi Igor,

Just to let you know that the "smbclient //domain_b_pdc/shared -U 
domain_a/domain_a_user" is working.

To make it work, I have to put winbind in the nsswitch.conf.  The reason 
why it did not work is two-fold:-
1.  The Domain Users in domain_A is very large (397 users).  When I 
did "getent group" on domain_b, it does not actually show 
"domain_A\domain users".  But a while after restarting the daemon, 
it will appear.  Maybe throughout my testing, with every change in the 
smb.conf file, I would restart the winbind daemon and hence had lots of 
problems.
2.  I did not test smbclient on domain_b_pdc.  "smbclient 
//domain_a_pdc/shared -U domain_b/domain_b_user" would also have worked 
earlier as the domain users in domain_b are very few.

Also to let you know that I have upgraded to samba 3.07 for both PDCs. 
I think part of the problem I had earlier was because of using 
different versions (3.04 and 3.07).

HOWEVER, the original problem of mapping the home directory still exists.

adrian

Igor Belyi wrote:
> Adrian Chow wrote:
> 
>> Hi Igor,
>>
>> Do you have trustdomains in your "auth methods"?
>>
>> Currently I removed the winbind from nsswitch.conf.  And "smbclient 
>> //domain_B_PDC//shared -U domain_A/domain_A_user" does not work.
> 
> 
> Have you tried "smbclient //domain_B_PDC//shared -W domain_A -U 
> domain_A_user"?
> 
>> If I put winbind in the nsswitch.conf, then I will be able to 
>> authenticate but cannot connect to the shared folder with the following 
>> error:-
>> Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
>> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> 
> I would also guess that since "valid users" and "write list" accept only 
> UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
> for @"Domain_A\Domain Users" to work...
> 
> Does Samba allow Domain_A\domain_a_user to access this share if you 
> list the user without domain specification: "valid users = domain_a_user"?
> 
>> The log file from the Domain_B_PDC:-
>>
>> [2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
>>   Client requested device type [?????] for share [SHARED]
>> [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
>>   making a connection to 'normal' service shared
>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>   Unable to get default yp domain
>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>   Unable to get default yp domain
>> [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
>>   user 'Domain_A\domain_a_user' (from session setup) not permitted to 
>> access this share (Shared)
>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
>>   error string = No such file or directory
>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
>>   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
>> NT_STATUS_ACCESS_DENIED
>>
>> --------------
>>
>> My smb.conf :-
>>
>> [Shared]
>>         path = /shared
>>         valid users = @"Domain Users", @"Domain_A\Domain Users"
>>         write list = @"Domain Users", @"Domain_A\Domain Users"
>>         browsable = yes
>>         guest ok = no
>>         writeable =no
>>
>>
>> ---------------
>>
>>
>> Do you have winbind in your nsswitch.conf?
> 
> 
> No, I don't.
> 
>> How did you manage to get the mapped home directory for domain_a_user 
>> when he logs on to the joined_domain_B_computer?
> 
> 
> Yes, I have XP computer joined domain_A and this domain has mutual trust 
> with domain_B. I can login on this computer as user_a into domain_A and 
> as user_b into domain_B and their corresponding home directories get 
> correctly mapped into drive H:
> 
> dn: uid=user_a,ou=People,dc=domain_A,dc=org
> sambaHomeDrive: H:
> sambaHomePath: \\server_A\homes
> 
> dn: uid=user_b,ou=People,dc=domain_B,dc=org
> sambaHomeDrive: H:
> sambaHomePath: \\server_B\homes
> 
>>
>> Hope to hear from you on this... thanks a lot.
>>
>> adrian
>>
>> p/s: hope you got my previous mail cos I forgot to cc sambalists
> 
> 
> Yes, I did. I apologize for delays - I work with Samba only in my spare 
> time.
> 
> Igor
> 
>> Igor Belyi wrote:
>>
>>> I would guess that it means that DomainA trust DomainB but DomainB 
>>> does not trust DomainA. Can you verify that trust is mutual between 
>>> them? Check 'net rpc trustdom list' on both machines.
>>>
>>> No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
>>> Winbind is used only by Samba when it maps users from trust domain 
>>> into local space.
>>>
>>> Adrian Chow wrote:
>>>
>>>> Hi Igor,
>>>>
>>>> I got stuck now.  I did my best.  I got stuck at the winbind which I 
>>>> suspected is the reason why the domainA_computer cannot map the 
>>>> domain_B user's home directory.
>>>>
>>>> 1.  What are the settings of your winbind?
>>>>  
>>>>
>>> I have the following winbind related entries in smb.conf:
>>>  ldap idmap suffix = ou=Idmap
>>>  idmap backend = ldap:ldap://localhost
>>>  idmap uid = 10000-20000
>>>  idmap gid = 10000-20000
>>>
>>> To see if winbind works you can also try to resolve a name into SID 
>>> and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel', 
>>> try to do the following:
>>> wbinfo -n 'STAFF\wheel'
>>> wbinfo -Y <SID returned by the previous command>
>>>
>>>> 2.  Do you use only "winbind" in your libnss_ldap or use "ldap" as 
>>>> well?
>>>>  
>>>>
>>> In my /etc/nsswitch.conf I have only "ldap" without winbind. As far 
>>> as I understand this, winbind usage via NSS can confuse Samba into 
>>> thinking that those users and groups are defined locally and maybe 
>>> allowing Samba to use winbind directly is a better approach for trust 
>>> between domains.
>>>
>>> I don't know why you would want to put winbind into libnss_ldap, which 
>>> is the configuration for the LDAP interface for NSS (when you use 'ldap' 
>>> in the /etc/nsswitch.conf file).
>>>
>>>> 3.  My winbind works with :-
>>>> (For both sides)
>>>> wbinfo -t
>>>> wbinfo -p
>>>> wbinfo -u
>>>> wbinfo -g
>>>> getent passwd
>>>> (For DomainA)
>>>> "getent group" shows all the local groups and also the groups shown 
>>>> in "wbinfo -g"
>>>> (For DomainB)
>>>> "getent group" shows all the local groups and only the GUESTs 
>>>> group.  Very weird.  The rest of the groups in "wbinfo -g" do not 
>>>> come up.
>>>> The log is something like this:-
>>>> -----------------------------------
>>>>
>>>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>>>>  could not lookup membership for group rid 
>>>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
>>>> NT_STATUS_NO_SUCH_GROUP)
>>>> [2004/11/01 00:13:10, 0] 
>>>> nsswitch/winbindd_group.c:winbindd_getgrent(795)
>>>>  could not lookup domain group STAFF\wheel
>>>>
>>>> ---------------------------------------
>>>>  
>>>>
>>> Do you mean that this error message was reported during "getent 
>>> group" in DomainB? Because, without this error message I would assume 
>>> that you have winbind written in /etc/nsswitch.conf on your DomainA 
>>> server but not on your DomainB server.
>>>
>>> The error message means that Samba thinks that 'wheel' is a Domain 
>>> group of the 'STAFF' domain and fails to find its mapping. I would 
>>> expect this error to come up during login of a Domain user whose 
>>> primary group is a local 'wheel' group instead of a Domain group. If 
>>> this user is supposed to have 'wheel' as a primary group you probably 
>>> forgot to create a groupmap from a Domain group for it.
>>>
>>> Igor
>>
>>
> 
> 

