[Samba] Re: Trusting and trusted domain (home mapping) problem

Adrian Chow achow at uwcsea.edu.sg
Fri Nov 5 03:38:23 GMT 2004


Hi Igor,

Got some logs from the Domain_A_PDC on the domain_A_XP when domain_B 
user (grade2) logs into domain_B on domain_A_XP.



[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(219)
   check_ntlm_password:  Checking password for unmapped user 
[UWCSTU]\[grade2]@[ADMINWS3] with the new password interface
[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(222)
   check_ntlm_password:  mapped user is: [UWCSTU]\[grade2]@[ADMINWS3]
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:push_sec_ctx(256)
   push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/uid.c:push_conn_ctx(365)
   push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
   pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
   rpc_dc_name: Returning DC GLOIN (172.16.7.227) for domain UWCSTU
[2004/11/05 11:18:45, 3] libsmb/cliconnect.c:cli_start_connection(1376)
   Connecting to host=GLOIN
[2004/11/05 11:18:45, 3] lib/util_sock.c:open_socket_out(752)
   Connecting to 172.16.7.227 at port 445
[2004/11/05 11:18:46, 3] auth/auth_util.c:make_server_info_info3(1114)
   User grade2 does not exist, trying to add it
[2004/11/05 11:18:46, 0] auth/auth_util.c:make_server_info_info3(1122)
   make_server_info_info3: pdb_init_sam failed!
[2004/11/05 11:18:46, 3] smbd/sec_ctx.c:push_sec_ctx(256)
   push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:46, 3] smbd/uid.c:push_conn_ctx(365)
   push_conn_ctx(100) : conn_ctx_stack_ndx = 0


I cannot understand why going to GLOIN (Domain_B_PDC) does not get the grade2 
(domain_B_user) user and instead tries to add it!!??

Any ideas?  Thanks.

adrian




Igor Belyi wrote:
> Adrian Chow wrote:
> 
>> Hi Igor,
>>
>> Do you have trustdomains in your "auth methods"?
>>
>> Currently I have removed winbind from nsswitch.conf, and "smbclient 
>> //domain_B_PDC//shared -U domain_A/domain_A_user" does not work.
> 
> 
> Have you tried "smbclient //domain_B_PDC//shared -W domain_A -U 
> domain_A_user"?
> 
>> If I put winbind in the nsswitch.conf, then I am able to 
>> authenticate but cannot connect to the shared folder with the following 
>> error:-
>> Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
>> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> 
> I would also guess that since "valid users" and "write list" accept only 
> UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
> for @"Domain_A\Domain Users" to work...
> 
> Does Samba allow Domain_A\domain_a_user to access this share if you 
> list the user without domain specification: "valid users = domain_a_user"?
> 
>> The log file from the Domain_B_PDC:-
>>
>> [2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
>>   Client requested device type [?????] for share [SHARED]
>> [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
>>   making a connection to 'normal' service shared
>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>   Unable to get default yp domain
>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>   Unable to get default yp domain
>> [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
>>   user 'Domain_A\domain_a_user' (from session setup) not permitted to 
>> access this share (Shared)
>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
>>   error string = No such file or directory
>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
>>   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
>> NT_STATUS_ACCESS_DENIED
>>
>> --------------
>>
>> My smb.conf :-
>>
>> [Shared]
>>         path = /shared
>>         valid users = @"Domain Users", @"Domain_A\Domain Users"
>>         write list = @"Domain Users", @"Domain_A\Domain Users"
>>         browsable = yes
>>         guest ok = no
>>         writeable =no
>>
>>
>> ---------------
>>
>>
>> Do you have winbind in your nsswitch.conf?
> 
> 
> No, I don't.
> 
>> How did you manage to get the mapped home directory for domain_a_user 
>> when he logs on to the joined_domain_B_computer?
> 
> 
> Yes, I have XP computer joined domain_A and this domain has mutual trust 
> with domain_B. I can login on this computer as user_a into domain_A and 
> as user_b into domain_B and their corresponding home directories get 
> correctly mapped into drive H:
> 
> dn: uid=user_a,ou=People,dc=domain_A,dc=org
> sambaHomeDrive: H:
> sambaHomePath: \\server_A\homes
> 
> dn: uid=user_b,ou=People,dc=domain_B,dc=org
> sambaHomeDrive: H:
> sambaHomePath: \\server_B\homes
> 
>>
>> Hope to hear from you on this... thanks a lot.
>>
>> adrian
>>
>> p/s: hope you got my previous mail cos I forgot to cc sambalists
> 
> 
> Yes, I did. I apologize for delays - I work with Samba only in my spare 
> time.
> 
> Igor
> 
>> Igor Belyi wrote:
>>
>>> I would guess that it means that DomainA trusts DomainB but DomainB 
>>> does not trust DomainA. Can you verify that trust is mutual between 
>>> them? Check 'net rpc trustdom list' on both machines.
>>>
>>> No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
>>> Winbind is used only by Samba when it maps users from trust domain 
>>> into local space.
>>>
>>> Adrian Chow wrote:
>>>
>>>> Hi Igor,
>>>>
>>>> I got stuck now.  I did my best.  I got stuck at winbind, which I 
>>>> suspect is the reason why the domainA_computer cannot map the 
>>>> domain_B user's home directory.
>>>>
>>>> 1.  What are the settings of your winbind?
>>>>  
>>>>
>>> I have the following winbind related entries in smb.conf:
>>>  ldap idmap suffix = ou=Idmap
>>>  idmap backend = ldap:ldap://localhost
>>>  idmap uid = 10000-20000
>>>  idmap gid = 10000-20000
>>>
>>> To see if winbind works you can also try to resolve a name into a SID 
>>> and a SID into a gid. For example, if wbinfo -g returns you 'STAFF\wheel', 
>>> try the following:
>>> wbinfo -n 'STAFF\wheel'
>>> wbinfo -Y <SID returned by the previous command>
>>>
>>>> 2.  Do you use only "winbind" in your libnss_ldap or use "ldap" as 
>>>> well?
>>>>  
>>>>
>>> In my /etc/nsswitch.conf I have only "ldap" without winbind. As far 
>>> as I understand this, winbind usage via NSS can confuse Samba into 
>>> thinking that those users and groups are defined locally and maybe 
>>> allowing Samba to use winbind directly is a better approach for trust 
>>> between domains.
>>>
>>> I don't know why you would want to put winbind into libnss_ldap, which 
>>> is the configuration for the LDAP interface for NSS (when you use 'ldap' in 
>>> the /etc/nsswitch.conf file).
>>>
>>>> 3.  My winbind works with :-
>>>> (For both sides)
>>>> wbinfo -t
>>>> wbinfo -p
>>>> wbinfo -u
>>>> wbinfo -g
>>>> getent passwd
>>>> (For DomainA)
>>>> "getent group" shows all the local groups and also the groups shown 
>>>> in "wbinfo -g"
>>>> (For DomainB)
>>>> "getent group" shows all the local groups and only the GUESTs 
>>>> group.  Very weird.  The rest of the groups in "wbinfo -g" do not 
>>>> come up.
>>>> The log is something like this:-
>>>> -----------------------------------
>>>>
>>>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>>>>  could not lookup membership for group rid 
>>>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
>>>> NT_STATUS_NO_SUCH_GROUP)
>>>> [2004/11/01 00:13:10, 0] 
>>>> nsswitch/winbindd_group.c:winbindd_getgrent(795)
>>>>  could not lookup domain group STAFF\wheel
>>>>
>>>> ---------------------------------------
>>>>  
>>>>
>>> Do you mean that this error message was reported during "getent 
>>> group" in DomainB? Because, without this error message I would assume 
>>> that you have winbind written in /etc/nsswitch.conf on your DomainA 
>>> server but not on your DomainB server.
>>>
>>> The error message means that Samba thinks that 'wheel' is a Domain 
>>> group of the 'STAFF' domain and fails to find its mapping. I would 
>>> expect this error to come up during login of a Domain user whose 
>>> primary group is a local 'wheel' group instead of a Domain group. If 
>>> this user is supposed to have 'wheel' as a primary group you probably 
>>> forgot to create a groupmap from a Domain group for it.
>>>
>>> Igor
>>
>>
> 
> 
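The two smbd logs in this thread (the Domain_A_PDC log at the top of the message and the Domain_B_PDC tree-connect log quoted below it) share the same layout: a "[date, level] file:function(line)" header followed by an indented message, which the mail client then wraps and quotes. As an added example, not part of this thread and not Samba's own code, the Python below re-joins those lines and pulls out the events that decide a trusted-domain logon: which DC was contacted for the trusted domain, whether the user could be mapped to a local account (the "does not exist, trying to add it" / "pdb_init_sam failed!" pair), and whether the share's "valid users" check rejected the session. The sample input is excerpted from the two logs posted in the thread, wrapping and quote marks kept; the follow-up checks that verdict() suggests are the usual suspects, an assumption rather than something the log proves.

```python
"""Triage helper for smbd log output: a "[date, level] file:func(line)" header
followed by an indented message (Samba 3.x format).  Added example, not code from
the thread or from the Samba project; the suggested causes are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[\w/.-]+):(?P<func>\w+)\((?P<line>\d+)\)$")
UNMAPPED_RE = re.compile(
    r"unmapped user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]")
DC_RE = re.compile(r"Returning DC (?P<dc>\S+) \((?P<ip>[\d.]+)\) for domain (?P<dom>\S+)")
NOUSER_RE = re.compile(r"User (?P<user>\S+) does not exist, trying to add it")
DENY_RE = re.compile(r"user '(?P<user>[^']+)' \(from session setup\) not permitted to "
                     r"access this share \((?P<share>[^)]+)\)")

@dataclass
class Entry:
    ts: str
    level: int
    func: str
    msg: str

Finding = Tuple[str, str]  # (kind, detail)

def parse_smbd_log(text: str) -> List[Entry]:
    """Join each header with the message line(s) after it.  Leading '>' quote marks
    and indentation are dropped, so a log pasted into a mail reply parses too."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Entry(m["ts"], int(m["level"]), m["func"], "")
            entries.append(cur)
        elif cur is not None:
            cur.msg = (cur.msg + " " + line).strip()  # re-join a mail-wrapped message
    return entries

def triage(entries: List[Entry]) -> List[Finding]:
    """Reduce the entries to the events that decide the logon."""
    findings: List[Finding] = []
    missing = "?"  # user named by the last "does not exist" message
    for e in entries:
        if (m := UNMAPPED_RE.search(e.msg)):
            findings.append(("logon_attempt", f"{m['dom']}\\{m['user']} from {m['ws']}"))
        elif (m := DC_RE.search(e.msg)):
            findings.append(("trusted_dc", f"{m['dom']} -> {m['dc']} ({m['ip']})"))
        elif (m := NOUSER_RE.search(e.msg)):
            missing = m["user"]
            findings.append(("no_local_account", missing))
        elif "pdb_init_sam failed" in e.msg:
            # level-0 error: the account still did not exist after smbd tried to add it
            findings.append(("account_create_failed", missing))
        elif (m := DENY_RE.search(e.msg)):
            findings.append(("share_denied", f"{m['user']} on share {m['share']}"))
        elif "NT_STATUS_ACCESS_DENIED" in e.msg:
            findings.append(("access_denied", e.func))
    return findings

def verdict(findings: List[Finding]) -> List[str]:
    """Next checks to run; the causes named are usual suspects, not proven by the log."""
    kinds = {kind for kind, _ in findings}
    notes: List[str] = []
    if "account_create_failed" in kinds:
        notes.append("trusted-domain user has no local account and smbd could not add one: "
                     "check winbind in /etc/nsswitch.conf or the 'add user script' setting")
    if "share_denied" in kinds:
        notes.append("session setup passed but 'valid users' rejected the user: check that "
                     "every listed group resolves on the file server (getent group, wbinfo -g)")
    return notes

# Excerpts of the two logs posted in this thread, mail wrapping and quote marks kept.
LOG_DOMAIN_A_PDC = r"""
[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(219)
   check_ntlm_password:  Checking password for unmapped user
[UWCSTU]\[grade2]@[ADMINWS3] with the new password interface
[2004/11/05 11:18:45, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
   rpc_dc_name: Returning DC GLOIN (172.16.7.227) for domain UWCSTU
[2004/11/05 11:18:46, 3] auth/auth_util.c:make_server_info_info3(1114)
   User grade2 does not exist, trying to add it
[2004/11/05 11:18:46, 0] auth/auth_util.c:make_server_info_info3(1122)
   make_server_info_info3: pdb_init_sam failed!
"""
LOG_DOMAIN_B_PDC = r"""
>> [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
>>   user 'Domain_A\domain_a_user' (from session setup) not permitted to
>> access this share (Shared)
>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
>>   error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
>> NT_STATUS_ACCESS_DENIED
"""
```

Run triage(parse_smbd_log(LOG_DOMAIN_A_PDC)) to get the four findings for the grade2 logon (logon attempt, DC GLOIN answering for UWCSTU, no local account, account creation failed) and the same on LOG_DOMAIN_B_PDC to get the share denial and the SMBtconX access-denied packet; verdict() then names the checks from the thread (winbind in nsswitch.conf, group resolution for "valid users"). A header whose file:function part was wrapped onto the next line by the mail client, as in the winbindd_group.c excerpt further down, is not recognised by this parser.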

