[Samba] Re: Trusting and trusted domain (home mapping) problem

Fri Nov 5 17:03:46 GMT 2004

Adrian Chow wrote:

> Hi Igor (and samba team),
>
> I have done the following:-
> -I have upgraded the samba versions of the both servers to be the same.
> -The ldap servers are in the same version.
> -DomainAPDC and DomainBPDC has winbind in nsswitch
> -wbinfo all works.
> -"getent group" and "getent passwd" shows ldap entries of local domain 
> and winbind entries of the remote domain.
> -However I still cannot map the home directory of the Domain_B_user 
> when I log into Domain_B on Domain_A_XP computer.
> - smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.
>
> The command I run on the command prompt (which will work) if I am 
> Domain_A_user into Domain_A on Domain_A_XP_computer is "net use x: 
> /home".  But before I map it, the home directory is already mapped 
> based on the sambahomepath and sambahomedrive in the ldap entries.  I 
> am using the "net use" command to do testing.
> If I were to run the same "net use x: /home" command as a 
> Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home 
> directory never gets mapped.  Igor has make it work on his server but 
> I am still stuck.  (Igor, if you run "net use z: /home" command as the 
> Domain_B_User logging into Domain_B on DOmain_A_XP, does it work?)

I think there's some miscommunication involved. :)

User's home directory does get mapped during login according to 
sambaHomePath and sambaHomeDrive LDAP entries. I can verify this by 
looking at the "net use" output. However, when I run "net use x: /home" 
it gives me an error: "The user's home directory could not be 
determined." Accroding to DomainA log during this call the user's home 
share get created on ServerA (PDC for DomainA) instead of using the one 
specified as sambaHomePath:

[2004/11/05 08:17:44, 3] param/loadparm.c:lp_add_home(2341)
  adding home's share [testA] for user 'DOMAINA\testA' at 
'/home/DOMAINA/testA'

I'm still investigating if this is based solely on XP request (XP side 
problem) of if this is a way Samba responds on a general "net use x: 
/home" request (Samba side problem).

>
> On my winbind log on Domain_A_PDC, I get the following :-
>
> legend:-
> uwcstu is domain_B
> grade2 is domain_B_user
> 10000 is gid of DomainB\Domain Users group on Domain_A_PDC.
> staff is domain A
>
> -----------------------------------------
>
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
>   [29440]: getpwnam uwcstu\grade2
> [2004/11/05 19:10:16, 3] 
> nsswitch/winbindd_group.c:winbindd_getgroups(1030)
>   [29440]: getgroups UWCSTU\grade2
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
>   [29440]: gid to sid 10000
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
>   [29440]: getpwnam uwcstu\grade2
> [2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
>   [29440]: getgrnam grade2
> [2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
>   ldapsam_getgroup: Did not find group
> [2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
>   group grade2 in domain STAFF does not exist
>
> ----------------------------------------------------------------
>
> Questions:-
> 1. Why domain_A_PDC will try to getgrnam "grade2"? How did grade2 
> ended up as a group and not a user?
>
> 2.  Isn't it supposed to be getgrnam "UWCSTU\Domain Users" since 
> winbindd_gid_to_sid is converting 10000 to "UWCSTU\Domain Users"?
>
> 3.  Any commands for me to test getgroups?
>
> 4.  Any ideas how to proceed on?

I have similar problem - the same errors in winbind log. I'm 
investigating this as well. I actually have 2 groups for userA and one 
gets mapping into user's name with domain stripped out, another into 
'tty'. I suspect it's a Samba bug. But, again - it does not cause 
problems with automatic map of user home.

The only suggestion I have at the moment is to look into the source...

Igor