[Samba] Trusted domain issues

Scruggs, Ronald RScruggs at anacomp.com
Fri Aug 12 13:50:54 GMT 2005


All,

I have a Samba 3.0.4 server running on AIX 5.2.  Samba is configured
with PAM, LDAP and Kerberos.  The server has been joined to an existing
Windows 2003 domain, and wbinfo -u and wbinfo -g work fine.  Users from
the domain that Samba is a member of can authenticate just fine.  The
domain is in a one-way trust relationship with another ADS domain (i.e.
Samba is a member of domain A, users from domain B can access any
machines in domain A, but not vice versa).  When a user from domain B
tries to connect to the Samba share, I get a Kerberos error in the
winbindd logs when the Samba server is trying to set up a session with
the DC in domain B.

I had this working, and then I made the mistake of running SWAT, which
blew away my smb.conf file.  Can someone tell me if I'm missing
something and if so, what?

smb.conf:

# Samba config file created using SWAT
# from 162.10.170.129 (162.10.170.129)
# Date: 2005/08/11 14:13:47

# Global parameters
[global]
        workgroup = DEVELOPMENT
        realm = READING.DEVPORTAL.NET
        encrypt passwords = yes
        security = ADS
        password server = usrd106.reading.devportal.net
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind separator = +
        use spnego = yes
        client use spnego = yes
        winbind enum groups = yes
        winbind enum users = yes
        winbind use default domain = true

[public]
        comment = Public data directory
        path = /sambapublic
        username = @"DEVELOPMENT+Domain Users",@"CORP+Domain Users"
        read list = @"DEVELOPMENT+Domain Users",@"CORP+Domain Users"
        read only = No

krb5.conf:

           [libdefaults]
                   default_realm = READING.DEVPORTAL.NET
           [domain_realm]
                   .reading.devportal.net = READING.DEVPORTAL.NET
                   .devportal.net = READING.DEVPORTAL.NET
           [realms]
                   READING.DEVPORTAL.NET = {
                           kdc = usrd106.reading.devportal.net
                           default_domain = reading.devportal.net
                   }
           [logging]
                   kdc = FILE:/var/heimdal/kdc.log
                   kdc = SYSLOG:INFO
                   default = SYSLOG:INFO:USER

Winbindd log:

[2005/08/12 09:07:08, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.4 started.
  Copyright The Samba Team 2000-2004
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0
[2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (A file or directory in the path name does not exist.)
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain CORP  S-1-5-21-2817246239-1260869369-510543907
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain OZ  S-1-5-21-2070835033-1539587657-2044928816
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain FLOATER  S-1-5-21-1519954005-851123223-2065552488
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
  krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown error -1765328377)
[2005/08/12 09:07:20, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(541)
  spnego_gen_negTokenTarg failed: Unknown error -1765328377
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
  krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown error -1765328377)
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
  krb5_get_credentials failed for usrd105$@CORP.ANACOMP.COM (Unknown error -1765328377)
...skipping...
  Added domain DEVELOPMENT READING.DEVPORTAL.NET S-0-0
[2005/08/12 09:07:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (A file or directory in the path name does not exist.)
[2005/08/12 09:07:08, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)

Thanks,

Ron
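
The winbindd log above reports the Kerberos failure only as a raw number, "Unknown error -1765328377". As an added example (not part of the original post and not Samba code), the Python below rejoins line-wrapped log records and decodes that number: it is the krb5 com_err table base -1765328384 plus 7, which RFC 4120 names KDC_ERR_S_PRINCIPAL_UNKNOWN. The sample log and the principal in it are constructed, and the function names are hypothetical.

```python
import re

# com_err base of the "krb5" error table (ERROR_TABLE_BASE_krb5, MIT and Heimdal).
KRB5_TABLE_BASE = -1765328384
# Subset of RFC 4120 protocol error codes, keyed by offset from the table base.
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    37: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Constructed sample: same shape as the log above, with a wrapped header and number.
SAMPLE_LOG = """\
[2005/08/12 09:07:20, 1] libsmb/clikrb5.c:ads_krb5_mk_req(314)
  krb5_get_credentials failed for host$@REALM.EXAMPLE (Unknown
error -1765
328377)
[2005/08/12 09:07:20, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(541)
  spnego_gen_negTokenTarg failed: Unknown error -1765328377
"""

def split_records(text):
    """Group lines into records; each starts at a '[YYYY/MM/DD ...' header line."""
    records = []
    for line in text.splitlines():
        if re.match(r"\[\d{4}/\d{2}/\d{2} ", line):
            records.append(line)
        elif records and line.strip():
            records[-1] += "\n" + line
    return records

def decode_krb5(code):
    """Map a raw com_err value to an RFC 4120 name; None if outside offsets 0-127."""
    offset = code - KRB5_TABLE_BASE
    if 0 <= offset < 128:
        return RFC4120_ERRORS.get(offset, f"krb5 protocol error {offset}")
    return None

def kerberos_failures(text):
    """Return (principal or None, raw code, decoded name) per failing record."""
    out = []
    for rec in split_records(text):
        # The number may be broken by line wrapping, so allow whitespace inside it.
        m = re.search(r"Unknown\s+error\s+(-[\d\s]*\d)", rec)
        if m:
            code = int(re.sub(r"\s", "", m.group(1)))
            who = re.search(r"failed for (\S+)", rec)
            out.append((who and who.group(1), code, decode_krb5(code)))
    return out
```

Calling kerberos_failures() on a saved winbindd log gives one tuple per failing record, so repeated failures for the same principal can be counted or grouped.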


