[Samba] Does Samba3 support AD trusts?

Richard Cardwell ricc at hplb.hpl.hp.com
Mon Jan 17 15:35:59 GMT 2005


So this must be down to some error in our configuration then, as we
can't get this to work, and we have tried pretty much everything we can
think of and it still refuses to play ball.

In our environment we have two Windows 2003 forests. The forest that
contains the Samba servers and client Windows workstations is
RESOURCE.COMPANY.COM. The forest that contains the account used to
access the Samba servers is COMPANY.NET. A one-way transitive forest
trust exists between the root domains (realms) of each forest, where
RESOURCE.COMPANY.COM trusts COMPANY.NET.

RESOURCE.COMPANY.COM --(forest trust)--> COMPANY.NET

The Windows accounts used to access the Samba server are from a
sub-domain (realm) in the COMPANY.NET forest, specifically
ACCOUNTS.COMPANY.NET

All is well when using accounts, workstations & Samba servers all from
RESOURCE.COMPANY.COM. Seamless access to the Samba-provided shares
from the Windows workstations when logged into the workstation consoles
using RESOURCE.COMPANY.COM accounts is possible. The problems start when
you log onto the console of the RESOURCE.COMPANY.COM member workstations
with accounts from the other side of the forest trust, specifically
ACCOUNTS.COMPANY.NET accounts. Under these circumstances, when trying to
mount the Samba share, access is prevented due to a "no such user" error
(NT_STATUS_NO_SUCH_USER). It appears that the Samba server is trying to
authenticate a user RESOURCE\username rather than ACCOUNTS\username
(RESOURCE\username does not exist). The Samba server is able to 'kinit'
the user ACCOUNTS\username principal, and net ads status returns the
Samba server's RESOURCE domain principal properties without error.

So has anyone else seen this problem? Or does anyone have any ideas on
how to get this working?

Thanks in advance.

Rich Cardwell

=---

By way of an example:

Samba server = SAMBA-SRV
Windows Client = WINXP-WKS
Resource domain domain controller = dc.resource.company.com
Account domain account = ACCOUNT\username
(username at ACCOUNTS.COMPANY.NET)
Connection command = "net use * \\SAMBA-SRV\username"

Logfile extract:

[2005/01/17 14:22:24, 5] auth/auth_util.c:make_user_info_map(225)
  make_user_info_map: Mapping user [ACCOUNTS]\[username] from
workstation [WINXP-WKS]
[2005/01/17 14:22:24, 4] libsmb/namequery_dc.c:ads_dc_name(43)
  ads_dc_name: domain=RESOURCE
[2005/01/17 14:22:24, 3] libsmb/namequery.c:resolve_lmhosts(855)
  resolve_lmhosts: Attempting lmhosts lookup for name
dc.resource.company.com<0x20>
[2005/01/17 14:22:24, 4] libsmb/namequery.c:startlmhosts(548)
  startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No
such file or directory
[2005/01/17 14:22:24, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name
dc.resource.company.com<0x20>
[2005/01/17 14:22:24, 4] lib/wins_srv.c:wins_srv_is_dead(109)
  wins_srv_is_dead: 26.57.7.253 is alive
[2005/01/17 14:22:24, 4] lib/wins_srv.c:wins_srv_is_dead(109)
  wins_srv_is_dead: 26.57.7.253 is alive
[2005/01/17 14:22:24, 3] libsmb/namequery.c:resolve_wins(791)
  resolve_wins: using WINS server 26.57.7.253 and tag '*'
[2005/01/17 14:22:24, 4] libsmb/nmblib.c:debug_nmb_packet(109)
  nmb packet from 26.57.7.253(137) header: id=19141 opcode=Query(0)
response=Yes
      header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No
auth=Yes
      header: rcode=3 qdcount=0 ancount=0 nscount=0 arcount=0
[2005/01/17 14:22:24, 3] libsmb/namequery.c:name_query(440)
  Negative name query response, rcode 0x03: The name requested does not
exist.
[2005/01/17 14:22:24, 3] libsmb/namequery.c:resolve_hosts(917)
  resolve_hosts: Attempting host lookup for name
dc.resource.company.com<0x20>
[2005/01/17 14:22:24, 4] libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 1 ip addresses in an ordered list
[2005/01/17 14:22:24, 4] libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 25.144.25.21:389 
[2005/01/17 14:22:24, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 25.144.25.21
[2005/01/17 14:22:24, 3] libads/ldap.c:ads_server_info(2432)
  got ldap server name dc at RESOURCE.COMPANY.COM, using bind path:
dc=RESOURCE,dc=COMPANY,dc=COM
[2005/01/17 14:22:24, 4] libads/ldap.c:ads_server_info(2438)
  time offset is 24 seconds
[2005/01/17 14:22:24, 4] libsmb/namequery_dc.c:ads_dc_name(63)
  ads_dc_name: using server='dc' IP=25.144.25.21
[2005/01/17 14:22:24, 3] libsmb/cliconnect.c:cli_start_connection(1382)
  Connecting to host=dc
[2005/01/17 14:22:24, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 25.144.25.21 at port 445
[2005/01/17 14:22:24, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
  lsa_io_sec_qos: length c does not match size 8
[2005/01/17 14:22:24, 5] auth/auth_util.c:make_user_info(133)
  attempting to make a user_info for username (username)
[2005/01/17 14:22:24, 5] auth/auth_util.c:make_user_info(143)
  making strings for username's user_info struct
[2005/01/17 14:22:24, 5] auth/auth_util.c:make_user_info(185)
  making blobs for username's user_info struct
[2005/01/17 14:22:24, 10] auth/auth_util.c:make_user_info(201)
  made an encrypted user_info for username (username)
[2005/01/17 14:22:24, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[ACCOUNTS]\[username]@[WINXP-WKS] with the new password interface
[2005/01/17 14:22:24, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is:
[RESOURCE]\[username]@[WINXP-WKS]
[2005/01/17 14:22:24, 10] auth/auth.c:check_ntlm_password(231)
  check_ntlm_password: auth_context challenge created by NTLMSSP
callback (NTLM2)
[2005/01/17 14:22:24, 10] auth/auth.c:check_ntlm_password(233)
  challenge is: 
[2005/01/17 14:22:24, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: guest had nothing to say
[2005/01/17 14:22:24, 6] auth/auth_sam.c:check_samstrict_security(358)
  check_samstrict_security: RESOURCE is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2005/01/17 14:22:24, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: sam had nothing to say
[2005/01/17 14:22:24, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/01/17 14:22:24, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/01/17 14:22:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/01/17 14:22:24, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/01/17 14:22:24, 4]
passdb/secrets.c:secrets_fetch_trust_account_password(289)
  Using cleartext machine password
[2005/01/17 14:22:24, 4] libsmb/namequery_dc.c:ads_dc_name(43)
  ads_dc_name: domain=RESOURCE
[2005/01/17 14:22:24, 4] libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 1 ip addresses in an ordered list
[2005/01/17 14:22:24, 4] libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 25.144.25.21:389 
[2005/01/17 14:22:24, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 25.144.25.21
[2005/01/17 14:22:24, 3] libads/ldap.c:ads_server_info(2432)
  got ldap server name dc at RESOURCE.COMPANY.COM, using bind path:
dc=RESOURCE,dc=COMPANY,dc=COM
[2005/01/17 14:22:24, 4] libads/ldap.c:ads_server_info(2438)
  time offset is 24 seconds
[2005/01/17 14:22:24, 4] libsmb/namequery_dc.c:ads_dc_name(63)
  ads_dc_name: using server='dc' IP=25.144.25.21
[2005/01/17 14:22:24, 3] libsmb/cliconnect.c:cli_start_connection(1382)
  Connecting to host=dc
[2005/01/17 14:22:24, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 25.144.25.21 at port 445
[2005/01/17 14:22:24, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(45)
  cli_net_req_chal: LSA Request Challenge from SAMBA-SRV to dc:
993B487306F22906
[2005/01/17 14:22:24, 4] libsmb/credentials.c:cred_session_key(59)
  cred_session_key
[2005/01/17 14:22:24, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2005/01/17 14:22:24, 4] rpc_client/cli_netlogon.c:cli_net_auth2(108)
  cli_net_auth2: srv:\\dc acct:SAMBA-SRV$ sc:2 mc: SAMBA-SRV chal
AB8CC83B95214C58 neg: 400701ff
[2005/01/17 14:22:24, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2005/01/17 14:22:24, 4] libsmb/credentials.c:cred_assert(121)
  cred_assert
[2005/01/17 14:22:24, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2005/01/17 14:22:24, 0] auth/auth_domain.c:domain_client_validate(199)
  domain_client_validate: unable to validate password for user username
in domain RESOURCE to Domain controller \\dc. Error was
NT_STATUS_NO_SUCH_USER.
[2005/01/17 14:22:24, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [username] FAILED
with error NT_STATUS_NO_SUCH_USER
[2005/01/17 14:22:24, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [username] -> [username]
FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/17 14:22:24, 5] auth/auth_util.c:free_user_info(1318)
  attempting to free (and zero) a user_info structure
[2005/01/17 14:22:24, 10] auth/auth_util.c:free_user_info(1321)
  structure was created for username

And here's the testparm output.

# Global parameters
[global]
        workgroup = RESOURCE
        realm = RESOURCE.COMPANY.COM
        server string = %h server (Samba %v)
        security = ADS
        obey pam restrictions = Yes
        password server = dc.resource.company.com
        passdb backend = tdbsam, guest
        log level = 4 auth:10
        syslog = 0
        log file = /var/log/samba/%m.log
        max log size = 1000
        domain master = No
        dns proxy = No
        wins server = x.x.x.x
        panic action = /usr/share/samba/panic-action %d
        invalid users = root

[homes]
        comment = Home Directories
        read only = No
        create mask = 0700
        directory mask = 0700



"Gerald (Jerry) Carter" wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Richard Cardwell wrote:
> | Hi,
> |
> | I was wondering, does anyone know if Samba 3 support
> | Windows 2003 Active directory forest trusts ?
> |
> | We have been trying to make Samba 3 (3.0.10) in
> | an environment that has 2 Windows 2003 Active directory
> | forests connected by a 'Forest Trust'. Does Samba 3
> | support 'Forest trusts' and if so are their any limitations
> | on their use.
> 
> As a domain member in security =ads, yes.  This will all work.
> 
> cheers, jerry
> =====================================================================
> Alleviating the pain of Windows(tm)      ------- http://www.samba.org
> GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
> "I never saved anything for the swim back."     Ethan Hawk in Gattaca

-- 

Richard Cardwell		-	H-P Labs
ricc at hpl.hp.com (email) 	-	RIT
312-9375         (phone)	-	Bristol
IT Professional 		- 	United Kingdom
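As an added example (not code from the post or from Samba), a small Python checker that walks a Samba 3.0.x auth log at the log level used above and flags authentication attempts where the domain the client supplied was rewritten to another domain before the DC lookup, which is exactly the symptom described. The sample lines are constructed from the extract above, with the lines the mail client wrapped joined back together.

```python
import re

# Constructed sample, modelled on the post's log extract (ACCOUNTS user
# remapped to RESOURCE and rejected) plus one attempt where no remapping
# happened, so the filter has something to leave alone.
SAMPLE_LOG = """\
[2005/01/17 14:22:24, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [ACCOUNTS]\\[username]@[WINXP-WKS] with the new password interface
[2005/01/17 14:22:24, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [RESOURCE]\\[username]@[WINXP-WKS]
[2005/01/17 14:22:24, 0] auth/auth_domain.c:domain_client_validate(199)
  domain_client_validate: unable to validate password for user username in domain RESOURCE to Domain controller \\\\dc. Error was NT_STATUS_NO_SUCH_USER.
[2005/01/17 14:25:01, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [RESOURCE]\\[bob]@[WINXP-WKS] with the new password interface
[2005/01/17 14:25:01, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [RESOURCE]\\[bob]@[WINXP-WKS]
[2005/01/17 14:25:01, 0] auth/auth_domain.c:domain_client_validate(199)
  domain_client_validate: unable to validate password for user bob in domain RESOURCE to Domain controller \\\\dc. Error was NT_STATUS_WRONG_PASSWORD.
"""

# The three log messages that, taken together, tell the story of one attempt.
UNMAPPED_RE = re.compile(r"unmapped user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<wks>[^\]]*)\]")
MAPPED_RE = re.compile(r"mapped user is: \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")
FAIL_RE = re.compile(r"unable to validate password for user (?P<user>\S+) in domain "
                     r"(?P<dom>\S+) .*Error was (?P<status>NT_STATUS_\w+)")


def find_remapped_attempts(log_text):
    """Return one dict per failed attempt whose client-supplied domain differs
    from the domain Samba actually asked the DC about."""
    attempt, findings = {}, []
    for line in log_text.splitlines():
        if m := UNMAPPED_RE.search(line):          # start of a new attempt
            attempt = {"client_domain": m["dom"], "user": m["user"], "workstation": m["wks"]}
        elif (m := MAPPED_RE.search(line)) and attempt:
            attempt["mapped_domain"] = m["dom"]
        elif (m := FAIL_RE.search(line)) and attempt:
            attempt["dc_domain"], attempt["status"] = m["dom"], m["status"]
            if attempt["client_domain"].upper() != attempt.get("mapped_domain", "").upper():
                findings.append(attempt)            # domain was rewritten: report it
            attempt = {}                            # attempt finished either way
    return findings


if __name__ == "__main__":
    for f in find_remapped_attempts(SAMPLE_LOG):
        print(f"{f['workstation']}: {f['client_domain']}\\{f['user']} was sent to the DC as "
              f"{f['dc_domain']}\\{f['user']} and failed with {f['status']}")
```

Run against the real per-client log (`/var/log/samba/WINXP-WKS.log` with the smb.conf above), the output tells you at a glance whether the trusted-domain user reached the DC under the wrong domain name.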

