[Samba] Trusted Domain's users not authenticating properly.
Sven Wells
sven.wells at wilm.ppdi.com
Thu May 5 13:56:21 GMT 2005
I have a Samba-3, v3.0.10-1.4E installation on RedHat Enterprise 4. The
server has successfully joined a Native Windows 2003 Active Directory
Domain as a member. All users within the Samba server's domain
authenticate successfully via AD and can access Samba shares on this
server fine. When running the wbinfo -t command it is successful. The
wbinfo -m command lists 14 trusted domains and the Samba server itself.
wbinfo -u and wbinfo -g show a lot of users and groups. The getent
passwd and getent group commands show a lot of users and groups as well.
The problem is that users within one of the trusted domains cannot
access the shares, even though I have given them permissions to do so.
The domains have a two-way trust between them and Windows shares
function correctly.
My smb.conf, krb5.conf and nsswitch.conf files are shown below:
smb.conf:
[global]
workgroup = AMERICAS
realm = AMERICAS.PPDI.LOCAL
netbios name = wilbids01
server string = Samba 3.0.10-1.4E
printcap name = /etc/printcap
load printers = yes
cups options = raw
guest account = pcguest
max log size = 1000
log level = 1
syslog = 0
security = ads
password server = *
encrypt passwords = yes
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
remote announce = 172.17.90.72 172.17.91.255
local master = no
os level = 33
wins server = 172.17.90.72
dns proxy = no
ldap ssl = no
idmap uid = 10000-200000
idmap gid = 10000-200000
template shell = /bin/bash
template primary group = "Domain Users"
winbind separator = +
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
winbind gid = 10000-200000
winbind cache time = 3600
winbind trusted domains only = no
winbind nested groups = yes
allow trusted domains = yes
use spnego = yes
client schannel = no
[homes]
comment = Home Directories
browseable = no
writeable = yes
create mode = 066
directory mode = 0775
valid users = %S
[BC]
comment = Bids & Contracts Share
path = /bids/Bids
browseable = yes
valid users = @"AMERICAS+WIL_Bids" @"AMERICAS+RTP_BIDS" @"AMERICAS+WIL_CTXGCM" @"AMERICAS+AUS_CTXGCM" @"AMERICAS+RTP_CTXGCM" @"AMERICAS+WIL_C&PD PDQ" @"EUROPE+CTXPDQG" @"CAMBRIDGE_NT+CAMGGCTX PDG" "AMERICAS+Parkertr" "CAMBRIDGE_NT+hyndsg" "EUROPE+lancasr" "EUROPE+gordons" @"AMERICAS+Wilmington Admins" "EUROPE+hyndsg" "EUROPE+alexansp" "CAMBRIDGE_NT+alexansp" "EUROPE+xdummy" hyndsg xdummy
write list = @"AMERICAS+wellssh" @"AMERICAS+cuthrese" @"AMERICAS+tomcsasm"
public = yes
writable = yes
admin users = @"AMERICAS+wellssh" @"AMERICAS+cuthrese" @"AMERICAS+tomcsasm"
create mask = 0777
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AMERICAS.PPDI.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = false
[realms]
AMERICAS.PPDI.LOCAL = {
kdc = wildc01.americas.ppdi.local:88
admin_server = wildc01.americas.ppdi.local:749
default_domain = americas.ppdi.local
}
[domain_realm]
.americas.ppdi.local = AMERICAS.PPDI.LOCAL
americas.ppdi.local = AMERICAS.PPDI.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
nsswitch.conf:
passwd: compat winbind
shadow: files
group: compat winbind
hosts: wins dns files
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
As stated, users within the same domain as the Samba server are able to
authenticate and access shares just fine; users within trusted domains
are not able to access the shares at all: they can't see them, nor use
them.
A sample error log file states the following:
[2005/05/05 09:49:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username EUROPE.PPDI.LOCAL+xdummy is invalid on this system
[2005/05/05 09:52:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username EUROPE+xdummy is invalid on this system
Thanks,
Sven
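A small diagnostic, added here and not part of Sven's post, that reads the smbd "is invalid on this system" line quoted above, splits the name on the configured winbind separator ("+" in the smb.conf above) and checks whether the domain half is one that winbind lists via wbinfo -m. The wbinfo -m listing embedded below is constructed; the only assumption is that command's default one-domain-per-line output.

```shell
#!/bin/sh
# Pull "DOMAIN+user" out of a reply_spnego_kerberos "is invalid on this system" line.
log_username() {
    printf '%s\n' "$1" | sed -n 's/.*Username \([^ ]*\) is invalid on this system.*/\1/p'
}

# Split "DOMAIN<sep>user" on the winbind separator; prints "DOMAIN user".
split_name() {
    printf '%s %s\n' "${1%%"$2"*}" "${1#*"$2"}"
}

# Succeed if domain ($1) appears in the wbinfo -m listing ($2), case-insensitively.
domain_is_trusted() {
    printf '%s\n' "$2" | grep -qixF -- "$1"
}

# Constructed stand-in for `wbinfo -m` output (NetBIOS names, one per line).
SAMPLE_WBINFO_M='AMERICAS
EUROPE
CAMBRIDGE_NT
WILBIDS01'

# diagnose LOGLINE SEPARATOR WBINFO_M_OUTPUT
# Returns 0 when the domain is known to winbind (so the next thing to check is NSS),
# 1 when it is not (realm form such as EUROPE.PPDI.LOCAL, or a trust winbind cannot see),
# 2 when the line carries no username at all.
diagnose() {
    name=$(log_username "$1")
    [ -n "$name" ] || { echo "no username found in log line"; return 2; }
    set -- $(split_name "$name" "$2") "$3"
    if domain_is_trusted "$1" "$3"; then
        echo "$1 is listed by wbinfo -m; next check NSS: getent passwd '$name'"
        return 0
    fi
    echo "$1 is not listed by wbinfo -m: smbd received a name winbind cannot map"
    return 1
}

# Stand-alone use: diagnose.sh 'Username EUROPE+xdummy is invalid on this system' [separator]
if [ "$#" -ge 1 ]; then
    diagnose "$1" "${2:-+}" "$(wbinfo -m 2>/dev/null)"
fi
```

Run against the two log lines in the post, the realm-form name (EUROPE.PPDI.LOCAL+xdummy) is reported as unknown to winbind, while EUROPE+xdummy passes that check and points at the getent lookup as the next step.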