[Samba] Domain trust relationship between Samba 3.0.21c and AD 2003

Cedric Delfosse cedric.delfosse at linbox.com
Fri Apr 21 14:16:07 GMT 2006


Hello,

I have two domains:
  - a domain FRANCE on a SAMBA PDC called "SARGE"
  - a domain DOMAINTEST on a Active Directory called "SRV2003-2"

I followed the samba howto chapter on setting up a domain trust 
relationship between these two domains.
For now, I just want DOMAINTEST users to log on shares of the FRANCE domain.

On Windows 2003 side, with the MMC I can check/revalidate the trust 
relationship with the samba PDC. And windows tells me that it's OK.

On SAMBA side, looks like it's OK:
# net rpc trustdom list
Trusted domains list:

DOMAINTEST          S-1-5-21-769731554-1856840314-4054211777

Trusting domains list:

DOMAINTEST          S-1-5-21-769731554-1856840314-4054211777

I installed winbind, and I can get the user and group list from DOMAINTEST:
# wbinfo -gu
DOMAINTEST\admins du domaine
DOMAINTEST\utilisa. du domaine
DOMAINTEST\invités du domaine
DOMAINTEST\ordinateurs du domaine
DOMAINTEST\contrôleurs de domaine
DOMAINTEST\administrateurs du schéma
DOMAINTEST\administrateurs de l'entreprise
DOMAINTEST\propriétaires créateurs de la stratégie de groupe
DOMAINTEST\dnsupdateproxy
BUILTIN\administrators
BUILTIN\print operators
BUILTIN\backup operators
BUILTIN\replicators
DOMAINTEST\administrateur
DOMAINTEST\anonymous
DOMAINTEST\cedric
DOMAINTEST\invité
DOMAINTEST\krbtgt
DOMAINTEST\sshd
DOMAINTEST\sshd_server
DOMAINTEST\support_388945a0


Now, from the AD, if I try to log in as an AD user on a FRANCE domain 
share, it doesn't work (access denied).

Here is what I have in log.smbd:

[2006/04/21 15:30:08, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(633)
   Doing spnego session setup
[2006/04/21 15:30:08, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(664)
   NativeOS=[Windows Server 2003 3790] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2006/04/21 15:30:08, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(662)
   Got user=[Administrateur] domain=[DOMAINTEST] workstation=[SRV2003-2] len1=24 len2=24
...
[2006/04/21 15:30:08, 3] auth/auth.c:check_ntlm_password(219)
   check_ntlm_password:  Checking password for unmapped user [DOMAINTEST]\[Administrateur]@[SRV2003-2] with the new password interface
[2006/04/21 15:30:08, 3] auth/auth.c:check_ntlm_password(222)
   check_ntlm_password:  mapped user is: [DOMAINTEST]\[Administrateur]@[SRV2003-2]
...
[2006/04/21 15:30:08, 3] auth/auth_util.c:make_server_info_info3(1282)
   User Administrateur does not exist, trying to add it
[2006/04/21 15:30:09, 0] auth/auth_util.c:make_server_info_info3(1297)
   make_server_info_info3: pdb_init_sam failed!
[2006/04/21 15:30:09, 2] auth/auth.c:check_ntlm_password(317)
   check_ntlm_password:  Authentication for user [Administrateur] -> [Administrateur] FAILED with error NT_STATUS_NO_SUCH_USER


In log.winbind, I don't know what conclusion to draw from this log:

[2006/04/21 15:30:08, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(454)
   [    0]: request interface version
[2006/04/21 15:30:08, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
   [    0]: request location of privileged pipe
[2006/04/21 15:30:08, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(519)
   [    0]: pam auth crap domain: [DOMAINTEST] user: Administrateur
[2006/04/21 15:30:08, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(454)
   [    0]: request interface version
[2006/04/21 15:30:08, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
   [    0]: request location of privileged pipe
[2006/04/21 15:30:08, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
   [    0]: getpwnam domaintest\administrateur
[2006/04/21 15:30:08, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
   [    0]: getpwnam DOMAINTEST\administrateur
[2006/04/21 15:30:08, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
   [    0]: getpwnam DOMAINTEST\ADMINISTRATEUR


With "getent passwd", the DOMAINTEST users are not listed. And I have 
these errors in log.winbind when using this command:

[2006/04/21 15:55:30, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(454)
   [    0]: request interface version
[2006/04/21 15:55:30, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(487)
   [    0]: request location of privileged pipe
[2006/04/21 15:55:30, 3] nsswitch/winbindd_user.c:winbindd_setpwent_internal(432)
   [    0]: setpwent
[2006/04/21 15:55:30, 3] nsswitch/winbindd_user.c:winbindd_getpwent(626)
   [    0]: getpwent
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-500
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user anonymous
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-1117
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user cedric
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-1121
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user Invité
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-501
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user krbtgt
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-502
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user sshd
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-1114
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user sshd_server
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-1115
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user SUPPORT_388945a0
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
   error getting user id for sid S-1-5-21-769731554-1856840314-4054211777-1001
[2006/04/21 15:55:30, 1] nsswitch/winbindd_user.c:winbindd_getpwent(715)
   could not lookup domain user
[2006/04/21 15:55:30, 3] nsswitch/winbindd_user.c:winbindd_endpwent(508)
   [    0]: endpwent

Hmmmm, when I look at the relationship properties with the AD tool, it 
tells me that for security reasons SID filtering is enabled. Maybe 
that's why user SID can't be found. I will try to investigate this.

Should any additional winbind configuration be done so that AD 
users can be authenticated by Samba? Here is the content of my smb.conf 
global section:

[global]
         domain logons = Yes
         passdb backend = ldapsam:ldap://127.0.0.1
         log level = 3
         enable privileges = Yes
         lprm command =
         ldap user suffix = ou=Users
         print command =
         map to guest = Bad User
         ldap admin dn = cn=admin,dc=france,dc=fr
         ldap group suffix = ou=Groups
         ldap suffix = dc=france,dc=fr
         printing = cups
         ldap ssl = no
         ldap machine suffix = ou=Computers
         printcap name = cups
         add machine script = /usr/lib/lmc/add_machine_script '%u'
         domain master = Yes
         lpq command = %p
         workgroup = FRANCE
         idmap uid = 20000 - 30000
         idmap gid = 20000 - 30000

Regards,

-- 
Cédric Delfosse                             Linbox / Free&ALter Soft
152, rue de Grigy - Technopole Metz                       57070 METZ
tél : 03 87 50 87 98                               http://linbox.com


More information about the samba mailing list