[Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD domains

Jason Haar Jason.Haar at trimble.co.nz
Tue Dec 5 07:04:18 GMT 2006


Hi there

We have a bunch of Samba 3.0.10+ CentOS4.4 servers that are working 100%
fine when connected to from users who are members of the same ADS domain
our Samba servers are members of. However, users from other ADS domains
(we are all W2K3-based) on our network cannot connect - they get
NT_STATUS_ACCESS_DENIED. The shares they are trying to connect to have
no share-level permission checks - we want any valid account to be able
to connect.

auth methods = "sam, winbind", winbind is used and "wbinfo -m" shows the
domains we trust. And yet people in those domains cannot log in.

ntlm_auth - which uses winbind - is able to authenticate such accounts -
but it looks like Samba "doesn't care" what winbind thinks - it must be
blocking for another reason. The logs show Samba starts as expected by
looking up "otherDom\username", but it always falls back to doing
Get_Pwnam_internals calls to winbind on the username by itself, and
obviously receives a "no such user" error from winbind.

winbind settings in smb.conf are:

        auth methods = winbind
        winbind separator = \
        winbind cache time = 3600
        winbind enum users = Yes
        winbind enum groups = No
        winbind use default domain = No
        winbind trusted domains only = No
        winbind nested groups = Yes
        winbind nss info = template
        winbind refresh tickets = No
        winbind offline logon = No

We have tried this with both "security = domain" and "security = ADS" -
no difference.

"finger myDomain\\username" works, but "finger otherDomain\\username"
immediately fails, with log.wb-otherDomain reporting

error getting user info for sid
S-1-5-21-1644491937-1078081533-682003330-6760

...and yet "wbinfo --sid-to-name" maps that back to the correct
username, and "wbinfo --name-to-sid" maps the username to the same SID.
As mentioned earlier, ntlm_auth with such an account and correct
password returns OK.


Any ideas? It smells so close to working...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
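To make the fall-back behaviour described above concrete, here is a small Python model of how winbind splits a "DOMAIN\user" name on the configured separator and which domain it would search. This is an added example, not part of the original post or of Samba; the smb.conf excerpt, the workgroup name and the trusted-domain list are constructed from the settings quoted in the post.

```python
import re

# Constructed smb.conf excerpt built from the settings quoted in the post
# (the workgroup name is an assumption, not the poster's real domain).
SMB_CONF = """
[global]
        workgroup = MYDOMAIN
        security = ADS
        auth methods = winbind
        winbind separator = \\
        winbind use default domain = No
        winbind trusted domains only = No
"""

# Constructed list standing in for the domains listed by "wbinfo -m".
TRUSTED_DOMAINS = ["OTHERDOMAIN", "THIRDDOMAIN"]

def parse_smb_conf(text):
    """Return {section: {key: value}}; smb.conf keys are case-insensitive, so lowercase them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        key, _, value = line.partition("=")
        conf.setdefault(section, {})[key.strip().lower()] = value.strip()
    return conf

def split_winbind_name(name, conf):
    """Split DOMAIN<sep>user as winbind does. A name without a domain component is
    at best resolved against the server's own domain (the workgroup), never against
    a trusted domain, so a bare trusted-domain username yields 'no such user'."""
    g = conf["global"]
    sep = g.get("winbind separator", "\\")
    if sep in name:
        domain, user = name.split(sep, 1)
        return domain.upper(), user
    return g.get("workgroup", "").upper(), name

def lookup_domain(name, conf, trusted):
    """Return 'own', 'trusted' or 'unknown' for the domain winbind would search."""
    domain, _ = split_winbind_name(name, conf)
    if domain == conf["global"].get("workgroup", "").upper():
        return "own"
    return "trusted" if domain in (d.upper() for d in trusted) else "unknown"
```

Running `lookup_domain("OTHERDOMAIN\\jdoe", ...)` gives "trusted", while the retried bare name `lookup_domain("jdoe", ...)` gives "own", which is the mismatch the Get_Pwnam_internals fall-back in the logs is hitting.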

