[Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD domains
Jason Haar
Jason.Haar at trimble.co.nz
Tue Dec 5 07:04:18 GMT 2006
Hi there
We have a bunch of Samba 3.0.10+ CentOS4.4 servers that are working 100%
fine when connected to from users who are members of the same ADS domain
our Samba servers are members of. However, users from other ADS domains
(we are all W2K3-based) on our network cannot connect - they get
NT_STATUS_ACCESS_DENIED. The shares they are trying to connect to have
no share-level permission checks - we want any valid account to be able
to connect.
With auth methods = "sam, winbind", winbind is used, and "wbinfo -m" shows the
domains we trust. And yet people in those domains cannot log in.
ntlm_auth - which uses winbind - is able to authenticate such accounts -
but it looks like Samba "doesn't care" what winbind thinks - it must be
blocking for another reason. The logs show Samba starts as expected by
looking up "otherDom\username", but it always falls back to doing
Get_Pwnam_internals calls to winbind on the username by itself, and
obviously receives a "no such user" error from winbind.
winbind settings in smb.conf are:
auth methods = winbind
winbind separator = \
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
We have tried this with both "security = domain" and "security = ADS" -
no difference.
"finger myDomain\\username" works, but "finger otherDomain\\username"
immediately fails, with log.wb-otherDomain reporting
error getting user info for sid
S-1-5-21-1644491937-1078081533-682003330-6760
...and yet "wbinfo --sid-to-name" maps that back to the correct
username, and "wbinfo --name-to-sid" maps the username to the same SID.
As mentioned earlier, ntlm_auth with such an account and correct
password returns OK.
Any ideas? It smells so close to working...
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
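The lookup chain described in this post (trust list, name-to-SID, SID-to-name, winbind user info, NSS) as a constructed diagnostic script; it is added here and is not code from the post or from the Samba project. It assumes wbinfo and getent are on PATH and that the winbind separator is "\" as in the smb.conf above; the "wbinfo -i" step is the getpwnam lookup that fails with "error getting user info for sid" in the post.

```shell
#!/bin/sh
# Constructed diagnostic: walk the winbind lookup chain for a trusted-domain
# user and report the first step that fails. Assumes wbinfo/getent on PATH.

SEP='\'   # winbind separator from smb.conf (assumed)

# Usage: check_trusted_user DOMAIN USERNAME
# Prints "OK: ..." or "FAIL: <step>"; the printed verdict is the result.
check_trusted_user() {
    dom=$1; user=$2
    name="${dom}${SEP}${user}"

    # Step 1: is the domain in winbind's trust list? ("wbinfo -m" in the post)
    if ! wbinfo -m 2>/dev/null | grep -qixF -- "$dom"; then
        printf '%s\n' "FAIL: domain $dom not in trusted domain list (wbinfo -m)"; return 0
    fi

    # Step 2: name -> SID ("wbinfo --name-to-sid"); first field is the SID
    sid=$(wbinfo -n "$name" 2>/dev/null | awk '{print $1}')
    case $sid in
        S-1-5-21-*) ;;
        *) printf '%s\n' "FAIL: name-to-sid for $name (wbinfo -n)"; return 0 ;;
    esac

    # Step 3: SID -> name round trip ("wbinfo --sid-to-name")
    back=$(wbinfo -s "$sid" 2>/dev/null | awk '{print $1}')
    if [ -z "$back" ]; then
        printf '%s\n' "FAIL: sid-to-name for $sid (wbinfo -s)"; return 0
    fi

    # Step 4: full passwd-style user info through winbind (getpwnam path);
    # this is the step behind "error getting user info for sid" in the post
    if ! wbinfo -i "$name" >/dev/null 2>&1; then
        printf '%s\n' "FAIL: user info for $sid (wbinfo -i)"; return 0
    fi

    # Step 5: the same lookup through NSS, which is what finger (and smbd) use
    if ! getent passwd "$name" >/dev/null 2>&1; then
        printf '%s\n' "FAIL: NSS lookup for $name (getent passwd)"; return 0
    fi

    printf '%s\n' "OK: $name resolves to $sid through winbind and NSS"
}
```

Run it as `check_trusted_user otherDomain username` on the Samba server; the first FAIL line tells you which of the five lookups to debug in the corresponding log.wb-* file.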