[Samba] Authentication and trusted domains

Jurjen Oskam jurjen at stupendous.org
Wed Dec 6 11:32:58 GMT 2006

Hi there,

This is most likely something very basic which I'm not seeing right now.

I have a Samba-server, which is running in security = domain, and it's
a member of that domain (DOMAINA). The domain is a Win2003 domain.

That domain has established a trust with another domain (DOMAINB). There's
a Windows terminal server TERMSRV which is a member of DOMAINA, but a user
from DOMAINB logged in (using the trust). The user wants to reach a share
on the Samba-server. This is what happens (smbd -i -d 3 output):

Got user=[MFABER] domain=[DOMAINB] workstation=[TERMSRV] len1=24 len2=24
check_ntlm_password:  Checking password for unmapped user
[DOMAINB]\[MFABER]@[TERMSRV] with the new password interface
check_ntlm_password:  mapped user is: [DOMAINA]\[MFABER]@[TERMSRV]
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password:  Authentication for user [MFABER] -> [MFABER] FAILED

As you see, smbd sees that MFABER from DOMAINB tries to access a share,
but to me it looks like it tries to validate the password in the DOMAINA
domain. This fails. (It fails with NT_STATUS_WRONG_PASSWORD because there
is also a (different) user named MFABER in DOMAINA.)

I'd like users from DOMAINB to access resources on the Samba server.
Winbindd, smbd and nmbd are all running. Samba version is 3.0.21c.

Am I missing something obvious here?

        workgroup = DOMAINA
        netbios name = smb-lpar
        security = domain
        encrypt passwords = Yes
        password server = *
        client use spnego = Yes
        restrict anonymous = Yes
        lanman auth = No
        min protocol = NT1
        mangling method = hash2
        os level = 0
        lm announce = No
        preferred master = No
        local master = No
        domain master = No
        wins server =
        allow trusted domains = Yes
        idmap uid = 2000-100000000
        idmap gid = 2000-100000000
        template shell = /bin/ksh
        template homedir = /home/%U
        winbind use default domain = No
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        log level = 1

Jurjen Oskam
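
A log check for the symptom described in this message, added here as an example and not part of the original post or of Samba: it scans smbd debug output for authentication attempts where the domain sent by the client differs from the domain in the "mapped user is" line. The function name and the sample log (the MFABER lines follow the post, the JDOE lines are constructed) are assumptions made for illustration.

```python
import re

# Constructed sample in the shape of the "smbd -i -d 3" output quoted above,
# including the e-mail line wrap after "unmapped user".
SAMPLE_LOG = r"""Got user=[MFABER] domain=[DOMAINB] workstation=[TERMSRV] len1=24 len2=24
check_ntlm_password:  Checking password for unmapped user
[DOMAINB]\[MFABER]@[TERMSRV] with the new password interface
check_ntlm_password:  mapped user is: [DOMAINA]\[MFABER]@[TERMSRV]
check_ntlm_password:  Authentication for user [MFABER] -> [MFABER] FAILED
check_ntlm_password:  Checking password for unmapped user [DOMAINA]\[JDOE]@[WS1] with the new password interface
check_ntlm_password:  mapped user is: [DOMAINA]\[JDOE]@[WS1]
check_ntlm_password:  authentication for user [JDOE] -> [JDOE] -> [JDOE] succeeded
"""

# [DOMAIN]\[USER]@[WORKSTATION] as printed by check_ntlm_password
PRINCIPAL = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
EVENT = re.compile(
    r"unmapped user\s+" + PRINCIPAL                      # groups 1-3: as sent by client
    + r"|mapped user is:\s+" + PRINCIPAL                 # groups 4-6: after mapping
    + r"|[Aa]uthentication for user \[([^\]]*)\][^\n]*?\b(FAILED|succeeded)\b"
)

def find_domain_remaps(log_text):
    """Return one dict per attempt whose domain changed between the
    'unmapped user' line and the 'mapped user is' line."""
    findings, claimed, mapped = [], None, None
    for m in EVENT.finditer(log_text):
        if m.group(1) is not None:            # start of a new attempt
            claimed, mapped = m.group(1, 2, 3), None
        elif m.group(4) is not None:          # identity smbd will validate
            mapped = m.group(4, 5, 6)
        elif claimed and mapped:              # result line closes the attempt
            if claimed[0].upper() != mapped[0].upper():
                findings.append({
                    "user": claimed[1],
                    "workstation": claimed[2],
                    "claimed_domain": claimed[0],
                    "checked_domain": mapped[0],
                    "result": m.group(8),
                })
            claimed = mapped = None
    return findings

if __name__ == "__main__":
    for finding in find_domain_remaps(SAMPLE_LOG):
        print(finding)
```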
