[Samba] Authentication and trusted domains

Jurjen Oskam jurjen at stupendous.org
Sat Dec 23 09:20:10 GMT 2006 

On Wed, Dec 06, 2006 at 12:32:58PM +0100, Jurjen Oskam wrote:

> This is most likely something very basic which I'm not seeing right now.

Well, it wasn't. :)

> I have a Samba-server, which is running in security = domain, and it's
> a member of that domain (DOMAINA). The domain is a Win2003 domain.
> 
> That domain has established a trust with another domain (DOMAINB). There's
> a Windows terminal server TERMSRV which is a member of DOMAINA, but a user
> from DOMAINB logged in (using the trust). The user wants to reach a share
> on the Samba-server. This is what happens (smbd -i -d 3 output):
> 
> Got user=[MFABER] domain=[DOMAINB] workstation=[TERMSRV] len1=24 len2=24
> check_ntlm_password:  Checking password for unmapped user
> [DOMAINB]\[MFABER]@[TERMSRV] with the new password interface
> check_ntlm_password:  mapped user is: [DOMAINA]\[MFABER]@[TERMSRV]
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> check_ntlm_password:  Authentication for user [MFABER] -> [MFABER] FAILED
> with error NT_STATUS_WRONG_PASSWORD
> 
> As you see, smbd sees that MFABER from DOMAINB tries to access a share,
> but to me it looks like it tries to validate the password in the DOMAINA
> domain. This fails. (It fails with NT_STATUS_WRONG_PASSWORD because there
> is also a (different) user named MFABER in DOMAINA)

I have found out what happened. There's a winbindd on the system, which is
used for authenticating non-local (to the Unix machine) users. All the
shares either are read only or have "force user" enabled, so there won't be
any files written on the system which would have the Windows-account as
owner. Therefore, I don't care about the SID <> UID-mapping being the same
on each machine.

Anyway, why you see the unmapped user DOMAINB\MFABER being mapped to
DOMAINA\MFABER (which is not correct), was because winbind did realize that
it should try to authenticate against a DOMAINB domain controller, but it
failed because it couldn't resolve the domain controllers' address using
WINS, broadcast or LMHOSTS. Then, it gave up. I have "solved" this by
creating an "LMHOSTS" file with the IP-adresses of all domain controllers
of DOMAINB. When I did that, everything started working.

Of course, this is an ugly hack, and I only did this because the situation
is temporary: DOMAINA will eventually be destroyed and there will only be
DOMAINB, which Samba will then be a member of. No trusts are involved
anymore, then.

All this probably wouldn't be a problem if Samba were compiled with the
Kerberos libraries, and it would be in "security = ads" mode. Then it would
just use DNS to find the domain controllers (right?).


(I am now a bit curious how this would have worked in NT4 style domains.
I'm no Windows-guy, but it seems the underlying problem was cross-subnet
browsing for machines in the trusted domain didn't work. When creating
trusts between domains, should the WINS server of the trusting domain
be set up so that it can resolve names for machines in the trusted domain?)


-- 
Jurjen Oskam

Savage's Law of Expediency:
        You want it bad, you'll get it bad.

More information about the samba mailing list