[Samba] Joining a trusted domain

Don Meyer dlmeyer at uiuc.edu
Thu Feb 16 20:37:25 GMT 2006


This sounds like it might be somewhat related to the problem I posted 
a query about earlier this week -- where domain local groups in 
domain-A that contain users from (trusted/trusting) domain-B, are not 
having the domain-B users being enumerated by winbind as group 
members on Samba/winbind systems in domain-A.  It appears that only 
domain-A users can be enumerated as group members by winbind, even if 
the group is defined as a domain local group, which can contain users 
defined in a foreign, trusted domain.  (On Windows systems within the 
domain, users from domain-B show up as group members just fine -- 
Samba appears to be dropping them off the list, though.)

It seems like there might be some sort of common inability to deal 
with references to users in another (trusted) domain from within the 
context of the local domain, in certain places at least...

Cheers,
-D


At 01:26 PM 2/16/2006, Devin Morton wrote:
>I've come across a fairly unique situation and after much searching have
>not found a solution. I thought I would see if anyone here has had any
>experience with this before.
>
>I have a location with two ADS domains with a two-way trust configured.
>
>-For this example I will call them corp.company.com and bst.company.com.
>
>-I have a FreeBSD client running Samba version three
>-I want to use an account in corp with privileges over bst to join the
>client to the bst domain.
>
>No matter what format I use to specify the location of the admin account,
>the process always appends the specified user to the bst I'm attempting to
>join. That domain, of course, cannot find the user and I receive an
>"Invalid credentials" error. Here is an example:
>
>ESPN-IQ-1# net ads join -S bst.company.com -U CORP.company.com/domainadmin
>Password:
>[2006/02/16 12:20:42, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
>   krb5_cc_get_principal failed (No credentials cache found)
>[2006/02/16 12:20:42, 0] libads/kerberos.c:ads_kinit_password(133)
>   kerberos_kinit_password CORP.company.com/domainadmin at BST.company.com failed: Client not found in Kerberos database
>[2006/02/16 12:20:42, 1] utils/net_ads.c:ads_startup(152)
>   ads_connect: Invalid credentials
>
>
>Is there a way to specify a user account from a different domain when
>attempting to join in this fashion?
>
>Thanks in advance.
>Devin Morton

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
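
An added example (not part of the original thread and not Samba code): a small Python parser that regroups the debug output quoted in the message and flags kinit failures where the user name carries a domain qualifier different from the realm that was appended to it. The function names are hypothetical, and the header pattern assumes the `[timestamp, level] file:function(line)` layout seen in the quoted log.

```python
import re

# Constructed sample: the debug output from the quoted message with the '>'
# markers stripped. One message is wrapped across lines and '@' is written
# as ' at ', as mail archives often do.
SAMPLE_LOG = """\
[2006/02/16 12:20:42, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
   krb5_cc_get_principal failed (No credentials cache found)
[2006/02/16 12:20:42, 0] libads/kerberos.c:ads_kinit_password(133)
   kerberos_kinit_password CORP.company.com/domainadmin at BST.company.com
failed: Client not
  found in Kerberos database
[2006/02/16 12:20:42, 1] utils/net_ads.c:ads_startup(152)
   ads_connect: Invalid credentials
"""

# Assumed header layout: "[timestamp, level] file:function(line)".
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
KINIT = re.compile(r"kerberos_kinit_password (?P<user>\S+?)(?:@| at )"
                   r"(?P<realm>\S+) failed: (?P<err>.+)")

def parse_records(text):
    """Group the log into (timestamp, level, source, message) records.
    Non-header lines continue the previous record, which undoes wrapping."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append((m["ts"], int(m["level"]), m["src"], []))
        elif records and line.strip():
            records[-1][3].append(line.strip())
    return [(ts, lvl, src, " ".join(msg)) for ts, lvl, src, msg in records]

def realm_mismatches(text):
    """Report kinit failures whose user name carries its own domain qualifier
    (DOMAIN/user or DOMAIN\\user) that differs from the realm appended to it."""
    findings = []
    for ts, _lvl, src, msg in parse_records(text):
        m = KINIT.search(msg)
        if not m:
            continue
        parts = re.split(r"[/\\]", m["user"], maxsplit=1)
        if len(parts) == 2 and parts[0].lower() != m["realm"].lower():
            findings.append({"time": ts, "source": src, "user_domain": parts[0],
                             "user": parts[1], "realm": m["realm"], "error": m["err"]})
    return findings

if __name__ == "__main__":
    for finding in realm_mismatches(SAMPLE_LOG):
        print(finding)
```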


