[Samba] kerberos error when users in trusted win2k domain try to browse samba server

Don Meyer dlmeyer at uiuc.edu
Thu Feb 16 23:36:14 GMT 2006


We have the same situation here.   Apparently, users from domain-A 
can properly connect/browse/etc. a server in domain-B (assuming 
permissions OK, W2K3-based ADS) if the domains have a two-way trust 
in place.   But users from a "trusted" domain cannot access 
Samba-server based resources, generating the errors you note below.

To me, these errors seem to indicate that the "trusted" domain is 
rejecting the server's credentials, as they are from the "trusting" 
domain, which by definition it does not "trust" in a one-way relationship.

In the Windows world, the Windows admin GUI usually pops up a dialog 
to ask an admin for proper credentials on the "trusted" domain when 
initiating actions such as adding a user from the "trusted" domain to 
a domain local group in the "trusting" domain.

There needs to be some mechanism identified to supply satisfactory 
credentials for the server to use to communicate with the "trusted" 
domain, in this one-way trust situation.

Cheers,
-D


At 11:39 AM 2/16/2006, Dale Wishner wrote:
>I have users from Domain A trying to browse a domain member samba server in
>Domain B.  Domain A and Domain B are both Windows 2k domains.  Domain B has
>a one way trust to A.  A users can browse Domain B Windows server with no
>problem so I know the trust is fine.  Samba version is 3.0.21b on RH Linux ES
>3.
>
>The winbindd log is giving me the following error:
>
>[2006/02/16 08:28:50, 0] nsswitch/winbindd_dual.c:child_read_request(49)
>   Got invalid request length: 0
>[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
>   ads_krb5_mk_req: krb5_get_credentials failed for
>isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:20:32, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
>   spnego_gen_negTokenTarg failed: Server not found in Kerberos database
>[2006/02/16 09:21:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
>   ads_krb5_mk_req: krb5_get_credentials failed for
>isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>   ads_connect for domain ONTARIOPD failed: Server not found in Kerberos
>database
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
>   error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
>   error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
>   error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
>
>Both Domain A and Domain B realms are defined in the krb5.conf file.  Users
>from Domain B browse the samba server just fine.
>
>I have been working on this problem for three days.  I have searched the
>'Net and found people with similar issues but no solution.
>
>Any help would be appreciated.

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
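
The winbindd errors quoted in this thread, rejoined from their mail-wrapped form and tallied per failing principal or domain. This is an added example, not part of either poster's message and not Samba code; the function names are hypothetical, and the sample is a subset of the quoted log above.

```python
import re
from collections import Counter

# Sample copied from the winbindd log quoted in this thread ('>' quoted, mail-wrapped).
SAMPLE = """\
>[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
>   ads_krb5_mk_req: krb5_get_credentials failed for
>isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>   ads_connect for domain ONTARIOPD failed: Server not found in Kerberos
>database
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
>   error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+?):(\w+)\((\d+)\)\s*(.*)$")
KRB_FAIL = re.compile(r"krb5_get_credentials failed for (\S+) \(([^)]*)\)")
ADS_FAIL = re.compile(r"ads_connect for domain (\S+) failed: (.+)")

def parse_records(text):
    """Rejoin wrapped log lines into (time, level, function, message) tuples."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()      # drop mail quoting and indentation
        m = HEADER.match(line)
        if m:                               # a timestamp header starts a new record
            current = [m.group(1), int(m.group(2)), m.group(3)]
            records.append(current)
        elif current is not None and line:  # anything else continues the record
            current[2] = (current[2] + " " + line).strip()
    matched = [(r, LOCATION.match(r[2])) for r in records]
    return [(r[0], r[1], m.group(2), m.group(4)) for r, m in matched if m]

def kerberos_failures(records):
    """Count failures per (kind, principal or domain, reason)."""
    hits = Counter()
    for _, _, _, msg in records:
        for kind, rx in (("ticket", KRB_FAIL), ("ads_connect", ADS_FAIL)):
            m = rx.search(msg)
            if m:
                hits[(kind, m.group(1), m.group(2))] += 1
    return hits

if __name__ == "__main__":
    print(kerberos_failures(parse_records(SAMPLE)))
```

Run over a full winbindd log, the tally shows whether every failure names the same principal and realm, which is the pattern in the log quoted above.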


