[Samba] kerberos error when users in trusted win2k domain try to browse samba server
Don Meyer
dlmeyer at uiuc.edu
Thu Feb 16 23:36:14 GMT 2006
We have the same situation here. Apparently, users from domain-A
can properly connect/browse/etc. a server in domain-B (assuming
permissions OK, W2K3-based ADS) if the domains have a two-way trust
in place. But users from a "trusted" domain cannot access
Samba-server based resources, generating the errors you note below.

To me, these errors seem to indicate that the "trusted" domain is
rejecting the server's credentials, as they are from the "trusting"
domain, which by definition it does not "trust" in a one-way relationship.

In the Windows world, the Windows admin GUI usually pops up a dialog
to ask an admin for proper credentials on the "trusted" domain when
initiating actions such as adding a user from the "trusted" domain to
a domain local group in the "trusting" domain.

There needs to be some mechanism identified to supply satisfactory
credentials for the server to use to communicate with the "trusted"
domain, in this one-way trust situation.
Cheers,
-D
At 11:39 AM 2/16/2006, Dale Wishner wrote:
>I have users from Domain A trying to browse a domain member samba server in
>Domain B. Domain A and Domain B are both Windows 2k domains. Domain B has
>a one way trust to A. A users can browse Domain B Windows server with no
>problem so I know the trust is fine. Samba version is 3.0.21b on RH Linux ES
>3.
>
>The winbindd log is giving me the following error:
>
>[2006/02/16 08:28:50, 0] nsswitch/winbindd_dual.c:child_read_request(49)
> Got invalid request length: 0
>[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
> ads_krb5_mk_req: krb5_get_credentials failed for
>isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:20:32, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
> spnego_gen_negTokenTarg failed: Server not found in Kerberos database
>[2006/02/16 09:21:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
> ads_krb5_mk_req: krb5_get_credentials failed for
>isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain ONTARIOPD failed: Server not found in Kerberos
>database
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
> error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
> error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
> error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
>
>Both Domain A and Domain B realms are defined in the krb5.conf file. Users
>from Domain B browse the samba server just fine.
>
>I have been working on this problem for three days. I have searched the
>'Net and found people with similar issues but no solution.
>
>Any help would be appreciated.
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759
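
Added example, not part of the original thread: a small Python triage script for winbindd logs like the excerpt quoted above. It undoes the '>' quoting and mail line wrapping, then counts the Kerberos, ads_connect and SID-lookup failures; the function names and the summary layout are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the log quoted in the message above, '>' markers and mail wrapping left in.
QUOTED_LOG = """\
>[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
> ads_krb5_mk_req: krb5_get_credentials failed for
>isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain ONTARIOPD failed: Server not found in Kerberos
>database
>[2006/02/16 09:21:02, 1]
>nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
> error getting user info for sid
>S-1-5-21-1813802168-3123542457-4032405765-1223
"""

# Samba log header: [timestamp, level] source_file:function(line)
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(\S+):(\w+)\((\d+)\)")
KRB_FAIL = re.compile(r"krb5_get_credentials failed for (\S+)@(\S+) \(([^)]*)\)")
ADS_FAIL = re.compile(r"ads_connect for domain (\S+) failed: (.+)")
SID_FAIL = re.compile(r"error getting user info for sid (S-[\d-]+)")

def entries(text):
    """Yield (timestamp, level, function, message) per log entry."""
    # Drop leading '>' quoting, then collapse all wrapping into single spaces.
    flat = " ".join(re.sub(r"(?m)^[> \t]+", "", text).split())
    heads = list(HEADER.finditer(flat))
    for cur, nxt in zip(heads, heads[1:] + [None]):
        end = nxt.start() if nxt else len(flat)
        yield cur.group(1), int(cur.group(2)), cur.group(4), flat[cur.end():end].strip()

def summarize(text):
    """Count Kerberos, ADS-connect and SID-lookup failures in a winbindd log."""
    out = {"krb5": Counter(), "ads_connect": Counter(), "sid": Counter()}
    for _ts, _level, _func, msg in entries(text):
        if m := KRB_FAIL.search(msg):
            out["krb5"][(m.group(1), m.group(2), m.group(3))] += 1   # principal, realm, reason
        elif m := ADS_FAIL.search(msg):
            out["ads_connect"][(m.group(1), m.group(2))] += 1        # domain, reason
        elif m := SID_FAIL.search(msg):
            out["sid"][m.group(1)] += 1                              # unresolved SID
    return out

if __name__ == "__main__":
    for kind, counts in summarize(QUOTED_LOG).items():
        for key, n in counts.items():
            print(kind, n, key)
```

Grouping by principal and realm shows at a glance which realm's KDC is refusing the ticket request and which SIDs go unresolved as a result.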