[Samba] Samba 3.0.2x with trusted domains.

Vincent.Badier at alcatel.fr Vincent.Badier at alcatel.fr
Tue Feb 28 11:52:03 GMT 2006


Hello all, 

We have a Samba server on a SLES9 Linux box. It is connected to an Active 
Directory with multiple trusted domains. 
With this server, we have strange problems with users/groups in other 
domains. The users/groups listed in smb.conf that are part of trusted 
domains are not taken into account to access the shares. We also cannot 
set ACLs correctly on the filesystem. 

This is not an architecture problem, since another Samba box (3.0.2), 
connected to the same domain, with the same config file, works perfectly. 

So here is a summary of the troubles. Note that after these checks, I've 
upgraded to 3.0.21c (SUSE rpm packages) without any amelioration on the 
following points: 

masters# rpm -qa | grep -i samba
yast2-samba-server-2.9.33-0.3
samba-client-3.0.20b-3.4
samba-3.0.20b-3.4
samba-doc-3.0.20b-3.4
kdebase3-samba-3.2.1-68.46
yast2-samba-client-2.9.17-1.3
samba-winbind-3.0.20b-3.4

Say that the Samba server is linked to Domain1, and there are trusted 
Domain2, Domain3, etc.

masters# wbinfo -t
checking the trust secret via RPC calls succeeded

masters# wbinfo -m
Domain1
Domain2
Domain3
....

masters# wbinfo -n Domain1+user1
S-1-5-21-1220945662-796845957-725345543-21380 User (1)

masters# wbinfo -s S-1-5-21-1220945662-796845957-725345543-21380
Domain1+user1 1

masters# wbinfo -r Domain1+user1
10000
10000
10001
10002
10003
....

masters# wbinfo -n Domain2+user2
S-1-5-21-2035491313-1038499582-81669161-1396 User (1)
masters# wbinfo -s S-1-5-21-2035491313-1038499582-81669161-1396
Domain2+user2
masters# wbinfo -S S-1-5-21-2035491313-1038499582-81669161-1396
10002
masters# wbinfo -r Domain2+user2
Could not get groups for user Domain2+user2


In addition, in log.winbindd I get the following strange record - no 
SID lookup for trusted domains: 

[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain1 S-1-5-21-1220945662-796845957-725345543
[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain2 S-0-0
[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain3 S-0-0
[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain4 S-0-0

Another strange behaviour is that on a working share, with a domain account 
which works (primary domain), I can set up ACLs on files with users from 
another computer via Windows. The getfacl will show the corresponding unix 
gid. However, 


I really don't understand where the problem may come from, so any 
suggestions are welcome. 
I repeat that a 3.0.2 compiled manually a couple of years ago (Feb 
2004) is working correctly on a Debian server.

Best regards.
Vincent Badier
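
A check for the symptom shown in the log.winbindd excerpt above, as an added example (not part of the original post and not Samba code): it parses the two-line add_trusted_domain records and lists the domains recorded with a placeholder SID such as S-0-0. The function names and the "latest record per domain wins" rule are assumptions of this example; the sample lines are the ones quoted in the post.

```python
import re

# Samba debug header, e.g. "[2006/02/28 11:15:02, 2] file.c:function(166)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+:(?P<func>\w+)\(\d+\)")
# Indented message line that follows an add_trusted_domain header
ADDED = re.compile(r"^\s+Added domain (?P<domain>\S+) (?P<sid>S-[\d-]+)\s*$")
# A complete NT domain SID has the form S-1-5-21-<a>-<b>-<c>
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Log lines copied from the post above (header line + indented message line)
SAMPLE_LOG = """\
[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain1 S-1-5-21-1220945662-796845957-725345543
[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain2 S-0-0
[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain3 S-0-0
[2006/02/28 11:15:02, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain Domain4 S-0-0
"""

def parse_added_domains(log_text):
    """Return [(timestamp, domain, sid)] for every add_trusted_domain record."""
    records, pending_ts = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            # Remember the timestamp only if the next line belongs to our function
            is_ours = header.group("func") == "add_trusted_domain"
            pending_ts = header.group("ts") if is_ours else None
            continue
        added = ADDED.match(line)
        if added and pending_ts is not None:
            records.append((pending_ts, added.group("domain"), added.group("sid")))
        pending_ts = None  # a message line always closes the current record
    return records

def domains_without_sid(log_text):
    """Sorted domain names whose most recent record lacks a full domain SID."""
    latest = {}
    for _ts, domain, sid in parse_added_domains(log_text):
        latest[domain] = sid  # assumption: a later record supersedes an earlier one
    return sorted(d for d, sid in latest.items() if not DOMAIN_SID.match(sid))

if __name__ == "__main__":
    for name in domains_without_sid(SAMPLE_LOG):
        print("no domain SID recorded for trusted domain:", name)
```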

