[Samba] Samba and trusted domains

Michael Gasch gasch at eva.mpg.de
Mon Jul 3 14:53:11 GMT 2006


nir, i´m sorry now...
please follow the samba howto guide line regarding section idmap backend.

your setup is working for me here.
if nothing is written to winbindd, you have a major and substantial 
problem, which i cannot fix from here...

sometimes restarting my linux machine fixed a problem of winbindd/nss 
not working after i installed samba. after reboot everything worked like 
a charme (think it was lib-related, that older ones still were cached or so)

greez


Nir Barkan wrote:
> I disabled the nscd.
> Restarted winbind (with debug=5)
> 
> Running id give the same results = id: invalid user name: "EU15\test1"
> Nothing written on the winbind debug
> 
> Nir 
> 
> -----Original Message-----
> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
> Sent: Monday, July 03, 2006 5:32 PM
> To: Nir Barkan
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba and trusted domains
> 
> if you´re running winbindd there´s no need to run nscd.
> it´s a common problem and you should really avoid using it, unless you 
> have a real reason.
> 
> disable it and run id again
> 
> greez
> 
> Nir Barkan wrote:
>> Nscd is running
>>
>> This is my nsswitch.conf:
>>
>> # /etc/nsswitch.nis:
>> #
>> # An example file that could be copied over to /etc/nsswitch.conf; it
>> # uses NIS (YP) in conjunction with files.
>> #
>> # "hosts:" and "services:" in this file are used only if the
>> # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>>
>> # the following two lines obviate the "+" entry in /etc/passwd and
>> /etc/group.
>> passwd:     files winbind nis
>> group:      files winbind nis
>>
>> # consult /etc "files" only if nis is down.
>> hosts:      files nis dns
>> ipnodes:    files
>> # Uncomment the following line and comment out the above to resolve
>> # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
>> # IPv4 addresses are searched in all of the ipnodes databases before
>> # searching the hosts databases. Before turning this option on, consult
>> # the Network Administration Guide for more details on using IPv6.
>> #ipnodes:    nis [NOTFOUND=return] files
>>
>> networks:   nis [NOTFOUND=return] files
>> protocols:  nis [NOTFOUND=return] files
>> rpc:        nis [NOTFOUND=return] files
>> ethers:     nis [NOTFOUND=return] files
>> netmasks:   nis [NOTFOUND=return] files
>> bootparams: nis [NOTFOUND=return] files
>> publickey:  nis [NOTFOUND=return] files
>>
>> netgroup:   nis
>>
>> automount:  files nis
>> aliases:    files nis
>>
>> # for efficient getservbyname() avoid nis
>> services:   files nis
>> sendmailvars:   files
>> printers:       user files nis
>>
>> auth_attr:  files nis
>> prof_attr:  files nis
>> project:    files nis
>> project:    files nis
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>> Sent: Monday, July 03, 2006 4:06 PM
>> To: Nir Barkan
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba and trusted domains
>>
>>  > When running the id command, nothing written on the winbind debug
>> looks like a prob with NSS and winbindd...
>> what looks your nsswitch.conf like?
>> do you use nscd?
>>
>> greez
>>
>> Nir Barkan wrote:
>>> id EU15\\test1
>>>
>>> gives:
>>>
>>> id: invalid user name: "EU15\test1"
>>>
>>> When running the id command, nothing written on the winbind debug
>>>
>>> Nir
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>> Sent: Monday, July 03, 2006 2:31 PM
>>> To: Nir Barkan
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> looks good, but the log isn´t very informative.
>>>
>>> what does now "id EU15\\test1" on the member server say?
>>> winbindd has to allocate an uidnumber for this user.
>>>
>>> greez
>>>
>>>
>>>
>>> Nir Barkan wrote:
>>>> Now I don't have idmap errors, but the user from the trusted domain
> still
>>>> can't connect, this is what the debug logs when the user from the
> trusted
>>>> domain tries to connect:
>>>>
>>>> Added domain EU15 wineur.EU15.com
>> S-1-5-21-2139401007-2349514585-891123631
>>>> [    0]: request interface version
>>>> [    0]: request location of privileged pipe
>>>> [    0]: domain_info [EU15]
>>>> [ 8520]: Get DC name for EU15
>>>> cm_get_ipc_userpass: No auth-user defined
>>>> Doing spnego session setup (blob length=122)
>>>> got OID=1 2 840 48018 1 2 2
>>>> got OID=1 2 840 113554 1 2 2
>>>> got OID=1 2 840 113554 1 2 2 3
>>>> got OID=1 3 6 1 4 1 311 2 2 10
>>>> got principal=eur-dc04-lon$@WINEUR.EU15.COM
>>>> Doing kerberos session setup
>>>> Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28
>>> IDT
>>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind
>>>> request returned ok.
>>>> rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind
>>>> request returned ok.
>>>> lsa_io_sec_qos: length c does not match size 8
>>>> [    0]: pam auth crap domain: [EU15] user: test1
>>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>> [    0]: request interface version
>>>> [    0]: request location of privileged pipe
>>>> [    0]: domain_info [EU15]
>>>> [    0]: pam auth crap domain: [EU15] user: test1
>>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>> [    0]: request interface version
>>>> [    0]: request location of privileged pipe
>>>> [    0]: domain_info [EU15]
>>>> [    0]: pam auth crap domain: [EU15] user: test1
>>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>> [    0]: request interface version
>>>> [    0]: request location of privileged pipe
>>>> [    0]: domain_info [EU15]
>>>> [    0]: pam auth crap domain: [EU15] user: test1
>>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>> [    0]: domain_info [EU15]
>>>> [    0]: pam auth crap domain: [EU15] user: test1
>>>> [ 8520]: pam auth crap domain: EU15 user: test1
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>> Sent: Monday, July 03, 2006 1:19 PM
>>>> To: Nir Barkan
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>> for trusted domains to work you have to use either tdbsam or ldap 
>>>> backend. don´t know whether ad works, though.
>>>>
>>>> this should work for you:
>>>> #	idmap backend =		# please comment out for tdbsam
>>>> 	idmap uid = 10000-100000
>>>> 	idmap gid = 10000-100000
>>>>          winbind use default domain = Yes	# your choice
>>>>          winbind trusted domains only = no	# must
>>>>          allow trusted domains = yes		# must
>>>>
>>>>
>>>> greez
>>>>
>>>>
>>>> Nir Barkan wrote:
>>>>> I tried all the combinations on the "idmap backend" line and still have
>>>>> errors.
>>>>>
>>>>> What is the exact "idmap backend" line that I should add to my smb.conf
>>>> file
>>>>> when "ITGIL" = my domain and "EU15" = my trusted domain?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nir
>>>>>
>>>>> -----Original Message-----
>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>> Sent: Monday, July 03, 2006 11:22 AM
>>>>> To: Nir Barkan
>>>>> Cc: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>
>>>>> :)
>>>>>
>>>>>  > idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>>> this is not correct semantic ;)
>>>>>
>>>>> example:
>>>>> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>>>>>
>>>>> this should work
>>>>>
>>>>> greez
>>>>>
>>>>>
>>>>> Nir Barkan wrote:
>>>>>> I added the idmap backend to my smb.conf as you suggested
>>>>>>
>>>>>>
>>>>>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>>>>>
>>>>>> I get the following (on the winbind debug):
>>>>>>
>>>>>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>>>>>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so':
>>>> ld.so.1:
>>>>>> ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open
>>>> failed:
>>>>>> No such file or directory
>>>>>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>>>>>> Could not init idmap -- netlogon proxy only
>>>>>>
>>>>>> The idmap directory exists; do I need to run something manually?
>>>>>>
>>>>>> P.S
>>>>>>
>>>>>> ITGIL = my domain
>>>>>> EU15 = my trusted domain
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Nir
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>>> Sent: Sunday, July 02, 2006 9:46 PM
>>>>>> To: Nir Barkan
>>>>>> Cc: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>
>>>>>> you should do something like
>>>>>>
>>>>>> idmap backend =
>> "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>>>>> as i already wrote in a posting before. this won't work with
> idmap_rid,
>>>>>> but with all other backend.
>>>>>> i think you can stay with "winbind trusted domains only".
>>>>>>
>>>>>> you should also run winbindd in interactive mode and debug level 3.
>>>>>> then you should see something like "init idmap backend for DOMAIN 
>>>>>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>>>>>
>>>>>> greez
>>>>>>
>>>>>>
>>>>>> Nir Barkan wrote:
>>>>>>> Id test1 not working
>>>>>>>
>>>>>>> Wbinfo -u return DomainName username (EUROPE test1)
>>>>>>>
>>>>>>> The user is from trusted domain 
>>>>>>>
>>>>>>> I defined idmap uid = 10000-2000 and  idmap gid = 10000-20000 on my
>>>>>>> smb.conf, Do I need to define something more?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Nir
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>>>> Sent: Friday, June 30, 2006 4:12 PM
>>>>>>> To: Nir Barkan
>>>>>>> Cc: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>>
>>>>>>>  > Id test1 not working
>>>>>>> but wbinfo -u shows it?
>>>>>>> if so you have a problem with with mapping samba accounts to unix
>>>>>> accounts.
>>>>>>> is it a user from a trusted domain (to get back to the thread title)?
>>>>>>>
>>>>>>>  > My dc is windows 2003 DC, do I need to install something on it?
>>>>>>> no
>>>>>>>
>>>>>>> greez
>>>>>>>
>>>>>>> Nir Barkan wrote:
>>>>>>>
>>>>>>>> Id test1 not working
>>>>>>>>
>>>>>>>> I tried without "winbind trusted domains only = Yes" and got the
> same
>>>>>>>> results.
>>>>>>>>
>>>>>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>>>>>
>>>>>>>> P.S
>>>>>>>>
>>>>>>>> Thanks much for your help :-)
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de] 
>>>>>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>>>>>> To: Nir Barkan
>>>>>>>> Cc: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>>>>>
>>>>>>>>
>>>>>>>>> "Id <username_from_local_domain_without_prefix_domainname" give me
>>> the
>>>>>>>> user
>>>>>>>>
>>>>>>>>> uid and gid.
>>>>>>>> good
>>>>>>>>
>>>>>>>> some further questions:
>>>>>>>> - does "id test1" work?
>>>>>>>> - why did you set "winbind trusted domains only = Yes"
>>>>>>>>
>>>>>>>> for trusted domains to work, you have to use winbind on your DC.
>>>>>>>> furthermore on each member server you have to specify an idmap range
>>>> for
>>>>>>>> each domain, like
>>>>>>>>
>>>>>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>>>>>
>>>>>>>> greez
>>>>>>>>
>>>>>>>>
>>>>>>>>
> 

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399



More information about the samba mailing list