[Samba] Samba and trusted domains
Nir Barkan
nirb at itgil.com
Mon Jul 3 11:26:08 GMT 2006
Now I don't have idmap errors, but the user from the trusted domain still
can't connect. This is what the debug log shows when the user from the trusted
domain tries to connect:
Added domain EU15 wineur.EU15.com S-1-5-21-2139401007-2349514585-891123631
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 8520]: Get DC name for EU15
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=122)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=eur-dc04-lon$@WINEUR.EU15.COM
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Tue, 04 Jul 2006 00:07:28 IDT
rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xe bind
request returned ok.
rpc_pipe_bind: Remote machine EUR-DC04-LON pipe \lsarpc fnum 0xf bind
request returned ok.
lsa_io_sec_qos: length c does not match size 8
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
[ 0]: domain_info [EU15]
[ 0]: pam auth crap domain: [EU15] user: test1
[ 8520]: pam auth crap domain: EU15 user: test1
-----Original Message-----
From: Michael Gasch [mailto:gasch at eva.mpg.de]
Sent: Monday, July 03, 2006 1:19 PM
To: Nir Barkan
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba and trusted domains
for trusted domains to work you have to use either tdbsam or ldap
backend. don't know whether ad works, though.
this should work for you:
# idmap backend = # please comment out for tdbsam
idmap uid = 10000-100000
idmap gid = 10000-100000
winbind use default domain = Yes # your choice
winbind trusted domains only = no # must
allow trusted domains = yes # must
greez
Nir Barkan wrote:
>
> I tried all the combinations on the "idmap backend" line and still have
> errors.
>
> What is the exact "idmap backend" line that I should add to my smb.conf file
> when "ITGIL" = my domain and "EU15" = my trusted domain?
>
> Thanks,
>
> Nir
>
> -----Original Message-----
> From: Michael Gasch [mailto:gasch at eva.mpg.de]
> Sent: Monday, July 03, 2006 11:22 AM
> To: Nir Barkan
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba and trusted domains
>
> :)
>
> > idmap backend = ITGIL=10000-19999,EU15=20000-30000
> this is not correct semantic ;)
>
> example:
> idmap backend = rid:"BUILTIN=1000-1999,DOMNAME=2000-100000000"
>
> this should work
>
> greez
>
>
> Nir Barkan wrote:
>> I added the idmap backend to my smb.conf as you suggested
>>
>>
>> idmap backend = ITGIL=10000-19999,EU15=20000-30000
>>
>> I get the following (on the winbind debug):
>>
>> idmap_init: using 'ITGIL=10000-19999' as remote backend
>> Error loading module '/opt/local/lib/idmap/ITGIL=10000-19999.so': ld.so.1:
>> ./winbindd: fatal: /opt/local/lib/idmap/ITGIL=10000-19999.so: open failed:
>> No such file or directory
>> idmap_init: could not load remote backend 'ITGIL=10000-19999'
>> Could not init idmap -- netlogon proxy only
>>
>> The idmap directory exists; do I need to run something manually?
>>
>> P.S
>>
>> ITGIL = my domain
>> EU15 = my trusted domain
>>
>> Thanks,
>>
>> Nir
>>
>>
>> -----Original Message-----
>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>> Sent: Sunday, July 02, 2006 9:46 PM
>> To: Nir Barkan
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba and trusted domains
>>
>> you should do something like
>>
>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAINNAME=20000-100000000"
>>
>> as i already wrote in a posting before. this won't work with idmap_rid,
>> but with all other backend.
>> i think you can stay with "winbind trusted domains only".
>>
>> you should also run winbindd in interactive mode and debug level 3.
>> then you should see something like "init idmap backend for DOMAIN
>> MYDOMAIN, init idmap backend for DOMAIN TRUSTEDDOMAINNAME"
>>
>> greez
>>
>>
>> Nir Barkan wrote:
>>> Id test1 not working
>>>
>>> wbinfo -u returns DomainName username (EUROPE test1)
>>>
>>> The user is from trusted domain
>>>
>>> I defined idmap uid = 10000-2000 and idmap gid = 10000-20000 on my
>>> smb.conf. Do I need to define something more?
>>>
>>> Thanks,
>>>
>>> Nir
>>>
>>> -----Original Message-----
>>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>>> Sent: Friday, June 30, 2006 4:12 PM
>>> To: Nir Barkan
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba and trusted domains
>>>
>>> > Id test1 not working
>>> but wbinfo -u shows it?
>>> if so you have a problem with mapping samba accounts to unix accounts.
>>> is it a user from a trusted domain (to get back to the thread title)?
>>>
>>> > My dc is windows 2003 DC, do I need to install something on it?
>>> no
>>>
>>> greez
>>>
>>> Nir Barkan wrote:
>>>
>>>> Id test1 not working
>>>>
>>>> I tried without "winbind trusted domains only = Yes" and got the same
>>>> results.
>>>>
>>>> My dc is windows 2003 DC, do I need to install something on it?
>>>>
>>>> P.S
>>>>
>>>> Thanks much for your help :-)
>>>>
>>>> -----Original Message-----
>>>> From: Michael Gasch [mailto:gasch at eva.mpg.de]
>>>> Sent: Thursday, June 29, 2006 1:19 PM
>>>> To: Nir Barkan
>>>> Cc: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba and trusted domains
>>>>
>>>>
>>>>> "Id <username_from_local_domain_without_prefix_domainname" gives me the user
>>>>> uid and gid.
>>>> good
>>>>
>>>> some further questions:
>>>> - does "id test1" work?
>>>> - why did you set "winbind trusted domains only = Yes"
>>>>
>>>> for trusted domains to work, you have to use winbind on your DC.
>>>> furthermore on each member server you have to specify an idmap range for
>>>> each domain, like
>>>>
>>>> idmap backend = "MYDOMAIN=10000-19999,TRUSTEDDOMAIN=20000-100000000"
>>>>
>>>> greez
>>>>
>>>>
>>>>
>>
>>
>>
>
--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399
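As an added example (not part of the thread and not Samba's own code): a small Python checker for the per-domain "idmap backend" layout discussed above, run against a constructed smb.conf fragment with the range mistakes from the thread beside a consistent one. It assumes that each domain's range must lie inside "idmap uid"/"idmap gid", that domain ranges must not overlap, and that a reversed range such as 10000-2000 is an error.

```python
import re

# Constructed smb.conf fragments (not from any real server). The per-domain
# range form of "idmap backend" follows the thread; the three rules checked
# (inside idmap uid/gid, no overlap, low <= high) are this example's assumptions.
SMB_CONF_WEAK = """
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = "ITGIL=10000-19999,EU15=20000-100000000"
"""
SMB_CONF_FIXED = """
idmap uid = 10000-100000
idmap gid = 10000-100000
idmap backend = "ITGIL=10000-19999,EU15=20000-100000"
"""

def parse_range(text):
    """Parse 'LOW-HIGH'; reject the reversed '10000-2000' form."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text)
    if not m:
        raise ValueError("bad range: %r" % text)
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("reversed range: %r" % text)
    return lo, hi

def parse_smb_conf(text):
    """Minimal key/value reader: first '=' splits, '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params

def parse_domain_ranges(backend):
    """Accept both 'DOM=lo-hi,...' and 'rid:"DOM=lo-hi,..."' spellings."""
    m = re.fullmatch(r'(?:\w+:)?"?([^"]*)"?', backend.strip())
    ranges = {}
    for item in m.group(1).split(","):
        dom, _, rng = item.partition("=")
        ranges[dom.strip()] = parse_range(rng)
    return ranges

def check_idmap(params):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems, seen = [], []
    bounds = {k: parse_range(params[k]) for k in ("idmap uid", "idmap gid")}
    for dom, (lo, hi) in parse_domain_ranges(params["idmap backend"]).items():
        for key, (blo, bhi) in bounds.items():
            if lo < blo or hi > bhi:
                problems.append("%s %d-%d outside %s %d-%d" % (dom, lo, hi, key, blo, bhi))
        for odom, (olo, ohi) in seen:  # half-open overlap test on closed ranges
            if lo <= ohi and olo <= hi:
                problems.append("%s overlaps %s" % (dom, odom))
        seen.append((dom, (lo, hi)))
    return problems
```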