[Samba] Authenticate users through an AD trust

Josh josh2780 at yahoo.com
Fri Jul 14 12:40:14 GMT 2006 

I've recently connected a Samba server to our domain
(ourdomain.dom) and configured it to send
authentication requests to AD.  I can successfully
authenticate ourdomain.com users from the Samba
server.

ourdomain.com has a trust with a sister company
(theirdomain.com). With this trust we can assign NTFS
permissions to users within theirdomain.com to, for
example, file servers on ourdomain.com.  We also have
numerous groups on ourdomain.com that include many
users from theirdomain.com.

The Samba server does not have access (due to a
firewall on theirdomain.com) to send auth reqeusts
directly to DCs on theirdomain.com.  However,
ourdomain.com DCs can query theirdomain.com DCs (that
hole has been punched).  In addition, our XP machines
can see and select theirdomain.com from the windows
login dropdown and authenticate with a theirdomain.com
user -- since the machines are "connected" to
ourdomain.com the auth request is sent through our DCs
to theirdomain.com.

I'm attempting to do something simliar with Samba:
allow users from theirdomain.com to authenticate even
though the Samba server is "connected" to
ourdomain.com (thus, the auth requests will flow
through ourdomain.com DCs to theirdomain.com DCs). 
However, it doesn't appear to be working.

Here's the [global] section from smb.conf:

[global]
workgroup = OURDOMAIN
realm = OURDOMAIN.COM
preferred master = no
server string = Samba Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000

And here's my krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OURDOMAIN.COM

[realms]
 THEIRDOMAIN.COM = {
  kdc = dc1.ourdomain.com
 }
 OURDOMAIN.COM = {
  kdc = dc1.ourdomain.com
 }

[domain_realms]
 .kerberos.server = OURDOMAIN.COM


I've been testing authentication by using:

> kinit tester at MYDOMAIN.COM
This asks me for a password and then successfully
authenticates.

> kinit someuser at THEIRDOMAIN.COM
This gives me the following error:
kinit(v5): KRB5 error code 68 while getting initial
credentials


Sorry this is so long winded... I wanted to be sure to
give you the whole scenario.  Thanks for any
assistance you can offer.

Josh



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the samba mailing list