[Samba] Winbind authenticating its default domain but not trusted domains

Thomas Munn symgryph at gmail.com
Tue May 16 14:43:27 GMT 2006

Dear Samba Team/Readers:

I have been reading the mailing lists looking for a solution to a particular
problem that I am having:

The Setup:

CentOS 4.3 (Red Hat Enterprise Server clone) running Kerberos, Samba version
3.0.10-1.4E.2, 32-bit system.  Running stock kernel 2.6.9-22.  I am
authenticating to a Windows 2003 server, Standard Edition, with all service
packs and patches applied.  I am using winbind and AD integration to allow
Linux workstations to authenticate to our NT domains.

What Works:

I have two 'realms' here.com and corp.here.com, which correspond to the
domains of 'here' and 'corp', respectively.  Corp trusts 'here'.

If the Linux box is a member of 'corp', people from the corp domain can log in.

What Doesn't Work:

But people in the 'trusted' domain 'here' cannot log in.  The system reports
the user as not existing.

I tried changing the smb.conf and the krb5.conf files to use 'here' domain,
e.g. here.com while logging into corp.here.com domain controller.  It worked
miserably, nothing worked.  I also listed my 'trusted domains' using the
wbinfo command, and it lists corp as being trusted.  I also have the allow
trusted domains = yes and the use default domains = yes (tried no on this
with NO luck!).

I have looked at the list, and I saw a recent flame war in which an
individual seemed to be trying to do what I am, and he was told politely
that he 'should seek help elsewhere'.  I am not sure exactly if my problem
corresponds to his, but I list it to prove that I have at least tried
reading the list.  I haven't included all of the .conf files, for brevity, but
will include the relevant parts of the files:


nsswitch.conf is set up to use winbind

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
protocols:  files winbind
services:   files winbind
netgroup:   files winbind
automount:  files winbind


My krb5.conf file

[libdefaults]
 default_realm = CORP.HERE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CORP.HERE.COM = {
  kdc = server1.corp.here.com:88
  admin_server = server1.corp.here.com:749
  default_domain = corp.here.com
 }

[domain_realm]
 .corp.here.com = CORP.HERE.COM
 corp.here.com = CORP.HERE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


Finally, the [global] section of my smb.conf file:

[global]
   workgroup = CORP
   netbios name=MYCOMPUTER
   server string = Samba Server
   printcap name = /etc/printcap
   load printers = yes
   cups options = raw
   log file = /var/log/samba/%m.log
   max log size = 50
   security = ads
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   allow trusted domains = Yes
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n
   pam password change = yes
   obey pam restrictions = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind use default domain = yes
   winbind separator = #
   winbind enum users = yes
   winbind enum groups = yes
   template shell=/bin/bash
   template homedir = /home/%U


Lastly, my system-auth file from my /etc/pam.d directory

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
account     [default=bad success=ok user_unknown=ignore]
account     [default=bad success=ok user_unknown=ignore]
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/
session     optional      /lib/security/$ISA/pam_krb5.so

I thank you for your time and patience.


Thomas J. Munn
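Added example, not from the original post: a POSIX sh script that derives the account name winbind will resolve under the smb.conf above (a bare name only for the joined workgroup when 'winbind use default domain = yes'; DOMAIN#user for a user from a trusted domain) and then runs the wbinfo and getent lookups an admin uses to confirm that a trusted-domain account is visible to NSS before suspecting PAM. The SMB_CONF variable, the function names and the HERE/jdoe sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Derives the login name form that
# winbind expects for the smb.conf settings above, then runs the lookups an
# admin uses to check that a trusted-domain user resolves via winbind and NSS.

# winbind_login_name WORKGROUP SEPARATOR USE_DEFAULT_DOMAIN DOMAIN USER
# With "winbind use default domain = yes" only users of the joined domain may be
# named bare; a trusted-domain user must be DOMAIN<separator>USER, otherwise
# winbind looks for the bare name in WORKGROUP and reports it as non-existent.
winbind_login_name() {
    workgroup=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    sep=$2; user=$5
    use_default=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    domain=$(printf '%s' "$4" | tr '[:lower:]' '[:upper:]')
    case "$use_default" in
        yes|true|1) [ "$domain" = "$workgroup" ] && { printf '%s\n' "$user"; return 0; } ;;
    esac
    printf '%s%s%s\n' "$domain" "$sep" "$user"
}

# smb_global PARAM FILE: value of a parameter from smb.conf. Parameter names are
# case- and whitespace-insensitive in smb.conf, so normalise before comparing.
smb_global() {
    want=$(printf '%s' "$1" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
        case "$key" in "#"*|";"*) continue ;; esac   # commented-out parameter
        if [ "$key" = "$want" ]; then
            printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
            return 0
        fi
    done < "$2"
    return 1
}

# check_trusted_user DOMAIN USER: qualify the name per smb.conf, then query
# winbindd directly (wbinfo) and through NSS (getent), the path login/PAM uses.
check_trusted_user() {
    conf=${SMB_CONF:-/etc/samba/smb.conf}   # assumed location of smb.conf
    name=$(winbind_login_name "$(smb_global workgroup "$conf")" \
        "$(smb_global 'winbind separator' "$conf")" \
        "$(smb_global 'winbind use default domain' "$conf")" "$1" "$2")
    wbinfo -m               # domains winbindd trusts; the trusted domain must be listed
    wbinfo -t               # is the machine trust account secret still valid?
    wbinfo -n "$name"       # name -> SID resolved by winbindd itself
    getent passwd "$name"   # NSS lookup; no output here means "user does not exist" at login
}

if [ $# -eq 2 ]; then check_trusted_user "$1" "$2"; fi   # e.g. sh script.sh HERE jdoe
```

With the settings in the post, a user from the trusted 'here' domain must be looked up and must log in as HERE#user, while corp users keep the bare name.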

