[Samba] Winbind authenticating its default domain but not trusted domains

Thomas Munn symgryph at gmail.com
Tue May 16 14:43:27 GMT 2006


Dear Samba Team/Readers:

I have been reading the mailing lists looking for a solution to a particular
problem that I am having:

The Setup:

CentOS 4.3 (Red Hat Enterprise Server clone) running Kerberos, Samba version
3.0.10-1.4E.2, 32-bit system.  Running the stock kernel 2.6.9-22.  I am
authenticating to a Windows 2003 Server, Standard Edition, with all service
packs and patches applied.  I am using winbind and AD integration to allow
Linux workstations to authenticate to our NT domains.

What Works:

I have two 'realms' here.com and corp.here.com, which correspond to the
domains of 'here' and 'corp', respectively.  Corp trusts 'here'.

If the Linux box is a member of 'corp', people from the corp domain can log in
fine.

What Doesn't work

But people in the 'trusted' domain 'here' cannot log in.  The system reports
the user as not existing.

I tried changing the smb.conf and the krb5.conf files to use the 'here' domain,
e.g. here.com, while logging into the corp.here.com domain controller.  It
worked miserably; nothing worked.  I also listed my 'trusted domains' using the
wbinfo command, and it lists corp as being trusted.  I also have
'allow trusted domains = yes' and 'winbind use default domain = yes' (tried no
on this with NO luck!).

I have looked at the list, and I saw a recent flame war in which an
individual seemed to be trying to do what I am, and he was told politely
that he 'should seek help elsewhere'.  I am not sure exactly if my problem
corresponds to his, but I list it to prove that I have at least tried
reading the list.  I haven't included all of the .conf files, for brevity, but
will include the relevant parts of the files:

---------------

nsswitch.conf is setup to use winbind

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
protocols:  files winbind
services:   files winbind
netgroup:   files winbind
automount:  files winbind

-----------------

My krb5.conf file

[libdefaults]
 default_realm = CORP.HERE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CORP.HERE.COM = {
  kdc = server1.corp.here.com:88
  admin_server = server1.corp.here.com:749
  default_domain = corp.here.com
 }

[domain_realm]
 .corp.here.com = CORP.HERE.COM
 corp.here.com = CORP.HERE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

----------------

Finally, the [global] section of my smb.conf file:

[global]

   workgroup = CORP
   netbios name=MYCOMPUTER
   server string = Samba Server
   printcap name = /etc/printcap
   load printers = yes
   cups options = raw
   log file = /var/log/samba/%m.log
   max log size = 50
   security = ads
   realm=CORP.HERE.COM
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   allow trusted domains = Yes
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   pam password change = yes
   obey pam restrictions = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind use default domain = yes
   winbind separator = #
   winbind enum users = yes
   winbind enum groups = yes
   template shell=/bin/bash
   template homedir = /home/%U

-----------------

Lastly, my system-auth file from my /etc/pam.d directory:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0027
session     optional      /lib/security/$ISA/pam_krb5.so
------------

I thank you for your time and patience.

Sincerely,

Thomas J. Munn


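An added example, not part of the original post and not code from the Samba project: a small POSIX shell script that reads the winbind settings from the [global] section of an smb.conf and prints the name a user from a given domain has to type at the login prompt, then checks a `wbinfo -m` listing for the trusted domain. The point it illustrates is that `winbind use default domain = yes` only drops the domain prefix for users of the workgroup's own domain (CORP above); users from a trusted domain still have to be named with the prefix and the configured separator, so a user jdoe from HERE is `HERE#jdoe` with the separator in the configuration above (Samba's default separator is a backslash). The smb.conf contents, the `wbinfo -m` output and the user name jdoe are constructed sample data, and `smb_get`, `winbind_login_name` and `trusted_domain_listed` are helper names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Works out the login name winbind expects for a user of a given domain, from
# the [global] winbind settings of an smb.conf, and checks a 'wbinfo -m'
# listing for a trusted domain.  Helper names are chosen for this example.

# smb_get CONF PARAM: print the value of PARAM from the [global] section.
# Parameter names are matched case-insensitively, comment lines (# or ;) are
# skipped and other sections ([homes], [printers], ...) are ignored.
smb_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
        sec == "[global]" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) print v
        }' "$1"
}

# winbind_login_name CONF DOMAIN USER: print the name to give at the login
# prompt.  With 'winbind use default domain = yes' only the workgroup's own
# users drop the prefix; trusted-domain users keep DOMAIN<separator>user.
winbind_login_name() {
    wg=$(smb_get "$1" workgroup | tr 'a-z' 'A-Z')
    sep=$(smb_get "$1" "winbind separator")
    [ -n "$sep" ] || sep='\'          # Samba's default separator is a backslash
    usedef=$(smb_get "$1" "winbind use default domain" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    case "$usedef" in yes|true|1) isdefault=1 ;; *) isdefault=0 ;; esac
    if [ "$isdefault" = 1 ] && [ "$dom" = "$wg" ]; then
        printf '%s\n' "$3"
    else
        printf '%s%s%s\n' "$dom" "$sep" "$3"
    fi
}

# trusted_domain_listed WBINFO_M_OUTPUT DOMAIN: succeed if DOMAIN appears in
# the one-per-line output of 'wbinfo -m', compared case-insensitively.
trusted_domain_listed() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z' | grep -qxF "$(printf '%s' "$2" | tr 'a-z' 'A-Z')"
}

# Constructed sample smb.conf mirroring the winbind settings of the post.
SAMPLE_CONF=${TMPDIR:-/tmp}/winbind-example.$$.conf
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real server configuration
[global]
   workgroup = CORP
   realm = CORP.HERE.COM
   security = ads
   allow trusted domains = Yes
   winbind use default domain = yes
   winbind separator = #
[homes]
   read only = no
EOF

# Constructed 'wbinfo -m' output for a member of CORP whose domain trusts HERE.
SAMPLE_WBINFO_M='BUILTIN
MYCOMPUTER
HERE'

for d in CORP HERE; do
    printf '%-4s user jdoe logs in as: %s\n' "$d" "$(winbind_login_name "$SAMPLE_CONF" "$d" jdoe)"
done
if trusted_domain_listed "$SAMPLE_WBINFO_M" HERE; then
    echo "HERE is listed by wbinfo -m; trusted-domain lookups should reach winbindd"
else
    echo "HERE is not listed by wbinfo -m; check the trust before looking at idmap or NSS"
fi
```

On the real host, compare the output of `wbinfo -m` with the trusted domain's name, then try `wbinfo -n 'HERE#jdoe'` (a name lookup answered by winbindd) next to `getent passwd 'HERE#jdoe'` (the NSS path that login and PAM use). If the first answers and the second does not, the problem points at the nss_winbind/idmap side rather than at the trust itself; if `wbinfo -n` already fails, the trust or the domain enumeration is where to look. Note that the krb5.conf above only maps corp.here.com to a realm, so Kerberos tickets for HERE users depend on `dns_lookup_kdc`/`dns_lookup_realm` finding the HERE.COM KDCs.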