[Samba] ADS / Domain problems
Kelley, Tim
Tim.Kelley at mms.gov
Wed May 24 12:20:59 GMT 2006
I have some serious problems with Samba 3.0.21c ...
Samba is configured "security = ads" and I am also using winbind so that
the AD accounts also exist on the unix system.
"wbinfo -t" succeeds, and "wbinfo -m" gives a list of the trusted
domains. However, the only users this system knows about are the ones in
the primary domain, i.e., the one set by "workgroup = " in smb.conf.
"wbinfo -u --domain OTHER" does not work, where "OTHER" is a trusted
domain. (This worked fine with "security = domain", BTW). "password
server" is set to "*".
"wbinfo -u --domain OTHER" returns "Error looking up domain users"
"wbinfo --domain-info=OTHER" returns "Could not get domain info"
All this works fine for the primary domain.
The ADS side is all Windows; Unix systems running Samba are all either
domain members or ADS.
As far as I can tell, Kerberos works fine, and
"kinit user@BLAH.SOME.OTHER.REALM" works fine and I get a ticket.
Whenever a user from a foreign domain tries to access a share on the
samba server, I get:
[2006/05/23 14:13:43, 3] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Ticket name is [someuser@SOME.OTHER.REALM]
[2006/05/23 14:13:43, 3] smbd/sesssetup.c:reply_spnego_kerberos(224)
  Ticket for foreign realm someuser@SOME.OTHER.REALM
[2006/05/23 14:13:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(303)
  Username OTHER+curranj is invalid on this system
[2006/05/23 14:13:43, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(308) cmd=115 (SMBsesssetupX)
  NT_STATUS_LOGON_FAILURE
I'm not sure what is wrong here ...
The output (sanitized) of testparm -v can be found at:
http://pastebin.com/734897
It should be there until June 24 06.
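
Added example (not part of the original post and not Samba code): a small Python parser for the smbd log excerpt above, pairing each header line with its message and reporting session setups where a Kerberos ticket was presented but the mapped Unix name did not resolve. The function names are hypothetical, the sample log is reconstructed from the post with "@" restored where the list archive wrote " at ", and the header-plus-message layout is assumed from that excerpt.

```python
import re

# Constructed sample: the level-3 smbd excerpt quoted in the post ("@" restored).
# Assumption: each record is a "[timestamp, level] source" header plus message lines.
SAMPLE_LOG = """\
[2006/05/23 14:13:43, 3] smbd/sesssetup.c:reply_spnego_kerberos(202)
  Ticket name is [someuser@SOME.OTHER.REALM]
[2006/05/23 14:13:43, 3] smbd/sesssetup.c:reply_spnego_kerberos(224)
  Ticket for foreign realm someuser@SOME.OTHER.REALM
[2006/05/23 14:13:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(303)
  Username OTHER+curranj is invalid on this system
[2006/05/23 14:13:43, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(308) cmd=115 (SMBsesssetupX)
  NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), +(?P<level>\d+)\] (?P<src>\S+)$")

def parse_records(text):
    """Group each header line with the (possibly wrapped) message that follows it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def failed_foreign_logons(text):
    """Return one entry per Kerberos session setup whose mapped Unix name was invalid."""
    failures, cur = [], None
    for rec in parse_records(text):
        msg = rec["msg"]
        if m := re.match(r"Ticket name is \[(.+)@(.+)\]$", msg):
            cur = {"time": rec["ts"], "principal": m[1], "realm": m[2],
                   "foreign": False, "unix_name": None, "status": None}
        elif cur is None:
            continue  # message outside a Kerberos session setup
        elif msg.startswith("Ticket for foreign realm"):
            cur["foreign"] = True
        elif m := re.match(r"Username (\S+) is invalid on this system$", msg):
            cur["unix_name"] = m[1]  # the DOMAIN+user name smbd tried to look up
        elif m := re.search(r"\b(NT_STATUS_\w+)$", msg):
            cur["status"] = m[1]
            if cur["unix_name"]:
                failures.append(cur)
            cur = None
    return failures
```

Calling failed_foreign_logons(SAMPLE_LOG) yields a single entry for realm SOME.OTHER.REALM with unix_name "OTHER+curranj", the name to check against the winbind lookups for the trusted domain.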