[Samba] Winbind authentication over transitive trusts between multiple W2k3 Domains
Sandra.Geigenmueller at kion-ims.com
Fri Oct 5 08:07:07 GMT 2007
Hello,
We use Samba 3.0.22 with MIT Kerberos and winbind on Ubuntu edgy in a
Windows 2003 ADS environment. Everything works fine, like kinit, net ads
join, getting the domain accounts from our own and other domains, but one
important thing fails: obviously winbind cannot resolve name to SID when
the account is in another domain where there is only a transitive trust, not a
direct one.
Let's say there are 3 AD domains in one tree: NIRVANA.ROM as top,
CA.NIRVANA.ROM and PO.NIRVANA.ROM as 2 child domains. Our Samba server
IDEFIX is in domain PO.
Our configuration ...
krb5.conf:
[libdefaults]
default_realm = PO.NIRVANA.ROM
ticket_lifetime = 36000
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 300
[realms]
CA.NIRVANA.ROM = {
kdc = castor.ca.nirvana.rom
admin_server = castor.ca.nirvana.rom
default_domain = CA
}
PO.NIRVANA.ROM = {
kdc = pollux.po.nirvana.rom
admin_server = pollux.po.nirvana.rom
default_domain = PO
}
NIRVANA.ROM = {
kdc = thor.nirvana.rom
admin_server = thor.nirvana.rom
default_domain = NIRVANA
}
[domain_realm]
.ca.nirvana.rom = CA.NIRVANA.ROM
ca.nirvana.rom = CA.NIRVANA.ROM
.po.nirvana.rom = PO.NIRVANA.ROM
po.nirvana.rom = PO.NIRVANA.ROM
.nirvana.rom = NIRVANA.ROM
nirvana.rom = NIRVANA.ROM
smb.conf:
[global]
workgroup = PO
security = ADS
realm = PO.NIRVANA.ROM
netbios name = IDEFIX
password server = *
idmap uid = 10000-200000
idmap gid = 10000-200000
template shell = /bin/false
allow trusted domains = Yes
winbind trusted domains only = No
winbind use default domain = No
winbind nested groups = Yes
winbind separator = +
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
client use spnego = yes
...
wbinfo -t says ok
wbinfo --sequence gets sequence numbers for all 3 domains
wbinfo -u gets all accounts from all 3 domains with the correct prefix
getent passwd looks like wbinfo -u
But users from the other child domain cannot be authenticated. We traced
it down to the name-to-sid function.
wbinfo -n PO+administrator
> S-1-5-21-1669369028-1636446635-1573960127-500 User (1)
wbinfo -n NIRVANA+administrator
> S-1-5-21-1755308885-1021831964-821464085-500 User (1)
wbinfo -n CA+administrator
> Could not lookup name CA+administrator
winbindd with debug level 7 shows this:
...
00001c smb_io_dom_rid2
001c type : 08
0020 rid : 00000000
0024 rid_idx: ffffffff
0028 mapped_count: 00000000
002c status : NT_STATUS_NONE_MAPPED
lookup_name returned an error
lookupname returned an error
While the other queries show NT_STATUS_OK and mapped_count 1 and so on.
The only way we could make it work was to build a shortcut trust between
the 2 child domains CA and PO, but since we have more than 3 domains in our
production environment, it wouldn't be quite a nice solution.
Has anybody seen this behavior too? Is that really a bug or a missing
feature in the current Samba version? Or do we have a misconfiguration
(I hope)?
Any help would be much appreciated.
Thanks in advance.
With kind regards
Sandra Geigenmüller
KION Information Management Services GmbH, Sitz der Gesellschaft: Wiesbaden, Registergericht: Wiesbaden HRB 22949, USt-Id-Nr. DE 252065348, Geschäftsführung: Helmut Draxler, Holger Pudzich
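The lookups above were done by hand, one domain at a time. The following script is an added example (not part of the original post or of Samba itself) that automates the same check: it takes the trusted-domain list from `wbinfo -m`, runs `wbinfo -n DOMAIN+account` for each domain, and reports which domains resolve the name to a SID and which come back with "Could not lookup name", so a transitively trusted domain that fails like CA above stands out immediately. It assumes winbindd is running, `wbinfo` is on PATH, and the separator is `+` as in the smb.conf above; `sid_from_wbinfo_line` and `probe_name_to_sid` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: probe winbind name-to-SID
# resolution for one account name in every domain winbind reports as trusted.
# Assumes winbindd is running, `wbinfo` is on PATH and the separator is "+"
# (matching "winbind separator = +" in the smb.conf in the post).

SEP='+'

# Extract the SID from a `wbinfo -n` result line such as
#   "S-1-5-21-1669369028-1636446635-1573960127-500 User (1)"
# Prints the SID and returns 0; prints nothing and returns 1 when the line is
# an error message such as "Could not lookup name CA+administrator".
sid_from_wbinfo_line() {
    case "$1" in
        S-1-5-*) printf '%s\n' "${1%% *}"; return 0 ;;
        *) return 1 ;;
    esac
}

# Domain names winbind knows about, one per line (`wbinfo -m` lists the
# trusted domains seen by winbindd).
list_trusted_domains() {
    wbinfo -m 2>/dev/null
}

# Try "DOMAIN<sep>account" in every trusted domain and print one line per
# domain: "DOMAIN ok SID" or "DOMAIN FAIL <wbinfo message>".
# The return value is the number of domains where the lookup failed
# (0 means the name resolved everywhere).
probe_name_to_sid() {
    account="$1"
    fails=0
    for dom in $(list_trusted_domains); do
        # `|| :` keeps a failing wbinfo from aborting the loop under `set -e`
        out=$(wbinfo -n "${dom}${SEP}${account}" 2>&1) || :
        if sid=$(sid_from_wbinfo_line "$out"); then
            printf '%s ok %s\n' "$dom" "$sid"
        else
            printf '%s FAIL %s\n' "$dom" "$out"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage: ./probe.sh administrator
if [ "$#" -gt 0 ]; then
    probe_name_to_sid "$1"
fi
```

A non-zero exit status with one or more FAIL lines for domains that `wbinfo -m` does list is the pattern described in the post: winbind knows the domain exists through the trust but the name-to-SID request for it comes back NT_STATUS_NONE_MAPPED. A domain missing from the list altogether points at the trust enumeration instead, which is a different problem.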