[Samba] InterDomain Trust Issue;
Active directory domain does not return users and groups
Linsey Smeltzer
lsmeltzer at rinehartengineering.com
Thu Aug 21 00:53:14 GMT 2008
I have created a two way Interdomain Trust between a Samba 3.21 Domain and a Windows 2003 Server Domain. I am able to log into the Active Directory domain with my Samba users and I am able to access shares set up in the AD Domain. However, when I attempt to log into the samba domain with a user from the Windows 2003 domain, I get an error saying the username/password is not correct. From the Samba server, I run the command:
Trusted domains list:
POWERTECH S-1-5-21-1030712963-4274246568-774726483
none
Trusting domains list:
POWERTECH S-1-5-21-1030712963-4274246568-774726483
I can also validate both Trusts from the Server 2003 domain.
On the Samba server, I have been able to successfully authenticate Active Directory users using the command:
wbinfo -a 'ADDomain\username'%password
However, when I run wbinfo -u or wbinfo -g, I only get the list of users and groups from the Samba domain. I do not see any of the users or groups from the Active Directory Domain. In the winbindd log after running the command wbinfo -u, I see the following:
[2008/08/20 17:33:37, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
rpc_api_pipe: Remote machine FILESRV pipe \lsarpc fnum 0x4001 returned 408 bytes.
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
out: struct lsa_QueryInfoPolicy2
info : *
info : *
info : union lsa_PolicyInformation(case 12)
dns: struct lsa_DnsDomainInfo
name: struct lsa_StringLarge
length : 0x0012 (18)
size : 0x0014 (20)
string : *
string : 'POWERTECH'
dns_domain: struct lsa_StringLarge
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'powertech.local'
dns_forest: struct lsa_StringLarge
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'powertech.local'
domain_guid : d4dbb4cc-6dca-4701-8715-4875aaf5ce9c
sid : *
sid : S-1-5-21-1030712963-4274246568-774726483
result : NT_STATUS_OK
[2008/08/20 17:33:37, 5] winbindd/winbindd_cm.c:set_dc_type_and_flags_connect(1841)
set_dc_type_and_flags_connect: domain POWERTECH is NOT in native mode.
[2008/08/20 17:33:37, 5] winbindd/winbindd_cm.c:set_dc_type_and_flags_connect(1844)
set_dc_type_and_flags_connect: domain POWERTECH is running active directory.
[2008/08/20 17:33:37, 6] libsmb/clientgen.c:write_socket(236)
write_socket(16,45)
[2008/08/20 17:33:37, 6] libsmb/clientgen.c:write_socket(239)
write_socket(16,45) wrote 45
[2008/08/20 17:33:37, 10] lib/util_sock.c:read_smb_length_return_keepalive(1118)
got smb length of 35
[2008/08/20 17:33:37, 5] lib/util.c:show_msg(645)
[2008/08/20 17:33:37, 5] lib/util.c:show_msg(655)
size=35
smb_com=0x4
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=2049
smb_pid=1767
smb_uid=2049
smb_mid=12
smt_wct=0
smb_bcc=0
[2008/08/20 17:33:37, 10] libsmb/clientgen.c:cli_rpc_pipe_close(567)
cli_rpc_pipe_close: closed pipe \lsarpc to machine FILESRV
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 175/547561
[2008/08/20 17:33:37, 10] lib/events.c:event_add_timed(128)
Added timed event "async_request_timeout": 94f3a90
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 175/547500
[2008/08/20 17:33:37, 10] lib/events.c:timed_event_destructor(65)
Destroying timed event 94f3798 "async_request_timeout"
[2008/08/20 17:33:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2442)
Retrieving response for pid 2155
[2008/08/20 17:33:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2464)
Retrieving extra data length=820
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(193)
listent_recv: RGGNET returned users.
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 175/442396
[2008/08/20 17:33:37, 10] lib/events.c:timed_event_destructor(65)
Destroying timed event 94f3a90 "async_request_timeout"
[2008/08/20 17:33:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2442)
Retrieving response for pid 2452
[2008/08/20 17:33:37, 5] winbindd/winbindd_async.c:listent_recv(465)
list_ent() failed!
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(206)
listent_recv: POWERTECH returned no users.
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 175/430000
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 175/429965
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 175/429916
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 175/374344
[2008/08/20 17:34:07, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 145/380895
[2008/08/20 17:34:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 115/379055
[2008/08/20 17:34:37, 10] lib/events.c:event_add_timed(128)
Added timed event "async_request_timeout": 94dad98
[2008/08/20 17:34:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 115/378721
[2008/08/20 17:34:37, 10] lib/events.c:timed_event_destructor(65)
Destroying timed event 94dad98 "async_request_timeout"
[2008/08/20 17:34:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2442)
Retrieving response for pid 2155
[2008/08/20 17:34:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2464)
Retrieving extra data length=61
[2008/08/20 17:34:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 115/374757
[2008/08/20 17:35:07, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 85/380467
[2008/08/20 17:35:37, 10] lib/events.c:get_timed_events_timeout(318)
timed_events_timeout: 55/379323
It shows the errors:
[2008/08/20 17:33:37, 5] winbindd/winbindd_async.c:listent_recv(465)
list_ent() failed!
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(206)
listent_recv: POWERTECH returned no users.
I see the same errors when running the wbinfo -g command.
Following is my smb.conf file:
# Global parameters
[global]
# Domain Settings
workgroup = rggnet
netbios name = auth1
interfaces = 192.168.134.5
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
name resolve order = wins lmhosts hosts bcast
#Maximum time to live in seconds for a requested NetBIOS Name
# Default is 518400 (6 days)
max wins ttl = 36000
# Specifies the minimum time to live in seconds for NetBIOS names
# given out by Samba as a WINS server; default is 21600(6 hours)
min wins ttl = 14400
obey pam restrictions = No
# passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
passwd program = /usr/sbin/smbldap-passwd %u
ldap passwd sync = Yes
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script =
logon drive =
logon home =
logon path =
# LDAP setup for Winbind for Trust to 2003
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 20000 - 30000
idmap gid = 20000 - 30000
#LDAP Database information
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
ldap admin dn = "cn=Manager,dc=rggnet,dc=com"
ldap suffix = dc=rggnet,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = no
ldap delete dn = Yes
# Scripts to add,delete users, groups and PCs
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -a -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# Add Share Scripts; will not use because removes entries from
# smb.conf file; will add any shares through Linux
#add share command = /usr/local/bin/modify_samba_config.pl
#delete share command = /usr/local/bin/modify_samba_config.pl
#change share command = /usr/local/bin/modify_samba_config.pl
# printers configuration
# printer admin = @"Print Operators",root
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = Yes
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Never
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
Any help resolving this problem would be greatly appreciated.
Thank you.
Linsey Smeltzer
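The post above shows the two artefacts a practitioner has to hand when a trust enumerates nothing: a winbindd debug log with the per-domain `listent_recv` verdict, and the smb.conf of the Samba PDC. The following is an added example, not code from the original post or from the Samba project: a small triage helper that parses both and reports which domain failed enumeration together with the [global] parameters that gate enumeration of trusted domains in Samba 3.x (`allow trusted domains`, `winbind enum users`, `winbind enum groups`, `idmap uid`, `idmap gid`). The helper names are mine; the sample log and config are constructed from the post.

```python
"""Triage helper for a trusted domain that wbinfo -u / -g does not list.

Added example (not from the original post). It parses a winbindd debug
log for the per-domain listent_recv verdict and an smb.conf for the
[global] settings that decide whether winbind will enumerate a trust.
"""
import re

# winbindd at log level 5 reports enumeration results per domain as:
#   listent_recv: RGGNET returned users.
#   listent_recv: POWERTECH returned no users.
_LISTENT_RE = re.compile(r"listent_recv: (\S+) returned (no )?(users|groups)\.")

# Constructed sample log, reduced to the lines the post shows (assumption: constructed).
SAMPLE_LOG = """\
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(193)
listent_recv: RGGNET returned users.
[2008/08/20 17:33:37, 5] winbindd/winbindd_async.c:listent_recv(465)
list_ent() failed!
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(206)
listent_recv: POWERTECH returned no users.
"""

# Constructed smb.conf excerpt with the lines from the post that matter here.
SAMPLE_CONF = """\
# Global parameters
[global]
workgroup = rggnet
netbios name = auth1
security = user
domain logons = Yes
# LDAP setup for Winbind for Trust to 2003
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 20000 - 30000
idmap gid = 20000 - 30000
passdb backend = ldapsam:ldap://127.0.0.1/
; to maintain capital letters in shortcuts
preserve case = yes
"""


def parse_winbind_log(text):
    """Map each domain named in a listent_recv line to {'users'/'groups': bool}."""
    verdicts = {}
    for m in _LISTENT_RE.finditer(text):
        domain, negated, kind = m.group(1), m.group(2), m.group(3)
        verdicts.setdefault(domain, {})[kind] = negated is None
    return verdicts


def normalize_key(key):
    """Samba matches parameter names case-insensitively and ignores embedded spaces."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}; '#' and ';' both start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][normalize_key(key)] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_trust_enum_settings(conf):
    """List [global] settings that can stop winbind from listing a trusted domain."""
    g = conf.get("global", {})
    findings = []
    if "allowtrusteddomains" in g and not is_yes(g["allowtrusteddomains"]):
        findings.append("allow trusted domains = no: winbind ignores trusts entirely")
    for name in ("winbind enum users", "winbind enum groups"):
        key = normalize_key(name)
        if key not in g:
            findings.append(name + " unset: behaviour follows this release's default")
        elif not is_yes(g[key]):
            findings.append(name + " = no: wbinfo will not list that kind at all")
    for name in ("idmap uid", "idmap gid"):
        if normalize_key(name) not in g:
            findings.append(name + " missing: trusted-domain SIDs cannot be mapped to ids")
    return findings


def triage(log_text, conf_text):
    """Domains whose enumeration failed, plus the config findings, in one dict."""
    verdicts = parse_winbind_log(log_text)
    failed = sorted(d for d, v in verdicts.items() if not all(v.values()))
    return {"failed_domains": failed,
            "findings": check_trust_enum_settings(parse_smb_conf(conf_text))}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_CONF)
    print("domains that returned nothing:", report["failed_domains"])
    for finding in report["findings"]:
        print("config:", finding)
```

On the post's own log and config the helper names POWERTECH as the domain that returned nothing while RGGNET enumerated fine, and notes that neither `winbind enum users` nor `winbind enum groups` is set explicitly; the idmap ranges and backend are present, so id mapping is not the blocker. In a real run, feed it the full `log.winbindd` rather than the excerpt and check `wbinfo --domain=POWERTECH -u` separately, since the per-domain verdict is what distinguishes a trust problem from a local winbind one.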