[Samba] Trusted domain user login
Jay Santillan
nasyaj at gmail.com
Fri Jan 25 15:35:37 GMT 2008
Greetings,
We are currently experiencing logon problems with a trusted domain user(s).
Example: We have DomainA and DomainB
DomainA and DomainB both have workstations joined on their respective
domain.
DomainA and DomainB both have trust relationships. DomainA trusts DomainB
and vice versa.
DomainA is served by a Samba PDC, while DomainB has a PDC using
Windows NT 4.0 Server.
When users from DomainA log in to DomainA using the workstation joined
under DomainA and/or DomainB, they can log in without any problems.
The problem occurs when users from DomainB log in to a workstation joined
under DomainA. The logon script is not executed and the user profile is not
loaded.
This problem does not occur when users log in from DomainB workstations
(their logon script is executed and profiles are loaded properly).
-We've checked that DomainB user can access the netlogon share from the
workstation (DomainA). Running it manually works.
-We've checked that DomainB user can access the profile share from the
workstation (DomainA).
-Tried different user and workstation but still same problems.
-We've tried updating samba to 3.0.28 but still same problem (we went back
to 3.0.23c please see reason below).
-Tried searching the net for same issue and tried some solutions, but still
did not work.
-Tried looking at log files, but could not find obvious errors.
The Samba version we're using is 3.0.23c
The server is running CentOS 5.1 x86_64 version.
The original Samba version (3.0.25b) which came with the distro had some
problems. Changing passwords from Windows does not seem to fix it.
Downgrading to 3.0.23c seems to work.
If posting of the log files is needed, please tell us which log file to
look/post.
Thank you very much for taking time to read this post.
Regards,
Jay
Below is our smb.conf file
=========================================
[global]
netbios name = aphrodite
workgroup = RLDP_DESIGN3A
server string = ""
security = user
passdb backend = ldapsam:ldap://ldapserver
enable privileges = yes
encrypt passwords = yes
allow trusted domains = yes
host msdfs = no
browse list = true
os level = 65
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
logon path = \\%L\profiles\%U
logon drive = G:
logon home = \\%L\home\%U
logon script = default.bat
log level = 3
log file = /var/log/samba/%m.log
max log size = 100
wins server = 192.168.3.2
dns proxy = no
name resolve order = wins host bcast
ldap suffix = dc=design3,dc=rldp,dc=com
ldap machine suffix = ou=computers
ldap user suffix = ou=People
ldap group suffix = ou=group
ldap idmap suffix = ou=idmap
ldap admin dn = cn=root,dc=design3,dc=rldp,dc=com
ldap passwd sync = only
idmap backend = ldap:ldap://ldapserver
idmap uid = 50000-65000
idmap gid = 50000-65000
template shell = /bin/bash
winbind use default domain = no
add user script = /opt/smbldap-tools/smbldap-useradd -m "%u"
delete user script = /opt/smbldap-tools/smbldap-userdel "%u"
add group script = /opt/smbldap-tools/smbldap-groupadd -p "%g"
delete group script = /opt/smbldap-tools/smbldap-groupdel "%g"
add user to group script = /opt/smbldap-tools/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/smbldap-tools/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/smbldap-tools/smbldap-usermod -g "%g" "%u"
add machine script = /opt/smbldap-tools/smbldap-useradd -w "%u"
printer admin = administrator
#============================ Share Definitions ==============================
[netlogon]
path = /smbshare/netlogon
read only = yes
[profiles]
path = /smbshare/profile
read only = no
create mask = 0600
directory mask = 0700
[profiled]
path = /smbshare/profile_data
read only = no
create mask = 0600
directory mask = 0700
[home]
path = /smbshare/home
read only = no
create mask = 0600
directory mask = 0700
[teamd3]
path = /smbshare/workdir
read only = no
create mask = 0660
directory mask = 0770
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
[print$]
path = /smbshare/print_drivers
browseable = yes
guest ok = no
read only = yes
write list = administrator