[Samba] Winbind with one-way trusts?

Ian Masterson ianm at u.washington.edu
Thu Jan 31 22:34:44 GMT 2008

Winbind works very well for most of the domains with which we have trusts. 
But for one domain, 'groups DOMAIN\user' returns only gid 0, and I see 
kerberos errors in winbind logs:

[2008/01/31 13:51:12, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602) ads_krb5_mk_req: krb5_get_credentials failed for foo$@THEIRDOMAIN (Server  not found in Kerberos database)
[2008/01/31 13:51:12, 1] nsswitch/winbindd_ads.c:ads_cached_connection(128)  ads_connect for domain THEIRDOMAIN failed: Server not found in Kerberos database
[2008/01/31 13:51:12, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)  error getting user info for sid S-1-[...]

Don McCall appears to have had the same problem:


Jerry confirmed that a two-way trust is required between the domain that 
the winbind host belongs to and any trusted domains. Is there any 
workaround to this at all?

Is it perhaps possible have winbind use credentials from the trusted 
domain to bind to the DC for looking up user information?

Thank you,

Ian Masterson
University of Washington Libraries

More information about the samba mailing list