[Samba] Winbind with one-way trusts?
Ian Masterson
ianm at u.washington.edu
Thu Jan 31 22:34:44 GMT 2008
Winbind works very well for most of the domains with which we have trusts.
But for one domain, 'groups DOMAIN\user' returns only gid 0, and I see
Kerberos errors in winbind logs:
[2008/01/31 13:51:12, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602) ads_krb5_mk_req: krb5_get_credentials failed for foo$@THEIRDOMAIN (Server not found in Kerberos database)
[2008/01/31 13:51:12, 1] nsswitch/winbindd_ads.c:ads_cached_connection(128) ads_connect for domain THEIRDOMAIN failed: Server not found in Kerberos database
[2008/01/31 13:51:12, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152) error getting user info for sid S-1-[...]
Don McCall appears to have had the same problem:
http://lists.samba.org/archive/samba-technical/2007-February/051678.html
Jerry confirmed that a two-way trust is required between the domain that
the winbind host belongs to and any trusted domains. Is there any
workaround to this at all?
Is it perhaps possible to have winbind use credentials from the trusted
domain to bind to the DC for looking up user information?
Thank you,
Ian Masterson
University of Washington Libraries