[Samba] Domain trusts in samba3 with openLDAP

Alex Crow acrow at integrafin.co.uk
Mon Jun 2 13:30:31 GMT 2008


Hi,

I am having the exact same problem as the user quoted below - I have
3.0.28a installed at both ends (I've tried 3.0.30 but that seems to make
wbinfo -t fail with "DOMAIN CONTROLLER NOT FOUND" errors). It's a
bidirectional trust - the end remote to me works fine but the local end
reports as below. wbinfo -u/g fails on both ends with "Error looking up
domain users".

Here is the relevant part of my smb.conf on the local end:

[global]
unix charset = LOCALE
workgroup = IFA_NET
netbios name = PDC
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
max log size = 0
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = no
#printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=ifa,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=manager,dc=ifa,dc=net
ldap ssl = no
ldap timeout = 20
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 6000
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes
#printing = cups
# printer admin = root
wins support = yes
log level = 3
domain logons = yes
domain master = yes
preferred master = yes
logon drive = H:
#os level = 35
passdb expand explicit = yes
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
enable privileges = Yes
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

and remote:
[global]
#unix charset = LOCALE
workgroup = INTEGRALIFE_NET
netbios name = DC
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://127.0.0.1
logon drive = H:
logon home = \\%L\%U
logon path = \\%L\%U\profile
os level = 33
#auth methods = guest sam winbind
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
smb ports = 139
name resolve order = wins lmhosts bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = Yes
#add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
enable privileges = Yes
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -a -w '%u'
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
#wins support = Yes
wins server = 192.168.20.137
wins proxy = no
ldap suffix = dc=integralife,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=integralife,dc=net
ldap ssl = no
ldap timeout = 20
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind use default domain = no
winbind trusted domains only = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = Yes
map acl inherit = Yes
ea support = Yes
disable spoolss = No
printing = cups
printer admin = root

Any help I can get gratefully received!

Thanks

Alex

On Wed, 2008-05-07 at 16:43 -0400, Charlie wrote:
> Greetings Sambistas!
> 
>   I can't seem to get domain trusts to work in both directions.  Details follow.
> 
>   I have a network running many OSes on four geographically separate
> sites with an OpenLDAP authentication backbone.  Desktops are windows
> XP authenticating to samba 3.0.25b servers which in turn are
> configured to use LDAP.  Our net has been running samba in various
> flavors and versions for over ten years, and we have been running
> OpenLDAP for about seven years.
> 
>   Each physical site is a separate samba domain but all use the same
> LDAP backend data.  All linux samba servers are running 3.0.25b, some
> of them using Red Hat native packages on RHEL5 and others using my own
> backported RPMs of the same.  HP-UX servers run HP's CIFS9000 product
> which is essentially a samba fork.
> 
>   Each samba server has a local LDAP replica and a local slave BIND
> DNS server.  PAM, NSS, and samba are all configured for automatic LDAP
> failover; this is tested and working.  We use unencrypted LDAP on
> 127.0.0.1 as the primary (for speed) and LDAPS to the master server as
> secondary (for security).  If I kill the local LDAP daemon samba
> continues to work fine, drawing passwords etc. from the master server
> over SSL.
> 
>   From the main site, I can do this:
> 
> # net rpc trustdom list  -Udomadmin
> Password:
> 
> Trusted domains list:
> 
> LA              S-1-5-21-laSIDredacted
> MD             S-1-5-21-mdSIDredacted
> MA             S-1-5-21-maSIDredacted
> none
> 
> Trusting domains list:
> 
> MAIN             S-1-5-21-LocalSIDredacted
> MA                S-1-5-21-maSIDredacted
> LA                 S-1-5-21-laSIDredacted
> MD                S-1-5-21-mdSIDredacted
> 
> But, from the MD server, if I issue the same command, I get this:
> 
> # net rpc trustdom list -Umdadmin
> Password:
> Trusted domains list:
> 
> MAIN             S-1-5-21-LocalSIDredacted
> MA                S-1-5-21-maSIDredacted
> LA                 S-1-5-21-laSIDredacted
> none
> 
> Trusting domains list:
> 
> [2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
>   Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED
> 
> I have been unable to find anything on the net that details the LDAP
> entries for interdomain trust accounts.  I do not know if a single
> LDAP dn can be used to establish the trust in both directions or if I
> need two for each link in the mesh.  If anyone could post examples of
> working LDAP accounts used for interdomain trust purposes I would be
> tremendously grateful!
> 
> Thanks,
> --Charlie
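Since both ends of the trust live in smb.conf, a sensible first step before digging into the LDAP trust accounts is to parse each [global] section the way smbd reads it and put the trust-related settings side by side. The checker below is an added example, not code from either post; the TRUST_KEYS selection is my own, and the embedded configs are constructed excerpts of the two files quoted above.

```python
# Keys worth putting side by side when a trust misbehaves (selection is mine)
TRUST_KEYS = ("allow trusted domains", "winbind trusted domains only", "idmap uid",
              "idmap gid", "smb ports", "name resolve order", "wins support", "wins server")

def parse_global(text):
    """Return ({key: value}, [duplicated keys]) for the [global] section: '#'/';'
    comments skipped, keys lower-cased, whitespace collapsed, last duplicate wins."""
    section, settings, dupes = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            if key in settings:
                dupes.append(key)
            settings[key] = value.strip()
    return settings, dupes

def trust_report(local_text, remote_text):
    """Findings to check first: trusts allowed on both ends (Samba default: yes),
    later duplicates that silently override a setting, TRUST_KEYS that differ."""
    findings = []
    local, remote = parse_global(local_text), parse_global(remote_text)
    for name, (conf, dupes) in (("local", local), ("remote", remote)):
        if conf.get("allow trusted domains", "yes").lower() not in ("yes", "true", "1"):
            findings.append(f"{name}: allow trusted domains is off")
        findings += [f"{name}: '{k}' set twice, last value wins" for k in dupes]
    for k in TRUST_KEYS:  # a difference is a lead to investigate, not a proven fault
        a, b = local[0].get(k, "<unset>"), remote[0].get(k, "<unset>")
        if a.lower() != b.lower():
            findings.append(f"differs: {k}: local={a!r} remote={b!r}")
    return findings

# Constructed excerpts of the two [global] sections quoted in the post
LOCAL_CONF = """[global]
enable privileges = yes
smb ports = 139 445
wins support = yes
enable privileges = Yes"""
REMOTE_CONF = """[global]
logon drive = H:
smb ports = 139
#wins support = Yes
wins server = 192.168.20.137
logon drive = H:"""
```

Run `trust_report(open("/etc/samba/smb.conf").read(), remote_copy)` with the other DC's file to get the same report for a live pair; `testparm -s` output works as input too, since it prints the same key = value form.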