[Samba] winbind does not list users from trusted domain

Marco Senft m.senft at t2g.ch
Fri Oct 10 12:51:53 GMT 2008


Hello all.

I've set up a testing environment with two Windows DCs. The first,
called DCA, is serving the domain DOMA and is running Windows 2003. The
second is called DCB and serves DOMB on Windows 2008.

The Samba machine I'm setting up (named ULYSSES) should be able to
authenticate users from both domains for shell login. I've installed
Samba 3.2.3 as a Debian package and closely followed the fine Howto by
Michael Battista
(http://www.ccs.neu.edu/home/battista/documentation/winbind/). Here are
the current settings from my smb.conf, stripped down to the relevant ones:

[global]
    realm = B.NET
    workgroup = B
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
;   winbind enum groups = yes
;   winbind enum users = yes
    winbind use default domain = no
    winbind nested groups = yes
    allow trusted domains = yes

PAM and NSS are configured as well, winbind is installed and running.
The Samba machine has successfully joined DOMB:

> wbinfo -t
checking the trust secret via RPC calls succeeded

Domain trusts seem to work:

> wbinfo -m
BUILTIN
ULYSSES
DOMA
DOMB

So far, everything works as expected. But when I try to get user info,
only users from DOMB (where the Samba machine is a member) are found by
winbind:

> wbinfo -u
ULYSSES\root
ULYSSES\nobody
[...]
DOMB\administrator
DOMB\brian

No entries for DOMA are listed. To track this further down, I issued the
following commands:

> wbinfo -i "DOMA\alvin"
Could not get info for user DOMA\alvin
> wbinfo -i "DOMB\brian"
DOMB\brian:*:10000:10000:Brian:/home/DOMB/brian:/bin/bash

The logfile (log.wb-DOMA) states:
[2008/10/10 12:32:23,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5
error code 68)
[2008/10/10 12:32:23,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5
error code 68)
[2008/10/10 12:32:23,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: KRB5 error code 68
[2008/10/10 12:32:23,  1] winbindd/winbindd_ads.c:ads_cached_connection(127)
   ads_connect for domain DOMA failed: KRB5 error code 68
[2008/10/10 12:32:23,  1]
winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
   error getting user info for sid
S-1-5-21-1851683558-1272149263-2209706219-1104

So I suspect something with the Kerberos authentication to be wrong; but
why is that, since I can successfully authenticate users with winbind:

> wbinfo -a "DOMA\alvin%alvinpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded
> wbinfo -a "DOMB\brian%brianpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded

Why is winbind able to authenticate users, but cannot get user info
about them? Does anyone have a hint for me?


Thanks in advance,
marco


-- 
Marco Senft
http://www.t2g.ch/
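
For triaging a log like the log.wb-DOMA excerpt above, the following added example (not part of the original post and not Samba code) folds the wrapped entries back together and tallies the KRB5 error codes per logging function and principal. The code-to-name table is a subset of RFC 4120 section 7.5.9, where 68 is KDC_ERR_WRONG_REALM; it assumes the number winbind prints is the RFC 4120 protocol error number, and the function and variable names are illustrative.

```python
import re
from collections import Counter

# Subset of RFC 4120 section 7.5.9. Assumption: the logged number is the protocol error code.
KRB5_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
               37: "KRB_AP_ERR_SKEW", 68: "KDC_ERR_WRONG_REALM"}
# Samba 3 entry header "[date time,  level]", then "file:function(line)" and the message.
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]", re.M)
FUNC = re.compile(r"^\S+?:(\w+)\(\d+\)")
CODE = re.compile(r"KRB5 error code (\d+)")
PRINCIPAL = re.compile(r"failed for (\S+@\S+)")

# Log excerpt copied from the post above, with the mail's hard line wraps kept.
SAMPLE_LOG = """\
[2008/10/10 12:32:23,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5
error code 68)
[2008/10/10 12:32:23,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5
error code 68)
[2008/10/10 12:32:23,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: KRB5 error code 68
[2008/10/10 12:32:23,  1] winbindd/winbindd_ads.c:ads_cached_connection(127)
   ads_connect for domain DOMA failed: KRB5 error code 68
[2008/10/10 12:32:23,  1]
winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
   error getting user info for sid
S-1-5-21-1851683558-1272149263-2209706219-1104
"""

def parse_entries(text):
    """Return one whitespace-normalised string per entry; wrapped lines are folded in."""
    return [" ".join(part.split()) for part in HEADER.split(text)[1:]]

def kerberos_failures(text):
    """Count (function, principal or None, code, RFC 4120 name) per failing entry."""
    counts = Counter()
    for body in parse_entries(text):
        code, who, func = CODE.search(body), PRINCIPAL.search(body), FUNC.match(body)
        if code:
            n = int(code.group(1))
            key = (func.group(1) if func else "?", who and who.group(1), n)
            counts[key + (KRB5_ERRORS.get(n, "unknown"),)] += 1
    return counts

if __name__ == "__main__":
    for key, hits in kerberos_failures(SAMPLE_LOG).items():
        print(hits, *key)
```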