[Samba] Winbind + Win2003 ADS + Trusted Domain Issue

Bryan samba at hb-computers.com
Wed Sep 3 15:39:49 GMT 2008


Hello all,
  I am having an issue that I need help with and have been searching the
web high and low for a solution.  It involves using winbind to
authenticate Linux systems against a 2003 Active Directory domain with a
one-way trust. Here is the layout.

Domain "ABC" is the resource domain where the servers are located. Domain
"XYZ" is the domain that the primary user accounts are in.

Domain "ABC" has a one way trust with domain "XYZ".

I am able to add the Linux system to domain A and authenticate to that
domain with a user in domain ABC.  I am able to see that domain ABC has a
trust with domain XYZ (and others) and am able to run a wbinfo -a
XYZ+<username>%<password> and it will complete successfully.  When I
attempt to log in via ssh, it will not communicate and fails.

This is a Red Hat Enterprise Linux 5 Server (2.6.18-92.1.10.el5) running
samba RPMS: samba-common-3.0.28-1.el5_2.1 samba-3.0.28-1.el5_2.1.

I will also be adding Red Hat Enterprise Linux 4 ES systems to domain ABC
in the future as this is a pilot to get security approval.

Here is my configuration, domain A will be ABC and domain B will be XYZ.

/etc/samba/smb.conf
===================

[global]
        allow trusted domains = yes
        encrypt passwords = yes
        workgroup = abc
        server string = ABC Management Linux System
        security = ads
        passdb backend = tdbsam
        load printers = yes
        cups options = raw
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/bash
#       winbind use default domain = yes
#       winbind trusted domains only = yes
        winbind enum users = yes
        winbind enum groups = yes
#       winbind nested groups = yes
        password server = xxx.xxx.208.52 xxx.xxx.208.53
        realm = ABC.ORG
        winbind separator = +
        log level = 2 passdb:2 winbind:10 auth:2
        log file = /var/log/samba/log.smbd
        max log size = 50000
;[homes]

;[printers]

/etc/krb5.conf
==============

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ABC.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 ABC.ORG = {
  kdc = PDC.abc.org
  admin = PDC.abc.org
 }

[domain_realm]
.abc.org = ABC.ORG
abc.org = ABC.ORG

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Here is a portion of the log.smbd file during the attempted login to
domain B.

/var/log/samba/log.smbd
=======================
[2008/09/03 11:10:56, 2] lib/interface.c:add_interface(81)
  added interface ip=10.78.208.92 bcast=xxx.xxx.208.127
nmask=255.255.255.128
[2008/09/03 11:10:56, 2] lib/interface.c:add_interface(81)
  added interface ip=10.78.208.92 bcast=xxx.xxx.208.127
nmask=255.255.255.128
[2008/09/03 11:10:56, 10] nsswitch/idmap_cache.c:idmap_cache_init(60)
  Opening cache file at /var/cache/samba/idmap_cache.tdb
[2008/09/03 11:10:56, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
  Registered MSG_REQ_POOL_USAGE
[2008/09/03 11:10:56, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2008/09/03 11:10:56, 0]
nsswitch/winbindd_cache.c:initialize_winbindd_cache(2227)
  initialize_winbindd_cache: clearing cache and re-creating with version
number 1
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain ABC ABC.ORG S-1-5-21-965218773-1353315313-3067293786
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cm.c:set_domain_online_request(417)
  set_domain_online_request: called for domain ABC
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cm.c:set_domain_online_request(437)
  set_domain_online_request: domain ABC was globally offline.
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain LINUX1 S-1-5-21-3701797475-2312480056-3909096447
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain BUILTIN  S-1-5-32
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_util.c:open_winbindd_socket(921)
  open_winbindd_socket: opened socket fd 12
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_util.c:open_winbindd_priv_socket(933)
  open_winbindd_priv_socket: opened socket fd 13
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15001
[2008/09/03 11:10:56, 5] nsswitch/winbindd_util.c:init_child_recv(419)
  Received child initialization response for domain ABC
[2008/09/03 11:10:56, 8] nsswitch/winbindd_cm.c:connection_ok(1496)
  connection_ok: Connection to  for domain ABC has NULL cli!
[2008/09/03 11:10:56, 10] nsswitch/winbindd_cm.c:cm_open_connection(1336)
  cm_open_connection: saf_servername is PDC.ABC.ORG for domain ABC
[2008/09/03 11:10:56, 10] nsswitch/winbindd_cm.c:cm_open_connection(1366)
  cm_open_connection: dcname is 'PDC.ABC.ORG' for domain ABC
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cm.c:cm_prepare_connection(654)
  cm_prepare_connection: connecting to DC PDC.ABC.ORG for domain ABC
[2008/09/03 11:10:56, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(733)
  connecting to PDC.ABC.ORG from LINUX1 with kerberos principal
[LINUX1$@ABC.ORG]
[2008/09/03 11:10:56, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(615)
  Doing kerberos session setup
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cache.c:set_global_winbindd_state_online(2692)
  set_global_winbindd_state_online: online requested.
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cache.c:set_global_winbindd_state_online(2695)
  set_global_winbindd_state_online: rejecting.
[2008/09/03 11:10:56, 10] nsswitch/winbindd_cm.c:set_domain_online(359)
  set_domain_online: called for domain DSA
[2008/09/03 11:10:56, 5]
nsswitch/winbindd_cm.c:set_dc_type_and_flags(1589)
  set_dc_type_and_flags: domain DSA
[2008/09/03 11:10:56, 5]
nsswitch/winbindd_cm.c:set_dc_type_and_flags(1705)
  set_dc_type_and_flags: domain DSA is in native mode.
[2008/09/03 11:10:56, 5]
nsswitch/winbindd_cm.c:set_dc_type_and_flags(1708)
  set_dc_type_and_flags: domain DSA is running active directory.
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15001
[2008/09/03 11:10:56, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2327)
  Retrieving extra data length=495
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain XYZ XYZ.ORG S-1-5-21-266690176-277487647-1704157037
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain DOMAIN1 domain1.abc.org
S-1-5-21-676974648-3565341295-2177681970
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain DOMAIN2 domain3.abc.org
S-1-5-21-703798019-1850511075-1572904292
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain DOMAIN3 domain3.abc.org
S-1-5-21-196453861-3054152632-3676303883
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain DOMAIN4 domain4.abc.org
S-1-5-21-343818398-839522115-725345543
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain DOMAIN5 domain5.abc.org
S-1-5-21-2487492328-1375672958-281685340
[2008/09/03 11:10:56, 2] nsswitch/winbindd_util.c:add_trusted_domain(171)
  Added domain DOMAIN6 domain6.abc.org
S-1-5-21-3516912911-3241761273-3555923892
[2008/09/03 11:11:18, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 19
[2008/09/03 11:11:18, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/09/03 11:11:18, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [15004]: request interface version
[2008/09/03 11:11:18, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/09/03 11:11:18, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [15004]: request location of privileged pipe
[2008/09/03 11:11:18, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 20
[2008/09/03 11:11:18, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn GETPWNAM
[2008/09/03 11:11:18, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [15004]: getpwnam XYZ+user
[2008/09/03 11:11:18, 8] nsswitch/winbindd_cm.c:connection_ok(1496)
  connection_ok: Connection to  for domain XYZ has NULL cli!
[2008/09/03 11:11:18, 10] nsswitch/winbindd_cm.c:cm_open_connection(1366)
  cm_open_connection: dcname is '' for domain XYZ
[2008/09/03 11:11:18, 10]
nsswitch/winbindd_cm.c:get_dc_name_via_netlogon(579)
  rpccli_netlogon_getanydcname returned PDC
[2008/09/03 11:11:18, 10] nsswitch/winbindd_cm.c:get_dcs(1169)
  Retrieved DC PDC.XYZ.ORG at xxx.xxx.65.21 via netlogon
[2008/09/03 11:11:18, 10]
nsswitch/winbindd_cm.c:cm_prepare_connection(654)
  cm_prepare_connection: connecting to DC PDC for domain XYZ
[2008/09/03 11:11:18, 10] nsswitch/winbindd_cm.c:cm_open_connection(1366)
  cm_open_connection: dcname is 'PDC' for domain XYZ
[2008/09/03 11:11:18, 10]
nsswitch/winbindd_cm.c:get_dc_name_via_netlogon(579)
  rpccli_netlogon_getanydcname returned PDC
[2008/09/03 11:11:18, 10] nsswitch/winbindd_cm.c:add_one_dc_unique(884)
  DC ZAS1TY-0311 was in the negative conn cache
[2008/09/03 11:11:25, 1] libads/cldap.c:recv_cldap_netlogon(219)
  no reply received to cldap netlogon
[2008/09/03 11:11:25, 10] nsswitch/winbindd_cm.c:dcip_to_name(1087)
  dcip_to_name: flags = 0x17c
[2008/09/03 11:11:25, 10]
nsswitch/winbindd_cm.c:cm_prepare_connection(654)
  cm_prepare_connection: connecting to DC PDC.XYZ.ORG for domain XYZ
[2008/09/03 11:11:25, 10] nsswitch/winbindd_cm.c:cm_open_connection(1366)
  cm_open_connection: dcname is 'PDC.XYZ.ORG' for domain XYZ
[2008/09/03 11:11:26, 10]
nsswitch/winbindd_cm.c:get_dc_name_via_netlogon(579)
  rpccli_netlogon_getanydcname returned PDC
[2008/09/03 11:11:26, 10] nsswitch/winbindd_cm.c:add_one_dc_unique(884)
  DC ZAS1TY-0311 was in the negative conn cache
[2008/09/03 11:11:26, 10] nsswitch/winbindd_cm.c:dcip_to_name(1087)
  dcip_to_name: flags = 0x17c
[2008/09/03 11:11:26, 10]
nsswitch/winbindd_cm.c:cm_prepare_connection(654)
  cm_prepare_connection: connecting to DC PDC.XYZ.ORG for domain XYZ
[2008/09/03 11:11:26, 10] nsswitch/winbindd_cm.c:set_domain_offline(302)
  set_domain_offline: called for domain XYZ
[2008/09/03 11:11:26, 10] nsswitch/winbindd_cm.c:set_domain_offline(347)
  set_domain_offline: added event handler for domain XYZ
[2008/09/03 11:11:26, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15001
[2008/09/03 11:11:26, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15006
[2008/09/03 11:11:26, 5] nsswitch/winbindd_async.c:query_user_recv(1417)
  query_user returned an error
[2008/09/03 11:11:26, 5]
nsswitch/winbindd_user.c:getpwsid_queryuser_recv(237)
  Could not query domain XYZ SID
S-1-5-21-266690176-277487647-1704157037-40068
[2008/09/03 11:11:35, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn GETPWNAM
[2008/09/03 11:11:35, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [15004]: getpwnam XYZ+user
[2008/09/03 11:11:35, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15001
[2008/09/03 11:11:35, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15006
[2008/09/03 11:11:35, 5] nsswitch/winbindd_async.c:query_user_recv(1417)
  query_user returned an error
[2008/09/03 11:11:35, 5]
nsswitch/winbindd_user.c:getpwsid_queryuser_recv(237)
  Could not query domain XYZ SID
S-1-5-21-266690176-277487647-1704157037-40068
[2008/09/03 11:11:35, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 19
[2008/09/03 11:11:35, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/09/03 11:11:35, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [15004]: request interface version
[2008/09/03 11:11:35, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/09/03 11:11:35, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [15004]: request location of privileged pipe
[2008/09/03 11:11:35, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 22
[2008/09/03 11:11:35, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PAM_AUTH
[2008/09/03 11:11:35, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751)
  [15004]: pam auth XYZ+user
[2008/09/03 11:11:35, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15006
[2008/09/03 11:11:35, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn GETPWNAM
[2008/09/03 11:11:35, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [15004]: getpwnam XYZ+user
[2008/09/03 11:11:35, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15001
[2008/09/03 11:11:35, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2305)
  Retrieving response for pid 15006
[2008/09/03 11:11:35, 5] nsswitch/winbindd_async.c:query_user_recv(1417)
  query_user returned an error
[2008/09/03 11:11:35, 5]
nsswitch/winbindd_user.c:getpwsid_queryuser_recv(237)
  Could not query domain XYZ SID
S-1-5-21-266690176-277487647-1704157037-40068


Any and all suggestions and ideas welcomed.  Please help me as I am
quickly losing my sanity.

Thanks,
Bryan
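To make the failure path in a winbind log like the one above easier to spot, here is an added example (not from the post and not Samba's own code) that parses Samba 3 winbind debug entries and reports, per trusted domain, which DC winbind tried to reach, whether the CLDAP netlogon ping got no reply, whether the domain was then marked offline, and which SID lookups failed. The sample log is constructed in the post's format, and the entry order and the `dom` helper are my assumptions.

```python
import re

# Samba 3 winbind debug log: header "[date time, level] file:func(line)" on its own line, then the message, indented
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
CONNECT = re.compile(r"connecting to DC (\S+) for domain (\S+)")
OFFLINE = re.compile(r"set_domain_offline: called for domain (\S+)")
SID_FAIL = re.compile(r"Could not query domain (\S+) SID (S-1-5-\S+)")

def parse_winbind_log(text):
    """Join each header with its message lines -> list of (timestamp, level, source, message)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif entries and line.strip():  # continuation (also re-joins mailer-wrapped lines)
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def diagnose(entries):
    """Per domain: DCs tried, CLDAP timeouts, whether winbind marked it offline, failed SID lookups."""
    report, current = {}, None
    def dom(name):
        return report.setdefault(name, {"dcs": [], "cldap_no_reply": 0,
                                        "offline": False, "failed_sids": []})
    for _ts, _level, _source, msg in entries:
        if CONNECT.search(msg):
            dc, current = CONNECT.search(msg).groups()
            dom(current)["dcs"].append(dc)
        elif "no reply received to cldap netlogon" in msg and current:
            dom(current)["cldap_no_reply"] += 1  # CLDAP ping to the trusted domain's DC timed out
        elif OFFLINE.search(msg):
            dom(OFFLINE.search(msg).group(1))["offline"] = True
        elif SID_FAIL.search(msg):
            name, sid = SID_FAIL.search(msg).groups()
            dom(name)["failed_sids"].append(sid)
    return report

# Constructed sample in the same format as the post's log (entry order is an assumption).
SAMPLE = """\
[2008/09/03 11:11:18, 10] nsswitch/winbindd_cm.c:cm_prepare_connection(654)
  cm_prepare_connection: connecting to DC PDC.XYZ.ORG for domain XYZ
[2008/09/03 11:11:25, 1] libads/cldap.c:recv_cldap_netlogon(219)
  no reply received to cldap netlogon
[2008/09/03 11:11:26, 10] nsswitch/winbindd_cm.c:set_domain_offline(302)
  set_domain_offline: called for domain XYZ
[2008/09/03 11:11:26, 5] nsswitch/winbindd_user.c:getpwsid_queryuser_recv(237)
  Could not query domain XYZ SID
S-1-5-21-266690176-277487647-1704157037-40068
"""
```

A report showing a DC found via netlogon but a CLDAP timeout followed by set_domain_offline points at the Linux host being unable to reach the trusted domain's DC directly, which is why the pass-through wbinfo -a succeeds while the getpwnam lookup that ssh needs does not.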