[Samba] Samba and cross forest domain trust

Joe Ammann joe at pyx.ch
Wed May 13 21:28:13 GMT 2009


I'm trying to get a setup working with 2 separate AD forests (both 2003 R2 
based). Let's call them PROD.x.ch and DEV.x.ch. There is a one way cross 
forest trust from DEV to PROD (hope I said this the right way), so that 
authenticated principals in PROD can access resources from DEV.

The setup works in principle, a user logged into a PROD Windows PC can access 
Shares from a DEV Windows Server (given the correct access rights, etc.)

Now I tried to also access shares from a Samba server (SuSE Linux Enterprise 
10, SP1). The Linux server is successfully joined into the DEV domain, user 
authentication for logging into the Linux system with winbind into the DEV 
domain works like a charm.

But accessing the shares does not work. I asked Google, and some postings 
seemed to suggest that such setups really only work from Samba 3.2 onwards 
(SLES 10 has 3.0.32). So I upgraded to the 3.3.4 RPMs from Sernet, still no 
luck. The errors I see are something like

[2009/05/13 13:29:57,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for dc1$@PROD.X.CH (Server not found in Kerberos database)
[2009/05/13 13:29:57,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database

Before I go on and try to isolate the error: Do I have any chance to get such 
a setup to work?

Many thanks for listening.

	CU, Joe
