[Samba] Samba trusts, mapping issue, and pam crap domain
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Nov 17 12:16:59 MST 2009
I am running Samba ver 3.0.37 on Solaris 10 (sparc) as a PDC with LDAP as
the backend for both samba and unix accounts. Assume the samba SMBPDC is
called "PDC."
I have also set up a trust with a Windows domain, let's call it
WINDOMAIN (the PDC for the Windows domain is Win 2003 but is in mixed mode
for backwards compat). The SAMBA domain trusts the WINDOWS domain, not
vice versa. Assume the Windows PDC is called "WINPDC."
I have winbind enabled. Idmap entries are stored in the backend.
On the Windows domain, I have a login script which maps R: to
\\PDC\dept\common. The "dept" share does not explicitly set or deny any
users. The "common" directory has unix perms of "rwxrwxr-t."
On the SMBPDC
smbpdc# getent passwd | grep linus
WINDOMAIN\linus:*:30197:30037:Linus Van Pelt:/home/WINDOMAIN/linus:/bin/false
smbpdc#
smbpdc# id "WINDOMAIN\linus"
uid=30197(ADMINISTRATION\linus) gid=30037(WINDOMAIN\domain users)
smbpdc# id linus
id: invalid user name: "linus"
smbpdc#
Smb.conf includes
-------------------------
ntlm auth = Yes
passdb backend = ldapsam:ldap://ldap1.mydomain.com
ldap suffix=o=mydomain.com
ldap user suffix=ou=people
ldap group suffix=ou=smb_groups
ldap machine suffix=ou=machines
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
ldap idmap suffix=ou=idmap
winbind enum users = Yes
winbind enum groups = no
winbind use default domain = no
winbind trusted domains only = no
#ldap time out default is 15 sec
ldap timeout=30
# idmap domains = WINDOMAIN, TESTDOMAIN
idmap domains = WINDOMAIN
idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default=no
idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
idmap config WINDOMAIN:ldap_user_dn = cn=Directory Manager
idmap config WINDOMAIN:ldap_url = ldap1.mydomain.com
idmap config WINDOMAIN:range = 30000-39999
#idmap config TESTDOMAIN:backend = ldap
#idmap config TESTDOMAIN:readonly = no
#idmap config TESTDOMAIN:default=no
#idmap config TESTDOMAIN:ldap_base_dn =ou=testdomain,ou=idmap,o=mydomain.com
#idmap config TESTDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config TESTDOMAIN:ldap_url = ldap1.mydomain.com
#idmap config TESTDOMAIN:range = 40000-49999
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:ldap_url = ldap1.mydomain.com
idmap alloc config:range = 70000 - 79999
[dept]
path = /zexport/Dept
read only = No
create mask = 0770
force create mode = 0600
directory mask = 0775
force directory mode = 0600
inherit permissions = Yes
inherit acls = Yes
hide special files = Yes
vfs objects = zfsacl
zfsacl:acesort = dontcare
nfs4:mode = special
nfs4:chown = yes
nfs4:acedup = merge
--------------------
I have a test user "linus" on the WINDOMAIN domain. If I log into a
WINDOMAIN account on WINPDC, I am prompted for credentials on the
SAMBA/SMBPDC share and am denied. This used to work (sort of) - I recently
added the Solaris patch to update from 3.0.35 to 3.0.37.
The /var/log/samba/WINPDC.log file shows
...
check_ntlm_password: Checking password for unmapped user
[WINDOMAIN]\[linus]@[WINPDC] with the new password interface
[2009/11/17 11:54:25, 3] auth/auth.c:(224)
check_ntlm_password: mapped user is: [WINDOMAIN]\[linus]@[WINPDC]
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/11/17 11:54:25, 3] smbd/uid.c:(408)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/17 11:54:25, 2] auth/auth.c:(319)
check_ntlm_password: Authentication for user [linus] -> [linus] FAILED
with error NT_STATUS_NO_SUCH_USER
[2009/11/17 11:54:25, 3] smbd/error.c:(106)
error packet at smbd/sesssetup.c(107) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2009/11/17 11:54:35, 3] smbd/process.c:(1083)
...
The /var/samba/log/log.wb-WINDOMAIN shows
...
[2009/11/17 08:14:48, 3] nsswitch/winbindd_pam.c:(1755)
[13932]: pam auth crap domain: WINDOMAIN user: lucy
...
[13932]: pam auth crap domain: WINDOMAIN user: charlie
[2009/11/17 10:59:54, 3] nsswitch/winbindd_pam.c:(1755)
[13932]: pam auth crap domain: WINDOMAIN user: Administrator
[2009/11/17 10:59:54, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:54, 3] nsswitch/winbindd_ads.c:(1062)
ads: fetch sequence_number for WINDOMAIN
[2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
get_dc_list: preferred server list: ", *"
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
get_dc_list: preferred server list: ", *"
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/11/17 10:59:54, 3] libads/sasl.c:(300)
ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
[2009/11/17 10:59:54, 3] libsmb/clikrb5.c:(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2009/11/17 10:59:55, 3] libsmb/clikrb5.c:(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 17 Nov 2009 20:59:55 EST
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
sid_to_name [rpc] S-1-5-xxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5-xxxx-
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
sid_to_name [rpc] S-1-5-21-xxxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
sid_to_name [rpc] S-1-5-21-xxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-512 for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-519 for domain WINDOMAIN
[2009/11/17 11:00:01, 3] nsswitch/winbindd_pam.c:(1755)
[13932]: pam auth crap domain: WINDOMAIN user: Administrator
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5xxxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
[13932]: lookupsid S-1-5-xxxx
[2009/11/17 11:28:15, 3] nsswitch/winbindd_ads.c:(1062)
ads: fetch sequence_number for WINDOMAIN
[2009/11/17 11:28:15, 3] libads/ldap.c:(745)
ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Timelimit exceeded
[2009/11/17 11:28:15, 3] libads/ldap_utils.c:(76)
Reopening ads connection to realm WINDOMAIN.DOMAIN.COM' after error Timelimit exceeded
[2009/11/17 11:28:15, 3] libsmb/namequery.c:(1557)
get_dc_list: preferred server list: ", *"
[2009/11/17 11:28:15, 3] libads/ldap.c:(443)
Connected to LDAP server 192.168.0.71
[2009/11/17 11:28:15, 3] libads/ldap.c:(443)
Connected to LDAP server 192.168.0.71
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/11/17 11:28:15, 3] libads/sasl.c:(300)
ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
[2009/11/17 11:28:15, 3] libsmb/clikrb5.c:(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 17 Nov 2009 20:59:55 EST
[2009/11/17 11:28:15, 3] nsswitch/winbindd_rpc.c:(342)
...
I am not using kerberos for anything. As far as I know, this should be
an "NT4" type trust (NTLM). It seems to be some sort of mapping error?
It looks like it doesn't handle the domain component properly, so it strips
it off and then tries to authenticate just the user name, which of course it
can't.
Thoughts?
Thanks
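As an added example (not from this post or from the Samba project), a small parser for smbd log excerpts of the shape quoted above: it pairs each check_ntlm_password "mapped user is" line with the result line that follows and separates NT_STATUS_NO_SUCH_USER for trusted-domain users (the account never resolved, as with linus here) from ordinary password failures. The sample log is constructed, and the local domain name is passed in as a parameter.

```python
import re

# Constructed sample in the Samba 3 debug-log shape shown in the post (header
# line "[date, level] file:(line)", then the message); not the poster's file.
SAMPLE_LOG = """\
[2009/11/17 11:54:25, 3] auth/auth.c:(224)
  check_ntlm_password: mapped user is: [WINDOMAIN]\\[linus]@[WINPDC]
[2009/11/17 11:54:25, 2] auth/auth.c:(319)
  check_ntlm_password: Authentication for user [linus] -> [linus] FAILED with error NT_STATUS_NO_SUCH_USER
[2009/11/17 11:55:02, 3] auth/auth.c:(224)
  check_ntlm_password: mapped user is: [PDC]\\[sally]@[WS01]
[2009/11/17 11:55:02, 2] auth/auth.c:(319)
  check_ntlm_password: Authentication for user [sally] -> [sally] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
RESULT = re.compile(r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] (\w+)(?: with error (NT_STATUS_\w+))?")

def parse_records(text):
    """Yield (timestamp, level, source, message); each Samba 3 entry spans two lines."""
    header = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (m.group(1), int(m.group(2)), m.group(3))
        elif header is not None:
            yield header + (line.strip(),)
            header = None

def bucket_auth_failures(text):
    """Pair each mapped-user line with the next result line; return (domain, NT status) -> [users]."""
    buckets, pending = {}, None
    for _ts, _level, _src, msg in parse_records(text):
        m = MAPPED.search(msg)
        if m:
            pending = (m.group(1), m.group(2))  # (domain, user) from the mapped-user line
            continue
        r = RESULT.search(msg)
        if r and pending is not None:
            if r.group(1) == "FAILED":
                buckets.setdefault((pending[0], r.group(2)), []).append(pending[1])
            pending = None
    return buckets

def trusted_domain_lookup_failures(text, local_domain):
    """Users outside local_domain rejected with NO_SUCH_USER: unresolved account, password never checked."""
    return sorted(u for (dom, status), users in bucket_auth_failures(text).items()
                  if dom.upper() != local_domain.upper()
                  and status == "NT_STATUS_NO_SUCH_USER" for u in users)
```

A non-empty result from trusted_domain_lookup_failures points at winbind/idmap resolution of the trusted domain rather than at the users' credentials.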