[Samba] Samba trusts, mapping issue, and pam crap domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Nov 17 12:16:59 MST 2009




I am running Samba ver 3.0.37 on Solaris 10 (sparc) as a PDC with LDAP as
the backend for both samba and unix accounts.  Assume the samba SMBPDC is
called "PDC."

I have also set up a trust with a Windows domain- let's call it
WINDOMAIN- (the PDC for the Windows domain is Win 2003 but is in mixed mode
for backwards compat.)  The SAMBA domain trusts the WINDOWS domain, not
vice versa.  Assume the Windows PDC is called "WINPDC."


I have winbind enabled. Idmap entries are stored in the backend.


On the Windows domain, I have a login script which maps R: to
\\PDC\dept\common.  The "dept" share does not explicitly set or deny any
users.  The "common" directory has unix perms of "rwxrwxr-t."  




On the SMBPDC

smbpdc# getent passwd | grep linus
WINDOMAIN\linus:*:30197:30037:Linus Van Pelt:/home/WINDOMAIN/linus:/bin/false
smbpdc#


bash-3.00# id "WINDOMAIN\linus"
uid=30197(WINDOMAIN\linus) gid=30037(WINDOMAIN\domain users)
bash-3.00# id linus
id: invalid user name: "linus"
bash-3.00#







Smb.conf includes
-------------------------

ntlm auth = Yes

passdb backend = ldapsam:ldap://ldap1.mydomain.com 
ldap suffix=o=mydomain.com 
ldap user suffix=ou=people 
ldap group suffix=ou=smb_groups 
ldap machine suffix=ou=machines 
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
ldap idmap suffix=ou=idmap

winbind enum users = Yes
winbind enum groups = no
winbind use default domain = no
winbind trusted domains only = no

#ldap time out default is 15 sec
ldap timeout=30

# idmap domains = WINDOMAIN, TESTDOMAIN
idmap domains = WINDOMAIN


idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default = no
idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
idmap config WINDOMAIN:ldap_user_dn = cn=Directory Manager
idmap config WINDOMAIN:ldap_url = ldap1.mydomain.com
idmap config WINDOMAIN:range = 30000-39999


#idmap config TESTDOMAIN:backend = ldap
#idmap config TESTDOMAIN:readonly = no
#idmap config TESTDOMAIN:default = no
#idmap config TESTDOMAIN:ldap_base_dn = ou=testdomain,ou=idmap,o=mydomain.com
#idmap config TESTDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config TESTDOMAIN:ldap_url = ldap1.mydomain.com
#idmap config TESTDOMAIN:range = 40000-49999



idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com 
idmap alloc config:ldap_user_dn = cn=Directory Manager 
idmap alloc config:ldap_url = ldap1.mydomain.com 
idmap alloc config:range = 70000 - 79999



[dept]
        path = /zexport/Dept
        read only = No
        create mask = 0770
        force create mode = 0600
        directory mask = 0775
        force directory mode = 0600
        inherit permissions = Yes
        inherit acls = Yes
        hide special files = Yes
        vfs objects = zfsacl
        zfsacl:acesort = dontcare
        nfs4:mode = special
        nfs4:chown = yes
        nfs4:acedup = merge

--------------------



I have a test user "linus" on the WINDOMAIN domain.  If I log into a
WINDOMAIN account on WINPDC, I am prompted for credentials on the
SAMBA/SMBPDC share and am denied.  This used to work (sort of) -  I recently
added the Solaris patch to update from 3.0.35 to 3.0.37.


The /var/log/samba/WINPDC.log file shows

...


  check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\[linus]@[WINPDC] with the new password interface
[2009/11/17 11:54:25, 3] auth/auth.c:(224)
  check_ntlm_password:  mapped user is: [WINDOMAIN]\[linus]@[WINPDC]
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/11/17 11:54:25, 3] smbd/uid.c:(408)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/17 11:54:25, 2] auth/auth.c:(319)
  check_ntlm_password:  Authentication for user [linus] -> [linus] FAILED with error NT_STATUS_NO_SUCH_USER
[2009/11/17 11:54:25, 3] smbd/error.c:(106)
  error packet at smbd/sesssetup.c(107) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2009/11/17 11:54:35, 3] smbd/process.c:(1083)
...


The /var/samba/log/log.wb-WINDOMAIN shows

...
[2009/11/17 08:14:48, 3] nsswitch/winbindd_pam.c:(1755)
  [13932]: pam auth crap domain: WINDOMAIN user: lucy
...
  [13932]: pam auth crap domain: WINDOMAIN user: charlie
[2009/11/17 10:59:54, 3] nsswitch/winbindd_pam.c:(1755)
  [13932]: pam auth crap domain: WINDOMAIN user: Administrator
[2009/11/17 10:59:54, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:54, 3] nsswitch/winbindd_ads.c:(1062)
  ads: fetch sequence_number for WINDOMAIN
[2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
  get_dc_list: preferred server list: ", *"
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
  get_dc_list: preferred server list: ", *"
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/11/17 10:59:54, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/11/17 10:59:54, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
[2009/11/17 10:59:54, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2009/11/17 10:59:55, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 17 Nov 2009 20:59:55 EST
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-xxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-xxxx- 
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-xxxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-xxxx for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-512 for domain WINDOMAIN
[2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-21-xxxx
[2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
  sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-519 for domain WINDOMAIN
[2009/11/17 11:00:01, 3] nsswitch/winbindd_pam.c:(1755)
  [13932]: pam auth crap domain: WINDOMAIN user: Administrator
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5xxxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-xxxx
[2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
  [13932]: lookupsid S-1-5-xxxx
[2009/11/17 11:28:15, 3] nsswitch/winbindd_ads.c:(1062)
  ads: fetch sequence_number for WINDOMAIN
[2009/11/17 11:28:15, 3] libads/ldap.c:(745)
  ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) -> Timelimit exceeded
[2009/11/17 11:28:15, 3] libads/ldap_utils.c:(76)
  Reopening ads connection to realm 'WINDOMAIN.DOMAIN.COM' after error Timelimit exceeded
[2009/11/17 11:28:15, 3] libsmb/namequery.c:(1557)
  get_dc_list: preferred server list: ", *"
[2009/11/17 11:28:15, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 11:28:15, 3] libads/ldap.c:(443)
  Connected to LDAP server 192.168.0.71
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/11/17 11:28:15, 3] libads/sasl.c:(291)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/11/17 11:28:15, 3] libads/sasl.c:(300)
  ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
[2009/11/17 11:28:15, 3] libsmb/clikrb5.c:(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 17 Nov 2009 20:59:55 EST
[2009/11/17 11:28:15, 3] nsswitch/winbindd_rpc.c:(342)
...




I am not using kerberos for anything.    As far as I know,  this should be
an "NT4" type trust.   NTLM a  It seems to be some sort of mapping error?


It looks like it doesn't handle the domain component properly, so strips it
off, and then tries to authenticate just the user name-  which of course it
can't.  

Thoughts?

Thanks
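The idmap stanza in the smb.conf above is the kind of configuration that fails quietly: a range that overlaps another range or the local account space, or a domain whose "idmap config" lines are present but which is missing from "idmap domains", produces no error at startup and only shows up as odd uids or failed lookups later. The Python script below is an added example for this page, not code from the poster or from the Samba project. It checks those conditions against an embedded copy of the posted idmap parameters (SAMPLE_SMB_CONF, constructed here) and a caller-supplied list of local uids/gids; the local-id list is an assumption you would fill from the ldapsam/files accounts, not from winbind-enumerated ones.

```python
"""Sanity-check the idmap parameters of a Samba 3.0.x smb.conf.

Added example for this thread, not code from the original post or from
Samba. It treats parameters the way loadparm does (case-insensitive keys,
'#' and ';' comments, whitespace around '=' ignored, last duplicate wins)
and reports:
  * a domain listed in 'idmap domains' with no backend or range,
  * 'idmap config X:' parameters for a domain not listed in 'idmap domains'
    (winbindd never consults them),
  * 'idmap config X:range' values that overlap each other or
    'idmap alloc config:range',
  * ranges that already contain ids assigned to local (ldapsam/files)
    accounts, supplied by the caller.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the idmap part of the smb.conf posted above.
SAMPLE_SMB_CONF = """
idmap domains = WINDOMAIN
idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default = no
idmap config WINDOMAIN:range = 30000-39999
#idmap config TESTDOMAIN:backend = ldap
#idmap config TESTDOMAIN:range = 40000-49999
idmap alloc backend = ldap
idmap alloc config:range = 70000 - 79999
"""

Range = Tuple[int, int]
IDMAP_KEY_RE = re.compile(r"idmap config ([^:]+):")


def parse_params(text: str) -> Dict[str, str]:
    """Return {lowercased parameter: value}; comments, [sections] and blank
    lines are skipped and a later duplicate overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def parse_range(value: str) -> Optional[Range]:
    """'30000-39999' or '70000 - 79999' -> (30000, 39999); None if malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(text: str, local_ids: Iterable[int] = ()) -> List[str]:
    """Return human-readable findings; an empty list means nothing found."""
    params = parse_params(text)
    findings: List[str] = []
    ranges: Dict[str, Range] = {}

    domains = [d for d in re.split(r"[,\s]+", params.get("idmap domains", "")) if d]
    listed = {d.lower() for d in domains}
    for dom in domains:
        prefix = f"idmap config {dom.lower()}:"
        if prefix + "backend" not in params:
            findings.append(f"{dom}: no 'idmap config {dom}:backend'")
        rng = parse_range(params.get(prefix + "range", ""))
        if rng is None:
            findings.append(f"{dom}: missing or malformed 'idmap config {dom}:range'")
        else:
            ranges[dom] = rng

    # 'idmap config' lines for a domain absent from 'idmap domains' are dead.
    unlisted = {m.group(1) for m in map(IDMAP_KEY_RE.match, params) if m} - listed
    for dom in sorted(unlisted):
        findings.append(f"{dom.upper()} has 'idmap config' parameters but is not in 'idmap domains'")

    alloc = params.get("idmap alloc config:range")
    if alloc is not None:
        rng = parse_range(alloc)
        if rng is None:
            findings.append("'idmap alloc config:range' is malformed")
        else:
            ranges["idmap alloc"] = rng

    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"ranges of {a} {ranges[a]} and {b} {ranges[b]} overlap")

    local = set(local_ids)  # assumed: ids of non-winbind accounts
    for name, (lo, hi) in ranges.items():
        clash = sorted(i for i in local if lo <= i <= hi)
        if clash:
            findings.append(f"{name} range {lo}-{hi} already contains local ids {clash[:5]}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF) or ["no idmap problems found"]:
        print(finding)
```

On the posted configuration the checker finds nothing: the WINDOMAIN range and the alloc range are disjoint and the TESTDOMAIN lines are commented out. Uncommenting the TESTDOMAIN lines without also adding TESTDOMAIN to "idmap domains" is exactly the case the second check is there to catch.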


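The two log excerpts above show smbd mapping the logon to [WINDOMAIN]\[linus] and then failing on the bare name [linus] with NT_STATUS_NO_SUCH_USER, while the winbindd log lists "pam auth crap" requests for other users but none for linus. The script below is an added example, not from the poster or from the Samba project, that automates that cross-check: it pairs each "mapped user is" line with the FAILED line that follows it and looks for a matching winbindd request. The sample logs are constructed here and modelled on the excerpts; the "lucy" entries are invented to show the contrasting case of a request that did reach winbindd. Run it against real smbd and log.wb-* files to list logons that never reached winbindd.

```python
r"""Correlate smbd logon failures with what winbindd was actually asked.

Added example for this thread, not code from the original post or from
Samba. Samba 3.0.x debug logs are header/message pairs:
'[YYYY/MM/DD HH:MM:SS, level] file:(line)' followed by an indented
message. From an smbd log this pulls each
'mapped user is: [DOM]\[user]@[ws]' together with the
'Authentication for user [x] -> [y] FAILED with error NT_STATUS_...'
that follows it, then looks in the winbindd log for a matching
'pam auth crap domain: DOM user: user' request. A failure in which the
domain-qualified name collapsed to a bare username and winbindd never
logged a request for it is the pattern reported.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] \S+")
MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[\s*([^\]]*)\]")
FAILED_RE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")
CRAP_RE = re.compile(r"pam auth crap domain: (\S+) user: (\S+)")

# Constructed sample logs modelled on the excerpts in the post; the
# 'lucy' entries are invented to show the contrasting, healthy case.
SMBD_LOG = r"""
[2009/11/17 11:54:25, 3] auth/auth.c:(224)
  check_ntlm_password:  mapped user is: [WINDOMAIN]\[linus]@[ WINPDC]
[2009/11/17 11:54:25, 2] auth/auth.c:(319)
  check_ntlm_password:  Authentication for user [linus] -> [linus] FAILED with error NT_STATUS_NO_SUCH_USER
[2009/11/17 11:55:02, 3] auth/auth.c:(224)
  check_ntlm_password:  mapped user is: [WINDOMAIN]\[lucy]@[ WINPDC]
[2009/11/17 11:55:02, 2] auth/auth.c:(319)
  check_ntlm_password:  Authentication for user [WINDOMAIN\lucy] -> [WINDOMAIN\lucy] FAILED with error NT_STATUS_WRONG_PASSWORD
"""
WINBINDD_LOG = r"""
[2009/11/17 11:55:02, 3] nsswitch/winbindd_pam.c:(1755)
  [13932]: pam auth crap domain: WINDOMAIN user: lucy
"""


@dataclass
class Failure:
    time: str
    domain: str
    user: str
    workstation: str
    failed_as: str
    status: str
    seen_by_winbindd: bool


def messages(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (timestamp, message) for each header/message pair in a log."""
    ts = ""
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = m.group(1)
        elif line.strip():
            yield ts, line.strip()


def winbindd_requests(wb_log: str) -> Set[Tuple[str, str]]:
    """(DOMAIN, user) pairs that winbindd logged as 'pam auth crap' requests."""
    return {(d.upper(), u.lower())
            for _, msg in messages(wb_log) for d, u in CRAP_RE.findall(msg)}


def correlate(smbd_log: str, wb_log: str) -> List[Failure]:
    """Pair each 'mapped user is' with the FAILED line that follows it."""
    seen = winbindd_requests(wb_log)
    out: List[Failure] = []
    pending: Optional[Tuple[str, str, str]] = None
    for ts, msg in messages(smbd_log):
        m = MAPPED_RE.search(msg)
        if m:
            pending = (m.group(1), m.group(2), m.group(3).strip())
            continue
        m = FAILED_RE.search(msg)
        if m and pending:
            dom, user, ws = pending
            out.append(Failure(ts, dom, user, ws, m.group(2), m.group(3),
                               (dom.upper(), user.lower()) in seen))
            pending = None
    return out


def stripped_domain_failures(smbd_log: str, wb_log: str) -> List[Failure]:
    """Failures where smbd dropped the domain and winbindd never saw the user."""
    return [f for f in correlate(smbd_log, wb_log)
            if f.domain and "\\" not in f.failed_as
            and f.failed_as.lower() == f.user.lower()
            and not f.seen_by_winbindd]


if __name__ == "__main__":
    for f in stripped_domain_failures(SMBD_LOG, WINBINDD_LOG):
        print(f"{f.time} {f.domain}\\{f.user} from {f.workstation}: "
              f"authenticated as bare '{f.failed_as}' -> {f.status}; "
              f"no winbindd request logged")
```

Against the sample the "linus" logon is reported and the "lucy" logon is not: lucy failed for an ordinary reason (wrong password) after winbindd was consulted, whereas linus was never handed to winbindd at all, which is what separates a bad password from a mapping problem.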






