[Samba] Why do Interdomain trusts try to use kerberos

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Apr 30 15:15:45 MDT 2010


I have set up a test PDC with samba 3.4.7 on a fedora core 12 linux 
machine. I have set up two way interdomain trusts with a Windows 2008 
domain. The domain and forest functional levels are Windows 2003.

Since the samba machine is not emulating an Active Directory Domain Controller, 
the Windows 2008 machine should think it is talking to an NT4 server. 
And since NT4-based domains don't use kerberos, I would have expected 
that kerberos would not be a factor.

On the Windows 2008 PDC I can grant samba users file access.


I set up the samba domain to trust the windows domain. I started 
the process on the windows PDC first.

------------------------------------------------------------------------------------------------------------
[samba_pdc]# net rpc trustdom establish win_domain

Enter SMB_DOMAIN$'s password:
Could not connect to server WIN_PDC
Trust to domain WIN_DOMAIN established
[samba_pdc]#


------------------------------------------------------------------------------------------------------------


Not sure if the "could not connect" error is a problem - I think I have 
seen that even when trusts are OK.


------------------------------------------------------------------------------------------------------------
[samba_pdc]# net rpc trustdom list -U Administrator -S samba_pdc

Enter Administrator's password:
Trusted domains list:

WIN_DOMAIN                 S-1-5-21-......................

Trusting domains list:

WIN_DOMAIN                 S-1-5-21-.....................

none
[samba_pdc]#
------------------------------------------------------------------------------------------------------------

On the samba server, "wbinfo -u" and "wbinfo -g" do not return any 
entries from the WIN_DOMAIN.  Log files show issues with idmap and kerberos.




# cat log.winbindd-idmap

[2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
   idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
[2010/04/30 15:36:53,  0] winbindd/idmap.c:589(idmap_alloc_init)
   ERROR: Initialization failed for alloc backend, deferred!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
   idmap_alloc module ldap already registered!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
   idmap_alloc module tdb already registered!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module passdb already registered!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module nss already registered!
[2010/04/30 15:36:53,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
   idmap uid missing
[2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
   Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete 
configuration


...


# cat log.wb-WIN_DOMAIN | more
...


[2010/04/30 16:15:19,  0] libads/kerberos.c:333(ads_kinit_password)
   kerberos_kinit_password RESEARCH at SSCI.COM failed: Cannot find KDC for 
requested realm
[2010/04/30 16:15:19,  1] 
winbindd/winbindd_ads.c:127(ads_cached_connection)
   ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for 
requested realm


------------------------------------------------------------------------------------------------------------


Any thoughts? Can I force samba to not try kerberos? Are the two sets 
of errors even related? Or can I just add a krb5.conf entry for the 
WIN_DOMAIN even if I am not using kerberos otherwise?

Thanks
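The two failure families in the logs quoted above (idmap ranges not configured, no KDC found for the trusted realm) can be pulled out of winbindd logs mechanically, even after a mail client has wrapped records across lines. This is an added example by the editor, not code from the poster or from Samba; the sample records are constructed from the lines quoted in the message, and the RULES table is the editor's own classification, not a Samba definition.

```python
import re

# Constructed sample, modelled on the winbindd log lines quoted in this post;
# the mail client wrapped two of the records across lines, as it did here.
SAMPLE_LOG = """\
[2010/04/30 15:36:53,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
   idmap uid missing
[2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
   Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete
configuration
[2010/04/30 16:15:19,  1]
winbindd/winbindd_ads.c:127(ads_cached_connection)
   ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for
requested realm
"""
# A record starts with "[YYYY/MM/DD hh:mm:ss, level]"; everything up to the
# next such line belongs to it, however the mailer wrapped it.
RECORD_START = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\s*\d+\]")
HEADER = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+\.c:\d+\(\w+\))\s*(?P<msg>.*)$"
)
# Editor's assumption: message fragments that identify the two failure families.
RULES = {
    "idmap": ("idmap uid missing", "IDMAP_VERSION", "unable to map foreign SIDs"),
    "kerberos": ("Cannot find KDC",),
}

def parse_samba_log(text):
    """Re-join wrapped lines into records and split each into its fields."""
    records, current = [], []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if RECORD_START.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    entries = []
    for rec in records:
        m = HEADER.match(rec)
        if m:  # skip truncated records rather than guess their fields
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "src": m["src"], "msg": m["msg"].strip()})
    return entries

def triage(text):
    """Map each known failure family to the log entries that show it."""
    found = {}
    for e in parse_samba_log(text):
        for cat, needles in RULES.items():
            if any(n in e["msg"] for n in needles):
                found.setdefault(cat, []).append(e)
    return found
```

Running `triage` over a full log.wb-* file separates configuration problems (idmap) from name-resolution problems (no KDC for the realm), which is the first step in answering whether the two sets of errors are related.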
