[Samba] problem with samba 3.4.5-5.1 + winbind + windows 2008 R2 + trusted domain

intartaglia.maximilien max.intartaglia at ch-montperrin.fr
Tue Feb 9 04:33:45 MST 2010


The daemon winbind doesn't trusted domains windows 2008 R

Help me please

I've got a problem. My AD is a Windows 2008 R2 (schema 2003).

I have two Windows 2008 R2 RODCs in my architecture.
The version of samba is: Version 3.4.5-3.1-2289-SUSE-CODE11

I have two Windows 2008 R2 domains in my architecture:

Domain: medical
Domain: administratif

/samba/suse is joined to the domain Medical.

Net ads testjoin:
Ok

My problem is that the winbind daemon finds all my users of the domain medical but not those of the domain administratif.

I've found it's a problem with winbind (fix 7037 3.5rc2?)

Can you help me please:

The configuration:

/etc/krb5.conf:
[logging]
        default = FILE:SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]

        default_realm = MEDICAL.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
        clockskew = 3000



[realms]


MEDICAL.LOCAL = {
        kdc = 172.22.45.5
        admin_server = 192.168.11.70
        default_domain = MEDICAL
}
ADMINISTRATIF.LOCAL = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
        default_domain = ADMINISTRATIF
}

MEDICAL = {
        kdc = 172.22.45.5
        admin_server = 192.168.11.70
}
ADMINISTRATIF = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
}

[domain_realm]
        medical.local = MEDICAL.LOCAL
        .medical.local = MEDICAL.LOCAL
        administratif.local = ADMINISTRATIF.LOCAL
        .administratif.local = ADMINISTRATIF.LOCAL
        MEDICAL.LOCAL = MEDICAL.LOCAL
        .MEDICAL.LOCAL = MEDICAL.LOCAL
        .ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL
        ADMINISTRATIF = ADMINISTRATIF.LOCAL
        .ADMINISTRATIF = ADMINISTRATIF.LOCAL
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
}

Samba:
# Samba config file created using SWAT
# from relais (127.0.0.1)
# Date: 2004/01/05 13:42:43

# Global parameters
[global]
        log file = /var/log/samba/%m.log
        allow trusted domains = yes
        idmap gid = 10000-20000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        realm = MEDICAL.LOCAL
        winbind use default domain = no
        dns proxy = no
        printing = cups
        idmap uid = 10000-20000
        local master = no
        domain master = no
        preferred master = no
        template homedir = /home/%D/%U
        workgroup = MEDICAL
        os level = 0
        winbind refresh tickets = yes
        winbind enum groups = Yes
        winbind enum users = Yes
        security = ADS
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        winbind separator = /
        max log size = 1024
        usershare allow guests = No


The tests are here:


relay:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
relay:~ # wbinfo -m
BUILTIN
RELAY
MEDICAL
ADMINISTRATIF
relay:~ #

wbinfo -u

I have only the users from medical and not from administratif.

The log of /var/log/samba.log/wb-Administratif:


[2010/02/08 13:02:36,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed

But when I run this command (test user administratif), it's OK:

wbinfo -a administratif/almacom
Enter administratif/almacom's password:
plaintext password authentication succeeded
Enter administratif/almacom's password:
challenge/response password authentication succeeded





