[Samba] AD Auth Trusted Domain issues
Paul Lauss
plauss at protocolgs.com
Mon Mar 29 16:54:37 MDT 2010
I have been killing myself on this issue over the last 2 weeks. I have
set up PAM AD authentication using winbind on our company's email
servers. That part is currently working. I have been trying to add an
existing "Trusted" child domain and allow authentication from that
domain as well. I am part of the way there, but not quite to the
functional point yet. Our primary domain is rdomainprv or
rdomain.prv and the child domain is kid.rdomain.prv. Below is what I am
seeing, followed by my configs. Also, we had to open ports 88, 139 and
389 (I believe those are the correct ports, though the networking guys
opened them) from the email/winbind server to the child domain, at the
firewall. Any help would be very much appreciated!
mailtestbed:~# wbinfo --all-domains
BUILTIN
MAILTESTBED
RDOMAINPRV
KID
mailtestbed:~# wbinfo -u | grep testuser
KID\testuser
mailtestbed:~# wbinfo -a KID\\testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
Here is where it's falling apart:
mailtestbed:~# wbinfo -i KID\\testuser
Could not get info for user KID\testuser
mailtestbed:~# id KID\\testuser
id: KID\testuser: No such user
mailtestbed:~# id testuser
id: testuser: No such user
mailtestbed:~# getent passwd KID\\testuser
mailtestbed:~#
mailtestbed:~# getent passwd testuser
mailtestbed:~#
mailtestbed:~# id RDOMAINPRV\\testmer
uid=10001(testmer) gid=10001 groups=999(users)
mailtestbed:~# getent passwd RDOMAINPRV\\testmer
testmer:*:10001:10001::/home/testmer:/bin/bash
mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
testmer:*:10001:10001::/home/testmer:/bin/bash
Versions (Debian Lenny)
samba 2:3.2.5-4lenny9
winbind 2:3.2.5-4lenny9
smb.conf
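[global]
# This host is an Active Directory member server (security = ADS below);
# workgroup/realm name the domain it was joined to.
workgroup = RDOMAINPRV
realm = RDOMAIN.PRV
server string = %h server
dns proxy = no
name resolve order = lmhosts host wins bcast
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
encrypt passwords = yes
passdb backend = tdbsam
obey pam restrictions = yes
# Local password-change hooks carried over from the Debian default smb.conf.
# They concern local (tdbsam) accounts and are not part of the winbind lookup
# path being debugged here.
unix password sync = yes
passwd program = /usr/bin/passwd %u
# One logical line; the original post shows it wrapped by the mail client.
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# Trust handling: accept logons from domains trusted by RDOMAINPRV (e.g. KID),
# not only from the trusted domains.
allow trusted domains = yes
winbind trusted domains only = no
# ID mapping is read from AD itself (uidNumber/gidNumber on the user object)
# rather than allocated locally; only IDs inside the idmap ranges are accepted.
# NOTE(review): a user whose AD object carries no uidNumber/gidNumber (or one
# outside the range) cannot be resolved by winbind even though password
# authentication succeeds -- that matches the KID\testuser symptom above, so
# the KID user objects are the first thing to check. Range handling of the ad
# backend in 3.2: TODO confirm against idmap_ad(8) for this version.
idmap backend = ad
idmap uid = 10000-1000000
idmap gid = 10000-1000000
template homedir = /home/%U
# Strips the DOMAIN\ prefix from usernames. With more than one domain visible,
# identically named accounts in different domains become ambiguous; worth
# reconsidering while trusts are in play.
winbind use default domain = yes
winbind nss info = rfc2307
winbind nested groups = yes
client use spnego = yes
# Hardening: this client only sends NTLMv2 responses, and anonymous IPC$
# connections to this server are refused.
client ntlmv2 auth = yes
restrict anonymous = 2
winbind enum groups = no
winbind enum users = no
# Seconds winbind caches user/group information; 30 is very low for a
# production host and increases load on the DCs.
winbind cache time = 30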
krb5.conf
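[libdefaults]
default_realm = RDOMAIN.PRV
# Kerberos 4 compatibility settings (Debian defaults); obsolete but harmless.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# Each enctype list is one logical line; the original post shows them wrapped
# by the mail client. The Debian default file ships these commented out and
# notes that the library defaults are normally preferable.
# NOTE(review): des-cbc-crc and des-cbc-md5 are single DES, which is
# deprecated as broken; leaving them in the permitted list allows a session
# to fall back to DES whenever a KDC offers it. arcfour-hmac-md5 (RC4) is
# what many 2003-era DCs still negotiate, so remove DES first and RC4 once
# every DC in both domains supports AES.
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# Heimdal-only settings (Debian defaults); ignored by MIT Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
RDOMAIN.PRV = {
    default_domain = RDOMAIN.PRV
    master_kdc = dc02.rdomain.prv
    admin_server = dc02.rdomain.prv
    kdc = aurad.rdomain.prv
    kdc = addc01.rdomain.prv
    kdc = addc02.rdomain.prv
    kdc = addc03.rdomain.prv
    # Commented out in the original post; no reason given.
    #kdc = addc04.rdomain.prv
    kdc = addc05.rdomain.prv
    # NOTE(review): chlddc01 belongs to the child domain KID. An AD domain
    # controller only issues tickets for its own domain's realm, so this entry
    # is presumably misplaced and should live only under KID.RDOMAIN.PRV.
    kdc = chlddc01.kid.rdomain.prv
}
KID.RDOMAIN.PRV = {
    default_domain = KID.RDOMAIN.PRV
    kdc = chlddc01.kid.rdomain.prv
    # NOTE(review): the remaining entries name parent-domain DCs, which do not
    # serve KID.RDOMAIN.PRV; if chlddc01 is unreachable the library will retry
    # against hosts that cannot answer for this realm. Confirm the child
    # domain's own DC list before relying on failover.
    master_kdc = addc02.rdomain.prv
    admin_server = addc02.rdomain.prv
    kdc = addc01.rdomain.prv
    kdc = addc02.rdomain.prv
}

[domain_realm]
.rdomain.prv = RDOMAIN.PRV
rdomain.prv = RDOMAIN.PRV
# Child-domain hosts: the more specific suffix takes precedence over .rdomain.prv.
.kid.rdomain.prv = KID.RDOMAIN.PRV
kid.rdomain.prv = KID.RDOMAIN.PRV

[kdc]
# Only consulted by a local KDC process; unused on a member server.
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
# pam_krb5 settings.
pam = {
    debug = false
    # seconds
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    # Verify the obtained TGT against the local host keytab, so a logon is not
    # accepted on the word of an impostor KDC.
    validate = true
}

[login]
krb4_convert = true
krb4_get_tickets = false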