[Samba] AD Auth Trusted Domain issues

Paul Lauss plauss at protocolgs.com
Mon Mar 29 16:54:37 MDT 2010


I have been killing myself on this issue over the last 2 weeks.  I have
set up PAM AD authentication using winbind on our company's email
servers.  That part is currently working.  I have been trying to add an
existing "Trusted" child domain and allow authentication from that
domain as well.  I am part of the way there, but not quite to the
functional point as of yet.  Our primary domain is rdomainprv or
rdomain.prv and the child domain is kid.rdomain.prv.  Below is what I am
seeing, followed by my configs.  Also, we had to open ports 88, 139 and
389 (I believe those are the correct ports, though the networking guys
opened them) from the email/winbind server to the child domain, at the
firewall.  Any help would be very much appreciated!

mailtestbed:~# wbinfo --all-domains
BUILTIN
MAILTESTBED
RDOMAINPRV
KID

mailtestbed:~# wbinfo -u | grep testuser
KID\testuser

mailtestbed:~# wbinfo -a KID\\testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Here is where it's falling apart:
mailtestbed:~# wbinfo -i KID\\testuser
Could not get info for user KID\testuser

mailtestbed:~# id KID\\testuser
id: KID\testuser: No such user

mailtestbed:~# id testuser
id: testuser: No such user

mailtestbed:~# getent passwd KID\\testuser
mailtestbed:~#

mailtestbed:~# getent passwd testuser
mailtestbed:~#

mailtestbed:~# id RDOMAINPRV\\testmer
uid=10001(testmer) gid=10001 groups=999(users)

mailtestbed:~# getent passwd RDOMAINPRV\\testmer
testmer:*:10001:10001::/home/testmer:/bin/bash

mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
testmer:*:10001:10001::/home/testmer:/bin/bash

Versions (Debian Lenny)
samba    2:3.2.5-4lenny9
winbind  2:3.2.5-4lenny9

smb.conf
# smb.conf as posted: winbind on an AD member server (security = ADS),
# with a trusted child domain (KID) that should also be able to log in.
[global]
   # NetBIOS domain name and Kerberos realm of the domain this host is joined to.
   workgroup = RDOMAINPRV
   realm = RDOMAIN.PRV
   server string = %h server
   dns proxy = no
   name resolve order = lmhosts host wins bcast
   # One log file per client machine name (%m); max log size is in KiB.
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   # With unix password sync enabled, smbd runs the passwd program as root
   # when an SMB password is changed; keep the program path absolute.
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   # NOTE(review): the passwd chat value continues on the following line as
   # posted, presumably wrapped by the mail client; confirm the real file
   # keeps it on one line.
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   # Accept users from domains trusted by RDOMAINPRV (here: KID).
   allow trusted domains = yes
   winbind trusted domains only = no
   # The ad idmap backend is read-only: it takes uidNumber/gidNumber from the
   # AD objects and only accepts IDs that fall inside the ranges below.
   # NOTE(review): authentication for KID\testuser succeeds while the
   # uid lookup (wbinfo -i, id, getent) fails; that would fit a user with no
   # POSIX attributes in range, or a trusted domain that has no idmap
   # configuration of its own; confirm against idmap_ad(8) for this version.
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   template homedir = /home/%U
   # Unqualified names are treated as members of this server's own domain
   # (RDOMAINPRV), so a bare "testuser" is never looked up in KID.
   # Review for name collisions: the same short name in both domains would
   # refer to different accounts.
   winbind use default domain = yes
   # Home directory and shell come from the RFC 2307 attributes stored in AD.
   winbind nss info = rfc2307
   winbind nested groups = yes
   client use spnego = yes
   # As a client, send only NTLMv2 responses (no LM/NTLM).
   client ntlmv2 auth = yes
   # Restrict anonymous (null session) access.
   restrict anonymous = 2
   # Enumeration is off: listing all users/groups through NSS (for example
   # "getent passwd" with no argument) returns no domain accounts; lookups
   # by name are unaffected.
   winbind enum groups = no
   winbind enum users = no
   # Seconds that winbindd caches user and group information.
   winbind cache time = 30

krb5.conf
# Client-wide Kerberos defaults.
[libdefaults]
        # Realm assumed for principals given without an explicit realm.
        default_realm = RDOMAIN.PRV
        # krb4_* / v4_* entries below are Kerberos 4 compatibility settings;
        # NOTE(review): they look like distribution template leftovers and
        # are probably unused against AD; confirm before removing.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        # The three enctype lists still permit single DES (des-cbc-crc,
        # des-cbc-md5), which is cryptographically weak; arcfour-hmac-md5
        # (RC4) is also a legacy type. Where the domain controllers allow
        # it, restrict these lists to the AES types.
        # NOTE(review): each list continues on the next line as posted,
        # presumably wrapped by the mail client; confirm the real file keeps
        # each value on one line.
        default_tgs_enctypes = aes256-cts arcfour-hmac-md5
des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts arcfour-hmac-md5
des3-hmac-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
des-cbc-crc des-cbc-md5
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
# Per-realm KDC lists: the parent realm and the trusted child realm.
[realms]
        RDOMAIN.PRV = {
                default_domain = RDOMAIN.PRV
                master_kdc = dc02.rdomain.prv
                admin_server = dc02.rdomain.prv
                kdc = aurad.rdomain.prv
                kdc = addc01.rdomain.prv
                kdc = addc02.rdomain.prv
                kdc = addc03.rdomain.prv
                #kdc = addc04.rdomain.prv
                kdc = addc05.rdomain.prv
                # NOTE(review): by its name this host is a controller of the
                # child domain; a KDC issues tickets for its own realm only,
                # so it presumably does not belong in the parent's list.
                # Confirm.
                kdc = chlddc01.kid.rdomain.prv
        }
        KID.RDOMAIN.PRV = {
                default_domain = KID.RDOMAIN.PRV
                kdc = chlddc01.kid.rdomain.prv
                # NOTE(review): master_kdc, admin_server and the two kdc
                # entries below name hosts under rdomain.prv, i.e. apparently
                # parent-domain controllers listed for the child realm.
                # Requests for KID.RDOMAIN.PRV sent to them would presumably
                # be rejected; verify which hosts really serve this realm.
               master_kdc = addc02.rdomain.prv
                admin_server = addc02.rdomain.prv
                kdc = addc01.rdomain.prv
                kdc = addc02.rdomain.prv
        }
# Maps DNS names to realms. A leading dot matches every host below that
# domain; the entry without the dot matches the bare domain name itself.
# The kid.rdomain.prv entries send child-domain hosts to the child realm,
# and other rdomain.prv hosts go to the parent realm.
[domain_realm]
        .rdomain.prv = RDOMAIN.PRV
        rdomain.prv = RDOMAIN.PRV
        .kid.rdomain.prv = KID.RDOMAIN.PRV
        kid.rdomain.prv = KID.RDOMAIN.PRV
# Points at a KDC server configuration file.
# NOTE(review): this host is described as a winbind client, not a KDC, so
# this section is presumably unused here; confirm.
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
# Per-application defaults; the "pam" block is presumably read by a Kerberos
# PAM module (verify which module, if any, is in the PAM stack alongside
# winbind).
[appdefaults]
 pam = {
   debug = false
   # NOTE(review): lifetimes are presumably in seconds (36000 = 10 hours),
   # and renew_lifetime equals ticket_lifetime; confirm the intended renewal
   # window.
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   # NOTE(review): presumably makes the module verify the obtained TGT
   # against a local key, which guards against a spoofed KDC; confirm it is
   # honoured by the module in use and keep it enabled.
   validate = true
 }
# Settings for a Kerberos-aware login program; both keys concern Kerberos 4.
# NOTE(review): krb4_convert is true here but false in the pam block of
# [appdefaults]; Kerberos 4 is presumably unused, so confirm whether this
# section is needed at all.
[login]
        krb4_convert = true
        krb4_get_tickets = false



