[Samba] AD Auth Trusted Domain issues

Paul Lauss plauss at protocolgs.com
Tue Mar 30 08:09:09 MDT 2010


Hello,
Thank you so much for your reply!  We are using AD 2003 R2 on both the
domain and the child domain.  I am using 10000-29999 for IDs on the main
domain (RDOMAIN) and 30000-100000 on the child domain (KID). 
Interestingly, in the Unix tab (in AD Users and Computers for any
object) under "NIS Domain" on any of the RDOMAIN servers we get the
pulldown option "RDOMAIN" but on the Trusted domains server the only
option is "KID".  I'm not sure if that is expected or would affect this
but I can't seem to get the RDOMAIN option in the KID Trusted domain.

Thanks,
-Paul

On 3/30/2010 2:27 AM, François Legal wrote:
> Hello,
>
> I'm not familiar with this kind of setup, but I wonder whether or not the
> KID domain has the SFU schema extensions setup for idmapping (see idmap
> backend = ad) and if properly setup, check that the defined uid/gid for
> that domain fall in the idmap uid range
>
> François
>
> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com>
> wrote:
>   
>> I have been killing myself on this issue over the last 2 weeks.  I have
>> set up pam AD authentication using winbind on our company's email
>> servers.  That part is currently working.  I have been trying to add an
>> existing "Trusted" child domain and allow authentication from that
>> domain as well.  I am part of the way there, but not quite to the
>> functional point as of yet.  Our primary domain is rdomainprv or
>> rdomain.prv and the child domain is kid.rdomain.prv.  Below is what I am
>> seeing, followed by my configs.  Also, we had to open ports 88, 139 and
>> 389 (I believe those are the correct ports, though the networking guys
>> opened them) from the email/winbind server to the child domain, at the
>> firewall.  Any help would be very much appreciated!
>>
>> mailtestbed:~# wbinfo --all-domains
>> BUILTIN
>> MAILTESTBED
>> RDOMAINPRV
>> KID
>>
>> mailtestbed:~# wbinfo -u | grep testuser
>> KID\testuser
>>
>> mailtestbed:~# wbinfo -a KID\\testuser%password
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> Here is where it's falling apart:
>> mailtestbed:~# wbinfo -i KID\\testuser
>> Could not get info for user KID\testuser
>>
>> mailtestbed:~# id KID\\testuser
>> id: KID\testuser: No such user
>>
>> mailtestbed:~# id testuser
>> id: testuser: No such user
>>
>> mailtestbed:~# getent passwd KID\\testuser
>> mailtestbed:~#
>>
>> mailtestbed:~# getent passwd testuser
>> mailtestbed:~#
>>
>> mailtestbed:~# id RDOMAINPRV\\testmer
>> uid=10001(testmer) gid=10001 groups=999(users)
>>
>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer
>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>
>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>
>> Versions (Debian Lenny)
>> samba    2:3.2.5-4lenny9
>> winbind  2:3.2.5-4lenny9
>>
>> smb.conf
>> [global]
>>    workgroup = RDOMAINPRV
>>    realm = RDOMAIN.PRV
>>    server string = %h server
>>    dns proxy = no
>>    name resolve order = lmhosts host wins bcast
>>    log file = /var/log/samba/log.%m
>>    max log size = 1000
>>    syslog = 0
>>    panic action = /usr/share/samba/panic-action %d
>>    security = ADS
>>    encrypt passwords = yes
>>    passdb backend = tdbsam
>>    obey pam restrictions = yes
>>    unix password sync = yes
>>    passwd program = /usr/bin/passwd %u
>>    passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>    pam password change = yes
>>    allow trusted domains = yes
>>    winbind trusted domains only = no
>>    idmap backend = ad
>>    idmap uid = 10000-1000000
>>    idmap gid = 10000-1000000
>>    template homedir = /home/%U
>>    winbind use default domain = yes
>>    winbind nss info = rfc2307
>>    winbind nested groups = yes
>>    client use spnego = yes
>>    client ntlmv2 auth = yes
>>    restrict anonymous = 2
>>    winbind enum groups = no
>>    winbind enum users = no
>>    winbind cache time = 30
>>
>> krb5.conf
>> [libdefaults]
>>         default_realm = RDOMAIN.PRV
>>         krb4_config = /etc/krb.conf
>>         krb4_realms = /etc/krb.realms
>>         kdc_timesync = 1
>>         ccache_type = 4
>>         forwardable = true
>>         proxiable = true
>>         default_tgs_enctypes = aes256-cts arcfour-hmac-md5
>> des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>         default_tkt_enctypes = aes256-cts arcfour-hmac-md5
>> des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>         permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
>> des-cbc-crc des-cbc-md5
>>         v4_instance_resolve = false
>>         v4_name_convert = {
>>                 host = {
>>                         rcmd = host
>>                         ftp = ftp
>>                 }
>>                 plain = {
>>                         something = something-else
>>                 }
>>         }
>>         fcc-mit-ticketflags = true
>> [realms]
>>         RDOMAIN.PRV = {
>>                 default_domain = RDOMAIN.PRV
>>                 master_kdc = dc02.rdomain.prv
>>                 admin_server = dc02.rdomain.prv
>>                 kdc = aurad.rdomain.prv
>>                 kdc = addc01.rdomain.prv
>>                 kdc = addc02.rdomain.prv
>>                 kdc = addc03.rdomain.prv
>>                 #kdc = addc04.rdomain.prv
>>                 kdc = addc05.rdomain.prv
>>                 kdc = chlddc01.kid.rdomain.prv
>>         }
>>         KID.RDOMAIN.PRV = {
>>                 default_domain = KID.RDOMAIN.PRV
>>                 kdc = chlddc01.kid.rdomain.prv
>>                master_kdc = addc02.rdomain.prv
>>                 admin_server = addc02.rdomain.prv
>>                 kdc = addc01.rdomain.prv
>>                 kdc = addc02.rdomain.prv
>>         }
>> [domain_realm]
>>         .rdomain.prv = RDOMAIN.PRV
>>         rdomain.prv = RDOMAIN.PRV
>>         .kid.rdomain.prv = KID.RDOMAIN.PRV
>>         kid.rdomain.prv = KID.RDOMAIN.PRV
>> [kdc]
>>  profile = /var/kerberos/krb5kdc/kdc.conf
>> [appdefaults]
>>  pam = {
>>    debug = false
>>    ticket_lifetime = 36000
>>    renew_lifetime = 36000
>>    forwardable = true
>>    krb4_convert = false
>>    validate = true
>>  }
>> [login]
>>         krb4_convert = true
>>         krb4_get_tickets = false
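An added example, not code from this thread, that checks the two things François suggests for the KID users: whether each account carries the RFC2307/SFU uidNumber and gidNumber attributes at all, and whether those values fall inside the `idmap uid` / `idmap gid` ranges parsed from the smb.conf above. The SMB_CONF excerpt, the SAMPLE_USERS records (standing in for what idmap_ad would read from AD) and the function names are constructed assumptions.

```python
import re

# Constructed excerpt of the smb.conf posted in this thread (idmap lines only).
SMB_CONF = """
[global]
   workgroup = RDOMAINPRV
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind nss info = rfc2307
"""

# Constructed sample records standing in for the RFC2307/SFU attributes that
# idmap_ad reads from each user object (None = attribute absent in AD).
SAMPLE_USERS = [
    {"domain": "RDOMAINPRV", "name": "testmer", "uidNumber": 10001, "gidNumber": 10001},
    {"domain": "KID", "name": "testuser", "uidNumber": None, "gidNumber": None},
    {"domain": "KID", "name": "lowuid", "uidNumber": 5000, "gidNumber": 30000},
]

def parse_idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from 'idmap uid/gid = lo-hi' lines."""
    ranges = {}
    for m in re.finditer(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", conf, re.M):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_user(user, ranges):
    """List the reasons idmap_ad could not map this user; empty list means OK."""
    problems = []
    for attr, key in (("uidNumber", "uid"), ("gidNumber", "gid")):
        value = user.get(attr)
        if value is None:
            problems.append(f"{attr} missing (SFU/RFC2307 attribute not set)")
            continue
        lo, hi = ranges[key]
        if not lo <= value <= hi:
            problems.append(f"{attr}={value} outside idmap {key} range {lo}-{hi}")
    return problems

def audit(users, conf):
    """Map 'DOMAIN\\user' -> list of problems for every sample record."""
    ranges = parse_idmap_ranges(conf)
    return {f"{u['domain']}\\{u['name']}": check_user(u, ranges) for u in users}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_USERS, SMB_CONF).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A user reported with "missing" matches the symptom in the thread (wbinfo -a succeeds because authentication needs no Unix ID, while wbinfo -i, id and getent fail because no uid can be mapped).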