[Samba] AD Auth Trusted Domain issues

Paul Lauss plauss at protocolgs.com
Tue Mar 30 12:23:02 MDT 2010


The trust check succeeded... I have attached the pertinent logs... it
looks like it is timing out... I am not sure why though.  The link
should be a little slower, but it shouldn't be terrible; it is a 2Mb pipe.

mailtestbed:~# wbinfo -t
checking the trust secret via RPC calls succeeded

On 3/30/2010 9:47 AM, François Legal wrote:
> I'm not sure I 100% understand what you mean (it's been a long time since
> I last used an AD server with SFU).
> However, next step now will be to increase winbindd debug level while
> issuing the wbinfo -i command, and see what fails there.
>
> Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity.
>
> François
>
> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <plauss at protocolgs.com>
> wrote:
>   
>> Hello,
>> Thank you so much for your reply!  We are using AD 2003 R2 on both the
>> domain and the child domain.  I am using 10000-29999 for IDs on the main
>> domain (RDOMAIN) and 30000-100000 on the child domain (KID). 
>> Interestingly, in the Unix tab (in AD Users and Computers for any
>> object) under "NIS Domain" on any of the RDOMAIN servers we get the
>> pulldown option "RDOMAIN" but on the Trusted domains server the only
>> option is "KID".  I'm not sure if that is expected or would affect this
>> but I can't seem to get the RDOMAIN option in the KID Trusted domain.
>>
>> Thanks,
>> -Paul
>>
>> On 3/30/2010 2:27 AM, François Legal wrote:
>>     
>>> Hello,
>>>
>>> I'm not familiar with this kind of setup, but I wonder whether or not the
>>> KID domain has the SFU schema extensions set up for idmapping (see idmap
>>> backend = ad) and, if properly set up, check that the defined uid/gid for
>>> that domain fall in the idmap uid range
>>>
>>> François
>>>
>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com>
>>> wrote:
>>>   
>>>       
>>>> I have been killing myself on this issue over the last 2 weeks.  I have
>>>> set up PAM AD authentication using winbind on our company's email
>>>> servers.  That part is currently working.  I have been trying to add an
>>>> existing "Trusted" child domain and allow authentication from that
>>>> domain as well.  I am part of the way there, but not quite to the
>>>> functional point as of yet.  Our primary domain is rdomainprv or
>>>> rdomain.prv and the child domain is kid.rdomain.prv.  Below is what I am
>>>> seeing, followed by my configs.  Also, we had to open ports 88, 139 and
>>>> 389 (I believe those are the correct ports, though the networking guys
>>>> opened them) from the email/winbind server to the child domain, at the
>>>> firewall.  Any help would be very much appreciated!
>>>>
>>>> mailtestbed:~# wbinfo --all-domains
>>>> BUILTIN
>>>> MAILTESTBED
>>>> RDOMAINPRV
>>>> KID
>>>>
>>>> mailtestbed:~# wbinfo -u | grep testuser
>>>> KID\testuser
>>>>
>>>> mailtestbed:~# wbinfo -a KID\\testuser%password
>>>> plaintext password authentication succeeded
>>>> challenge/response password authentication succeeded
>>>>
>>>> Here is where it's falling apart:
>>>> mailtestbed:~# wbinfo -i KID\\testuser
>>>> Could not get info for user KID\testuser
>>>>
>>>> mailtestbed:~# id KID\\testuser
>>>> id: KID\testuser: No such user
>>>>
>>>> mailtestbed:~# id testuser
>>>> id: testuser: No such user
>>>>
>>>> mailtestbed:~# getent passwd KID\\testuser
>>>> mailtestbed:~#
>>>>
>>>> mailtestbed:~# getent passwd testuser
>>>> mailtestbed:~#
>>>>
>>>> mailtestbed:~# id RDOMAINPRV\\testmer
>>>> uid=10001(testmer) gid=10001 groups=999(users)
>>>>
>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer
>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>
>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>
>>>> Versions (Debian Lenny)
>>>> samba    2:3.2.5-4lenny9
>>>> winbind  2:3.2.5-4lenny9
>>>>
>>>> smb.conf
>>>> [global]
>>>>    workgroup = RDOMAINPRV
>>>>    realm = RDOMAIN.PRV
>>>>    server string = %h server
>>>>    dns proxy = no
>>>>    name resolve order = lmhosts host wins bcast
>>>>    log file = /var/log/samba/log.%m
>>>>    max log size = 1000
>>>>    syslog = 0
>>>>    panic action = /usr/share/samba/panic-action %d
>>>>    security = ADS
>>>>    encrypt passwords = yes
>>>>    passdb backend = tdbsam
>>>>    obey pam restrictions = yes
>>>>    unix password sync = yes
>>>>    passwd program = /usr/bin/passwd %u
>>>>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>    pam password change = yes
>>>>    allow trusted domains = yes
>>>>    winbind trusted domains only = no
>>>>    idmap backend = ad
>>>>    idmap uid = 10000-1000000
>>>>    idmap gid = 10000-1000000
>>>>    template homedir = /home/%U
>>>>    winbind use default domain = yes
>>>>    winbind nss info = rfc2307
>>>>    winbind nested groups = yes
>>>>    client use spnego = yes
>>>>    client ntlmv2 auth = yes
>>>>    restrict anonymous = 2
>>>>    winbind enum groups = no
>>>>    winbind enum users = no
>>>>    winbind cache time = 30
>>>>
>>>> krb5.conf
>>>> [libdefaults]
>>>>         default_realm = RDOMAIN.PRV
>>>>         krb4_config = /etc/krb.conf
>>>>         krb4_realms = /etc/krb.realms
>>>>         kdc_timesync = 1
>>>>         ccache_type = 4
>>>>         forwardable = true
>>>>         proxiable = true
>>>>         default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>         default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>         permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>         v4_instance_resolve = false
>>>>         v4_name_convert = {
>>>>                 host = {
>>>>                         rcmd = host
>>>>                         ftp = ftp
>>>>                 }
>>>>                 plain = {
>>>>                         something = something-else
>>>>                 }
>>>>         }
>>>>         fcc-mit-ticketflags = true
>>>> [realms]
>>>>         RDOMAIN.PRV = {
>>>>                 default_domain = RDOMAIN.PRV
>>>>                 master_kdc = dc02.rdomain.prv
>>>>                 admin_server = dc02.rdomain.prv
>>>>                 kdc = aurad.rdomain.prv
>>>>                 kdc = addc01.rdomain.prv
>>>>                 kdc = addc02.rdomain.prv
>>>>                 kdc = addc03.rdomain.prv
>>>>                 #kdc = addc04.rdomain.prv
>>>>                 kdc = addc05.rdomain.prv
>>>>                 kdc = chlddc01.kid.rdomain.prv
>>>>         }
>>>>         KID.RDOMAIN.PRV = {
>>>>                 default_domain = KID.RDOMAIN.PRV
>>>>                 kdc = chlddc01.kid.rdomain.prv
>>>>                 master_kdc = addc02.rdomain.prv
>>>>                 admin_server = addc02.rdomain.prv
>>>>                 kdc = addc01.rdomain.prv
>>>>                 kdc = addc02.rdomain.prv
>>>>         }
>>>> [domain_realm]
>>>>         .rdomain.prv = RDOMAIN.PRV
>>>>         rdomain.prv = RDOMAIN.PRV
>>>>         .kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>         kid.rdomain.prv = KID.RDOMAIN.PRV
>>>> [kdc]
>>>>  profile = /var/kerberos/krb5kdc/kdc.conf
>>>> [appdefaults]
>>>>  pam = {
>>>>    debug = false
>>>>    ticket_lifetime = 36000
>>>>    renew_lifetime = 36000
>>>>    forwardable = true
>>>>    krb4_convert = false
>>>>    validate = true
>>>>  }
>>>> [login]
>>>>         krb4_convert = true
>>>>         krb4_get_tickets = false
>>>>
>>>>         
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ADlogs.text
URL: <http://lists.samba.org/pipermail/samba/attachments/20100330/ea13781c/attachment.text>
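François's suggestion earlier in the thread (confirm that the trusted domain's uid/gid values actually fall inside the configured idmap range) can be scripted so the check is repeatable. The following is an added example, not code from this thread or from the Samba project: it reads the `idmap uid` / `idmap gid` lines from an smb.conf excerpt (and, if present, per-domain `idmap config DOM : range` lines; that this per-domain syntax is available in the 3.2 release used here is an assumption) and then checks user records shaped like the uidNumber/gidNumber attributes that `idmap backend = ad` reads from AD. The smb.conf excerpt and the three user records are constructed for the example. A record with no uidNumber is what a child-domain account without SFU/RFC2307 attributes looks like to winbind, and is consistent with `wbinfo -a` succeeding while `wbinfo -i` and `getent passwd` return nothing, since authentication does not need a uid mapping but NSS lookups do.

```python
"""Audit RFC2307 uid/gid values against the winbind idmap ranges in smb.conf.

Added example for the thread above; not Samba code. The smb.conf text and
the user records are constructed sample data, and the per-domain
`idmap config DOM : range` syntax is assumed to be supported.
"""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed smb.conf excerpt mirroring the thread's global idmap settings.
SMB_CONF = """
[global]
   workgroup = RDOMAINPRV
   realm = RDOMAIN.PRV
   security = ADS
   allow trusted domains = yes
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind nss info = rfc2307
"""

# Constructed records standing in for the uidNumber/gidNumber attributes an
# LDAP search of AD returns. None models an account with no SFU attributes.
USERS = [
    {"domain": "RDOMAINPRV", "name": "testmer", "uidNumber": 10001, "gidNumber": 10001},
    {"domain": "KID", "name": "testuser", "uidNumber": None, "gidNumber": None},
    {"domain": "KID", "name": "svc_mail", "uidNumber": 30010, "gidNumber": 2000000},
]

_RANGE_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
_DOM_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Dict[str, Range]]:
    """Return {'*': {'uid': (lo, hi), 'gid': (lo, hi)}, 'DOM': {...}}.

    '*' holds the global `idmap uid` / `idmap gid` ranges; a per-domain
    `idmap config DOM : range` line applies to both uid and gid for DOM.
    """
    ranges: Dict[str, Dict[str, Range]] = {"*": {}}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges["*"][m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = _DOM_RE.match(line)
        if m:
            r = (int(m.group(2)), int(m.group(3)))
            ranges[m.group(1).upper()] = {"uid": r, "gid": r}
    return ranges


def effective_range(ranges: Dict[str, Dict[str, Range]], domain: str, kind: str) -> Optional[Range]:
    """Per-domain range wins over the global one; None if neither is set."""
    dom = ranges.get(domain.upper())
    if dom and kind in dom:
        return dom[kind]
    return ranges["*"].get(kind)


def check_user(ranges: Dict[str, Dict[str, Range]], user: dict) -> List[str]:
    """Return the reasons winbind could not map this user (empty list = OK)."""
    problems: List[str] = []
    for attr, kind in (("uidNumber", "uid"), ("gidNumber", "gid")):
        value = user.get(attr)
        if value is None:
            problems.append(f"{attr} not set in AD")
            continue
        rng = effective_range(ranges, user["domain"], kind)
        if rng is None:
            problems.append(f"no idmap {kind} range configured")
        elif not rng[0] <= value <= rng[1]:
            problems.append(f"{attr}={value} outside idmap {kind} range {rng[0]}-{rng[1]}")
    return problems


def audit(conf: str, users: List[dict]) -> Dict[str, List[str]]:
    """Map 'DOMAIN\\user' to its list of mapping problems for every record."""
    ranges = parse_idmap_ranges(conf)
    return {f"{u['domain']}\\{u['name']}": check_user(ranges, u) for u in users}


if __name__ == "__main__":
    for name, problems in audit(SMB_CONF, USERS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

In practice the records would come from an LDAP search of the child-domain DC for uidNumber/gidNumber (the attributes `winbind nss info = rfc2307` relies on), converted to integers before calling `audit`. A user flagged with "not set in AD" is exactly the case where `wbinfo -a` can succeed and `wbinfo -i` still fail, because `idmap backend = ad` has nothing to map.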