[Samba] Why do Interdomain trusts try to use kerberos - updated

Gaiseric Vandal gaiseric.vandal at gmail.com
Sun May 2 11:43:24 MDT 2010

On my test Samba PDC, I updated the krb5.conf file to add realm info for the
Windows 2008.  This seems to have resolved my "wbinfo" issue.  "getent
passwd" is still not working (I did update nsswitch.conf) but I suspect this
is because of an idmap allocation issue.    The syntax for idmap allocation
in smb.conf seems to change between 3.0, 3.2, 3.3 and 3.4. 

I have also tried setting up a similar trust between the Windows 2008 and my
production Samba environment.  The production samba environment had a 3.0.x
PDC (DC1) and BDC and a 3.4.x BDC.  3.0.x seems to be incompatible with Win
2008 so   I promoted the 3.4.x BDC to PDC.  However, the Windows PDC cannot
validate the trust

The verification of the incoming trust failed with the following error(s):
The target system  DC1 does not support NetLogon trust password
A secure channel reset will be attempted.
The secure channel reset failed with error 1355: The specified domain either
does not exist or could not be contacted.

I suspect I need to reboot the Windows 2008 PDC to make it locate the new
samba PDC.

So why am I still using Samba 3.0.x?   Because I am running Solaris and Sun
(now Oracle) seems to have lost interest in anything besides being a server
platform for oracle and has provided a production build of Samba 3.4. 

-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com] 
Sent: Friday, April 30, 2010 5:16 PM
To: Samba
Subject: Why do Interdomain trusts try to use kerberos

I have setup a test PDC with samba 3.4.7 on a  fedora core 12 linux 
machine.   I have setup two way interdomain trusts with a Windows 2008 
domain.  The domain and forest functional levels are Windows 2003.

Since the samba machine is not emulating an Active Domain Controller, 
the Windows 2008 machine should think it is talking to an NT4 server.  
And since NT4-based domains don't use kerberos, I would have expected 
kerberos should not be a factor.

On the Windows 2008 PDC I can grant samba users file access.

I setup  up the samba domain to trust the windows domain.   I started 
the process on the windows PDC first.

[samba_pdc]# net rpc trustdom establish win_domain

Enter SMB_DOMAIN$'s password:
Could not connect to server WIN_PDC
Trust to domain WIN_DOMAIN established


Not sure if the "could not connect" error is a problem-  I think I have 
seen that even when trusts are OK.

[samba_pdc# net rpc  trustdom list -U Administrator  -S samba_pdc

Enter Administrator's password:
Trusted domains list:

WIN_DOMAIN                 S-1-5-21-......................

Trusting domains list:

WIN_DOMAIN                 S-1-5-21-.....................


On the samba server, "wbinfo -u" and "wbinfo -g" do not return any 
entries from the WIN_DOMAIN.  Log files show issues with idmap and kerberos.

# cat log.winbindd-idmap

[2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
   idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
[2010/04/30 15:36:53,  0] winbindd/idmap.c:589(idmap_alloc_init)
   ERROR: Initialization failed for alloc backend, deferred!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
   idmap_alloc module ldap already registered!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
   idmap_alloc module tdb already registered!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module passdb already registered!
[2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module nss already registered!
[2010/04/30 15:36:53,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
   idmap uid missing
[2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
   Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete 


# cat log.wb-WIN_DOMAIN | more

[2010/04/30 16:15:19,  0] libads/kerberos.c:333(ads_kinit_password)
   kerberos_kinit_password RESEARCH at SSCI.COM failed: Cannot find KDC for 
requested realm
[2010/04/30 16:15:19,  1] 
   ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for 
requested realm


Any thoughts?  Can I force samba to not try kerberos?   Are the two sets 
of errors even related?     Or can I just add a krb5.conf entry for the 
WIN_DOMAIN even if I am not using kerberos otherwise?


More information about the samba mailing list