[Samba] interdomain trusts / wbinfo and listent_recv: returned no users

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue May 4 14:16:49 MDT 2010


As per my earlier post, I was having problems getting trusts set up between
my Samba domain (3.0.x PDC, 3.4.x BDC on Solaris 10) and two Active
Directory domains (each in a separate forest). One domain is a test
Win 2003 PDC in native Win 2003 mode, the other is a Win 2008 system
also in native Win 2003 mode.

To summarize some of the progress: things work better if the Samba 3.4
server is the PDC, master browser and WINS server.

I now appear to have trusts set up between Samba and the two native
Active Directory domains.

"wbinfo -u" and "wbinfo -g"  list users from the Win 2008 domain but not 
from the Win 2003 domain.

winbindd.log shows

     listent_recv: WIN_2003_DOMAIN  returned no users


I did not have entries for either Active Directory domain in
krb5.conf. I have tried adding entries for those domains (this had
helped with a test Samba domain on Fedora Core). It doesn't seem to
matter for the Solaris PDC.

Any thoughts?

Thanks





On 05/02/2010 01:43 PM, Gaiseric Vandal wrote:
> On my test Samba PDC, I updated the krb5.conf file to add realm info for
> the Windows 2008.  This seems to have resolved my "wbinfo" issue.  "getent
> passwd" is still not working (I did update nsswitch.conf) but I suspect
> this is because of an idmap allocation issue.    The syntax for idmap
> allocation in smb.conf seems to change between 3.0, 3.2, 3.3 and 3.4.
>
>
> I have also tried setting up a similar trust between the Windows 2008 and
> my production Samba environment.  The production Samba environment had a
> 3.0.x PDC (DC1) and BDC and a 3.4.x BDC.  3.0.x seems to be incompatible
> with Win 2008, so I promoted the 3.4.x BDC to PDC.  However, the Windows
> PDC cannot validate the trust:
>
> The verification of the incoming trust failed with the following error(s):
> The target system  DC1 does not support NetLogon trust password
> verification.
> A secure channel reset will be attempted.
> The secure channel reset failed with error 1355: The specified domain
> either does not exist or could not be contacted.
>
> I suspect I need to reboot the Windows 2008 PDC to make it locate the new
> samba PDC.
>
>
>
> So why am I still using Samba 3.0.x?   Because I am running Solaris and
> Sun (now Oracle) seems to have lost interest in anything besides being a
> server platform for oracle and has provided a production build of Samba
> 3.4.
>
>
>
>
>
> -----Original Message-----
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Friday, April 30, 2010 5:16 PM
> To: Samba
> Subject: Why do Interdomain trusts try to use kerberos
>
> I have set up a test PDC with Samba 3.4.7 on a Fedora Core 12 Linux
> machine.  I have set up two-way interdomain trusts with a Windows 2008
> domain.  The domain and forest functional levels are Windows 2003.
>
> Since the Samba machine is not emulating an Active Domain Controller,
> the Windows 2008 machine should think it is talking to an NT4 server.
> And since NT4-based domains don't use Kerberos, I would have expected
> that Kerberos would not be a factor.
>
> On the Windows 2008 PDC I can grant samba users file access.
>
>
> I set up the Samba domain to trust the Windows domain.  I started
> the process on the Windows PDC first.
>
> --------------------------------------------------------------------------
> ----------------------------------
> [samba_pdc]# net rpc trustdom establish win_domain
>
> Enter SMB_DOMAIN$'s password:
> Could not connect to server WIN_PDC
> Trust to domain WIN_DOMAIN established
> [samba_pdc]#
>
>
> --------------------------------------------------------------------------
> ----------------------------------
>
>
> Not sure if the "could not connect" error is a problem; I think I have
> seen that even when trusts are OK.
>
>
> --------------------------------------------------------------------------
> ----------------------------------
> [samba_pdc# net rpc  trustdom list -U Administrator  -S samba_pdc
>
> Enter Administrator's password:
> Trusted domains list:
>
> WIN_DOMAIN                 S-1-5-21-......................
>
> Trusting domains list:
>
> WIN_DOMAIN                 S-1-5-21-.....................
>
> none
> [samba_pdc
> --------------------------------------------------------------------------
> ----------------------------------
>
> On the samba server, "wbinfo -u" and "wbinfo -g" do not return any
> entries from the WIN_DOMAIN.  Log files show issues with idmap and
> kerberos.
>
>
>
>
> # cat log.winbindd-idmap
>
> [2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
>     idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
> [2010/04/30 15:36:53,  0] winbindd/idmap.c:589(idmap_alloc_init)
>     ERROR: Initialization failed for alloc backend, deferred!
> [2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
>     idmap_alloc module ldap already registered!
> [2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
>     idmap_alloc module tdb already registered!
> [2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
>     Idmap module passdb already registered!
> [2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
>     Idmap module nss already registered!
> [2010/04/30 15:36:53,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
>     idmap uid missing
> [2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
>     Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete
> configuration
>
>
> ...
>
>
> # cat log.wb-WIN_DOMAIN | more
> ...
>
>
> [2010/04/30 16:15:19,  0] libads/kerberos.c:333(ads_kinit_password)
>     kerberos_kinit_password RESEARCH at SSCI.COM failed: Cannot find KDC for
> requested realm
> [2010/04/30 16:15:19,  1]
> winbindd/winbindd_ads.c:127(ads_cached_connection)
>     ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for
> requested realm
>
>
> --------------------------------------------------------------------------
> ----------------------------------
>
>
> Any thoughts?  Can I force Samba to not try Kerberos?  Are the two sets
> of errors even related?  Or can I just add a krb5.conf entry for the
> WIN_DOMAIN even if I am not using Kerberos otherwise?
>
> Thanks
>
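Added example, not from the original thread: the two configuration fragments that correspond to the two errors quoted above, "idmap uid missing" in log.winbindd-idmap and "Cannot find KDC for requested realm" in log.wb-WIN_DOMAIN, written with the Samba 3.4 parameter names this thread is about. The realm name, KDC host name and UID/GID ranges are placeholders I have assumed; the thread does not give them.

```ini
# /etc/samba/smb.conf (Samba 3.4 syntax; the idmap parameters change again in later releases)
[global]
    workgroup = SMB_DOMAIN
    security = user
    domain logons = yes
    # The thread reports trusts behave better with the Samba 3.4 box as
    # PDC, domain master browser and WINS server.
    domain master = yes
    local master = yes
    preferred master = yes
    wins support = yes
    # Samba 3.4 still reads "idmap uid"/"idmap gid"; without them winbindd
    # logs "idmap uid missing" and the allocation backend is never initialised.
    idmap backend = tdb
    idmap alloc backend = tdb
    idmap uid = 100000-199999
    idmap gid = 100000-199999
    # Optional per-domain mapping for the trusted AD domain (placeholder range).
    # Keep it outside the block above and outside any local UNIX account range,
    # so a foreign SID can never resolve to an existing local user or group.
    idmap config WIN_DOMAIN:backend = rid
    idmap config WIN_DOMAIN:range = 200000-299999
    # Required for "getent passwd"/"getent group" enumeration, not for lookups.
    winbind enum users = yes
    winbind enum groups = yes

# /etc/krb5.conf (placeholder realm and KDC host names)
# winbindd looks the trusted AD domain's realm up here; with no [realms]
# entry it fails with "Cannot find KDC for requested realm", even though the
# Samba domain itself is NT4-style and has no Kerberos realm of its own.
[realms]
    WIN_DOMAIN.EXAMPLE.COM = {
        kdc = win_pdc.win_domain.example.com
        admin_server = win_pdc.win_domain.example.com
    }

[domain_realm]
    .win_domain.example.com = WIN_DOMAIN.EXAMPLE.COM
    win_domain.example.com = WIN_DOMAIN.EXAMPLE.COM
```

After restarting winbindd, `wbinfo -m` lists the trusted domains winbindd can see and `wbinfo -t` verifies the trust secret, which separates a broken trust from a mapping problem before looking at `wbinfo -u` again.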