[Samba] Trusted domain users unwantedly mapping onto local domain users

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Oct 21 15:02:55 MDT 2010

I have similar issues.   I am running Samba 3.4 (compiled from source) 
on Solaris 10, so selinux is NOT an issue for me.   Otherwise I have 
similar config (LDAP backend for samba, trusted domains to windows 2003 

thought this used to work but a month or so ago it wasn't.

getent passwd and wbinfo -u showed users from the trusted domain.  
wbinfo -s / wbinfo -n showed uid-to-sid and sid-to-uid mappings were 
ok.  The log seemed to show users in the trusted domain being valid, but 
then complains that that user does not exist.


[2010/09/13 08:02:04,  3] auth/auth.c:222(check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\[linus]@[WINSERVER] with the new password interface
[2010/09/13 08:02:04,  3] auth/auth.c:225(check_ntlm_password)
   check_ntlm_password:  mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)
   check_ntlm_password:  Authentication for user [winuser] -> [winuser] FAILED with e



I partly resolved this by creating dummy accounts for users 
(/bin/false as the shell) for the trusted domains (the passwords are 
different.)    The trusted domain only has about 5 or 6 users.

I have not tried ssh'ing in as a trusted domain user (I definitely don't 
want that available..)

It is weird, because the trusted users ARE definitely authenticating 
using their own passwords.    Maybe it is trying to validate the user 
name via kerberos but then validates the password via NTLM?

Do you have an entry in krb5.conf for the trusted domain?  I think that 
is more of an issue for locating the DC.

At some point I changed the forest and domain modes on the Windows 2003 
DC from mixed to native.  That may have broken something but the end 
users from the trusted domain might not have reported it until several 
weeks later.   (It is apparently a resource they only need occasionally.)

I haven't had a chance to look into this further, since I have a work 

On 10/21/2010 11:59 AM, Bruce Richardson wrote:
> Having set up two way trust between a Samba domain (with LDAP backend)
> and an AD domain, I find that
>   1. Users from the trusted domain are authenticated against the proper
> DC (that is, their regular password works), but only if there is a
> corresponding local domain user.
>   2.  Users from the trusted domain are being mapped onto Samba/POSIX
> users associated with the local Samba domain, despite the fact that the
> correct idmap objects are being created in the directory.   If they
> connect to a share, they connect as the local domain user (although,
> oddly, they can create new files and directories but not delete old
> ones).
> More information:
> The local domain uses an LDAP backend, with ldapsam:editposix and
> ldapsam:trusted set.  LDAP is used for all domain configs (BUILTIN,
> OFFICE domain and external domains).  Winbind is used on the domain
> controllers for GID/UID allocation (and for id mappings for foreign
> domains), but nss_ldap is used on all the servers, DC or member, to
> provide the POSIX user information via nsswitch.conf.  winbind is not
> currently running on the member servers (not needed for a single domain
> because of nss_ldap).
> All this was working perfectly.  Adding the domain trust worked
> flawlessly.  Then I tried - on the PDC  and BDC only - to have users
> from the trusted domain connecting to shares.  So I changed
> nsswitch.conf from
>    passwd: files ldap
>    group: files ldap
> to
>    passwd: files ldap winbind
>    group: files ldap winbind
> I added details of the AD domain's PDC to krb5.conf, set the auth user
> file and restarted winbindd for luck.
>   * "wbinfo -u" and "wbinfo -g" list the trusted domain users and groups.
>   * "getent passwd" returns the trusted users in the list as
>     TRUSTED\user.name.
>   * The idmap OU in the directory now has two dozen
>     entries (the AD domain is only used for one specialist part of the
>     company).
> So far so good.  "getent group" and "getent passwd" shows the TRUSTED
> domain users have been added and are visible as POSIX users.  TRUSTED
> users can authenticate to any OFFICE member servers using their own
> passwords (with the important caveat mentioned above).  At this point,
> I'm at something of a loss.  I can ssh into the domain controller as
> TRUSTED\test.user, whether or not there is a corresponding user in the
> local domain, and the correct UID and GID will be assigned, but I can
> only connect to Samba as that user if there is a corresponding local
> domain user and I am then assigned their UID and GID.
> Can anybody suggest what I may have missed?  I can post the relevant
> domain controller configs.
> I don't know if it's relevant to this, but winbind keeps trying to write
> to krb5.conf and being blocked by selinux.  Haven't had time to
> investigate that.
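The symptom both posters describe (a trusted-domain user is authenticated but smbd ends up acting as a different, local account) is visible in the level-3 check_ntlm_password lines quoted above: the "unmapped user" and the "mapped user is" lines name different accounts. The following is an added example, not code from the thread or from Samba, that pairs those two lines and flags every login where the presented account and the resulting account differ; the log text is a constructed sample in the same format as the quoted lines.

```python
import re

# Constructed sample in the format of the smbd log lines quoted in the thread
# (log level 3, auth/auth.c check_ntlm_password). Not taken from a real system.
SAMPLE_LOG = """\
[2010/09/13 08:02:04,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\\[linus]@[WINSERVER] with the new password interface
[2010/09/13 08:02:04,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [WINDOMAIN]\\[winuser]@[WINSERVER]
[2010/09/13 08:02:05,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [OFFICE]\\[alice]@[PC1] with the new password interface
[2010/09/13 08:02:05,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [OFFICE]\\[alice]@[PC1]
"""

# [DOMAIN]\[user]@[WORKSTATION] as smbd prints it; the backslash is literal.
_ACCOUNT = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
UNMAPPED_RE = re.compile(r"Checking password for unmapped user " + _ACCOUNT)
MAPPED_RE = re.compile(r"mapped user is: " + _ACCOUNT)


def find_remapped_logins(log_text):
    """Return (domain, presented_user, mapped_account, workstation) tuples for
    every authentication where the account smbd ended up using differs from
    the account the client presented. Identical mappings are not reported."""
    findings = []
    pending = None  # last 'unmapped user' line still waiting for its 'mapped user is' line
    for line in log_text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            pending = m.groups()
            continue
        m = MAPPED_RE.search(line)
        if m and pending is not None:
            domain, presented, station = pending
            mapped_domain, mapped_user, _ = m.groups()
            if (domain, presented) != (mapped_domain, mapped_user):
                findings.append((domain, presented, f"{mapped_domain}\\{mapped_user}", station))
            pending = None
    return findings


if __name__ == "__main__":
    for domain, presented, mapped, station in find_remapped_logins(SAMPLE_LOG):
        print(f"{domain}\\{presented} from {station} was mapped onto {mapped}")
```

Run it against a smbd log at level 3 or higher (the quoted lines are level 3); a non-empty result for a trusted domain means share access is being granted under an account other than the one that authenticated, which is the access-control problem the thread is about.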
