[Samba] interdomain trusts: known to work on v3.5.4?

Eric S. Hvozda hvozda at ack.org
Thu Aug 18 11:57:22 MDT 2011


Greetings!

I'm having problems with winbind and interdomain trusts.

I've done a lot of searching on the topic and there appear to be a lot of folk out there with the same problem, but not any solutions.

Environment is CentOS v5.6 with yumable samba3x-winbind-3.5.4-0.70 on x86_64.

Specifically, the host is joined (successfully) to A:

[ehvozda at AD-test samba]$ sudo wbinfo -t
checking the trust secret for domain A via RPC calls succeeded
[ehvozda at AD-test samba]$

A trusts B.

I can kinit and get valid tickets for principals in each, no problem.

winbind appears to see both A & B:

[ehvozda at AD-test samba]$ sudo wbinfo -u
A\administrator
A\guest
A\krbtgt
A\aselwyn
A\ehvozda
A\hvozdae
A\b$
B\administrator
B\guest
B\krbtgt
B\ehvozda
B\ehvozda_xxx
[ehvozda at AD-test samba]$

Users in A can authenticate via winbind:

[ehvozda at AD-test samba]$ sudo wbinfo -a A\\hvozdae
Enter A\hvozdae's password: 
plaintext password authentication succeeded
Enter A\hvozdae's password: 
challenge/response password authentication succeeded
[ehvozda at AD-test samba]$

Users in B cannot.

[ehvozda at AD-test samba]$ sudo wbinfo -a B\\ehvozda
Enter B\ehvozda's password: 
plaintext password authentication failed
Could not authenticate user B\ehvozda with plaintext password
Enter B\ehvozda's password: 
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user B\ehvozda with challenge/response
[ehvozda at AD-test samba]$ 

However, clearly the user exists (see above).

winbind sees the trust:

[ehvozda at AD-test samba]$ sudo wbinfo -m
BUILTIN
AD-TEST
A
B
[ehvozda at AD-test samba]$ 

However, for whatever reason, B is considered offline:

[ehvozda at AD-test samba]$ sudo wbinfo --online-status
BUILTIN : online
AD-TEST : online
A : online
B : offline
[ehvozda at AD-test samba]$ 

Cranking debug level = 10 does not show anything obvious.

A few questions:

* Are interdomain trusts working in v3.5.4?
* Is there specific documentation or a recipe that works for folk?
* What are some debugging techniques I could try?
* Why is domain B offline?

I've included my smb.conf file below:

[global]
   workgroup = A
   realm = A.LOCAL
   security = ads
   idmap backend = tdb
   idmap uid = 1000-9999
   idmap gid = 1000-9999
   idmap config A : backend  = ad
   idmap config A : range = 1000-2999
   idmap config B : backend  = ad
   idmap config B : range = 3000-4999
   template shell = /bin/false
   winbind offline logon = false
   log level = 10

	server string = Samba Server Version %v
	
	log file = /var/log/samba/log.%m
	max log size = 50
	
	passdb backend = tdbsam
	
	load printers = yes
	cups options = raw
	
[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	
[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes
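
Added example, not part of the original post and not Samba project code: a small Python check that correlates the three wbinfo outputs shown above (-m, --online-status, -u) and reports every listed domain that winbind does not mark online, together with how many of its accounts are still being enumerated. The sample strings are constructed from the post's transcript (abridged), and the backslash separator and function names are assumptions.

```python
"""Added example: flag trusted domains that winbind lists but marks offline."""

# Constructed sample input, abridged from the transcript in the post above.
TRUSTED = "BUILTIN\nAD-TEST\nA\nB\n"  # wbinfo -m
STATUS = ("BUILTIN : online\nAD-TEST : online\n"
          "A : online\nB : offline\n")  # wbinfo --online-status
USERS = ("A\\administrator\nA\\ehvozda\nA\\b$\n"
         "B\\administrator\nB\\ehvozda\n")  # wbinfo -u


def parse_status(text):
    """Map domain name -> True when --online-status reports it online."""
    status = {}
    for line in text.splitlines():
        name, sep, state = line.rpartition(":")
        if sep:
            status[name.strip().upper()] = state.strip().lower() == "online"
    return status


def users_per_domain(text, separator="\\"):
    """Count enumerated accounts per domain (assumes the default separator)."""
    counts = {}
    for line in text.splitlines():
        domain, sep, _user = line.strip().partition(separator)
        if sep:
            counts[domain.upper()] = counts.get(domain.upper(), 0) + 1
    return counts


def offline_trusts(trusted, status, users):
    """Return (domain, enumerated_user_count) for each listed domain not online.

    A domain that is missing from the status output is treated as offline.
    """
    online = parse_status(status)
    counts = users_per_domain(users)
    findings = []
    for domain in (d.strip().upper() for d in trusted.splitlines() if d.strip()):
        if not online.get(domain, False):
            findings.append((domain, counts.get(domain, 0)))
    return findings


if __name__ == "__main__":
    for domain, n in offline_trusts(TRUSTED, STATUS, USERS):
        print(f"{domain}: offline, {n} accounts enumerated; "
              f"test it with wbinfo -a before relying on logons")
```

A non-zero account count next to an offline domain is the same combination the post reports for B: the users are listed, yet authentication against that domain fails.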

