[Samba] can't access shares on members of samba domain from windows domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Dec 5 09:00:37 MST 2011

On 12/02/2011 03:44 AM, damiien wrote:
> Hi,
> I have a network with two domains. DOMAIN A has samba 3.0.28 as PDC
> (I know it's old but it can't be updated due to political reasons).
> DOMAIN B is a Windows 2003 domain. Samba PDC (domain A) has few shares
> on it and everyone can access those shares (everyone from domain A and
> domain B). In domain A there are also few windows machines which also
> have shares. I'd like for those shares to be available to everyone.
> Currently, everyone on domain A can access those windows shares (which
> are on domain A). I'd like for those shares to be available to domain
> B users but currently only Domain Administrator from domain B has
> access. I'd appreciate any help on getting this to work.
> To sum up,
> Domain A:  1.  Samba as PDC - share "Groups" shared to everyone and
> available to everyone
>                   2.   Windows 2003 - share  "Data" shared to everyone
> but available to everyone in domain A and only to Domain Administrator
> from domain B
> Domain B:  1. Windows 2003 Active directory
>                   2. Windows XP clients
> ---share "Data" needs to be available to everyone

If you edit the Share or NTFS perms of a Domain A Windows machine
directory, are you able to view or select users/groups from domain B?
When you log in to a Domain A Windows machine are you able to select
"Domain B" as a login domain? Are you sure domain trusts really are
set up properly on your PDC? Do "wbinfo -u" and "wbinfo -g" show the
trusted domain users and groups? Does "getent passwd" or "getent passwd
DOMAINB\\someuser" work?

My guess is that domain trusts are not working properly. Trusted
domain users need to map to a local unix id. Domain B Administrator is
probably able to log in to domain A since there is a matching unix name
(i.e. Administrator.) Assuming that samba can match the trusted
domain user's name to a local unix id, it will then validate the user
against the trusted domain PDC. If you have "jsmith" in both
domains, but with different passwords, it would appear to user "jsmith"
that domain trusts were working properly.

I think you will not get this working properly with Samba 3.0.28. I had
a similar setup - I would get it working for a short time but the idmap
cache would expire and not renew.
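
The checks suggested in the reply above, run offline over saved `wbinfo -u` and `getent passwd` output, as an added example that is not part of the original thread. DOMAINB, the account names and the sample output are constructed, and the default winbind separator `\` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). All sample data is constructed.
# On a live host, save the real output first (getent only lists winbind
# users when enumeration, "winbind enum users", is enabled):
#   getent passwd > passwd.txt; wbinfo -u > wbinfo.txt

# classify_trusted_users DOMAIN PASSWD_FILE WBINFO_FILE
# Prints one line per trusted-domain user found in the wbinfo output:
#   MAPPED    NSS has an entry for DOMAIN\user (winbind assigned a unix id)
#   COLLIDES  no such entry, but a local unix account has the same bare name,
#             so access may only appear to work through the trust
#   UNMAPPED  no unix id at all
classify_trusted_users() {
  awk -F: -v dom="$1" '
    BEGIN { prefix = tolower(dom) "\\" }
    FILENAME == ARGV[1] { known[tolower($1)] = 1; next }   # passwd names
    {
      line = tolower($0)
      if (index(line, prefix) != 1) next       # skip local-domain users
      bare = substr(line, length(prefix) + 1)
      if (line in known)      state = "MAPPED"
      else if (bare in known) state = "COLLIDES"
      else                    state = "UNMAPPED"
      print state, $0
    }' "$2" "$3"
}

# Runs the classifier over constructed sample output.
run_sample() {
  tmp=$(mktemp -d) || return 1
  cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
administrator:x:1000:1000::/home/administrator:/bin/false
jsmith:x:1001:1001::/home/jsmith:/bin/bash
DOMAINB\kbrown:*:20001:20000::/home/DOMAINB/kbrown:/bin/false
EOF
  cat > "$tmp/wbinfo" <<'EOF'
administrator
jsmith
DOMAINB\Administrator
DOMAINB\jsmith
DOMAINB\kbrown
DOMAINB\mjones
EOF
  classify_trusted_users DOMAINB "$tmp/passwd" "$tmp/wbinfo"
  rm -rf "$tmp"
}

run_sample
```

A COLLIDES line corresponds to the "Administrator" and "jsmith" cases described in the reply: the name resolves only because a same-named local account exists.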
