[Samba] Multiple domains issue
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Feb 1 07:32:31 MST 2011
I haven't set up trusts involving Windows PDCs and a Samba member
server. I have set up trusts between Samba-based domains (Samba PDC, Samba
BDC and Samba member server) and Active Directory based domains
(Windows 200x PDC).
In general, a samba server will see trusted users in the output of
wbinfo -u (courtesy of the winbindd daemon.) Samba should also
allocate unix uid and gid numbers. The nsswitch.conf file will
include "passwd: winbind..." so that file permissions can be allocated
at the underlying unix file system. smb.conf would also have to include
idmap settings for each trusted domain.
My guess is that your samba machine never "knew" about the trusted domain,
and was just mapping "TRUSTEDDOMAIN\user" to local "user" for file
system access. And since the passwords were the same, everything was OK.
If you type "testparm -v " what is "map untrusted to domain" set to?
You may also want to change the file shares to be "everyone" and then
rely on file permissions for the security.
On 01/31/2011 05:53 PM, Ron García-Vidal wrote:
> Thanks for your reply.
>
> On 01/31/2011 05:22 PM, Gaiseric Vandal wrote:
>> Did you reestablish the domain trusts between your NT domain and your AD
>> domain?
>
> No, but I never broke the trust, only removed and re-added the single
> machine into the old NT domain. If I break and re-establish the trust
> relationship, I'm worried about what else might break in the process.
> Don't want to make a problem worse in the process of fixing it.
>
>
>> Does "wbinfo -u" and "wbinfo -g" on your samba server show the users and
>> groups from the trusted AD domain?
>> Does "getent passwd" and "getent group" on your samba server show the
>> users and groups from the trusted AD domain?
>
> Both wbinfo and getent passwd only show the info from the NTDOMAIN.
> My username is actually the same on both, but NTDOMAIN is the default
> domain on this box. Should it have shown "user" and "ADDOMAIN+user"?
> I don't remember the latter being in the output of getent passwd
> before making this change either though.
>
> It should also be noted that in auth.log, it does show the user
> ADDOMAIN+user being granted access, and session opened, so PAM seems
> ok with these users, it's smbd that's balking.
>
>> Do your AD users still have accounts in the NT domain? Are the passwords
>> the same? Maybe they can connect as "NT\username" instead (e.g. net use
>> \\samba1\share1 /user:nt\username), which could probably be put in the login
>> script, and skip domain trusts altogether since this is a short-term
>> solution.
>
> This does work, but I guess I would like to better understand why this
> broke in the first place. Thanks a lot. I really appreciate your time.
>
>
> -Ron
>
>
>
>>
>>
>> On 01/31/2011 04:25 PM, Ron García-Vidal wrote:
>>> Sorry to nudge, but does anyone have any ideas of how to resolve this?
>>> During the migration period to our AD server, it's crucial that users
>>> on both the old and new domain see the Samba server.
>>>
>>> On 01/24/2011 04:40 PM, Ron García-Vidal wrote:
>>>> Here's some more info. This is an excerpt from the log on a connection
>>>> attempt:
>>>>
>>>> [2011/01/24 15:30:55, 1] smbd/service.c:make_connection_snum(950)
>>>> CLIENT_STATION (X.X.X.46) connect to service USERNAME initially as
>>>> user
>>>> ADDOMAIN+USERNAME (uid=10000, gid=10000) (pid 18741)
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:57, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:57, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:57, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:59, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:30:59, 0] smbd/service.c:set_current_service(150)
>>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>>> [2011/01/24 15:31:05, 1] smbd/service.c:close_cnum(1150)
>>>> CLIENT_STATION (X.X.X.46) closed connection to service USERNAME
>>>>
>>>>
>>>> As I said, prior to Friday's domain drop and rejoin, this worked
>>>> properly. I think there just needs to be able to say
>>>> ADDOMAIN+USERNAME=NTDOMAIN+USERNAME.
>>>>
>>>> -Ron
>>>>
>>>> On 01/24/2011 06:52 AM, Ron García-Vidal wrote:
>>>>> Understood and agreed, but since we're migrating to the AD in a
>>>>> piecemeal fashion, we must get this to work for users in both domains
>>>>> until the migration is complete. Any suggestions?
>>>>>
>>>>> -Ron
>>>>>
>>>>> On 01/23/2011 01:05 PM, tms3 at tms3.com wrote:
>>>>>>
>>>>>>>
>>>>>>> I encountered a strange problem recently when changing the IP of my
>>>>>>> Samba server. We are in the process of moving from an ancient NT4
>>>>>>> domain to an AD domain. We did a full migration of all the users, and
>>>>>>> up until Friday, our AD users were able to access the Samba server
>>>>>>> (which is still on the NT domain) with full permissions, etc.
>>>>>>>
>>>>>>> On Friday, for reasons completely unrelated, we had to change the IP of
>>>>>>> the Samba server. When we brought it up on the new IP, it gave an error
>>>>>>> bringing up the Samba daemons. I was rushed and didn't pay too much
>>>>>>> attention to the error, but instead took the easy route of removing
>>>>>>> Samba from the NT domain, and re-joining.
>>>>>>>
>>>>>>> That got the Samba daemons up and running and we mostly had no problem,
>>>>>>> except now the AD users aren't allowed to access their home directories.
>>>>>> Home directories in a trusted domain are probably a bad idea, and likely
>>>>>> have some permission issues. It might be best to join the samba server to
>>>>>> the AD domain instead.
>>>>>>>
>>>>>>>
>>>>>>> The AD and NT domains have a mutual trust relationship, and all SSIDs
>>>>>>> for the users on both domains are the same. As I said, prior to Friday,
>>>>>>> these users were able to access.
>>>>>>>
>>>>>>> I'm not entirely sure how Samba handles multiple domains, etc. and I
>>>>>>> have no idea how to even begin to trouble shoot this problem. Any
>>>>>>> suggestions would be welcome.
>>>>>>>
>>>>>>> -Ron
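As an added example (not configuration posted by anyone in this thread), this is what the settings Gaiseric describes look like on a Samba 3.x domain member that serves users from its own NT domain and from a trusted AD domain: winbind enumeration, one idmap block per trusted domain, and the "map untrusted to domain" setting made explicit. The domain names are the placeholders the thread uses; the uid/gid ranges, the choice of the rid backend, and the nsswitch lines are assumptions.

```ini
; Added example smb.conf fragment for a Samba 3.x member server of NTDOMAIN
; that must also recognise users of the trusted ADDOMAIN. Values are
; assumptions chosen for illustration, not the poster's real configuration.
[global]
   workgroup = NTDOMAIN
   security = domain
   ; "+" matches the ADDOMAIN+USERNAME form that appears in the smbd log
   winbind separator = +
   allow trusted domains = yes
   ; required for "wbinfo -u"/"wbinfo -g" and "getent passwd"/"getent group"
   ; to list the trusted domain's users and groups
   winbind enum users = yes
   winbind enum groups = yes

   ; default backend for SIDs that match no per-domain block below
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999

   ; one block per domain; the ranges must not overlap
   idmap config NTDOMAIN : backend = rid
   idmap config NTDOMAIN : range = 10000-19999
   idmap config ADDOMAIN : backend = rid
   idmap config ADDOMAIN : range = 20000-29999

   ; "no" is the Samba default and is only spelled out here so that
   ; "testparm -v" shows it; with it, a DOMAIN\user whose domain winbind does
   ; not know is treated as a local account rather than as a domain account
   map untrusted to domain = no

; /etc/nsswitch.conf (separate file, shown here as a comment):
;   passwd: files winbind
;   group:  files winbind
```

Two consequences follow from a setup like this. First, "wbinfo -m" should list ADDOMAIN among the trusted domains; if it does not, winbind never learned about the trust and the per-domain idmap block is never consulted. Second, because each domain has its own uid range, ADDOMAIN+USERNAME and NTDOMAIN+USERNAME are different unix users, so a home directory owned by one of them will produce exactly the "chdir ... failed" lines seen in the log for the other; access for both has to be granted through group membership or ACLs on the directory rather than by relying on the two usernames happening to coincide.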