[Samba] Multiple domains issue

Ron García-Vidal ghstwrtr at evilgenius.net
Mon Jan 31 15:53:37 MST 2011


Thanks for your reply.

On 01/31/2011 05:22 PM, Gaiseric Vandal wrote:
> Did you reestablish the domain trusts between your NT domain and your AD
> domain?

No, but I never broke the trust, only removed and re-added the single 
machine into the old NT domain.  If I break and re-establish the trust 
relationship, I'm worried about what else might break in the process. 
Don't want to make a problem worse in the process of fixing it.


> Does "wbinfo -u" and "wbinfo -g" on your samba server show the users and
> groups from the trusted AD domain?
> Does "getent passwd" and "getent group" on your samba server show the
> users and groups from the trusted AD domain?

Both wbinfo and getent passwd only show the info from the NTDOMAIN.  My 
username is actually the same on both, but NTDOMAIN is the default 
domain on this box.  Should it have shown "user" and "ADDOMAIN+user"?  I 
don't remember the latter being in the output of getent passwd before 
making this change either though.

It should also be noted that in auth.log, it does show the user 
ADDOMAIN+user being granted access, and session opened, so PAM seems ok 
with these users, it's smbd that's balking.

> Do your AD users still have accounts in the NT domain? Are the passwords
> the same? Maybe they can connect as "NT\username" instead (e.g net use
> \\samba1\share1 /user:nt\username) that could probably put in the login
> script) and skip domain trusts altogether since this is a short terms
> solution.

This does work, but I guess I would like to better understand why this 
broke in the first place.  Thanks a lot.  I really appreciate your time.


-Ron



>
>
> On 01/31/2011 04:25 PM, Ron García-Vidal wrote:
>> Sorry to nudge, but does anyone have any ideas of how to resolve this?
>> During the migration period to our AD server, it's crucial that users
>> on both the old and new domain see the Samba server.
>>
>> On 01/24/2011 04:40 PM, Ron García-Vidal wrote:
>>> Here's some more info. This is an excerpt from the log on a connection
>>> attempt:
>>>
>>> [2011/01/24 15:30:55, 1] smbd/service.c:make_connection_snum(950)
>>> CLIENT_STATION (X.X.X.46) connect to service USERNAME initially as user
>>> ADDOMAIN+USERNAME (uid=10000, gid=10000) (pid 18741)
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:57, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:57, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:57, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:59, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:30:59, 0] smbd/service.c:set_current_service(150)
>>> chdir (/opt/ntpublic/users/USERNAME) failed
>>> [2011/01/24 15:31:05, 1] smbd/service.c:close_cnum(1150)
>>> CLIENT_STATION (X.X.X.46) closed connection to service USERNAME
>>>
>>>
>>> As I said, prior to Friday's domain drop and rejoin, this worked
>>> properly. I think there just needs to be a way to say
>>> ADDOMAIN+USERNAME=NTDOMAIN+USERNAME.
>>>
>>> -Ron
>>>
>>> On 01/24/2011 06:52 AM, Ron García-Vidal wrote:
>>>> Understood and agreed, but since we're migrating to the AD in a
>>>> piecemeal fashion, we must get this to work for users in both domains until
>>>> the migration is complete. Any suggestions?
>>>>
>>>> -Ron
>>>>
>>>> On 01/23/2011 01:05 PM, tms3 at tms3.com wrote:
>>>>>
>>>>>>
>>>>>> I encountered a strange problem recently when changing the IP of my
>>>>>> Samba server. We are in the process of moving from an ancient NT4
>>>>>> domain to an AD domain. We did a full migration of all the users, and
>>>>>> up until Friday, our AD users were able to access the Samba server
>>>>>> (which is still on the NT domain) with full permissions, etc.
>>>>>>
>>>>>> On Friday for reasons completely unrelated, we had to change the
>>>>>> IP of
>>>>>> the Samba server. When we brought it up on the new IP, it gave an
>>>>>> error
>>>>>> bringing up the Samba daemons. I was rushed and didn't pay too much
>>>>>> attention to the error, but instead took the easy route of removing
>>>>>> Samba from the NT domain, and re-joining.
>>>>>>
>>>>>> That got the Samba daemons up and running and we mostly had no
>>>>>> problem,
>>>>>> except now the AD users aren't allowed to access their home
>>>>>> directories.
>>>>> Home directories in a trusted domain is probably a bad idea, and
>>>>> likely
>>>>> has some permission issues. It might be best to join the samba
>>>>> server to
>>>>> the AD domain instead.
>>>>>>
>>>>>>
>>>>>> The AD and NT domains have a mutual trust relationship, and all SSIDs
>>>>>> for the users on both domains are the same. As I said, prior to
>>>>>> Friday,
>>>>>> these users were able to access.
>>>>>>
>>>>>> I'm not entirely sure how Samba handles multiple domains, etc. and I
>>>>>> have no idea how to even begin to troubleshoot this problem. Any
>>>>>> suggestions would be welcome.
>>>>>>
>>>>>> -Ron
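To make the symptom in the quoted smbd log checkable, here is an added example (my own code, not from this thread or the Samba project) that attributes each "chdir ... failed" line to the identity smbd connected as and tests whether that uid/gid could even search the directory under the POSIX execute-bit rule. The log sample is constructed after the excerpt above, and the directory ownership in DIR_TABLE is an assumed value used only to show a mismatch between the winbind-allocated uid and the files on disk.

```python
import re
import stat
from collections import defaultdict

# Constructed sample, modelled on the smbd log excerpt quoted in the thread (not the real log).
SAMPLE_LOG = """\
[2011/01/24 15:30:55, 1] smbd/service.c:make_connection_snum(950)
  CLIENT_STATION (X.X.X.46) connect to service USERNAME initially as user ADDOMAIN+USERNAME (uid=10000, gid=10000) (pid 18741)
[2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
  chdir (/opt/ntpublic/users/USERNAME) failed
[2011/01/24 15:30:56, 0] smbd/service.c:set_current_service(150)
  chdir (/opt/ntpublic/users/USERNAME) failed
[2011/01/24 15:31:05, 1] smbd/service.c:close_cnum(1150)
  CLIENT_STATION (X.X.X.46) closed connection to service USERNAME
"""
# Assumed ownership of the share path (hypothetical): a home directory still owned by a uid allocated before the rejoin.
DIR_TABLE = {"/opt/ntpublic/users/USERNAME": (0o700, 10005, 10005)}

CONNECT_RE = re.compile(r"connect to service \S+ initially as user (\S+) \(uid=(\d+), gid=(\d+)\)")
CHDIR_RE = re.compile(r"chdir \((.+)\) failed")

def correlate_chdir_failures(log_text):
    """Attribute each 'chdir ... failed' to the (user, uid, gid) of the preceding connect line."""
    failures = defaultdict(lambda: defaultdict(int))
    current = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = (m.group(1), int(m.group(2)), int(m.group(3)))
            continue
        m = CHDIR_RE.search(line)
        if m and current is not None:
            failures[current][m.group(1)] += 1
    return {ident: dict(paths) for ident, paths in failures.items()}

def can_search(mode, owner_uid, owner_gid, uid, gid):
    """chdir() needs execute (search) permission on the directory, by the usual POSIX rule."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def diagnose(log_text, dir_table):
    """Return (user, path, failure_count, searchable) for every failing path seen in the log."""
    report = []
    for (user, uid, gid), paths in correlate_chdir_failures(log_text).items():
        for path, count in paths.items():
            mode, owner_uid, owner_gid = dir_table[path]
            report.append((user, path, count, can_search(mode, owner_uid, owner_gid, uid, gid)))
    return report
```

On a live server the DIR_TABLE tuple would come from `os.stat(path)` (`st_mode`, `st_uid`, `st_gid`), and comparing the uid in the log against `getent passwd 'ADDOMAIN+user'` shows whether winbind's idmap changed across the rejoin.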

