[Samba] interdomain trusts: known to work on v3.5.4?
Eric S. Hvozda
hvozda at ack.org
Wed Sep 7 05:32:14 MDT 2011
Is anyone using interdomain trusts at all...?
On Aug 18, 2011, at 1:57 PM, "Eric S. Hvozda" <hvozda at ack.org> wrote:
> Greetings!
>
> I'm having problems with winbind and interdomain trusts.
>
> I've done a lot of searching on the topic and there appears to be a lot of folk out there with the same problem, but not any solutions.
>
> Environment is CentOS v5.6 with yumable samba3x-winbind-3.5.4-0.70 on x86_64.
>
> Specifically, the host is joined (successfully) to A:
>
> [ehvozda at AD-test samba]$ sudo wbinfo -t
> checking the trust secret for domain A via RPC calls succeeded
> [ehvozda at AD-test samba]$
>
> A trusts B.
>
> I can kinit and get valid tickets for principals in each, no problem.
>
> winbind appears to see both A & B:
>
> [ehvozda at AD-test samba]$ sudo wbinfo -u
> A\administrator
> A\guest
> A\krbtgt
> A\aselwyn
> A\ehvozda
> A\hvozdae
> A\b$
> B\administrator
> B\guest
> B\krbtgt
> B\ehvozda
> B\ehvozda_xxx
> [ehvozda at AD-test samba]$
>
> users in A can authenticate via winbind:
>
> [ehvozda at AD-test samba]$ sudo wbinfo -a A\\hvozdae
> Enter A\hvozdae's password:
> plaintext password authentication succeeded
> Enter A\hvozdae's password:
> challenge/response password authentication succeeded
> [ehvozda at AD-test samba]$
>
> users in B cannot.
>
> [ehvozda at AD-test samba]$ sudo wbinfo -a B\\ehvozda
> Enter B\ehvozda's password:
> plaintext password authentication failed
> Could not authenticate user B\ehvozda with plaintext password
> Enter B\ehvozda's password:
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user B\ehvozda with challenge/response
> [ehvozda at AD-test samba]$
>
> However, clearly the user exists (see above).
>
> winbind sees the trust:
>
> [ehvozda at AD-test samba]$ sudo wbinfo -m
> BUILTIN
> AD-TEST
> A
> B
> [ehvozda at AD-test samba]$
>
> However, for whatever reason, B is considered offline:
>
> [ehvozda at AD-test samba]$ sudo wbinfo --online-status
> BUILTIN : online
> AD-TEST : online
> A : online
> B : offline
> [ehvozda at AD-test samba]$
>
> Cranking debug level = 10 does not show anything obvious.
>
> A few questions:
>
> * Are interdomain trusts working in v3.5.4?
> * Is there specific documentation or a recipe that works for folk?
> * What are some debugging techniques I could try?
> * Why is domain B offline?
>
> I've included my smb.conf file below:
>
> [global]
> workgroup = A
> realm = A.LOCAL
> security = ads
> idmap backend = tdb
> idmap uid = 1000-9999
> idmap gid = 1000-9999
> idmap config A : backend = ad
> idmap config A : range = 1000-2999
> idmap config B : backend = ad
> idmap config B : range = 3000-4999
> template shell = /bin/false
> winbind offline logon = false
> log level = 10
>
> server string = Samba Server Version %v
>
> log file = /var/log/samba/log.%m
> max log size = 50
>
> passdb backend = tdbsam
>
> load printers = yes
> cups options = raw
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes