[Samba] External trust / DMZ (nsswitch vs wbinfo)

Elijah Buck elijah.buck at gmail.com
Tue Mar 13 14:29:54 MDT 2012


Hello,

Summary: a Linux server joined to domain GODMZ (which trusts another domain
GOCORP), without network access to GOCORP domain controllers can
authenticate but not retrieve user information (id) even though wbinfo -n
can resolve a name to SID.

Long:
We have two domains, both at server 2003 functional level. GOCORP contains
users and intranet servers. GODMZ contains servers in the DMZ (web servers,
etc). There is a one-way external trust -- GODMZ trusts GOCORP. GODMZ
domain controllers can talk to GOCORP domain controllers, but member
servers in the DMZ cannot talk to GOCORP domain controllers. This mostly
works for Windows servers in the DMZ to authorize GOCORP users who are in
GODMZ groups for resources in GODMZ (using magic MSRPC tunnels of some
sort).

I'm trying to get similar functionality for our Linux (RHEL 6.2) servers in
the DMZ. When I connect the Linux server to a network that has access to
domain controllers in both GODMZ and GOCORP, I can authenticate and get
user info. When I connect the Linux server to a network that has access to
domain controllers in GODMZ, but not GOCORP, I can authenticate (using
ntlm_auth), but cannot get user info (id GOCORP\\me). Interestingly, wbinfo
-n GOCORP\\me works.

I realize this is a pretty odd setup, but is there any way to make this work?

Thanks,
Elijah

[root at sambatest ~]# wbinfo -t
checking the trust secret for domain GODMZ via RPC calls succeeded
[root at sambatest ~]# net ads testjoin
Join is OK

[root at sambatest ~]# ntlm_auth --domain=GOCORP --username=me
password:
NT_STATUS_OK: Success (0x0)

[root at sambatest ~]# wbinfo -n GOCORP\\me
S-1-5-21-906331755-3892439966-4211215107-5803 SID_USER (1)

[root at sambatest ~]# id GOCORP\\me
id: GOCORP\me: No such user

[root at sambatest ~]# id GODMZ\\notme
uid=2107(GODMZ\notme)...

[root at sambatest ~]# smbd  --version
Version 3.5.10-114.el6

#relevant /etc/smb.conf
security = domain
realm = GODMZ
password server = *
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
winbind use default domain = no
winbind trusted domains only = no
client ntlmv2 auth = yes
encrypt passwords = yes
invalid users = root
allow trusted domains = yes
idmap backend = idmap_rid:GOCORP=10000-100000000
idmap backend = idmap_rid:GODMZ=1000-9999 #there are only a handful of users
idmap uid = 1000-100000000
idmap gid = 1000-100000000
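An added check, not part of this post or of Samba itself, that a reader could run over the smb.conf fragment above: a small Python linter that parses the file by the smb.conf(5) rules (only whole lines starting with '#' or ';' are comments; parameter names compare ignoring case and spaces) and flags a parameter assigned twice in one section, where only the last assignment takes effect, as well as a value that carries a trailing comment along with it. The sample config is constructed from the fragment and assumed to sit in [global].

```python
import re
from collections import defaultdict

# Constructed sample, built from the fragment in the post and placed
# under [global] (assumption: that is the section it came from).
SAMPLE_SMB_CONF = """\
[global]
realm = GODMZ
allow trusted domains = yes
idmap backend = idmap_rid:GOCORP=10000-100000000
idmap backend = idmap_rid:GODMZ=1000-9999 #there are only a handful of users
idmap uid = 1000-100000000
idmap gid = 1000-100000000
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates.
    Only whole-line '#'/';' comments are dropped; keys are normalised."""
    sections = defaultdict(list)
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()   # 'Idmap Backend' == 'idmapbackend'
        sections[current].append((key, value.strip()))
    return dict(sections)

def lint_smb_conf(text):
    """Flag a parameter set twice in a section (last assignment wins) and a
    value containing '#'/';' (Samba keeps the trailing text as part of it)."""
    findings = []
    for section, pairs in parse_smb_conf(text).items():
        seen = defaultdict(list)
        for key, value in pairs:
            seen[key].append(value)
            if "#" in value or ";" in value:
                findings.append(("inline-comment", section, key, value))
        for key, values in seen.items():
            if len(values) > 1:
                findings.append(("duplicate", section, key, values[-1]))
    return findings
```

lint_smb_conf(SAMPLE_SMB_CONF) returns one 'inline-comment' and one 'duplicate' finding, both for idmap backend, showing that the GOCORP range is discarded and the GODMZ value includes the comment text.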

