[Samba] Trust problems after upgrade from 3.5 to 3.6

Oliver Freyd Oliver.Freyd at iontof.com
Fri Feb 8 05:48:15 MST 2013


Hello,

I think I stumbled over the same issue when testing winbind and 
interdomain trusts on samba 3.6 these days.

It is a bit hard to find, but "man idmap_ldap" says that the secret must 
be stored with

net idmap secret DOMAIN SECRET

and I think I used '*' as DOMAIN (for any domain).
That made winbind with ldap work for me.

Bye,

	Oliver


On 05.02.2013 09:04, Andrea Venturoli wrote:
> On 02/04/13 19:25, Andrea Venturoli wrote:
>> Hello.
>>
>> My setup:
>> _ one Samba 3.5 domain (XXXXXXXX), with a PDC and a BDC, both running
>> FreeBSD;
>> _ one AD domain (YYYYYYYY) running on two Windows 2003 DCs;
>> _ bidirectional trust between the two domains.
>>
>>
>> Everything used to work until I moved the PDC from Samba 3.5 (EOL'ed) to
>> 3.6; now, users from domain YYYYYYYY cannot access the PDC's shares.
>>
>>
>> I used to have in smb.conf:
>>> idmap backend=ldap:ldap://localhost/
>>> idmap alloc backend=ldap
>>> idmap alloc config:ldap_url=ldap://localhost
>>> idmap alloc config:ldap_base_dn=ou=idmap,dc=xxxxxxxx,dc=xx
>>> idmap alloc config:ldap_user_dn=cn=root,dc=xxxxxxxx,dc=xx
>>> idmap cache time=120
>>> idmap uid=150000-200000
>>> idmap gid=150000-200000
>>> template shell=/sbin/nologin
>>> idmap config XXXXXXXX:backend=nss
>>> idmap config XXXXXXXX:range=1000-999999
>>
>> After the upgrade I changed it this way:
>>> idmap config *:backend=ldap
>>> idmap config *:range=150000-200000
>>> idmap config *:ldap_url=ldap://localhost/
>>> idmap config *:ldap_base_dn=ou=idmap,dc=xxxxxxxx,dc=xx
>>> idmap config *:ldap_user_dn=cn=root,dc=xxxxxxxx,dc=xx
>>> idmap cache time=120
>>> template shell=/sbin/nologin
>>> idmap config XXXXXXXX:backend=nss
>>> idmap config XXXXXXXX:range=1000-999999
>>
>>
>>
>> I see many errors like the following in log.winbindd-idmap:
>>> [2013/02/04 19:22:20.847184, 1] winbindd/idmap.c:249(idmap_init_domain)
>>> idmap initialization returned NT_STATUS_ACCESS_DENIED
>>
>> In log.wb-YYYYYYYY
>>> [2013/02/04 19:20:59.364510, 0]
>>> rpc_client/cli_pipe.c:3240(cli_rpc_pipe_open_spnego_ntlmssp)
>>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>>
>>
>>
>> Please, any help is appreciated.
>>
>>
>> bye & Thanks
>> av.
>
> P.S.
> I'm also seeing this:
>
>> winbindd[65589]: get_credentials: Unable to fetch auth credentials for
>> cn=root,dc=xxxxxxxx,dc=xx in *
>
> Connection to LDAP works from smbd (for which I had set credentials with
> smbpasswd -w); how would I do it for winbindd?
>
> bye & Thanks
> av.
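
An added example, not part of the original thread and not Samba's own code: a small Python check that reads the "idmap config" lines of an smb.conf and lists the domains whose ldap backend binds as ldap_user_dn, which are the ones that need a secret stored with "net idmap secret". The sample configuration is constructed from the post-upgrade lines quoted above, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: the post-upgrade idmap lines quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
idmap config *:backend=ldap
idmap config *:range=150000-200000
idmap config *:ldap_url=ldap://localhost/
idmap config *:ldap_base_dn=ou=idmap,dc=xxxxxxxx,dc=xx
idmap config *:ldap_user_dn=cn=root,dc=xxxxxxxx,dc=xx
idmap cache time=120
idmap config XXXXXXXX:backend=nss
idmap config XXXXXXXX:range=1000-999999
"""

# "idmap config DOMAIN : option = value"; the first ':' ends the domain name,
# so ':' inside a value such as ldap://localhost/ is left alone.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$",
    re.IGNORECASE,
)

def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain, {})[option.strip().lower()] = value
    return domains

def domains_needing_secret(text):
    """(domain, bind DN) pairs where backend=ldap and ldap_user_dn is set."""
    return [
        (domain, opts["ldap_user_dn"])
        for domain, opts in parse_idmap_config(text).items()
        if opts.get("backend", "").lower() == "ldap" and "ldap_user_dn" in opts
    ]

def secret_commands(text):
    """Command templates; SECRET is a placeholder, as in the man page usage."""
    # Quote the domain: an unquoted * would be expanded by the shell.
    return ["net idmap secret %s SECRET" % shlex.quote(domain)
            for domain, _ in domains_needing_secret(text)]

if __name__ == "__main__":
    for cmd in secret_commands(SAMPLE_SMB_CONF):
        print(cmd)
```

For the sample, only the '*' domain is reported; XXXXXXXX uses the nss backend and needs no stored secret. A secret typed on the command line can end up in shell history and the process list.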



