[Samba] Trust problems after upgrade from 3.5 to 3.6

Oliver Freyd Oliver.Freyd at iontof.com
Fri Feb 8 11:18:39 MST 2013

Am 08.02.2013 17:54, schrieb Andrea Venturoli:
> On 02/08/13 13:48, Oliver Freyd wrote:
>> Hello,
>> I think I stumbled over the same issue when testing winbind and
>> interdomain trusts on samba 3.6 these days.
>> It is a bit hard to find, but "man idmap_ldap" says that the secret must
>> be stored with
>> net idmap secret DOMAIN SECRET
>> and I think I used '*' as DOMAIN (for any domain)
>> That made winbind with ldap work for me.
> Hello.
> First off, thanks for answering.
> After my previous message, I had already found out the above and did it.
> I saw some improvement:
> _ the logs about winbind not being "able to fetch auth credentials" are
> gone;
> _ "smbclient -L ..." succeeds, so authentication is in fact working;
> _ however, access to shares still is denied to users from the trusted
> domain.
> It looks like Samba authenticates the user (against the DCs of the
> trusted domain) and accepts it, but somehow fails to recognize him, so
> he won't be correctly matched against "valid users".
> Just to be clear: users from the trusted domain can access public
> shares, as long as they provide a correct password.
> I'm still investigating this and I'll report anything I'll find.
> Any further suggestion is still appreciated.
> bye & Thanks
> av.


does "wbinfo -u" list the users of the trusted domain?
and getent passwd, too?

By valid users you mean the parameter in smb.conf?
I'm usually using ACLs on shares (in the filesystem),
so I haven't tried that. But I suppose it worked before...



More information about the samba mailing list