[Samba] [Possibly solved] Trust problems after upgrade from 3.5 to 3.6

Andrea Venturoli ml at netfence.it
Wed Feb 13 03:12:18 MST 2013

On 02/09/13 13:12, Andrea Venturoli wrote:

> There are some message in event viewer which confirm the fact that my
> samba is contacting the Windows servers for authentication (which
> succeeds or fails normally).
> I'm investigating further.

I did some further testing:

_ winbindd authenticates correctly against the trusted domain;

_ smbd, however, won't recognize the user and we have two cases:
   a) if an user with the same name exists in the Samba domain, it will 
be mistakenly choosen; this is enough for browsing (smbclient -L);
   b) if an user with the same name does not exist in the Samba domain, 
browsing will fail;

_ even in case a), no access will be granted to a share.

I searched the web and saw a lot of other people having the same or 
similar problem; I even found bug reports about this and got discouraged.
Since this was happening on a production box and we could not stand this 
trouble anymore, I moved back to Samba 3.5, since

I then prepared a new box, with Samba 3.6, configured as a member of the 
Samba domain and continued my tests there.
A message in the logs finally opened my eyes:
> [2013/02/12 18:11:16.282916,  0] passdb/lookup_sid.c:1684(get_primary_group_sid)
>   Failed to find a Unix account for nagcheckUser nagcheck in passdb, but getpwnam() fails!

So I went in /etc/nsswitch.conf and changed
> passwd: files ldap
> passwd: files ldap winbindd

Everything started working as expected.

Now, before I try again on the production server (which is also the 
PDC), I'm asking for confirmation that this might have been the cause.
This was not needed under Samba 3.5; is it really needed with 3.6?
No way to avoid this, given I won't in any case have any local file 
owned by the trusted domain users?

  bye & Thanks

More information about the samba mailing list