[Samba] Samba member server and trusted domains question

Carsten Maul carsten_maul at gmx.de
Thu Jan 10 03:53:05 MST 2013


I have two Windows Domains, DOMA and DOMB. A Samba 3.6 Server is a member server in DOMA.
DOMA has a (unidirectional) trust relationship to DOMB.
Users from DOMB should be able to connect and authenticate at the Samba server.

The domain controller of DOMB has the IP

During authentication of a DOMB user at a share I get the following log entries:

  get_dc_list: preferred server list: ", *"
[2013/01/10 11:24:59.816974,  3] libads/ldap.c:640(ads_connect)
  Successfully contacted LDAP server
[2013/01/10 11:24:59.818216,  3] libads/ldap.c:640(ads_connect)
  Successfully contacted LDAP server
[2013/01/10 11:24:59.819284,  3] libads/ldap.c:694(ads_connect)
  Connected to LDAP server dc01.domb
[2013/01/10 11:24:59.821064,  3] libads/sasl.c:869(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2013/01/10 11:24:59.821196,  3] libads/sasl.c:869(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2013/01/10 11:24:59.821296,  3] libads/sasl.c:869(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.
[2013/01/10 11:24:59.821354,  3] libads/sasl.c:869(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=
[2013/01/10 11:24:59.821478,  3] libads/sasl.c:878(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = dc01$@DOMB
[2013/01/10 11:24:59.822188,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
Ignoring unknown parameter "idmap domains"
[2013/01/10 11:25:00.883025,  1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for ldap/dc01.domb at DOMB (Server not found in Kerberos database)
[2013/01/10 11:25:00.883184,  0] libads/sasl.c:908(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
[2013/01/10 11:25:00.883536,  1] winbindd/idmap_ad.c:149(ad_idmap_cached_connection_internal)
  ad_idmap_cached_connection_internal: failed to connect to AD

First you have to know that the users can successfully authenticate to the Samba server. But there are error messages in the log I don't understand, especially the "failed to connect to AD" error message.
Why is this AD connection to DOMB necessary? What exactly is the Samba server trying to do with the DOMB domain controller?

Kind regards

