[Samba] can't auth against more than 1 domain

Doug Tucker tuckerd at lyle.smu.edu
Wed Nov 13 12:54:47 MST 2013


I have 2 samba servers.  One with centos5+samba 3.033 that has been in 
service for a few years now. I have installed a centos6+samba 3.6.9.  I 
followed the how-to I did with the first one, copied over the krb5.conf 
and smb.conf from the working server and all seemed to go well.  It is a 
member server of a Windows AD.  We have 2 DCs that are part of the same 
forest: SEAS and SEAS-S.  I joined the new one like the old one to the 
SEAS domain.  The problem I have run into is the new server will only 
auth users in the domain it is joined to (SEAS) and cannot get users 
from SEAS-S.  If I check for trusted domains net rpc trustdom SEAS-S 
shows up under trusted and trusting.  If I do wbinfo -u | grep SEAS I 
get a full list of users in the SEAS domain.  But wbinfo -u | grep 
SEAS-S comes back blank.

I don't know what to provide to help solve this so I'll post some 
basics I guess.

krb5.conf:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = SEAS.ENGR.SMU.EDU
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = true

[realms]
  SEAS.ENGR.SMU.EDU = {
   kdc = seas.engr.smu.edu:88
   admin_server = seas.engr.smu.edu:749
   default_domain = engr.smu.edu
  }

  SEAS-S.ENGR.SMU.EDU = {
   kdc = seas-s.engr.smu.edu:88
   admin_server = seas-s.engr.smu.edu:749
   default_domain = engr.smu.edu
  }

[domain_realm]
  .engr.smu.edu = SEAS.ENGR.SMU.EDU
  engr.smu.edu = SEAS.ENGR.SMU.EDU

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

Globals of smb.conf:

   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = no
   invalid users = root
   username map = /etc/samba/domain_user.map
   winbind separator = +
   winbind cache time = 600
   idmap uid = 19000-20000
   idmap gid = 19000-20000

Please let me know what else I may provide to help solve this.  I found 
some threads on this issue that were several years old in regard to 
3.028 having this issue and it was patched in a later release.  I can't 
find anything current about this.  Thank you in advance.

-- 
Sincerely,

Doug Tucker


