[Samba] can't auth against more than 1 domain

Dale Schroeder dale at BriannasSaladDressing.com
Wed Nov 13 13:30:26 MST 2013


On 11/13/2013 1:54 PM, Doug Tucker wrote:
> I have 2 samba servers.  One with centos5+samba 3.033 that has been in 
> service for a few years now. I have installed a centos6+samba 3.6.9.  
> I followed the how-to I did with the first one, copied over the 
> krb5.conf and smb.conf from the working server and all seemed to go 
> well.  It is a member server of a Windows AD.  We have 2 DCs that are 
> part of the same forest: SEAS and SEAS-S.  I joined the new one like 
> the old one to the SEAS domain.  The problem I have run into is the 
> new server will only auth users in the domain it is joined to (SEAS) 
> and cannot get users from SEAS-S.  If I check for trusted domains, 
> net rpc trustdom shows SEAS-S under trusted and trusting.  If I do 
> wbinfo -u | grep SEAS I get a full list of users in the SEAS domain.  
> But wbinfo -u | grep SEAS-S comes back blank.
>
> I don't know what to provide to help solve this, so I'll post some 
> basics, I guess.
>
> krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = SEAS.ENGR.SMU.EDU
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = true
>
> [realms]
>  SEAS.ENGR.SMU.EDU = {
>   kdc = seas.engr.smu.edu:88
>   admin_server = seas.engr.smu.edu:749
>   default_domain = engr.smu.edu
>  }
>
>  SEAS-S.ENGR.SMU.EDU = {
>   kdc = seas-s.engr.smu.edu:88
>   admin_server = seas-s.engr.smu.edu:749
>   default_domain = engr.smu.edu
>  }
>
> [domain_realm]
>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
> Globals of smb.conf:
>
>    workgroup = SEAS
>    realm = SEAS.ENGR.SMU.EDU
>    security = ADS
>    encrypt passwords = yes
>    passdb backend = tdbsam
>    obey pam restrictions = no
>    invalid users = root
>    username map = /etc/samba/domain_user.map
>    winbind separator = +
>    winbind cache time = 600
>    idmap uid = 19000-20000
>    idmap gid = 19000-20000
>
> Please let me know what else I may provide to help solve this.  I 
> found some threads on this issue that were several years old in regard 
> to 3.028 having this issue and it was patched in a later release.  I 
> can't find anything current about this.  Thank you in advance.
Doug,

This is most likely related to the idmap syntax changes in recent Samba 
versions. idmap uid/gid is deprecated.  3.6 uses something like the 
following:

    idmap config * : backend        = tdb
    idmap config * : range          = 1000000 - 2000000
    idmap config DOMAIN1 : default  = Yes
    idmap config DOMAIN1 : backend  = rid
    idmap config DOMAIN1 : range    = 1000 - 2000
    idmap config DOMAIN2 : backend  = rid
    idmap config DOMAIN2 : range    = 3000 - 4000

Range values should not overlap.  Adjust backend and range values to 
suit your situation.

Dale
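The following is an added example, not part of the thread or of Samba itself: a small shell lint that reads the global section of an smb.conf and reports the two things Dale's reply points at, the deprecated pre-3.6 "idmap uid"/"idmap gid" globals and any per-domain "idmap config DOMAIN : range" values that overlap. The two smb.conf fragments inside it are constructed for the example (one shaped like Doug's globals with a colliding range for the trusted domain, one corrected); the domain names SEAS and SEAS-S follow the thread, and the parameter names are matched in the lower-case spelling the thread uses. Running it with a real smb.conf path instead of the constructed files is the intended use.

```shell
#!/bin/sh
# Added example, not from the thread: lint the idmap settings of an smb.conf
# for a Samba 3.6 member server. Reports the deprecated "idmap uid"/"idmap gid"
# globals and overlapping "idmap config DOMAIN : range" values.

# Print one "DOMAIN LOW HIGH" line per "idmap config DOMAIN : range = LOW - HIGH"
# entry in FILE. Whitespace around ":", "=" and "-" is optional, as smbd accepts.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# Print each deprecated global ("idmap uid", "idmap gid") still present in FILE.
deprecated_idmap() {
    sed -n 's/^[[:space:]]*\(idmap [ug]id\)[[:space:]]*=.*/\1/p' "$1"
}

# Print every pair of ranges in FILE that share at least one ID.
# Two closed ranges overlap when each starts at or before the other ends.
overlapping_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        printf "%s %d-%d overlaps %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
        }'
}

# Number of findings (deprecated globals plus overlapping pairs) in FILE.
idmap_problem_count() {
    { deprecated_idmap "$1"; overlapping_ranges "$1"; } | awk 'END { print NR }'
}

# Constructed smb.conf in the shape of the thread's globals: the old idmap
# uid/gid lines are still present, and the trusted domain's range collides
# with the joined domain's range.
BAD=${TMPDIR:-/tmp}/smb.conf.bad.$$
GOOD=${TMPDIR:-/tmp}/smb.conf.good.$$
trap 'rm -f "$BAD" "$GOOD"' EXIT
cat > "$BAD" <<'EOF'
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   idmap uid = 19000-20000
   idmap gid = 19000-20000
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 10000 - 19999
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 15000 - 29999
EOF

# Constructed corrected fragment: no deprecated globals, disjoint ranges
# for the default (*), joined (SEAS) and trusted (SEAS-S) domains.
cat > "$GOOD" <<'EOF'
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 10000 - 19999
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 20000 - 29999
EOF

printf 'findings in %s: %s\n' "$BAD" "$(idmap_problem_count "$BAD")"
deprecated_idmap "$BAD"
overlapping_ranges "$BAD"
printf 'findings in %s: %s\n' "$GOOD" "$(idmap_problem_count "$GOOD")"
```

The overlap test is the closed-interval check (each range starts at or before the other ends), so adjacent ranges such as 10000-19999 and 20000-29999 pass while 10000-19999 and 15000-29999 are flagged. A non-zero finding count is a reason to fix smb.conf and re-run "net cache flush" style cleanup of the idmap cache before expecting "wbinfo -u" to list the second domain.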
