[Samba] can't auth against more than 1 domain

Doug Tucker tuckerd at lyle.smu.edu
Wed Nov 13 14:30:22 MST 2013


On 11/13/2013 02:30 PM, Dale Schroeder wrote:
> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>> I have 2 samba servers.  One with centos5+samba 3.033 that has been 
>> in service for a few years now. I have installed a centos6+samba 
>> 3.6.9.  I followed the how-to I did with the first one, copied over 
>> the krb5.conf and smb.conf from the working server and all seemed to 
>> go well.  It is a member server of a Windows AD.  We have 2 DC's that 
>> are part of the same forest: SEAS and SEAS-S.  I joined the new one 
>> like the old one to the SEAS domain.  The problem I have run into is 
>> the new server will only auth users in the domain it is joined to 
>> (SEAS) and cannot get users from SEAS-S.  If I check for trusted 
>> domains net rpc trustdom SEAS-S shows up under trusted and trusting.  
>> If I do wbinfo -u | grep SEAS I get a full list of users in the SEAS 
>> domain.  But wbinfo -u | grep SEAS-S comes back blank.
>>
>> I don't know what to provide to help solve this so I'll post some 
>> basics I guess.
>>
>> krb5.conf:
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = SEAS.ENGR.SMU.EDU
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>  ticket_lifetime = 24h
>>  forwardable = true
>>
>> [realms]
>>  SEAS.ENGR.SMU.EDU = {
>>   kdc = seas.engr.smu.edu:88
>>   admin_server = seas.engr.smu.edu:749
>>   default_domain = engr.smu.edu
>>  }
>>
>>  SEAS-S.ENGR.SMU.EDU = {
>>   kdc = seas-s.engr.smu.edu:88
>>   admin_server = seas-s.engr.smu.edu:749
>>   default_domain = engr.smu.edu
>>  }
>>
>> [domain_realm]
>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>
>> [appdefaults]
>>  pam = {
>>    debug = false
>>    ticket_lifetime = 36000
>>    renew_lifetime = 36000
>>    forwardable = true
>>    krb4_convert = false
>>  }
>>
>> Globals of smb.conf:
>>
>>   workgroup = SEAS
>>   realm = SEAS.ENGR.SMU.EDU
>>   security = ADS
>>   encrypt passwords = yes
>>   passdb backend = tdbsam
>>   obey pam restrictions = no
>>   invalid users = root
>>   username map = /etc/samba/domain_user.map
>>   winbind separator = +
>>   winbind cache time = 600
>>   idmap uid = 19000-20000
>>   idmap gid = 19000-20000
>>
>> Please let me know what else I may provide to help solve this. I 
>> found some threads on this issue that were several years old in 
>> regard to 3.028 having this issue and it was patched in a later 
>> release.  I can't find anything current about this.  Thank you in 
>> advance.
> Doug,
>
> This is most likely related to the idmap syntax changes in recent 
> Samba versions. idmap uid/gid is deprecated.  3.6 uses something like 
> the following:
>
>     idmap config * : backend        = tdb
>     idmap config * : range            = 1000000 - 2000000
>     idmap config DOMAIN1 : default     = Yes
>     idmap config DOMAIN1 : backend    = rid
>     idmap config DOMAIN1 : range        = 1000 - 2000
>     idmap config DOMAIN2 : backend    = rid
>     idmap config DOMAIN2 : range        = 3000 - 4000
>
> Range values should not overlap.  Adjust backend and range values to 
> suit your situation.
>
> Dale

Thanks for the context.  I read and read the man pages and never could 
have constructed that properly.  Mine now reads:
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 2000000
    idmap config SEAS : default = Yes
    idmap config SEAS : backend = ad
    idmap config SEAS : range = 19000 - 20000
    idmap config SEAS-S : backend = ad
    idmap config SEAS-S : range = 21000 - 22000


However, there is no change.  :(  wbinfo -u | grep SEAS-S gives zero 
results.  Attempting to map a drive using a SEAS-S account the following 
spits out in the logs:

[2013/11/13 15:23:30.613810, 10] winbindd/winbindd.c:644(process_request)
   process_request: request fn DOMAIN_INFO
[2013/11/13 15:23:30.613845,  3] winbindd/winbindd_misc.c:226(winbindd_domain_info)
   [ 2613]: domain_info [SEAS-S]
[2013/11/13 15:23:30.613877,  3] winbindd/winbindd_misc.c:232(winbindd_domain_info)
   Did not find domain [SEAS-S]


But, if I do this on my samba server:

wbinfo -a SEAS-S+tuckerd

It results in a successful authentication and the logs reflect such.  
Any other ideas?
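Dale's reply above gives the per-domain "idmap config" syntax and warns that the ranges must not overlap. The script below is an added example written for this page (it is not part of the thread, nor Samba's own tooling) that parses the "idmap config DOMAIN : option = value" lines out of an smb.conf, flags the deprecated "idmap uid"/"idmap gid" keys Dale mentions, and reports domains with no backend, malformed ranges, or ranges that overlap (Samba ranges are inclusive, so two ranges that share an endpoint count as overlapping). The two embedded configs are constructed from the values Doug posted, with the second one deliberately broken; the function names are the example's own. On a real server you would still run testparm afterwards, since this only checks the idmap section.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: Doug's posted globals plus his new idmap config lines
# (legacy "idmap uid/gid" left in so the deprecation check has something to find).
SAMPLE_SMB_CONF = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap uid = 19000-20000
   idmap gid = 19000-20000
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : default = Yes
   idmap config SEAS : backend = ad
   idmap config SEAS : range = 19000 - 20000
   idmap config SEAS-S : backend = ad
   idmap config SEAS-S : range = 21000 - 22000
"""

# Constructed broken sample: SEAS-S has no backend and its range touches SEAS's.
OVERLAP_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : backend = ad
   idmap config SEAS : range = 19000 - 20000
   idmap config SEAS-S : range = 20000 - 21000
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
# Legacy keys replaced by "idmap config * : range" in Samba 3.6 (per Dale's note).
DEPRECATED = ("idmap uid", "idmap gid")


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({domain: {option: value}}, [deprecated legacy lines]) for an smb.conf text."""
    domains: Dict[str, Dict[str, str]] = {}
    legacy: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # blank, comment, or section header
        key = line.split("=", 1)[0].strip().lower()
        if key in DEPRECATED:
            legacy.append(line)
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains, legacy


def check_ranges(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable problems: missing backend/range, bad syntax, overlaps."""
    problems: List[str] = []
    spans: List[Tuple[int, int, str]] = []
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        rng = opts.get("range")
        if rng is None:
            problems.append(f"{dom}: no range configured")
            continue
        m = RANGE_RE.match(rng)
        if not m:
            problems.append(f"{dom}: unparseable range '{rng}'")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            problems.append(f"{dom}: range low {lo} is not below high {hi}")
            continue
        spans.append((lo, hi, dom))
    # Sort by low end; any neighbour whose low end is <= the previous high overlaps.
    spans.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(spans, spans[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems


def report(conf: str) -> List[str]:
    """Combine deprecation warnings and range problems into one list of findings."""
    domains, legacy = parse_idmap(conf)
    findings = [f"deprecated setting: {line}" for line in legacy]
    findings.extend(check_ranges(domains))
    return findings


if __name__ == "__main__":
    for name, conf in (("SAMPLE", SAMPLE_SMB_CONF), ("OVERLAP", OVERLAP_SMB_CONF)):
        print(f"== {name} ==")
        for finding in report(conf) or ["no idmap problems found"]:
            print("  " + finding)
```

Run against Doug's corrected config the only findings are the two leftover legacy keys; against the broken sample it reports the missing backend for SEAS-S and the SEAS/SEAS-S overlap. A clean result here only says the idmap layout is consistent; it says nothing about whether winbind can actually reach the trusted domain, which is what the "Did not find domain [SEAS-S]" log line above is about.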