[Samba] can't auth against more than 1 domain

Doug Tucker tuckerd at lyle.smu.edu
Wed Nov 13 14:34:27 MST 2013


On 11/13/2013 02:30 PM, Dale Schroeder wrote:
> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>> I have 2 samba servers.  One with centos5+samba 3.033 that has been 
>> in service for a few years now. I have installed a centos6+samba 
>> 3.6.9.  I followed the how-to I did with the first one, copied over 
>> the krb5.conf and smb.conf from the working server and all seemed to 
>> go well.  It is a member server of a window AD.  We have 2 DC's that 
>> are part of the same forest: SEAS and SEAS-S.  I joined the new one 
>> like the old one to the SEAS domain.  The problem I have run into is 
>> the new server will only auth users in the domain it is joined to 
>> (SEAS) and cannot get users from SEAS-S.  If I check for trusted 
>> domains net rpc trustdom SEAS-S shows up under trusted and trusting.  
>> If I do wbinfo -u | grep SEAS I get a full list of users in the SEAS 
>> domain.  But wbinfo -u | grep SEAS-S comes back blank.
>>
>> I don't know what to provide to help solve this so I'll post some 
>> basics I guess.
>>
>> krb5.conf:
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = SEAS.ENGR.SMU.EDU
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>  ticket_lifetime = 24h
>>  forwardable = true
>>
>> [realms]
>>  SEAS.ENGR.SMU.EDU = {
>>   kdc = seas.engr.smu.edu:88
>>   admin_server = seas.engr.smu.edu:749
>>   default_domain = engr.smu.edu
>>  }
>>
>>  SEAS-S.ENGR.SMU.EDU = {
>>   kdc = seas-s.engr.smu.edu:88
>>   admin_server = seas-s.engr.smu.edu:749
>>   default_domain = engr.smu.edu
>>  }
>>
>> [domain_realm]
>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>
>> [appdefaults]
>>  pam = {
>>    debug = false
>>    ticket_lifetime = 36000
>>    renew_lifetime = 36000
>>    forwardable = true
>>    krb4_convert = false
>>  }
>>
>> Globals of smb.conf:
>>
>>   workgroup = SEAS
>>   realm = SEAS.ENGR.SMU.EDU
>>   security = ADS
>>   encrypt passwords = yes
>>   passdb backend = tdbsam
>>   obey pam restrictions = no
>>   invalid users = root
>>   username map = /etc/samba/domain_user.map
>>   winbind separator = +
>>   winbind cache time = 600
>>   idmap uid = 19000-20000
>>   idmap gid = 19000-20000
>>
>> Please let me know what else I may provide to help solve this. I 
>> found some threads on this issue that were several years old in 
>> regard to 3.028 having this issue and it was patched in a later 
>> release.  I can't find anything current about this.  Thank you in 
>> advance.
> Doug,
>
> This is most likely related to the idmap syntax changes in recent 
> Samba versions. idmap uid/gid is deprecated.  3.6 uses something like 
> the following:
>
>     idmap config * : backend        = tdb
>     idmap config * : range            = 1000000 - 2000000
>     idmap config DOMAIN1 : default     = Yes
>     idmap config DOMAIN1 : backend    = rid
>     idmap config DOMAIN1 : range        = 1000 - 2000
>     idmap config DOMAIN2 : backend    = rid
>     idmap config DOMAIN2 : range        = 3000 - 4000
>
> Range values should not overlap.  Adjust backend and range values to 
> suit your situation.
>
> Dale
>

Sorry, hit send too soon.  Here is the command/log:

[root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
Enter SEAS-S+tuckerd's password:
plaintext password authentication succeeded
Enter SEAS-S+tuckerd's password:
challenge/response password authentication succeeded

  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
[2013/11/13 15:32:29.093674, 10] winbindd/winbindd.c:679(wb_request_done)
   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
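The idmap rewrite suggested in Dale's reply, worked through for the two domains in this thread as an added example (not code from the original posts or from Samba itself): a constructed smb.conf fragment in the 3.6 per-domain `idmap config` syntax beside the deprecated `idmap uid`/`idmap gid` form from the original post, and a small Python checker that flags the pitfalls the reply warns about: legacy parameters, a missing `*` default backend, overlapping ranges, and a rid range too small to hold the domain's RIDs. The backend choice (rid), the specific ranges and the `MIN_RID_SPAN` threshold are assumptions to be adjusted to the site. The `wbinfo -a` log above shows both plaintext and challenge/response authentication for SEAS-S+tuckerd returning NT_STATUS_OK, so the trust itself is answering; what `wbinfo -u` still needs is a UID for every SEAS-S user, and the single 19000-20000 range in the posted config offers only 1001 IDs for all domains combined.

```python
"""Lint the idmap settings of an smb.conf for the multi-domain pitfalls
raised in this thread.  Constructed example, not Samba's own code."""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf [global] fragment in the per-domain "idmap config"
# syntax.  The rid backend and the ranges are assumptions for illustration.
GOOD_SMB_CONF = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 100000 - 199999
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 200000 - 299999
"""

# The deprecated form from the original post: one small range for everything.
OLD_SMB_CONF = """
[global]
   workgroup = SEAS
   security = ADS
   idmap uid = 19000-20000
   idmap gid = 19000-20000
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
LEGACY_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=", re.I)
# Assumed minimum span for a rid-backed domain: the rid backend maps RID r to
# low + r, so a span of N ids only covers RIDs below N.
MIN_RID_SPAN = 10000


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({domain: {param: value}}, [legacy 'idmap uid/gid' lines])."""
    domains: Dict[str, Dict[str, str]] = {}
    legacy: List[str] = []
    for line in conf.splitlines():
        if LEGACY_RE.match(line):
            legacy.append(line.strip())
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, param, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[param] = value
    return domains, legacy


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'low - high' (spaces optional); reject inverted ranges."""
    low, high = (int(part) for part in value.split("-"))
    if low > high:
        raise ValueError(f"inverted idmap range: {value!r}")
    return low, high


def lint_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap block is sane."""
    problems: List[str] = []
    domains, legacy = parse_idmap(conf)
    for line in legacy:
        problems.append(f"legacy parameter, use 'idmap config * : range' instead: {line}")
    if "backend" not in domains.get("*", {}):
        problems.append("missing 'idmap config * : backend' default mapping")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, params in domains.items():
        if "range" not in params:
            problems.append(f"{dom}: no 'idmap config {dom} : range'")
            continue
        ranges[dom] = parse_range(params["range"])
        span = ranges[dom][1] - ranges[dom][0] + 1
        if params.get("backend", "").lower() == "rid" and span < MIN_RID_SPAN:
            problems.append(f"{dom}: rid range of {span} ids covers only RIDs below {span}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return problems


if __name__ == "__main__":
    for name, conf in (("deprecated form", OLD_SMB_CONF), ("per-domain form", GOOD_SMB_CONF)):
        print(f"{name}: {lint_idmap(conf) or ['ok']}")
```

Run the checker over the real file before and after the change, then restart winbind and re-check with `wbinfo -m` (trusted domains) and `wbinfo -u`. Changing ranges on a server that is already in service changes the UIDs that existing users have been mapped to, so ownership of files created under the old mapping must be fixed up at the same time.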