[Samba] can't auth against more than 1 domain
Doug Tucker
tuckerd at lyle.smu.edu
Wed Nov 13 14:34:27 MST 2013
On 11/13/2013 02:30 PM, Dale Schroeder wrote:
> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>> I have 2 samba servers. One with centos5+samba 3.033 that has been
>> in service for a few years now. I have installed a centos6+samba
>> 3.6.9. I followed the how-to I did with the first one, copied over
>> the krb5.conf and smb.conf from the working server and all seemed to
>> go well. It is a member server of a Windows AD. We have 2 DC's that
>> are part of the same forest: SEAS and SEAS-S. I joined the new one
>> like the old one to the SEAS domain. The problem I have run into is
>> the new server will only auth users in the domain it is joined to
>> (SEAS) and cannot get users from SEAS-S. If I check for trusted
>> domains net rpc trustdom SEAS-S shows up under trusted and trusting.
>> If I do wbinfo -u | grep SEAS I get a full list of users in the SEAS
>> domain. But wbinfo -u | grep SEAS-S comes back blank.
>>
>> I don't know what to provide to help solve this so I'll post some
>> basics I guess.
>>
>> krb5.conf:
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = SEAS.ENGR.SMU.EDU
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = true
>>
>> [realms]
>> SEAS.ENGR.SMU.EDU = {
>> kdc = seas.engr.smu.edu:88
>> admin_server = seas.engr.smu.edu:749
>> default_domain = engr.smu.edu
>> }
>>
>> SEAS-S.ENGR.SMU.EDU = {
>> kdc = seas-s.engr.smu.edu:88
>> admin_server = seas-s.engr.smu.edu:749
>> default_domain = engr.smu.edu
>> }
>>
>> [domain_realm]
>> .engr.smu.edu = SEAS.ENGR.SMU.EDU
>> engr.smu.edu = SEAS.ENGR.SMU.EDU
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> Globals of smb.conf:
>>
>> workgroup = SEAS
>> realm = SEAS.ENGR.SMU.EDU
>> security = ADS
>> encrypt passwords = yes
>> passdb backend = tdbsam
>> obey pam restrictions = no
>> invalid users = root
>> username map = /etc/samba/domain_user.map
>> winbind separator = +
>> winbind cache time = 600
>> idmap uid = 19000-20000
>> idmap gid = 19000-20000
>>
>> Please let me know what else I may provide to help solve this. I
>> found some threads on this issue that were several years old in
>> regard to 3.028 having this issue and it was patched in a later
>> release. I can't find anything current about this. Thank you in
>> advance.
> Doug,
>
> This is most likely related to the idmap syntax changes in recent
> Samba versions. idmap uid/gid is deprecated. 3.6 uses something like
> the following:
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000 - 2000000
> idmap config DOMAIN1 : default = Yes
> idmap config DOMAIN1 : backend = rid
> idmap config DOMAIN1 : range = 1000 - 2000
> idmap config DOMAIN2 : backend = rid
> idmap config DOMAIN2 : range = 3000 - 4000
>
> Range values should not overlap. Adjust backend and range values to
> suit your situation.
>
> Dale
>
Sorry, hit send too soon. Here is the command/log:
[root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
Enter SEAS-S+tuckerd's password:
plaintext password authentication succeeded
Enter SEAS-S+tuckerd's password:
challenge/response password authentication succeeded
[ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
[2013/11/13 15:32:29.093674, 10] winbindd/winbindd.c:679(wb_request_done)
wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
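A quick offline sanity check for the idmap layout Dale describes, added here as an example; it is not code from the thread or from the Samba project. It parses the idmap keys of an smb.conf [global] section directly (rather than calling testparm) and flags the pre-3.6 `idmap uid`/`idmap gid` syntax, a missing `idmap config *` default block, domains that have no explicit range or backend, and ranges that overlap. The two smb.conf snippets are constructed: one mirrors the globals Doug posted, the other fills Dale's template with the two domain names from the thread, SEAS and SEAS-S (an assumption about which names winbind will use for the trusted domain).

```python
#!/usr/bin/env python3
"""Sanity-check the idmap keys of an smb.conf for a multi-domain member server.

Added example, not part of the original thread. It reads the idmap keys
itself so it runs offline; on a real server you would feed it
/etc/samba/smb.conf and the domain list from `wbinfo -m`.
"""

import re

# Constructed to mirror the globals Doug posted (old idmap uid/gid syntax).
OLD_STYLE = """
[global]
workgroup = SEAS
realm = SEAS.ENGR.SMU.EDU
security = ADS
idmap uid = 19000-20000
idmap gid = 19000-20000
"""

# Constructed from Dale's template; SEAS and SEAS-S substituted for
# DOMAIN1/DOMAIN2 (assumption: these are the names winbind sees).
NEW_STYLE = """
[global]
workgroup = SEAS
realm = SEAS.ENGR.SMU.EDU
security = ADS
idmap config * : backend = tdb
idmap config * : range = 1000000 - 2000000
idmap config SEAS : default = yes
idmap config SEAS : backend = rid
idmap config SEAS : range = 1000 - 2000
idmap config SEAS-S : backend = rid
idmap config SEAS-S : range = 3000 - 4000
"""

RANGE_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)
BACKEND_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*backend\s*=\s*(\S+)$", re.I)
LEGACY_RE = re.compile(r"^idmap (uid|gid)\s*=", re.I)


def parse_idmap(conf):
    """Return (ranges, backends, legacy_keys) found in the smb.conf text."""
    ranges, backends, legacy = {}, {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":      # skip blanks, comments, section headers
            continue
        if LEGACY_RE.match(line):
            legacy.append(line.split("=")[0].strip())
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = BACKEND_RE.match(line)
        if m:
            backends[m.group(1).upper()] = m.group(2).lower()
    return ranges, backends, legacy


def check_idmap(conf, domains):
    """Return a list of problem strings; an empty list means the layout looks sane."""
    ranges, backends, legacy = parse_idmap(conf)
    problems = []
    for key in legacy:
        problems.append(f"'{key}' is the pre-3.6 syntax; use 'idmap config * : range' instead")
    if "*" not in ranges or "*" not in backends:
        problems.append("no 'idmap config * : backend' / 'idmap config * : range' default block")
    for dom in domains:
        d = dom.upper()
        if d not in ranges:
            problems.append(f"domain {dom} has no explicit 'idmap config {dom} : range'")
        elif d not in backends:
            problems.append(f"domain {dom} has a range but no 'idmap config {dom} : backend'")
    names = sorted(ranges)
    for i, a in enumerate(names):
        lo_a, hi_a = ranges[a]
        if lo_a > hi_a:
            problems.append(f"range for {a} is reversed ({lo_a} - {hi_a})")
        for b in names[i + 1:]:
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:   # closed intervals intersect
                problems.append(f"ranges for {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for label, conf in (("old style", OLD_STYLE), ("3.6 style", NEW_STYLE)):
        print(f"== {label} ==")
        for p in check_idmap(conf, ["SEAS", "SEAS-S"]) or ["ok"]:
            print("  " + p)
```

On a live member server the domain list should come from winbind itself (`wbinfo -m` lists the domains it knows about) rather than being typed in, so that a trusted domain you forgot to configure still shows up as "no explicit range".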