[Samba] can't auth against more then 1 domain
Taylor, Jonn
jonnt at taylortelephone.com
Wed Nov 13 14:57:27 MST 2013
On 11/13/2013 03:34 PM, Doug Tucker wrote:
> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>> I have 2 samba servers. One with centos5+samba 3.033 that has been
>>> in service for a few years now. I have installed a centos6+samba
>>> 3.6.9. I followed the how-to I did with the first one, copied over
>>> the krb5.conf and smb.conf from the working server and all seemed to
>>> go well. It is a member server of a Windows AD. We have 2 DC's that
>>> are part of the same forest: SEAS and SEAS-S. I joined the new one
>>> like the old one to the SEAS domain. The problem I have run into is
>>> the new server will only auth users in the domain it is joined to
>>> (SEAS) and cannot get users from SEAS-S. If I check for trusted
>>> domains net rpc trustdom SEAS-S shows up under trusted and
>>> trusting. If I do wbinfo -u | grep SEAS I get a full list of users
>>> in the SEAS domain. But wbinfo -u | grep SEAS-S comes back blank.
>>>
>>> I don't know what to provide to help solve this so I'll post some
>>> basics I guess.
>>>
>>> krb5.conf:
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> default_realm = SEAS.ENGR.SMU.EDU
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ticket_lifetime = 24h
>>> forwardable = true
>>>
>>> [realms]
>>> SEAS.ENGR.SMU.EDU = {
>>> kdc = seas.engr.smu.edu:88
>>> admin_server = seas.engr.smu.edu:749
>>> default_domain = engr.smu.edu
>>> }
>>>
>>> SEAS-S.ENGR.SMU.EDU = {
>>> kdc = seas-s.engr.smu.edu:88
>>> admin_server = seas-s.engr.smu.edu:749
>>> default_domain = engr.smu.edu
>>> }
>>>
>>> [domain_realm]
>>> .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>> engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>
>>> [appdefaults]
>>> pam = {
>>> debug = false
>>> ticket_lifetime = 36000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>> }
>>>
>>> Globals of smb.conf:
>>>
>>> workgroup = SEAS
>>> realm = SEAS.ENGR.SMU.EDU
>>> security = ADS
>>> encrypt passwords = yes
>>> passdb backend = tdbsam
>>> obey pam restrictions = no
>>> invalid users = root
>>> username map = /etc/samba/domain_user.map
>>> winbind separator = +
>>> winbind cache time = 600
>>> idmap uid = 19000-20000
>>> idmap gid = 19000-20000
>>>
>>> Please let me know what else I may provide to help solve this. I
>>> found some threads on this issue that were several years old in
>>> regard to 3.028 having this issue and it was patched in a later
>>> release. I can't find anything current about this. Thank you in
>>> advance.
>> Doug,
>>
>> This is most likely related to the idmap syntax changes in recent
>> Samba versions. idmap uid/gid is deprecated. 3.6 uses something like
>> the following:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 2000000
>> idmap config DOMAIN1 : default = Yes
>> idmap config DOMAIN1 : backend = rid
>> idmap config DOMAIN1 : range = 1000 - 2000
>> idmap config DOMAIN2 : backend = rid
>> idmap config DOMAIN2 : range = 3000 - 4000
>>
>> Range values should not overlap. Adjust backend and range values to
>> suit your situation.
>>
>> Dale
>>
>
> Sorry, hit send too soon. Here is the command/log:
>
> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
> Enter SEAS-S+tuckerd's password:
> plaintext password authentication succeeded
> Enter SEAS-S+tuckerd's password:
> challenge/response password authentication succeeded
>
> [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
> [2013/11/13 15:32:29.093674, 10] winbindd/winbindd.c:679(wb_request_done)
> wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>
Did you clear your winbind cache and restart the winbind service?
Jonn