[Samba] can't auth against more then 1 domain
Doug Tucker
tuckerd at lyle.smu.edu
Wed Nov 13 14:59:00 MST 2013
On 11/13/2013 03:57 PM, Taylor, Jonn wrote:
> On 11/13/2013 03:34 PM, Doug Tucker wrote:
>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>> I have 2 samba servers. One with centos5+samba 3.033 that has been
>>>> in service for a few years now. I have installed a centos6+samba
>>>> 3.6.9. I followed the how-to I did with the first one, copied over
>>>> the krb5.conf and smb.conf from the working server and all seemed
>>>> to go well. It is a member server of a Windows AD. We have 2 DC's
>>>> that are part of the same forest: SEAS and SEAS-S. I joined the
>>>> new one like the old one to the SEAS domain. The problem I have
>>>> run into is the new server will only auth users in the domain it is
>>>> joined to (SEAS) and cannot get users from SEAS-S. If I check
>>>> for trusted domains net rpc trustdom SEAS-S shows up under trusted
>>>> and trusting. If I do wbinfo -u | grep SEAS I get a full list of
>>>> users in the SEAS domain. But wbinfo -u | grep SEAS-S comes back
>>>> blank.
>>>>
>>>> I don't know what to provide to help solve this, so I'll post some
>>>> basics I guess.
>>>>
>>>> krb5.conf:
>>>> [logging]
>>>> default = FILE:/var/log/krb5libs.log
>>>> kdc = FILE:/var/log/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>> default_realm = SEAS.ENGR.SMU.EDU
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = false
>>>> ticket_lifetime = 24h
>>>> forwardable = true
>>>>
>>>> [realms]
>>>> SEAS.ENGR.SMU.EDU = {
>>>> kdc = seas.engr.smu.edu:88
>>>> admin_server = seas.engr.smu.edu:749
>>>> default_domain = engr.smu.edu
>>>> }
>>>>
>>>> SEAS-S.ENGR.SMU.EDU = {
>>>> kdc = seas-s.engr.smu.edu:88
>>>> admin_server = seas-s.engr.smu.edu:749
>>>> default_domain = engr.smu.edu
>>>> }
>>>>
>>>> [domain_realm]
>>>> .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>> engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>
>>>> [appdefaults]
>>>> pam = {
>>>> debug = false
>>>> ticket_lifetime = 36000
>>>> renew_lifetime = 36000
>>>> forwardable = true
>>>> krb4_convert = false
>>>> }
>>>>
>>>> Globals of smb.conf:
>>>>
>>>> workgroup = SEAS
>>>> realm = SEAS.ENGR.SMU.EDU
>>>> security = ADS
>>>> encrypt passwords = yes
>>>> passdb backend = tdbsam
>>>> obey pam restrictions = no
>>>> invalid users = root
>>>> username map = /etc/samba/domain_user.map
>>>> winbind separator = +
>>>> winbind cache time = 600
>>>> idmap uid = 19000-20000
>>>> idmap gid = 19000-20000
>>>>
>>>> Please let me know what else I may provide to help solve this. I
>>>> found some threads on this issue that were several years old in
>>>> regard to 3.028 having this issue and it was patched in a later
>>>> release. I can't find anything current about this. Thank you in
>>>> advance.
>>> Doug,
>>>
>>> This is most likely related to the idmap syntax changes in recent
>>> Samba versions. idmap uid/gid is deprecated. 3.6 uses something
>>> like the following:
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000 - 2000000
>>> idmap config DOMAIN1 : default = Yes
>>> idmap config DOMAIN1 : backend = rid
>>> idmap config DOMAIN1 : range = 1000 - 2000
>>> idmap config DOMAIN2 : backend = rid
>>> idmap config DOMAIN2 : range = 3000 - 4000
>>>
>>> Range values should not overlap. Adjust backend and range values to
>>> suit your situation.
>>>
>>> Dale
>>>
>>
>> Sorry, hit send too soon. Here is the command/log:
>>
>> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>> Enter SEAS-S+tuckerd's password:
>> plaintext password authentication succeeded
>> Enter SEAS-S+tuckerd's password:
>> challenge/response password authentication succeeded
>>
>> [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>> [2013/11/13 15:32:29.093674, 10]
>> winbindd/winbindd.c:679(wb_request_done)
>> wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>>
> Did you clear your winbind cache and restart the winbind service?
>
> Jonn
>
I just did a winbind stop and start...does that clear the cache?
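A check for the per-domain idmap layout Dale describes, added here as an example and not code from this thread or from Samba itself: it parses `idmap config` lines from an smb.conf fragment, confirms a default `*` range and a range for every trusted domain exist, and flags overlapping ranges (the failure mode Dale warns about). The sample configuration, the `check_idmap` helper and the domain ranges are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf [global] fragment using the 3.6-style idmap syntax;
# the SEAS-S range deliberately overlaps the SEAS range to show the check firing.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : default = Yes
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 1000 - 2000
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 1500 - 4000
"""

# Matches "idmap config DOMAIN : key = value" (DOMAIN may be "*").
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config keys per domain, domain names upper-cased."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains

def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'LOW - HIGH' into a (low, high) tuple, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.replace(" ", "").split("-"))
    if lo > hi:
        raise ValueError(f"bad idmap range {text!r}")
    return lo, hi

def check_idmap(conf: str, trusted: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the layout looks sane."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    if "range" not in domains.get("*", {}):
        problems.append("no default 'idmap config * : range' for unlisted domains")
    for dom in trusted:  # each trusted domain needs its own range or winbind cannot map it
        if "range" not in domains.get(dom.upper(), {}):
            problems.append(f"trusted domain {dom} has no idmap range")
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges for {a} and {b} overlap")
    return problems
```

Running `check_idmap` over the poster's original globals (which carry only the old `idmap uid`/`idmap gid` lines) reports a missing default range and no range for SEAS-S, which is the situation Dale's reply points at.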