[Samba] can't auth against more then 1 domain

Taylor, Jonn jonnt at taylortelephone.com
Wed Nov 13 15:03:27 MST 2013


On 11/13/2013 03:59 PM, Doug Tucker wrote:
> On 11/13/2013 03:57 PM, Taylor, Jonn wrote:
>> On 11/13/2013 03:34 PM, Doug Tucker wrote:
>>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>>> I have 2 samba servers.  One with centos5+samba 3.033 that has 
>>>>> been in service for a few years now. I have installed a 
>>>>> centos6+samba 3.6.9.  I followed the how-to I did with the first 
>>>>> one, copied over the krb5.conf and smb.conf from the working 
>>>>> server and all seemed to go well. It is a member server of a 
>>>>> Windows AD. We have 2 DC's that are part of the same forest: SEAS 
>>>>> and SEAS-S.  I joined the new one like the old one to the SEAS 
>>>>> domain.  The problem I have run into is the new server will only 
>>>>> auth users in the domain it is joined to (SEAS) and cannot get 
>>>>> users from SEAS-S. If I check for trusted domains net rpc trustdom 
>>>>> SEAS-S shows up under trusted and trusting.  If I do wbinfo -u | 
>>>>> grep SEAS I get a full list of users in the SEAS domain.  But 
>>>>> wbinfo -u | grep SEAS-S comes back blank.
>>>>>
>>>>> I don't know what to provide to help solve this so I'll post some 
>>>>> basics I guess.
>>>>>
>>>>> krb5.conf:
>>>>> [logging]
>>>>>  default = FILE:/var/log/krb5libs.log
>>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>>  default_realm = SEAS.ENGR.SMU.EDU
>>>>>  dns_lookup_realm = false
>>>>>  dns_lookup_kdc = false
>>>>>  ticket_lifetime = 24h
>>>>>  forwardable = true
>>>>>
>>>>> [realms]
>>>>>  SEAS.ENGR.SMU.EDU = {
>>>>>   kdc = seas.engr.smu.edu:88
>>>>>   admin_server = seas.engr.smu.edu:749
>>>>>   default_domain = engr.smu.edu
>>>>>  }
>>>>>
>>>>>  SEAS-S.ENGR.SMU.EDU = {
>>>>>   kdc = seas-s.engr.smu.edu:88
>>>>>   admin_server = seas-s.engr.smu.edu:749
>>>>>   default_domain = engr.smu.edu
>>>>>  }
>>>>>
>>>>> [domain_realm]
>>>>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>
>>>>> [appdefaults]
>>>>>  pam = {
>>>>>    debug = false
>>>>>    ticket_lifetime = 36000
>>>>>    renew_lifetime = 36000
>>>>>    forwardable = true
>>>>>    krb4_convert = false
>>>>>  }
>>>>>
>>>>> Globals of smb.conf:
>>>>>
>>>>> workgroup = SEAS
>>>>>    realm = SEAS.ENGR.SMU.EDU
>>>>>   security = ADS
>>>>> encrypt passwords = yes
>>>>>   passdb backend = tdbsam
>>>>>   obey pam restrictions = no
>>>>>   invalid users = root
>>>>>  username map = /etc/samba/domain_user.map
>>>>> winbind separator = +
>>>>>    winbind cache time = 600
>>>>>    idmap uid = 19000-20000
>>>>>    idmap gid = 19000-20000
>>>>>
>>>>> Please let me know what else I may provide to help solve this. I 
>>>>> found some threads on this issue that were several years old in 
>>>>> regard to 3.028 having this issue and it was patched in a later 
>>>>> release.  I can't find anything current about this. Thank you in 
>>>>> advance.
>>>> Doug,
>>>>
>>>> This is most likely related to the idmap syntax changes in recent 
>>>> Samba versions. idmap uid/gid is deprecated.  3.6 uses something 
>>>> like the following:
>>>>
>>>>     idmap config * : backend        = tdb
>>>>     idmap config * : range            = 1000000 - 2000000
>>>>     idmap config DOMAIN1 : default     = Yes
>>>>     idmap config DOMAIN1 : backend    = rid
>>>>     idmap config DOMAIN1 : range        = 1000 - 2000
>>>>     idmap config DOMAIN2 : backend    = rid
>>>>     idmap config DOMAIN2 : range        = 3000 - 4000
>>>>
>>>> Range values should not overlap.  Adjust backend and range values 
>>>> to suit your situation.
>>>>
>>>> Dale
>>>>
>>>
>>> Sorry, hit send too soon.  Here is the command/log:
>>>
>>> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>>> Enter SEAS-S+tuckerd's password:
>>> plaintext password authentication succeeded
>>> Enter SEAS-S+tuckerd's password:
>>> challenge/response password authentication succeeded
>>>
>>>  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>>> [2013/11/13 15:32:29.093674, 10] 
>>> winbindd/winbindd.c:679(wb_request_done)
>>>   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>>>
>> Did you clear your winbind cache and restart the winbind service?
>>
>> Jonn
>>
> I just did a winbind stop and start...does that clear the cache?
>
No, you need to delete the cache files in /var/lib/samba and 
/var/lib/samba/private

Jonn
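As an added example (not code from the thread), a small Python check for the 3.6-style idmap syntax Dale describes: it parses the per-domain `idmap config ... : range` lines out of smb.conf, reports ranges that overlap, and flags trusted domains that have no block of their own and so fall back to the `*` default. The smb.conf text below is constructed for the two domains in the thread; the overlapping `1500 - 4000` range is a deliberate mistake to exercise the check.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample [global] section (not the poster's real smb.conf),
# written in the "idmap config DOMAIN : key = value" form Dale shows.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 1000 - 2000
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 1500 - 4000
"""

# Matches one "idmap config <domain> : <key> = <value>" line.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config keys per domain (domain names upper-cased)."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains


def parse_range(val: str) -> Tuple[int, int]:
    """Turn '1000 - 2000' into (1000, 2000), rejecting inverted ranges."""
    lo, hi = (int(x) for x in val.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {val}")
    return lo, hi


def check_idmap(conf: str, trusted: List[str]) -> List[str]:
    """Return problems: missing ranges, overlapping ranges, and trusted
    domains without an explicit block (they use the '*' default)."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, keys in domains.items():
        if "range" not in keys:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(keys["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):  # pairwise interval-overlap test
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} {ranges[a]} overlaps {b} {ranges[b]}")
    for dom in trusted:
        if dom.upper() not in domains:
            problems.append(f"{dom}: no idmap config block, will use '*' default")
    return problems


if __name__ == "__main__":
    for p in check_idmap(SAMPLE_SMB_CONF, ["SEAS", "SEAS-S"]):
        print("PROBLEM:", p)
```

The domain list passed to `check_idmap` would in practice come from `wbinfo -m` or `net rpc trustdom list`, as used in the thread.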
