[Samba] can't auth against more than 1 domain

Dale Schroeder dale at BriannasSaladDressing.com
Wed Nov 13 15:04:11 MST 2013


On 11/13/2013 3:34 PM, Doug Tucker wrote:
> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>> I have 2 samba servers.  One with centos5+samba 3.033 that has been 
>>> in service for a few years now. I have installed a centos6+samba 
>>> 3.6.9.  I followed the how-to I did with the first one, copied over 
>>> the krb5.conf and smb.conf from the working server and all seemed to 
>>> go well. It is a member server of a window AD.  We have 2 DC's that 
>>> are part of the same forest: SEAS and SEAS-S.  I joined the new one 
>>> like the old one to the SEAS domain.  The problem I have run into is 
>>> the new server will only auth users in the domain it is joined to 
>>> (SEAS) and cannot get users from SEAS-S. If I check for trusted 
>>> domains net rpc trustdom SEAS-S shows up under trusted and 
>>> trusting.  If I do wbinfo -u | grep SEAS I get a full list of users 
>>> in the SEAS domain.  But wbinfo -u | grep SEAS-S comes back blank.
>>>
>>> I don't know what to provide to help solved this so I'll post some 
>>> basics I guess.
>>>
>>> krb5.conf:
>>> [logging]
>>>  default = FILE:/var/log/krb5libs.log
>>>  kdc = FILE:/var/log/krb5kdc.log
>>>  admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>>  default_realm = SEAS.ENGR.SMU.EDU
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = false
>>>  ticket_lifetime = 24h
>>>  forwardable = true
>>>
>>> [realms]
>>>  SEAS.ENGR.SMU.EDU = {
>>>   kdc = seas.engr.smu.edu:88
>>>   admin_server = seas.engr.smu.edu:749
>>>   default_domain = engr.smu.edu
>>>  }
>>>
>>>  SEAS-S.ENGR.SMU.EDU = {
>>>   kdc = seas-s.engr.smu.edu:88
>>>   admin_server = seas-s.engr.smu.edu:749
>>>   default_domain = engr.smu.edu
>>>  }
>>>
>>> [domain_realm]
>>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>
>>> [appdefaults]
>>>  pam = {
>>>    debug = false
>>>    ticket_lifetime = 36000
>>>    renew_lifetime = 36000
>>>    forwardable = true
>>>    krb4_convert = false
>>>  }
>>>
>>> Globals of smb.conf:
>>>
>>> workgroup = SEAS
>>>    realm = SEAS.ENGR.SMU.EDU
>>>   security = ADS
>>> encrypt passwords = yes
>>>   passdb backend = tdbsam
>>>   obey pam restrictions = no
>>>   invalid users = root
>>>  username map = /etc/samba/domain_user.map
>>> winbind separator = +
>>>    winbind cache time = 600
>>>    idmap uid = 19000-20000
>>>    idmap gid = 19000-20000
>>>
>>> Please let me know what else I may provide to help solve this. I 
>>> found some threads on this issue that were several years old in 
>>> regard to 3.028 having this issue and it was patched in a later 
>>> release.  I can't find anything current about this. Thank you in 
>>> advance.
>> Doug,
>>
>> This is most likely related to the idmap syntax changes in recent 
>> Samba versions. idmap uid/gid is deprecated.  3.6 uses something like 
>> the following:
>>
>>     idmap config * : backend        = tdb
>>     idmap config * : range            = 1000000 - 2000000
>>     idmap config DOMAIN1 : default     = Yes
>>     idmap config DOMAIN1 : backend    = rid
>>     idmap config DOMAIN1 : range        = 1000 - 2000
>>     idmap config DOMAIN2 : backend    = rid
>>     idmap config DOMAIN2 : range        = 3000 - 4000
>>
>> Range values should not overlap.  Adjust backend and range values to 
>> suit your situation.
>>
>> Dale
>>
>
> Sorry, hit send too soon.  Here is the command/log:
>
> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
> Enter SEAS-S+tuckerd's password:
> plaintext password authentication succeeded
> Enter SEAS-S+tuckerd's password:
> challenge/response password authentication succeeded
>
>  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
> [2013/11/13 15:32:29.093674, 10] winbindd/winbindd.c:679(wb_request_done)
>   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK

I haven't used the ad backend, but I believe it also requires a schema 
mode option.  See: 
http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html

I've found this syntax: idmap config DOMAIN : schema mode = rfc2307 | sfu | sfu20
Also found this option in some configs: winbind nss info = rfc2307 | sfu | sfu20 | template

I don't have the experience with idmap_ad to guide you, but maybe this 
will help.

Dale
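As an added example (not part of the thread, and not Samba's own code), the following script checks the idmap part of an smb.conf for the three things the replies above turn on: the deprecated `idmap uid`/`idmap gid` keys, a trusted domain that has neither its own `idmap config DOMAIN : range` nor a `*` default, and ranges that overlap. The two smb.conf fragments are constructed; the domain names SEAS and SEAS-S and the range values are the ones quoted in the thread. The checker simply reports the deprecated keys instead of emulating whatever compatibility mapping a particular Samba release applies to them, which is an assumption made for the example.

```python
"""Lint the idmap section of an smb.conf for the multi-domain problems raised
in this thread: deprecated 'idmap uid'/'idmap gid' keys, trusted domains with
no 'idmap config DOMAIN : range', and ranges that overlap.

Added example (not Samba's code). The two smb.conf fragments are constructed;
the domain names SEAS and SEAS-S and the range values come from the thread.
"""
import re
from collections import defaultdict

# "idmap config DOMAIN : option = value"; DOMAIN may be '*'
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+(?:\s+\w+)?)\s*=\s*(.+?)$", re.I)
DEPRECATED_KEYS = ("idmap uid", "idmap gid")


def parse_idmap(conf_text):
    """Return ({DOMAIN: {option: value}}, [deprecated keys seen])."""
    domains, deprecated = defaultdict(dict), []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip().lower()
        if key in DEPRECATED_KEYS:
            deprecated.append(key)
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains[dom][opt] = val.strip()
    return dict(domains), deprecated


def parse_range(value):
    """'1000 - 2000' -> (1000, 2000); raises ValueError on malformed input."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"malformed range {value!r}")
    return int(m.group(1)), int(m.group(2))


def check_idmap(conf_text, trusted_domains):
    """Return a list of findings; an empty list means the idmap setup looks sane."""
    domains, deprecated = parse_idmap(conf_text)
    findings = [f"deprecated key '{k}'; use 'idmap config * : range'" for k in deprecated]
    ranges = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            findings.append(f"{dom}: backend set but no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as err:
            findings.append(f"{dom}: {err}")
    for dom in trusted_domains:
        if dom.upper() not in ranges and "*" not in ranges:
            findings.append(f"{dom}: no idmap range and no '*' default")
    # Samba requires all configured idmap ranges to be disjoint
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges overlap: {d1} {lo1}-{hi1} vs {d2} {lo2}-{hi2}")
    return findings


# Constructed: the globals as posted at the top of the thread (old-style keys)
OLD_CONF = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap uid = 19000-20000
   idmap gid = 19000-20000
"""

# Constructed: the same server rewritten with the per-domain syntax Dale suggests
NEW_CONF = """
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   winbind separator = +
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2000000
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 1000 - 2000
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 3000 - 4000
"""

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(name, check_idmap(conf, ["SEAS", "SEAS-S"]) or ["ok"])
```

Run it against a real smb.conf with `check_idmap(open("/etc/samba/smb.conf").read(), ["SEAS", "SEAS-S"])`; the list of trusted domains can be taken from `net rpc trustdom list` output, as in the first post. The overlap test is the one that bites when a `*` default range is carved out of the same numbers as a per-domain rid range.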
