[Samba] can't auth against more than 1 domain

Taylor, Jonn jonnt at taylortelephone.com
Wed Nov 13 15:12:20 MST 2013


On 11/13/2013 04:04 PM, Dale Schroeder wrote:
> On 11/13/2013 3:34 PM, Doug Tucker wrote:
>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>> I have 2 samba servers.  One with centos5+samba 3.033 that has been 
>>>> in service for a few years now. I have installed a centos6+samba 
>>>> 3.6.9.  I followed the how-to I did with the first one, copied over 
>>>> the krb5.conf and smb.conf from the working server and all seemed 
>>>> to go well. It is a member server of a window AD.  We have 2 DC's 
>>>> that are part of the same forest: SEAS and SEAS-S.  I joined the 
>>>> new one like the old one to the SEAS domain.  The problem I have 
>>>> run into is the new server will only auth users in the domain it is 
>>>> joined to (SEAS) and cannot get users from SEAS-S. If I check 
>>>> for trusted domains, net rpc trustdom shows SEAS-S under trusted 
>>>> and trusting.  If I do wbinfo -u | grep SEAS I get a full list of 
>>>> users in the SEAS domain.  But wbinfo -u | grep SEAS-S comes back 
>>>> blank.
>>>>
>>>> I don't know what to provide to help solve this, so I'll post some 
>>>> basics I guess.
>>>>
>>>> krb5.conf:
>>>> [logging]
>>>>  default = FILE:/var/log/krb5libs.log
>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>>  default_realm = SEAS.ENGR.SMU.EDU
>>>>  dns_lookup_realm = false
>>>>  dns_lookup_kdc = false
>>>>  ticket_lifetime = 24h
>>>>  forwardable = true
>>>>
>>>> [realms]
>>>>  SEAS.ENGR.SMU.EDU = {
>>>>   kdc = seas.engr.smu.edu:88
>>>>   admin_server = seas.engr.smu.edu:749
>>>>   default_domain = engr.smu.edu
>>>>  }
>>>>
>>>>  SEAS-S.ENGR.SMU.EDU = {
>>>>   kdc = seas-s.engr.smu.edu:88
>>>>   admin_server = seas-s.engr.smu.edu:749
>>>>   default_domain = engr.smu.edu
>>>>  }
>>>>
>>>> [domain_realm]
>>>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>
>>>> [appdefaults]
>>>>  pam = {
>>>>    debug = false
>>>>    ticket_lifetime = 36000
>>>>    renew_lifetime = 36000
>>>>    forwardable = true
>>>>    krb4_convert = false
>>>>  }
>>>>
>>>> Globals of smb.conf:
>>>>
>>>>    workgroup = SEAS
>>>>    realm = SEAS.ENGR.SMU.EDU
>>>>    security = ADS
>>>>    encrypt passwords = yes
>>>>    passdb backend = tdbsam
>>>>    obey pam restrictions = no
>>>>    invalid users = root
>>>>    username map = /etc/samba/domain_user.map
>>>>    winbind separator = +
>>>>    winbind cache time = 600
>>>>    idmap uid = 19000-20000
>>>>    idmap gid = 19000-20000
>>>>
>>>> Please let me know what else I may provide to help solve this. I 
>>>> found some threads on this issue that were several years old, in 
>>>> regard to 3.028 having this issue, and it was patched in a later 
>>>> release.  I can't find anything current about this. Thank you in 
>>>> advance.
>>> Doug,
>>>
>>> This is most likely related to the idmap syntax changes in recent 
>>> Samba versions. idmap uid/gid is deprecated.  3.6 uses something 
>>> like the following:
>>>
>>>     idmap config * : backend        = tdb
>>>     idmap config * : range            = 1000000 - 2000000
>>>     idmap config DOMAIN1 : default     = Yes
>>>     idmap config DOMAIN1 : backend    = rid
>>>     idmap config DOMAIN1 : range        = 1000 - 2000
>>>     idmap config DOMAIN2 : backend    = rid
>>>     idmap config DOMAIN2 : range        = 3000 - 4000
>>>
>>> Range values should not overlap.  Adjust backend and range values to 
>>> suit your situation.
>>>
>>> Dale
>>>
>>
>> Sorry, hit send too soon.  Here is the command/log:
>>
>> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>> Enter SEAS-S+tuckerd's password:
>> plaintext password authentication succeeded
>> Enter SEAS-S+tuckerd's password:
>> challenge/response password authentication succeeded
>>
>>  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>> [2013/11/13 15:32:29.093674, 10] 
>> winbindd/winbindd.c:679(wb_request_done)
>>   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>
> I haven't used the ad backend, but I believe it also requires a schema 
> mode option.  See: 
> http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
>
> I've found this syntax: idmap config DOMAIN : schema mode = rfc2307 | 
> sfu | sfu20
> Also found this option in some configs: winbind nss info = rfc2307 | 
> sfu | sfu20 | template
>
> I don't have the experience with idmap_ad to guide you, but maybe this 
> will help.
>
> Dale
>
>
To clear the cache you can also use this command: "net cache flush"

Also here is my working AD config. This is on a cluster, so just ignore 
the cluster statements.

[global]
     workgroup = TAYLORTELEPHONE
     realm = TAYLORTELEPHONE.COM
     netbios name = SHR01
     server string = Cluster Share
     interfaces = eth0, eth1, lo
     security = ADS
     private dir = /clusterdata/ctdb
     log file = /var/log/samba/log.%m
     server signing = auto
     lpq cache time = 20
     clustering = Yes
     printcap name = /etc/printcap
     wins server = 192.168.173.3
     template homedir = /home/%U
     template shell = /bin/bash
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind refresh tickets = Yes
     winbind offline logon = Yes
     idmap config * : range = 500-4000000
     idmap config TAYLORTELEPHONE:range = 500-4000000
     idmap config TAYLORTELEPHONE:backend = rid
     idmap config * : schema_mode = rfc2307
     idmap config * : backend = ad
     admin users = "@TAYLORTELEPHONE\Domain Admins"
     inherit acls = Yes
     map acl inherit = Yes
     max print jobs = 100
     printing = bsd
     print command = lpr -r -P'%p' %s
     lpq command = lpq -P'%p'
     lprm command = lprm -P'%p' %j
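The thread's diagnosis turns on three things in the `[global]` section: `idmap uid`/`idmap gid` is the deprecated pre-3.6 syntax, every domain that must be mapped (including trusted domains, via the `*` default) needs a backend and a range, and the ranges must not overlap. The following script is an added example, not code from the Samba project or from any poster: it parses the idmap lines out of an smb.conf and reports those problems. The three configs embedded in it are constructed for the example (the question's old-style globals, the working cluster config above reduced to its idmap lines, and a hypothetical corrected two-domain config for SEAS and SEAS-S with separate RID ranges); the 10000-19999, 20000-29999 and 1000000-1999999 ranges are illustrative choices, not values from the thread. The checker is a pre-flight aid, not a replacement for `testparm`.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample 1: the pre-3.6 syntax posted in the question.
OLD_STYLE = """\
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   idmap uid = 19000-20000
   idmap gid = 19000-20000
"""

# Constructed sample 2: the idmap lines of the working cluster config above.
CLUSTER_STYLE = """\
[global]
   workgroup = TAYLORTELEPHONE
   realm = TAYLORTELEPHONE.COM
   security = ADS
   idmap config * : range = 500-4000000
   idmap config TAYLORTELEPHONE:range = 500-4000000
   idmap config TAYLORTELEPHONE:backend = rid
   idmap config * : schema_mode = rfc2307
   idmap config * : backend = ad
"""

# Constructed sample 3 (hypothetical): both forest domains mapped with
# disjoint RID ranges and a tdb default for anything else.
TWO_DOMAIN_STYLE = """\
[global]
   workgroup = SEAS
   realm = SEAS.ENGR.SMU.EDU
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config SEAS : backend = rid
   idmap config SEAS : range = 10000-19999
   idmap config SEAS-S : backend = rid
   idmap config SEAS-S : range = 20000-29999
"""

# "idmap config <domain> : <param> = <value>"; whitespace around ':' is optional.
PARAM_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)
RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
LEGACY_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=", re.I)


def parse_idmap(smb_conf: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({DOMAIN: {param: value}}, [legacy 'idmap uid/gid' keys seen])."""
    domains: Dict[str, Dict[str, str]] = {}
    legacy: List[str] = []
    for line in smb_conf.splitlines():
        m = PARAM_RE.match(line)
        if m:
            dom = m.group(1).strip().upper()
            param = m.group(2).strip().lower().replace(" ", "_")  # 'schema mode' == 'schema_mode'
            domains.setdefault(dom, {})[param] = m.group(3)
            continue
        m = LEGACY_RE.match(line)
        if m:
            legacy.append(m.group(1).lower())
    return domains, legacy


def lint_idmap(smb_conf: str) -> List[str]:
    """List idmap problems that would leave domain users without stable UIDs/GIDs."""
    domains, legacy = parse_idmap(smb_conf)
    problems: List[str] = []
    for key in legacy:
        problems.append(f"deprecated 'idmap {key}' in use; Samba 3.6 wants 'idmap config * : range'")
    if "*" not in domains:
        problems.append("no 'idmap config *' block: users from trusted domains have no fallback mapping")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom in sorted(domains):
        params = domains[dom]
        if "backend" not in params:
            problems.append(f"{dom}: no backend set")
        rng = params.get("range")
        if rng is None:
            problems.append(f"{dom}: no range set")
            continue
        m = RANGE_RE.match(rng)
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{dom}: malformed range {rng!r}")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    names = sorted(ranges)
    for i, a in enumerate(names):  # pairwise overlap check, deterministic order
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"ranges overlap: {a} {lo_a}-{hi_a} vs {b} {lo_b}-{hi_b}")
    return problems


if __name__ == "__main__":
    # Lint a real file if one is given, otherwise the three embedded samples.
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        samples = {"old": OLD_STYLE, "cluster": CLUSTER_STYLE, "two-domain": TWO_DOMAIN_STYLE}
    for name, text in samples.items():
        print(f"== {name}: {lint_idmap(text) or ['ok']}")
```

Run against the question's globals it reports the deprecated keys and the missing `*` block; against the cluster config it reports only that the `*` and TAYLORTELEPHONE ranges coincide (the overlap Dale's reply warns about); the two-domain sample passes clean. A ten-second follow-up on the member server itself is `wbinfo --domain=SEAS-S -u` after `net cache flush`, which exercises exactly the mapping the lint is checking.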


