[Samba] can't auth against more then 1 domain
Taylor, Jonn
jonnt at taylortelephone.com
Wed Nov 13 15:12:20 MST 2013
On 11/13/2013 04:04 PM, Dale Schroeder wrote:
> On 11/13/2013 3:34 PM, Doug Tucker wrote:
>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>> I have 2 samba servers. One with centos5+samba 3.033 that has been
>>>> in service for a few years now. I have installed a centos6+samba
>>>> 3.6.9. I followed the how-to I did with the first one, copied over
>>>> the krb5.conf and smb.conf from the working server and all seemed
>>>> to go well. It is a member server of a window AD. We have 2 DC's
>>>> that are part of the same forest: SEAS and SEAS-S. I joined the
>>>> new one like the old one to the SEAS domain. The problem I have
>>>> run into is the new server will only auth users in the domain it is
>>>> joined to (SEAS) and cannot get get users from SEAS-S. If I check
>>>> for trusted domains net rpc trustdom SEAS-S shows up under trusted
>>>> and trusting. If I do wbinfo -u | grep SEAS I get a full list of
>>>> users in the SEAS domain. But wbinfo -u | grep SEAS-S comes back
>>>> blank.
>>>>
>>>> I don't know what to provide to help solved this so I'll post some
>>>> basics I guess.
>>>>
>>>> krb5.conf:
>>>> [logging]
>>>> default = FILE:/var/log/krb5libs.log
>>>> kdc = FILE:/var/log/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>> default_realm = SEAS.ENGR.SMU.EDU
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = false
>>>> ticket_lifetime = 24h
>>>> forwardable = true
>>>>
>>>> [realms]
>>>> SEAS.ENGR.SMU.EDU = {
>>>> kdc = seas.engr.smu.edu:88
>>>> admin_server = seas.engr.smu.edu:749
>>>> default_domain = engr.smu.edu
>>>> }
>>>>
>>>> SEAS-S.ENGR.SMU.EDU = {
>>>> kdc = seas-s.engr.smu.edu:88
>>>> admin_server = seas-s.engr.smu.edu:749
>>>> default_domain = engr.smu.edu
>>>> }
>>>>
>>>> [domain_realm]
>>>> .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>> engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>
>>>> [appdefaults]
>>>> pam = {
>>>> debug = false
>>>> ticket_lifetime = 36000
>>>> renew_lifetime = 36000
>>>> forwardable = true
>>>> krb4_convert = false
>>>> }
>>>>
>>>> Globals of smb.conf:
>>>>
>>>> workgroup = SEAS
>>>> realm = SEAS.ENGR.SMU.EDU
>>>> security = ADS
>>>> encrypt passwords = yes
>>>> passdb backend = tdbsam
>>>> obey pam restrictions = no
>>>> invalid users = root
>>>> username map = /etc/samba/domain_user.map
>>>> winbind separator = +
>>>> winbind cache time = 600
>>>> idmap uid = 19000-20000
>>>> idmap gid = 19000-20000
>>>>
>>>> Please let me know what else I may provide to help solve this. I
>>>> found some threads on this issue that were several years old in
>>>> regard to 3.028 having this issue and it was patched in a later
>>>> release. I can't find anything current about this. Thank you in
>>>> advance.
>>> Doug,
>>>
>>> This is most likely related to the idmap syntax changes in recent
>>> Samba versions. idmap uid/gid is depracated. 3.6 uses something
>>> like the following:
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000 - 2000000
>>> idmap config DOMAIN1 : default = Yes
>>> idmap config DOMAIN1 : backend = rid
>>> idmap config DOMAIN1 : range = 1000 - 2000
>>> idmap config DOMAIN2 : backend = rid
>>> idmap config DOMAIN2 : range = 3000 - 4000
>>>
>>> Range values should not overlap. Adjust backend and range values to
>>> suit your situation.
>>>
>>> Dale
>>>
>>
>> Sorry, hit send too soon. Here is the command/log:
>>
>> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>> Enter SEAS-S+tuckerd's password:
>> plaintext password authentication succeeded
>> Enter SEAS-S+tuckerd's password:
>> challenge/response password authentication succeeded
>>
>> [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>> [2013/11/13 15:32:29.093674, 10]
>> winbindd/winbindd.c:679(wb_request_done)
>> wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>
> I haven't use the ad backend, but I believe it also requires a schema
> mode option. See:
> http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
>
> I've found this syntax: idmap config DOMAIN : schema mode = rfc2307 |
> sfu | sfu20
> Also found this option in some configs: winbind nss info = rfc2307 |
> sfu | sfu20 | template
>
> I don't have the experience with idmap_ad to guide you, but maybe this
> will help.
>
> Dale
>
>
To clear the cache you can also use this command "net /cache flush/"
Also here is my working AD config. This is on a cluster so just ignor
the cluster statements.
[global]
workgroup = TAYLORTELEPHONE
realm = TAYLORTELEPHONE.COM
netbios name = SHR01
server string = Cluster Share
interfaces = eth0, eth1, lo
security = ADS
private dir = /clusterdata/ctdb
log file = /var/log/samba/log.%m
server signing = auto
lpq cache time = 20
clustering = Yes
printcap name = /etc/printcap
wins server = 192.168.173.3
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config * : range = 500-4000000
idmap config TAYLORTELEPHONE:range = 500-4000000
idmap config TAYLORTELEPHONE:backend = rid
idmap config * : schema_mode = rfc2307
idmap config * : backend = ad
admin users = "@TAYLORTELEPHONE\Domain Admins"
inherit acls = Yes
map acl inherit = Yes
max print jobs = 100
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
More information about the samba
mailing list