[Samba] can't auth against more than 1 domain
Doug Tucker
tuckerd at lyle.smu.edu
Wed Nov 13 15:43:45 MST 2013
On 11/13/2013 04:12 PM, Taylor, Jonn wrote:
> On 11/13/2013 04:04 PM, Dale Schroeder wrote:
>> On 11/13/2013 3:34 PM, Doug Tucker wrote:
>>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>>> I have 2 samba servers. One with centos5+samba 3.033 that has
>>>>> been in service for a few years now. I have installed a
>>>>> centos6+samba 3.6.9. I followed the how-to I did with the first
>>>>> one, copied over the krb5.conf and smb.conf from the working
>>>>> server and all seemed to go well. It is a member server of a
>>>>> Windows AD. We have 2 DCs that are part of the same forest: SEAS
>>>>> and SEAS-S. I joined the new one like the old one to the SEAS
>>>>> domain. The problem I have run into is the new server will only
>>>>> auth users in the domain it is joined to (SEAS) and cannot get
>>>>> users from SEAS-S. If I check for trusted domains net rpc trustdom
>>>>> SEAS-S shows up under trusted and trusting. If I do wbinfo -u |
>>>>> grep SEAS I get a full list of users in the SEAS domain. But
>>>>> wbinfo -u | grep SEAS-S comes back blank.
>>>>>
>>>>> I don't know what to provide to help solve this so I'll post some
>>>>> basics I guess.
>>>>>
>>>>> krb5.conf:
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = SEAS.ENGR.SMU.EDU
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = false
>>>>> ticket_lifetime = 24h
>>>>> forwardable = true
>>>>>
>>>>> [realms]
>>>>> SEAS.ENGR.SMU.EDU = {
>>>>> kdc = seas.engr.smu.edu:88
>>>>> admin_server = seas.engr.smu.edu:749
>>>>> default_domain = engr.smu.edu
>>>>> }
>>>>>
>>>>> SEAS-S.ENGR.SMU.EDU = {
>>>>> kdc = seas-s.engr.smu.edu:88
>>>>> admin_server = seas-s.engr.smu.edu:749
>>>>> default_domain = engr.smu.edu
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>> engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>
>>>>> [appdefaults]
>>>>> pam = {
>>>>> debug = false
>>>>> ticket_lifetime = 36000
>>>>> renew_lifetime = 36000
>>>>> forwardable = true
>>>>> krb4_convert = false
>>>>> }
>>>>>
>>>>> Globals of smb.conf:
>>>>>
>>>>> workgroup = SEAS
>>>>> realm = SEAS.ENGR.SMU.EDU
>>>>> security = ADS
>>>>> encrypt passwords = yes
>>>>> passdb backend = tdbsam
>>>>> obey pam restrictions = no
>>>>> invalid users = root
>>>>> username map = /etc/samba/domain_user.map
>>>>> winbind separator = +
>>>>> winbind cache time = 600
>>>>> idmap uid = 19000-20000
>>>>> idmap gid = 19000-20000
>>>>>
>>>>> Please let me know what else I may provide to help solve this. I
>>>>> found some threads on this issue that were several years old in
>>>>> regard to 3.028 having this issue and it was patched in a later
>>>>> release. I can't find anything current about this. Thank you in
>>>>> advance.
>>>> Doug,
>>>>
>>>> This is most likely related to the idmap syntax changes in recent
>>>> Samba versions. idmap uid/gid is deprecated. 3.6 uses something
>>>> like the following:
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 1000000 - 2000000
>>>> idmap config DOMAIN1 : default = Yes
>>>> idmap config DOMAIN1 : backend = rid
>>>> idmap config DOMAIN1 : range = 1000 - 2000
>>>> idmap config DOMAIN2 : backend = rid
>>>> idmap config DOMAIN2 : range = 3000 - 4000
>>>>
>>>> Range values should not overlap. Adjust backend and range values
>>>> to suit your situation.
>>>>
>>>> Dale
>>>>
>>>
>>> Sorry, hit send too soon. Here is the command/log:
>>>
>>> [root@lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>>> Enter SEAS-S+tuckerd's password:
>>> plaintext password authentication succeeded
>>> Enter SEAS-S+tuckerd's password:
>>> challenge/response password authentication succeeded
>>>
>>> [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>>> [2013/11/13 15:32:29.093674, 10]
>>> winbindd/winbindd.c:679(wb_request_done)
>>> wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>>
>> I haven't used the ad backend, but I believe it also requires a schema
>> mode option. See:
>> http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
>>
>> I've found this syntax: idmap config DOMAIN : schema mode = rfc2307 |
>> sfu | sfu20
>> Also found this option in some configs: winbind nss info = rfc2307 |
>> sfu | sfu20 | template
>>
>> I don't have the experience with idmap_ad to guide you, but maybe
>> this will help.
>>
>> Dale
>>
>>
> To clear the cache you can also use this command "net cache flush"
>
> Also here is my working AD config. This is on a cluster so just ignore
> the cluster statements.
>
> [global]
> workgroup = TAYLORTELEPHONE
> realm = TAYLORTELEPHONE.COM
> netbios name = SHR01
> server string = Cluster Share
> interfaces = eth0, eth1, lo
> security = ADS
> private dir = /clusterdata/ctdb
> log file = /var/log/samba/log.%m
> server signing = auto
> lpq cache time = 20
> clustering = Yes
> printcap name = /etc/printcap
> wins server = 192.168.173.3
> template homedir = /home/%U
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> idmap config * : range = 500-4000000
> idmap config TAYLORTELEPHONE:range = 500-4000000
> idmap config TAYLORTELEPHONE:backend = rid
> idmap config * : schema_mode = rfc2307
> idmap config * : backend = ad
> admin users = "@TAYLORTELEPHONE\Domain Admins"
> inherit acls = Yes
> map acl inherit = Yes
> max print jobs = 100
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
>
OK, adding the schema_mode didn't change anything. I'm still missing
*something*.
Still, if I try to do a full dump using wbinfo -u I get every user in the
SEAS domain but nothing from SEAS-S. Mapping drives using a SEAS user
still works, SEAS-S user still gets access denied in the client and the
samba server logs says it can't find SEAS-S.
Oddly, this works just fine:
[root@lylesmb1 samba]# wbinfo -n SEAS+tuckerd
S-1-5-21-2041585393-961507653-59529505-6586 SID_USER (1)
[root@lylesmb1 samba]# wbinfo -n SEAS-S+tuckerd
S-1-5-21-1863541909-2129596521-199955091-23660 SID_USER (1)
And in the logs it shows:
[2013/11/13 16:38:11.058477, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'SEAS-S'
name : *
name : 'TUCKERD'
flags : 0x00000000 (0)
[2013/11/13 16:38:11.061425, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USER (1)
sid : *
sid :
S-1-5-21-1863541909-2129596521-199955091-23660
result : NT_STATUS_OK
[2013/11/13 16:38:02.282938, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'SEAS'
name : *
name : 'TUCKERD'
flags : 0x00000000 (0)
[2013/11/13 16:38:02.283503, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USER (1)
sid : *
sid :
S-1-5-21-2041585393-961507653-59529505-6586
result : NT_STATUS_OK
I'm flatly confused why a lookup of a single user works, but nothing
when doing a full dump, and why it won't authenticate and map drives :(
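The per-domain idmap layout Dale describes earlier in the thread (one `idmap config DOMAIN : range` per domain, a `*` default, and no overlapping ranges) is easy to get subtly wrong by hand. What follows is an added example, not code from this thread or from the Samba project: a small Python lint that parses the `idmap config` lines of an smb.conf [global] section and reports the deprecated `idmap uid`/`idmap gid` options, a missing `*` default, malformed or overlapping ranges, and any domain that would end up with no range at all. The two sample fragments are constructed from the configs quoted above (same domain names and ranges); the assumption that a domain block without its own `backend` falls back to `tdb` is mine, not something the thread states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample [global] fragments modelled on the thread, not copied from
# any running server. OLD_GLOBALS mirrors the deprecated 'idmap uid/gid' layout
# in the original post; NEW_GLOBALS is the per-domain layout from the reply,
# using the two domain names in the thread (SEAS and SEAS-S).
OLD_GLOBALS = """\
workgroup = SEAS
realm = SEAS.ENGR.SMU.EDU
security = ADS
idmap uid = 19000-20000
idmap gid = 19000-20000
"""

NEW_GLOBALS = """\
workgroup = SEAS
realm = SEAS.ENGR.SMU.EDU
security = ADS
idmap config * : backend = tdb
idmap config * : range = 1000000 - 2000000
idmap config SEAS : backend = rid
idmap config SEAS : range = 1000 - 2000
idmap config SEAS-S : backend = rid
idmap config SEAS-S : range = 3000 - 4000
"""

# 'idmap config DOMAIN : option = value'; the option may contain a space
# (e.g. 'schema mode'), the domain may be '*' or contain '-'.
IDMAP_CFG = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DEPRECATED = re.compile(r"^\s*idmap\s+(uid|gid)\s*=", re.I)

IdmapCfg = Dict[str, Dict[str, str]]


def parse_idmap(text: str) -> IdmapCfg:
    """Collect every 'idmap config' line into {DOMAIN: {option: value}}.
    Domain names are upper-cased so 'seas-s' and 'SEAS-S' merge."""
    cfg: IdmapCfg = {}
    for line in text.splitlines():
        m = IDMAP_CFG.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'1000 - 2000' -> (1000, 2000); None if the value is not LOW-HIGH."""
    m = RANGE.match(value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def effective_idmap(cfg: IdmapCfg, domain: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Backend and range a domain actually gets: its own block if that has a
    range, otherwise the '*' default. None means winbind has nowhere to map
    this domain's SIDs. Assumption: a block with no 'backend' behaves as tdb."""
    for key in (domain.upper(), "*"):
        opts = cfg.get(key, {})
        rng = parse_range(opts.get("range", ""))
        if rng:
            return opts.get("backend", "tdb").lower(), rng
    return None


def check_idmap(text: str, domains: List[str]) -> List[str]:
    """Lint an smb.conf [global] fragment against the constraints given in the
    thread. Returns a list of problems; an empty list means the layout is sane."""
    problems: List[str] = []
    if any(DEPRECATED.match(line) for line in text.splitlines()):
        problems.append("deprecated 'idmap uid'/'idmap gid'; use 'idmap config DOMAIN : range'")
    cfg = parse_idmap(text)
    star = cfg.get("*", {})
    if "backend" not in star or "range" not in star:
        problems.append("missing 'idmap config * : backend' / 'idmap config * : range' default")
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in cfg.items():
        if "range" not in opts:
            continue
        rng = parse_range(opts["range"])
        if rng is None:
            problems.append(f"{dom}: unparsable range '{opts['range']}'")
        elif rng[0] >= rng[1]:
            problems.append(f"{dom}: range {rng[0]}-{rng[1]} is empty or reversed")
        else:
            ranges.append((dom, rng[0], rng[1]))
    # Pairwise overlap check; the list is tiny, so O(n^2) is fine.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    # Every domain we expect to serve (joined domain plus trusts) needs a range.
    for dom in domains:
        if effective_idmap(cfg, dom) is None:
            problems.append(f"{dom}: no range of its own and no '*' default to fall back on")
    return problems


if __name__ == "__main__":
    for label, text in (("old", OLD_GLOBALS), ("new", NEW_GLOBALS)):
        print(label, check_idmap(text, ["SEAS", "SEAS-S"]) or "ok")
```

Run it against the real file by reading `/etc/samba/smb.conf` into `check_idmap` with the joined domain and every name `net rpc trustdom list` reports; a domain that comes back as "no range of its own and no '*' default" is one winbind cannot hand out uids for, whatever `wbinfo -n` says about name lookups.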