[Samba] can't auth against more than 1 domain

Doug Tucker tuckerd at lyle.smu.edu
Thu Nov 14 07:53:40 MST 2013


On 11/13/2013 09:51 PM, Taylor, Jonn wrote:
> On 11/13/2013 04:43 PM, Doug Tucker wrote:
>> On 11/13/2013 04:12 PM, Taylor, Jonn wrote:
>>> On 11/13/2013 04:04 PM, Dale Schroeder wrote:
>>>> On 11/13/2013 3:34 PM, Doug Tucker wrote:
>>>>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>>>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>>>>> I have 2 samba servers.  One with centos5+samba 3.033 that has 
>>>>>>> been in service for a few years now. I have installed a 
>>>>>>> centos6+samba 3.6.9.  I followed the how-to I did with the first 
>>>>>>> one, copied over the krb5.conf and smb.conf from the working 
>>>>>>> server and all seemed to go well. It is a member server of a 
>>>>>>> Windows AD. We have 2 DC's that are part of the same forest: SEAS 
>>>>>>> and SEAS-S.  I joined the new one like the old one to the SEAS 
>>>>>>> domain.  The problem I have run into is the new server will only 
>>>>>>> auth users in the domain it is joined to (SEAS) and cannot get 
>>>>>>> users from SEAS-S. If I check for trusted domains net rpc 
>>>>>>> trustdom SEAS-S shows up under trusted and trusting.  If I do 
>>>>>>> wbinfo -u | grep SEAS I get a full list of users in the SEAS 
>>>>>>> domain.  But wbinfo -u | grep SEAS-S comes back blank.
>>>>>>>
>>>>>>> I don't know what to provide to help solve this so I'll post 
>>>>>>> some basics I guess.
>>>>>>>
>>>>>>> krb5.conf:
>>>>>>> [logging]
>>>>>>>  default = FILE:/var/log/krb5libs.log
>>>>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>>  default_realm = SEAS.ENGR.SMU.EDU
>>>>>>>  dns_lookup_realm = false
>>>>>>>  dns_lookup_kdc = false
>>>>>>>  ticket_lifetime = 24h
>>>>>>>  forwardable = true
>>>>>>>
>>>>>>> [realms]
>>>>>>>  SEAS.ENGR.SMU.EDU = {
>>>>>>>   kdc = seas.engr.smu.edu:88
>>>>>>>   admin_server = seas.engr.smu.edu:749
>>>>>>>   default_domain = engr.smu.edu
>>>>>>>  }
>>>>>>>
>>>>>>>  SEAS-S.ENGR.SMU.EDU = {
>>>>>>>   kdc = seas-s.engr.smu.edu:88
>>>>>>>   admin_server = seas-s.engr.smu.edu:749
>>>>>>>   default_domain = engr.smu.edu
>>>>>>>  }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>>
>>>>>>> [appdefaults]
>>>>>>>  pam = {
>>>>>>>    debug = false
>>>>>>>    ticket_lifetime = 36000
>>>>>>>    renew_lifetime = 36000
>>>>>>>    forwardable = true
>>>>>>>    krb4_convert = false
>>>>>>>  }
>>>>>>>
>>>>>>> Globals of smb.conf:
>>>>>>>
>>>>>>>     workgroup = SEAS
>>>>>>>     realm = SEAS.ENGR.SMU.EDU
>>>>>>>     security = ADS
>>>>>>>     encrypt passwords = yes
>>>>>>>     passdb backend = tdbsam
>>>>>>>     obey pam restrictions = no
>>>>>>>     invalid users = root
>>>>>>>     username map = /etc/samba/domain_user.map
>>>>>>>     winbind separator = +
>>>>>>>     winbind cache time = 600
>>>>>>>     idmap uid = 19000-20000
>>>>>>>     idmap gid = 19000-20000
>>>>>>>
>>>>>>> Please let me know what else I may provide to help solve this. I 
>>>>>>> found some threads on this issue that were several years old in 
>>>>>>> regard to 3.028 having this issue and it was patched in a later 
>>>>>>> release.  I can't find anything current about this. Thank you in 
>>>>>>> advance.
>>>>>> Doug,
>>>>>>
>>>>>> This is most likely related to the idmap syntax changes in recent 
>>>>>> Samba versions. idmap uid/gid is deprecated. 3.6 uses something 
>>>>>> like the following:
>>>>>>
>>>>>>     idmap config * : backend        = tdb
>>>>>>     idmap config * : range            = 1000000 - 2000000
>>>>>>     idmap config DOMAIN1 : default     = Yes
>>>>>>     idmap config DOMAIN1 : backend    = rid
>>>>>>     idmap config DOMAIN1 : range        = 1000 - 2000
>>>>>>     idmap config DOMAIN2 : backend    = rid
>>>>>>     idmap config DOMAIN2 : range        = 3000 - 4000
>>>>>>
>>>>>> Range values should not overlap.  Adjust backend and range values 
>>>>>> to suit your situation.
>>>>>>
>>>>>> Dale
>>>>>>
>>>>>
>>>>> Sorry, hit send too soon.  Here is the command/log:
>>>>>
>>>>> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>>>>> Enter SEAS-S+tuckerd's password:
>>>>> plaintext password authentication succeeded
>>>>> Enter SEAS-S+tuckerd's password:
>>>>> challenge/response password authentication succeeded
>>>>>
>>>>>  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>>>>> [2013/11/13 15:32:29.093674, 10] 
>>>>> winbindd/winbindd.c:679(wb_request_done)
>>>>>   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>>>>
>>>> I haven't used the ad backend, but I believe it also requires a 
>>>> schema mode option.  See: 
>>>> http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
>>>>
>>>> I've found this syntax: idmap config DOMAIN : schema mode = rfc2307 
>>>> | sfu | sfu20
>>>> Also found this option in some configs: winbind nss info = rfc2307 
>>>> | sfu | sfu20 | template
>>>>
>>>> I don't have the experience with idmap_ad to guide you, but maybe 
>>>> this will help.
>>>>
>>>> Dale
>>>>
>>>>
>>> To clear the cache you can also use this command "net cache flush"
>>>
>>> Also here is my working AD config. This is on a cluster so just 
>>> ignore the cluster statements.
>>>
>>> [global]
>>>     workgroup = TAYLORTELEPHONE
>>>     realm = TAYLORTELEPHONE.COM
>>>     netbios name = SHR01
>>>     server string = Cluster Share
>>>     interfaces = eth0, eth1, lo
>>>     security = ADS
>>>     private dir = /clusterdata/ctdb
>>>     log file = /var/log/samba/log.%m
>>>     server signing = auto
>>>     lpq cache time = 20
>>>     clustering = Yes
>>>     printcap name = /etc/printcap
>>>     wins server = 192.168.173.3
>>>     template homedir = /home/%U
>>>     template shell = /bin/bash
>>>     winbind enum users = Yes
>>>     winbind enum groups = Yes
>>>     winbind use default domain = Yes
>>>     winbind refresh tickets = Yes
>>>     winbind offline logon = Yes
>>>     idmap config * : range = 500-4000000
>>>     idmap config TAYLORTELEPHONE:range = 500-4000000
>>>     idmap config TAYLORTELEPHONE:backend = rid
>>>     idmap config * : schema_mode = rfc2307
>>>     idmap config * : backend = ad
>>>     admin users = "@TAYLORTELEPHONE\Domain Admins"
>>>     inherit acls = Yes
>>>     map acl inherit = Yes
>>>     max print jobs = 100
>>>     printing = bsd
>>>     print command = lpr -r -P'%p' %s
>>>     lpq command = lpq -P'%p'
>>>     lprm command = lprm -P'%p' %j
>>>
>> OK, adding the schema_mode didn't change anything.  I'm still missing 
>> *something*.
>>
>> Still if I try to do a full dump using wbinfo -u I get every user in 
>> the SEAS domain but nothing from SEAS-S.  Mapping drives using a SEAS 
>> user still works, SEAS-S user still gets access denied in the client 
>> and the samba server logs says it can't find SEAS-S.
>>
>> Oddly, this works just fine:
>> [root at lylesmb1 samba]# wbinfo -n SEAS+tuckerd
>> S-1-5-21-2041585393-961507653-59529505-6586 SID_USER (1)
>> [root at lylesmb1 samba]# wbinfo -n SEAS-S+tuckerd
>> S-1-5-21-1863541909-2129596521-199955091-23660 SID_USER (1)
>>
>> And in the logs it shows:
>>
>> [2013/11/13 16:38:11.058477,  1] 
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_LookupName: struct wbint_LookupName
>>           in: struct wbint_LookupName
>>               domain                   : *
>>                   domain                   : 'SEAS-S'
>>               name                     : *
>>                   name                     : 'TUCKERD'
>>               flags                    : 0x00000000 (0)
>> [2013/11/13 16:38:11.061425,  1] 
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_LookupName: struct wbint_LookupName
>>           out: struct wbint_LookupName
>>               type                     : *
>>                   type                     : SID_NAME_USER (1)
>>               sid                      : *
>>                   sid                      : 
>> S-1-5-21-1863541909-2129596521-199955091-23660
>>               result                   : NT_STATUS_OK
>>
>> [2013/11/13 16:38:02.282938,  1] 
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_LookupName: struct wbint_LookupName
>>           in: struct wbint_LookupName
>>               domain                   : *
>>                   domain                   : 'SEAS'
>>               name                     : *
>>                   name                     : 'TUCKERD'
>>               flags                    : 0x00000000 (0)
>> [2013/11/13 16:38:02.283503,  1] 
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>        wbint_LookupName: struct wbint_LookupName
>>           out: struct wbint_LookupName
>>               type                     : *
>>                   type                     : SID_NAME_USER (1)
>>               sid                      : *
>>                   sid                      : 
>> S-1-5-21-2041585393-961507653-59529505-6586
>>               result                   : NT_STATUS_OK
>>
>> I'm flatly confused why a lookup of a single user works, but nothing 
>> when doing a full dump, and why it won't authenticate and map drives :(
> Can you post your smb.conf please.
>
> Jonn
>
Thanks John.  I included only the home share definition.  The rest of my 
conf file is just shares.


[global]

    workgroup = SEAS
    realm = SEAS.ENGR.SMU.EDU
    hide dot files = yes
    server string = Samba Server
    client use spnego = yes
    posix locking = no
    kernel oplocks = no
    log level = 10
    log file = /var/log/samba/%m.log
    follow symlinks = yes
    wide links = yes
    unix extensions = no
    max log size = 50
    security = ADS
    encrypt passwords = yes
    passdb backend = tdbsam
    obey pam restrictions = no
    invalid users = root
    unix password sync = no
    username map = /etc/samba/domain_user.map
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    preferred master = no
    wins support = no
    wins server = 192.168.1.4 192.168.1.5
    dns proxy = no
    winbind separator = +
    winbind cache time = 600
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 1999999
    idmap config SEAS:backend = ad
    idmap config SEAS:range = 10000 - 20000
    idmap config * : schema_mode = rfc2307
    idmap config SEAS-S:backend = ad
    idmap config SEAS-S:range = 21000 - 22000

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

and so on with shares....
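The two configuration points raised in this thread, Dale's rule that idmap ranges must not overlap and his note that the ad backend also needs a schema mode, are easy to get wrong when several domains share one smb.conf. The checker below is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines of a config (both the `DOMAIN : key` and `DOMAIN:key` spellings that appear above), flags malformed or overlapping ranges, and flags any domain whose backend is `ad` without a `schema_mode` under that same domain key. That last check rests on an assumption stated in the code: that idmap options are read per domain key, so `idmap config * : schema_mode` does not cover `idmap config SEAS:backend = ad`. The first sample input is the idmap block Doug posted; the second is constructed from Dale's layout with DOMAIN2 deliberately overlapping both its neighbours.

```python
"""Added example (not from the thread): validate the 'idmap config' block of
an smb.conf for overlapping or malformed ranges, and for an 'ad' backend
declared for a domain whose own 'idmap config' entries carry no schema_mode."""
import re
from collections import defaultdict
from itertools import combinations

# Matches both spellings seen in the thread:
#   idmap config * : range = 1000000 - 1999999
#   idmap config SEAS:backend = ad
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line.
    Option names are lower-cased and 'schema mode' is normalised to
    'schema_mode' so either spelling from the thread is recognised."""
    domains = defaultdict(dict)
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            key = m.group("key").strip().lower().replace(" ", "_")
            domains[m.group("dom").upper()][key] = m.group("val")
    return dict(domains)


def parse_range(text):
    """Parse 'low - high' (spaces optional) into (low, high); None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_idmap(conf_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    domains = parse_idmap(conf_text)
    findings = []
    ranges = {}
    for dom, opts in sorted(domains.items()):
        rng = parse_range(opts.get("range"))
        if rng is None:
            findings.append(f"{dom}: missing or malformed range {opts.get('range')!r}")
        elif rng[0] > rng[1]:
            findings.append(f"{dom}: range low {rng[0]} exceeds high {rng[1]}")
        else:
            ranges[dom] = rng
        # Dale's remark: the ad backend also needs a schema mode. Assumption:
        # options are looked up per domain key, so a '*' schema_mode does not
        # apply to a domain that declares its own backend.
        if (opts.get("backend") or "").lower() == "ad" and "schema_mode" not in opts:
            findings.append(f"{dom}: backend = ad but no 'idmap config {dom}:schema_mode'")
    # Two closed intervals overlap when each starts no later than the other ends.
    for (d1, (a, b)), (d2, (c, d)) in combinations(sorted(ranges.items()), 2):
        if a <= d and c <= b:
            findings.append(f"{d1} range {a}-{b} overlaps {d2} range {c}-{d}")
    return findings


# The idmap lines from Doug's posted [global] section.
DOUG_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 1999999
    idmap config SEAS:backend = ad
    idmap config SEAS:range = 10000 - 20000
    idmap config * : schema_mode = rfc2307
    idmap config SEAS-S:backend = ad
    idmap config SEAS-S:range = 21000 - 22000
"""

# Constructed input: Dale's layout with DOMAIN2's range deliberately overlapping.
OVERLAP_CONF = """
    idmap config * : backend        = tdb
    idmap config * : range            = 1000000 - 2000000
    idmap config DOMAIN1 : default     = Yes
    idmap config DOMAIN1 : backend    = rid
    idmap config DOMAIN1 : range        = 1000 - 2000
    idmap config DOMAIN2 : backend    = rid
    idmap config DOMAIN2 : range        = 1500 - 1999999
"""

if __name__ == "__main__":
    for name, conf in (("doug", DOUG_CONF), ("overlap", OVERLAP_CONF)):
        print(name)
        for finding in check_idmap(conf) or ["no findings"]:
            print("  ", finding)
```

Run against Doug's block the checker reports no overlap but flags both SEAS and SEAS-S as `ad` backends with no schema_mode under their own keys; the constructed block is reported as two overlaps. To use it on a real file, read the `[global]` section into a string and pass it to `check_idmap`.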
