[Samba] can't auth against more than 1 domain

Taylor, Jonn jonnt at taylortelephone.com
Thu Nov 14 08:04:49 MST 2013


On 11/14/2013 08:53 AM, Doug Tucker wrote:
> On 11/13/2013 09:51 PM, Taylor, Jonn wrote:
>> On 11/13/2013 04:43 PM, Doug Tucker wrote:
>>> On 11/13/2013 04:12 PM, Taylor, Jonn wrote:
>>>> On 11/13/2013 04:04 PM, Dale Schroeder wrote:
>>>>> On 11/13/2013 3:34 PM, Doug Tucker wrote:
>>>>>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>>>>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>>>>>> I have 2 samba servers.  One with centos5+samba 3.033 that has 
>>>>>>>> been in service for a few years now. I have installed a 
>>>>>>>> centos6+samba 3.6.9.  I followed the how-to I did with the 
>>>>>>>> first one, copied over the krb5.conf and smb.conf from the 
>>>>>>>> working server and all seemed to go well. It is a member server 
>>>>>>>> of a window AD. We have 2 DC's that are part of the same 
>>>>>>>> forest: SEAS and SEAS-S.  I joined the new one like the old one 
>>>>>>>> to the SEAS domain.  The problem I have run into is the new 
>>>>>>>> server will only auth users in the domain it is joined to 
>>>>>>>> (SEAS) and cannot get users from SEAS-S. If I check for 
>>>>>>>> trusted domains net rpc trustdom SEAS-S shows up under trusted 
>>>>>>>> and trusting.  If I do wbinfo -u | grep SEAS I get a full list 
>>>>>>>> of users in the SEAS domain.  But wbinfo -u | grep SEAS-S comes 
>>>>>>>> back blank.
>>>>>>>>
>>>>>>>> I don't know what to provide to help solve this so I'll post 
>>>>>>>> some basics I guess.
>>>>>>>>
>>>>>>>> krb5.conf:
>>>>>>>> [logging]
>>>>>>>>  default = FILE:/var/log/krb5libs.log
>>>>>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>>  default_realm = SEAS.ENGR.SMU.EDU
>>>>>>>>  dns_lookup_realm = false
>>>>>>>>  dns_lookup_kdc = false
>>>>>>>>  ticket_lifetime = 24h
>>>>>>>>  forwardable = true
>>>>>>>>
>>>>>>>> [realms]
>>>>>>>>  SEAS.ENGR.SMU.EDU = {
>>>>>>>>   kdc = seas.engr.smu.edu:88
>>>>>>>>   admin_server = seas.engr.smu.edu:749
>>>>>>>>   default_domain = engr.smu.edu
>>>>>>>>  }
>>>>>>>>
>>>>>>>>  SEAS-S.ENGR.SMU.EDU = {
>>>>>>>>   kdc = seas-s.engr.smu.edu:88
>>>>>>>>   admin_server = seas-s.engr.smu.edu:749
>>>>>>>>   default_domain = engr.smu.edu
>>>>>>>>  }
>>>>>>>>
>>>>>>>> [domain_realm]
>>>>>>>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>>>
>>>>>>>> [appdefaults]
>>>>>>>>  pam = {
>>>>>>>>    debug = false
>>>>>>>>    ticket_lifetime = 36000
>>>>>>>>    renew_lifetime = 36000
>>>>>>>>    forwardable = true
>>>>>>>>    krb4_convert = false
>>>>>>>>  }
>>>>>>>>
>>>>>>>> Globals of smb.conf:
>>>>>>>>
>>>>>>>> workgroup = SEAS
>>>>>>>>    realm = SEAS.ENGR.SMU.EDU
>>>>>>>>   security = ADS
>>>>>>>> encrypt passwords = yes
>>>>>>>>   passdb backend = tdbsam
>>>>>>>>   obey pam restrictions = no
>>>>>>>>   invalid users = root
>>>>>>>>  username map = /etc/samba/domain_user.map
>>>>>>>> winbind separator = +
>>>>>>>>    winbind cache time = 600
>>>>>>>>    idmap uid = 19000-20000
>>>>>>>>    idmap gid = 19000-20000
>>>>>>>>
>>>>>>>> Please let me know what else I may provide to help solve this. 
>>>>>>>> I found some threads on this issue that were several years old 
>>>>>>>> in regard to 3.028 having this issue and it was patched in a 
>>>>>>>> later release.  I can't find anything current about this. Thank 
>>>>>>>> you in advance.
>>>>>>> Doug,
>>>>>>>
>>>>>>> This is most likely related to the idmap syntax changes in 
>>>>>>> recent Samba versions. idmap uid/gid is deprecated. 3.6 uses 
>>>>>>> something like the following:
>>>>>>>
>>>>>>>     idmap config * : backend        = tdb
>>>>>>>     idmap config * : range            = 1000000 - 2000000
>>>>>>>     idmap config DOMAIN1 : default     = Yes
>>>>>>>     idmap config DOMAIN1 : backend    = rid
>>>>>>>     idmap config DOMAIN1 : range        = 1000 - 2000
>>>>>>>     idmap config DOMAIN2 : backend    = rid
>>>>>>>     idmap config DOMAIN2 : range        = 3000 - 4000
>>>>>>>
>>>>>>> Range values should not overlap.  Adjust backend and range 
>>>>>>> values to suit your situation.
>>>>>>>
>>>>>>> Dale
>>>>>>>
>>>>>>
>>>>>> Sorry, hit send too soon.  Here is the command/log:
>>>>>>
>>>>>> [root@lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>>>>>> Enter SEAS-S+tuckerd's password:
>>>>>> plaintext password authentication succeeded
>>>>>> Enter SEAS-S+tuckerd's password:
>>>>>> challenge/response password authentication succeeded
>>>>>>
>>>>>>  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>>>>>> [2013/11/13 15:32:29.093674, 10] 
>>>>>> winbindd/winbindd.c:679(wb_request_done)
>>>>>>   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>>>>>
>>>>> I haven't used the ad backend, but I believe it also requires a 
>>>>> schema mode option.  See: 
>>>>> http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
>>>>>
>>>>> I've found this syntax: idmap config DOMAIN : schema mode = 
>>>>> rfc2307 | sfu | sfu20
>>>>> Also found this option in some configs: winbind nss info = rfc2307 
>>>>> | sfu | sfu20 | template
>>>>>
>>>>> I don't have the experience with idmap_ad to guide you, but maybe 
>>>>> this will help.
>>>>>
>>>>> Dale
>>>>>
>>>>>
>>>> To clear the cache you can also use this command "net cache flush"
>>>>
>>>> Also here is my working AD config. This is on a cluster so just 
>>>> ignore the cluster statements.
>>>>
>>>> [global]
>>>>     workgroup = TAYLORTELEPHONE
>>>>     realm = TAYLORTELEPHONE.COM
>>>>     netbios name = SHR01
>>>>     server string = Cluster Share
>>>>     interfaces = eth0, eth1, lo
>>>>     security = ADS
>>>>     private dir = /clusterdata/ctdb
>>>>     log file = /var/log/samba/log.%m
>>>>     server signing = auto
>>>>     lpq cache time = 20
>>>>     clustering = Yes
>>>>     printcap name = /etc/printcap
>>>>     wins server = 192.168.173.3
>>>>     template homedir = /home/%U
>>>>     template shell = /bin/bash
>>>>     winbind enum users = Yes
>>>>     winbind enum groups = Yes
>>>>     winbind use default domain = Yes
>>>>     winbind refresh tickets = Yes
>>>>     winbind offline logon = Yes
>>>>     idmap config * : range = 500-4000000
>>>>     idmap config TAYLORTELEPHONE:range = 500-4000000
>>>>     idmap config TAYLORTELEPHONE:backend = rid
>>>>     idmap config * : schema_mode = rfc2307
>>>>     idmap config * : backend = ad
>>>>     admin users = "@TAYLORTELEPHONE\Domain Admins"
>>>>     inherit acls = Yes
>>>>     map acl inherit = Yes
>>>>     max print jobs = 100
>>>>     printing = bsd
>>>>     print command = lpr -r -P'%p' %s
>>>>     lpq command = lpq -P'%p'
>>>>     lprm command = lprm -P'%p' %j
>>>>
>>> OK, adding the schema_mode didn't change anything.  I'm still 
>>> missing *something*.
>>>
>>> Still if I try to do a full dump using wbinfo -u I get every user in 
>>> the SEAS domain but nothing from SEAS-S.  Mapping drives using a 
>>> SEAS user still works, SEAS-S user still gets access denied in the 
>>> client and the samba server log says it can't find SEAS-S.
>>>
>>> Oddly, this works just fine:
>>> [root@lylesmb1 samba]# wbinfo -n SEAS+tuckerd
>>> S-1-5-21-2041585393-961507653-59529505-6586 SID_USER (1)
>>> [root@lylesmb1 samba]# wbinfo -n SEAS-S+tuckerd
>>> S-1-5-21-1863541909-2129596521-199955091-23660 SID_USER (1)
>>>
>>> And in the logs it shows:
>>>
>>> [2013/11/13 16:38:11.058477,  1] 
>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>        wbint_LookupName: struct wbint_LookupName
>>>           in: struct wbint_LookupName
>>>               domain                   : *
>>>                   domain                   : 'SEAS-S'
>>>               name                     : *
>>>                   name                     : 'TUCKERD'
>>>               flags                    : 0x00000000 (0)
>>> [2013/11/13 16:38:11.061425,  1] 
>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>        wbint_LookupName: struct wbint_LookupName
>>>           out: struct wbint_LookupName
>>>               type                     : *
>>>                   type                     : SID_NAME_USER (1)
>>>               sid                      : *
>>>                   sid                      : 
>>> S-1-5-21-1863541909-2129596521-199955091-23660
>>>               result                   : NT_STATUS_OK
>>>
>>> [2013/11/13 16:38:02.282938,  1] 
>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>        wbint_LookupName: struct wbint_LookupName
>>>           in: struct wbint_LookupName
>>>               domain                   : *
>>>                   domain                   : 'SEAS'
>>>               name                     : *
>>>                   name                     : 'TUCKERD'
>>>               flags                    : 0x00000000 (0)
>>> [2013/11/13 16:38:02.283503,  1] 
>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>        wbint_LookupName: struct wbint_LookupName
>>>           out: struct wbint_LookupName
>>>               type                     : *
>>>                   type                     : SID_NAME_USER (1)
>>>               sid                      : *
>>>                   sid                      : 
>>> S-1-5-21-2041585393-961507653-59529505-6586
>>>               result                   : NT_STATUS_OK
>>>
>>> I'm flatly confused why a lookup of a single user works, but nothing 
>>> when doing a full dump, and why it won't authenticate and map drives :(
>> Can you post your smb.conf please.
>>
>> Jonn
>>
> Thanks Jonn.  I included only the home share definition.  The rest of 
> my conf file is just shares.
>
>
> [global]
>
>    workgroup = SEAS
>    realm = SEAS.ENGR.SMU.EDU
>    hide dot files = yes
>    server string = Samba Server
>    client use spnego = yes
>    posix locking = no
>    kernel oplocks = no
>    log level = 10
>    log file = /var/log/samba/%m.log
>  follow symlinks = yes
>    wide links = yes
>    unix extensions = no
>  max log size = 50
>  security = ADS
> encrypt passwords = yes
Remove this; your passwords are stored in AD.
> passdb backend = tdbsam

> obey pam restrictions = no
>   invalid users = root
>  unix password sync = no
>  username map = /etc/samba/domain_user.map
No need for this in 3.6. This can cause samba to be slow.
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

>  local master = no
>  preferred master = no
> wins support = no
> wins server = 192.168.1.4 192.168.1.5
>  dns proxy = no
>  winbind separator = +
>    winbind cache time = 600
idmap config * : backend = ad
> idmap config * : backend = tdb

> idmap config * : range = 1000000 - 1999999
idmap config SEAS:backend = rid
> idmap config SEAS:backend = ad

> idmap config SEAS:range = 10000 - 20000
>    idmap config * : schema_mode = rfc2307
idmap config SEAS-S:backend = rid
> idmap config SEAS-S:backend = ad

> idmap config SEAS-S:range = 21000 - 22000
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
>
> and so on with shares....
>
>
>
>
See inline comments. Remember to restart winbind.

Jonn
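The idmap advice in this thread boils down to two checks: the pre-3.6 `idmap uid`/`idmap gid` keys should be gone, and every `idmap config DOMAIN : range` (the `*` default included) must be disjoint from the others. The following is an added example, not code from the thread or from Samba, that applies both checks to a constructed smb.conf excerpt modelled on the configs posted above; the parser assumes the 3.6 `idmap config DOMAIN : option = value` syntax shown in the thread.

```python
import re
from itertools import combinations

# 'idmap config DOMAIN : option = value'; whitespace around ':' is optional.
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.+?)$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DEPRECATED = ("idmap uid", "idmap gid")  # pre-3.6 syntax flagged in the thread

def parse_idmap(conf):
    """Return ({DOMAIN: {option: value}}, [deprecated keys seen])."""
    domains, deprecated = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key = line.split("=", 1)[0].strip().lower()
        if key in DEPRECATED:
            deprecated.append(key)
        elif (m := IDMAP_RE.match(line)):
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt.replace(" ", "_")] = val
    return domains, deprecated

def check_idmap(conf):
    """Return a list of findings; an empty list means the idmap ranges look sane."""
    domains, deprecated = parse_idmap(conf)
    findings = [f"deprecated '{k}': use 'idmap config DOMAIN : range'" for k in deprecated]
    ranges = []
    for dom, opts in sorted(domains.items()):
        rng = opts.get("range") or ""
        m = RANGE_RE.match(rng)
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{dom}: missing or malformed range {rng!r}")
            continue
        ranges.append((dom, int(m.group(1)), int(m.group(2))))
    # Every domain, the '*' default included, needs its own disjoint range.
    for (d1, lo1, hi1), (d2, lo2, hi2) in combinations(ranges, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"overlapping ranges: {d1} {lo1}-{hi1} vs {d2} {lo2}-{hi2}")
    return findings

# Constructed sample: an old 'idmap uid' line left in, and SEAS-S overlaps SEAS.
BAD_CONF = """[global]
   idmap uid = 19000-20000
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 1999999
   idmap config SEAS:backend = rid
   idmap config SEAS:range = 10000 - 20000
   idmap config SEAS-S:range = 15000 - 22000
"""
```

Run it against the output of `testparm -s` to check a live config; a clean run returns an empty list.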


