[Samba] can't auth against more than 1 domain

Doug Tucker tuckerd at lyle.smu.edu
Thu Nov 14 08:20:25 MST 2013


On 11/14/2013 09:04 AM, Taylor, Jonn wrote:
> On 11/14/2013 08:53 AM, Doug Tucker wrote:
>> On 11/13/2013 09:51 PM, Taylor, Jonn wrote:
>>> On 11/13/2013 04:43 PM, Doug Tucker wrote:
>>>> On 11/13/2013 04:12 PM, Taylor, Jonn wrote:
>>>>> On 11/13/2013 04:04 PM, Dale Schroeder wrote:
>>>>>> On 11/13/2013 3:34 PM, Doug Tucker wrote:
>>>>>>> On 11/13/2013 02:30 PM, Dale Schroeder wrote:
>>>>>>>> On 11/13/2013 1:54 PM, Doug Tucker wrote:
>>>>>>>>> I have 2 samba servers.  One with centos5+samba 3.033 that has 
>>>>>>>>> been in service for a few years now. I have installed a 
>>>>>>>>> centos6+samba 3.6.9.  I followed the how-to I did with the 
>>>>>>>>> first one, copied over the krb5.conf and smb.conf from the 
>>>>>>>>> working server and all seemed to go well. It is a member 
>>>>>>>>> server of a Windows AD. We have 2 DC's that are part of the 
>>>>>>>>> same forest: SEAS and SEAS-S.  I joined the new one like the 
>>>>>>>>> old one to the SEAS domain.  The problem I have run into is 
>>>>>>>>> the new server will only auth users in the domain it is joined 
>>>>>>>>> to (SEAS) and cannot get users from SEAS-S. If I check for 
>>>>>>>>> trusted domains net rpc trustdom SEAS-S shows up under trusted 
>>>>>>>>> and trusting.  If I do wbinfo -u | grep SEAS I get a full list 
>>>>>>>>> of users in the SEAS domain.  But wbinfo -u | grep SEAS-S 
>>>>>>>>> comes back blank.
>>>>>>>>>
>>>>>>>>> I don't know what to provide to help solve this so I'll post 
>>>>>>>>> some basics I guess.
>>>>>>>>>
>>>>>>>>> krb5.conf:
>>>>>>>>> [logging]
>>>>>>>>>  default = FILE:/var/log/krb5libs.log
>>>>>>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>>>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>>  default_realm = SEAS.ENGR.SMU.EDU
>>>>>>>>>  dns_lookup_realm = false
>>>>>>>>>  dns_lookup_kdc = false
>>>>>>>>>  ticket_lifetime = 24h
>>>>>>>>>  forwardable = true
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>>  SEAS.ENGR.SMU.EDU = {
>>>>>>>>>   kdc = seas.engr.smu.edu:88
>>>>>>>>>   admin_server = seas.engr.smu.edu:749
>>>>>>>>>   default_domain = engr.smu.edu
>>>>>>>>>  }
>>>>>>>>>
>>>>>>>>>  SEAS-S.ENGR.SMU.EDU = {
>>>>>>>>>   kdc = seas-s.engr.smu.edu:88
>>>>>>>>>   admin_server = seas-s.engr.smu.edu:749
>>>>>>>>>   default_domain = engr.smu.edu
>>>>>>>>>  }
>>>>>>>>>
>>>>>>>>> [domain_realm]
>>>>>>>>>  .engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>>>>  engr.smu.edu = SEAS.ENGR.SMU.EDU
>>>>>>>>>
>>>>>>>>> [appdefaults]
>>>>>>>>>  pam = {
>>>>>>>>>    debug = false
>>>>>>>>>    ticket_lifetime = 36000
>>>>>>>>>    renew_lifetime = 36000
>>>>>>>>>    forwardable = true
>>>>>>>>>    krb4_convert = false
>>>>>>>>>  }
>>>>>>>>>
>>>>>>>>> Globals of smb.conf:
>>>>>>>>>
>>>>>>>>> workgroup = SEAS
>>>>>>>>>    realm = SEAS.ENGR.SMU.EDU
>>>>>>>>>   security = ADS
>>>>>>>>> encrypt passwords = yes
>>>>>>>>>   passdb backend = tdbsam
>>>>>>>>>   obey pam restrictions = no
>>>>>>>>>   invalid users = root
>>>>>>>>>  username map = /etc/samba/domain_user.map
>>>>>>>>> winbind separator = +
>>>>>>>>>    winbind cache time = 600
>>>>>>>>>    idmap uid = 19000-20000
>>>>>>>>>    idmap gid = 19000-20000
>>>>>>>>>
>>>>>>>>> Please let me know what else I may provide to help solve this. 
>>>>>>>>> I found some threads on this issue that were several years old 
>>>>>>>>> in regard to 3.028 having this issue and it was patched in a 
>>>>>>>>> later release.  I can't find anything current about this. 
>>>>>>>>> Thank you in advance.
>>>>>>>> Doug,
>>>>>>>>
>>>>>>>> This is most likely related to the idmap syntax changes in 
>>>>>>>> recent Samba versions. idmap uid/gid is deprecated. 3.6 uses 
>>>>>>>> something like the following:
>>>>>>>>
>>>>>>>>     idmap config * : backend        = tdb
>>>>>>>>     idmap config * : range            = 1000000 - 2000000
>>>>>>>>     idmap config DOMAIN1 : default     = Yes
>>>>>>>>     idmap config DOMAIN1 : backend    = rid
>>>>>>>>     idmap config DOMAIN1 : range        = 1000 - 2000
>>>>>>>>     idmap config DOMAIN2 : backend    = rid
>>>>>>>>     idmap config DOMAIN2 : range        = 3000 - 4000
>>>>>>>>
>>>>>>>> Range values should not overlap.  Adjust backend and range 
>>>>>>>> values to suit your situation.
>>>>>>>>
>>>>>>>> Dale
>>>>>>>>
>>>>>>>
>>>>>>> Sorry, hit send too soon.  Here is the command/log:
>>>>>>>
>>>>>>> [root at lylesmb1 ~]# wbinfo -a SEAS-S+tuckerd
>>>>>>> Enter SEAS-S+tuckerd's password:
>>>>>>> plaintext password authentication succeeded
>>>>>>> Enter SEAS-S+tuckerd's password:
>>>>>>> challenge/response password authentication succeeded
>>>>>>>
>>>>>>>  [ 2639]: pam auth crap domain: [SEAS-S] user: tuckerd
>>>>>>> [2013/11/13 15:32:29.093674, 10] 
>>>>>>> winbindd/winbindd.c:679(wb_request_done)
>>>>>>>   wb_request_done[2639:PAM_AUTH_CRAP]: NT_STATUS_OK
>>>>>>
>>>>>> I haven't used the ad backend, but I believe it also requires a 
>>>>>> schema mode option.  See: 
>>>>>> http://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
>>>>>>
>>>>>> I've found this syntax: idmap config DOMAIN : schema mode = 
>>>>>> rfc2307 | sfu | sfu20
>>>>>> Also found this option in some configs: winbind nss info = 
>>>>>> rfc2307 | sfu | sfu20 | template
>>>>>>
>>>>>> I don't have the experience with idmap_ad to guide you, but maybe 
>>>>>> this will help.
>>>>>>
>>>>>> Dale
>>>>>>
>>>>>>
>>>>> To clear the cache you can also use this command "net cache flush"
>>>>>
>>>>> Also here is my working AD config. This is on a cluster so just 
>>>>> ignore the cluster statements.
>>>>>
>>>>> [global]
>>>>>     workgroup = TAYLORTELEPHONE
>>>>>     realm = TAYLORTELEPHONE.COM
>>>>>     netbios name = SHR01
>>>>>     server string = Cluster Share
>>>>>     interfaces = eth0, eth1, lo
>>>>>     security = ADS
>>>>>     private dir = /clusterdata/ctdb
>>>>>     log file = /var/log/samba/log.%m
>>>>>     server signing = auto
>>>>>     lpq cache time = 20
>>>>>     clustering = Yes
>>>>>     printcap name = /etc/printcap
>>>>>     wins server = 192.168.173.3
>>>>>     template homedir = /home/%U
>>>>>     template shell = /bin/bash
>>>>>     winbind enum users = Yes
>>>>>     winbind enum groups = Yes
>>>>>     winbind use default domain = Yes
>>>>>     winbind refresh tickets = Yes
>>>>>     winbind offline logon = Yes
>>>>>     idmap config * : range = 500-4000000
>>>>>     idmap config TAYLORTELEPHONE:range = 500-4000000
>>>>>     idmap config TAYLORTELEPHONE:backend = rid
>>>>>     idmap config * : schema_mode = rfc2307
>>>>>     idmap config * : backend = ad
>>>>>     admin users = "@TAYLORTELEPHONE\Domain Admins"
>>>>>     inherit acls = Yes
>>>>>     map acl inherit = Yes
>>>>>     max print jobs = 100
>>>>>     printing = bsd
>>>>>     print command = lpr -r -P'%p' %s
>>>>>     lpq command = lpq -P'%p'
>>>>>     lprm command = lprm -P'%p' %j
>>>>>
>>>> OK, adding the schema_mode didn't change anything.  I'm still 
>>>> missing *something*.
>>>>
>>>> Still if I try to do a full dump using wbinfo -u I get every user 
>>>> in the SEAS domain but nothing from SEAS-S.  Mapping drives using a 
>>>> SEAS user still works, SEAS-S user still gets access denied in the 
>>>> client and the samba server logs says it can't find SEAS-S.
>>>>
>>>> Oddly, this works just fine:
>>>> [root at lylesmb1 samba]# wbinfo -n SEAS+tuckerd
>>>> S-1-5-21-2041585393-961507653-59529505-6586 SID_USER (1)
>>>> [root at lylesmb1 samba]# wbinfo -n SEAS-S+tuckerd
>>>> S-1-5-21-1863541909-2129596521-199955091-23660 SID_USER (1)
>>>>
>>>> And in the logs it shows:
>>>>
>>>> [2013/11/13 16:38:11.058477,  1] 
>>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>>        wbint_LookupName: struct wbint_LookupName
>>>>           in: struct wbint_LookupName
>>>>               domain                   : *
>>>>                   domain                   : 'SEAS-S'
>>>>               name                     : *
>>>>                   name                     : 'TUCKERD'
>>>>               flags                    : 0x00000000 (0)
>>>> [2013/11/13 16:38:11.061425,  1] 
>>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>>        wbint_LookupName: struct wbint_LookupName
>>>>           out: struct wbint_LookupName
>>>>               type                     : *
>>>>                   type                     : SID_NAME_USER (1)
>>>>               sid                      : *
>>>>                   sid                      : 
>>>> S-1-5-21-1863541909-2129596521-199955091-23660
>>>>               result                   : NT_STATUS_OK
>>>>
>>>> [2013/11/13 16:38:02.282938,  1] 
>>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>>        wbint_LookupName: struct wbint_LookupName
>>>>           in: struct wbint_LookupName
>>>>               domain                   : *
>>>>                   domain                   : 'SEAS'
>>>>               name                     : *
>>>>                   name                     : 'TUCKERD'
>>>>               flags                    : 0x00000000 (0)
>>>> [2013/11/13 16:38:02.283503,  1] 
>>>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>>        wbint_LookupName: struct wbint_LookupName
>>>>           out: struct wbint_LookupName
>>>>               type                     : *
>>>>                   type                     : SID_NAME_USER (1)
>>>>               sid                      : *
>>>>                   sid                      : 
>>>> S-1-5-21-2041585393-961507653-59529505-6586
>>>>               result                   : NT_STATUS_OK
>>>>
>>>> I'm flatly confused why a lookup of a single user works, but 
>>>> nothing when doing a full dump, and why it won't authenticate and 
>>>> map drives :(
>>> Can you post your smb.conf please.
>>>
>>> Jonn
>>>
>> Thanks John.  I included only the home share definition.  The rest of 
>> my conf file is just shares.
>>
>>
>> [global]
>>
>>    workgroup = SEAS
>>    realm = SEAS.ENGR.SMU.EDU
>>    hide dot files = yes
>>    server string = Samba Server
>>    client use spnego = yes
>>    posix locking = no
>>    kernel oplocks = no
>>    log level = 10
>>    log file = /var/log/samba/%m.log
>>  follow symlinks = yes
>>    wide links = yes
>>    unix extensions = no
>>  max log size = 50
>>  security = ADS
>> encrypt passwords = yes
> remove this; your passwords are stored in AD
>> passdb backend = tdbsam
>
>> obey pam restrictions = no
>>   invalid users = root
>>  unix password sync = no
>>  username map = /etc/samba/domain_user.map
> No need for this in 3.6. This can cause samba to be slow.
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
>>  local master = no
>>  preferred master = no
>> wins support = no
>> wins server = 192.168.1.4 192.168.1.5
>>  dns proxy = no
>>  winbind separator = +
>>    winbind cache time = 600
> idmap config * : backend =ad
>> idmap config * : backend = tdb
>
>> idmap config * : range = 1000000 - 1999999
> idmap config SEAS:backend = rid
>> idmap config SEAS:backend = ad
>
>> idmap config SEAS:range = 10000 - 20000
>>    idmap config * : schema_mode = rfc2307
> idmap config SEAS-S:backend = rid
>> idmap config SEAS-S:backend = ad
>
>> idmap config SEAS-S:range = 21000 - 22000
>>
>> [homes]
>>    comment = Home Directories
>>    browseable = no
>>    writable = yes
>>
>> and so on with shares....
>>
>>
>>
>>
> See inline comments. Remember to restart winbind.
>
> Jonn
>
Changes made, no change in function.  SEAS domain works, SEAS-S does 
not. wbinfo -u | grep SEAS-S returns no results.  Attempt to mount using 
SEAS-S user results in "access denied" to the client and this in the logs:

[2013/11/14 09:18:38.922249,  3] 
winbindd/winbindd_misc.c:226(winbindd_domain_info)
   [ 5485]: domain_info [SEAS-S]
[2013/11/14 09:18:38.922276,  3] 
winbindd/winbindd_misc.c:232(winbindd_domain_info)
   Did not find domain [SEAS-S]
[2013/11/14 09:18:38.922308, 10] 
winbindd/winbindd.c:740(winbind_client_response_written)
   winbind_client_response_written[5485:DOMAIN_INFO]: delivered response 
to client
[2013/11/14 09:18:39.055184,  6] 
winbindd/winbindd.c:842(winbind_client_request_read)
   closing socket 29, client exited
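Dale's rule above that idmap ranges must not overlap is worth checking mechanically: an overlap lets two different SIDs resolve to the same Unix uid, so file ownership and access checks become ambiguous. The following Python script is an added example, not code from the thread or from Samba; it parses the `idmap config` lines of an smb.conf and reports missing backend or range keys, overlapping ranges, and the deprecated `idmap uid/gid` keys, using a sample constructed from the configs posted above.

```python
import re

# Constructed sample: the idmap lines from the final smb.conf in the thread,
# plus the deprecated 3.0-style 'idmap uid/gid' keys from the first one.
SAMPLE_SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 1999999
   idmap config SEAS:backend = rid
   idmap config SEAS:range = 10000 - 20000
   idmap config SEAS-S:backend = rid
   idmap config SEAS-S:range = 21000 - 22000
   idmap uid = 19000-20000
   idmap gid = 19000-20000
"""

# 'idmap config DOMAIN : key = value'; DOMAIN may be '*' and the colon may hug it.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)
LEGACY_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=", re.I)

def parse_idmap(conf: str) -> tuple[dict[str, dict[str, str]], list[str]]:
    """Collect idmap settings per domain; flag deprecated 'idmap uid/gid' keys."""
    domains: dict[str, dict[str, str]] = {}
    problems: list[str] = []
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
        elif LEGACY_RE.match(line):
            problems.append(f"deprecated key: {line.strip()}")
    return domains, problems

def check_idmap(conf: str) -> list[str]:
    """Return problems: deprecated keys, missing backend/range, overlapping ranges."""
    domains, problems = parse_idmap(conf)
    ranges: dict[str, tuple[int, int]] = {}
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in cfg["range"].replace(" ", "").split("-"))
        ranges[dom] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # closed intervals [lo, hi] intersect when each start is <= the other's end
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b} idmap ranges overlap")
    return problems
```

On the sample above the only findings are the two deprecated keys; a config whose ranges overlap or that omits a backend is reported by domain name.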
