[Samba] Help with winbind getusersids across forests

Earsh Nandkeshwar Earsh.Nandkeshwar at harmonicinc.com
Thu Mar 27 17:49:05 MDT 2014

I am hoping someone can shed some light on this. We have a setup that is using Active Directory Windows 2008 R2 with 2 domains, A and B. They are across forests, with a one-way trust between the forests. A is the trusted domain, B is the trusting domain. We have a 3.6.9 Samba server joined to B's Active Directory. If we try authenticating from our machine in B's domain as a user from A, given A's domain name, it works. The command used is ntlm_auth. If we try getting its groups, by calling getusersids in our own patched version of ntlm_auth, it fails with this message:

From /var/log/samba/log.winbindd:
[2014/03/19 15:54:13.951576,  3] winbindd/winbindd_getusersids.c:49(winbindd_getusersids_send)
  getusersids S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:13.951645,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          in: struct wbint_LookupUserGroups
              sid                      : *
                  sid                      : S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:25.728717,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          out: struct wbint_LookupUserGroups
              sids                     : *
                  sids: struct wbint_SidArray
                      num_sids                 : 0x00000000 (0)
                      sids: ARRAY(0)
              result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/03/19 15:54:25.728877,  5] winbindd/winbindd_getusersids.c:94(winbindd_getusersids_recv)

We believe the forests and one-way trust are set up correctly, but something recently changed at the site, where it worked before and doesn't work now. We think either a route was disabled between the machine in Domain A talking to the Domain controller in B, or something in smb.conf / krb5.conf changed. Nothing is standing out as the problem, however. Are there specific settings that need to be added into conf files for doing cross-forest commands for winbind's getusersids request? Any settings in Active Directory that have to be set? Is there a different call besides getusersids to get the groups of the member on A that can be used cross-forest (even though we saw this work earlier, before "something" changed)?

Thanks for any feedback. Also, if anyone has pointers on troubleshooting such issues, that would be appreciated.

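As an added troubleshooting aid (this is not code from the post above or from the Samba project), the script below pulls the user SID and the NT_STATUS result out of a winbindd log excerpt like the one quoted in the post, derives the domain SID from the user SID, and then, if wbinfo is on the box, runs the standard checks a practitioner would use to see whether winbind can see and reach the trusted forest's domain: the trusted-domain list, per-domain online status, mapping the SID back to a name, and the user-sids lookup that backs getusersids. The log excerpt embedded in the script is copied from the post; the function names, and the choice of wbinfo checks, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Parses a winbindd log excerpt for the getusersids SID and the
# wbint_LookupUserGroups result, then runs wbinfo diagnostics if available.

# Constructed sample: lines copied from the log excerpt in the post.
LOG_SAMPLE='[2014/03/19 15:54:13.951576,  3] winbindd/winbindd_getusersids.c:49(winbindd_getusersids_send)
  getusersids S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:25.728717,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          out: struct wbint_LookupUserGroups
              sids                     : *
                  sids: struct wbint_SidArray
                      num_sids                 : 0x00000000 (0)
                      sids: ARRAY(0)
              result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND'

# log_sid LOG: the SID passed to getusersids (first occurrence).
log_sid() {
    printf '%s\n' "$1" | sed -n 's/^ *getusersids \(S-[0-9-]*\).*/\1/p' | head -n 1
}

# log_result LOG: the NT_STATUS code returned by wbint_LookupUserGroups.
log_result() {
    printf '%s\n' "$1" | sed -n 's/^ *result *: *\(NT_STATUS_[A-Z_]*\).*/\1/p' | head -n 1
}

# domain_sid USER_SID: strip the trailing RID to get the owning domain's SID.
domain_sid() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# check_trust USER_SID: run wbinfo checks against the domain owning USER_SID.
# Returns 2 if wbinfo is not installed; otherwise the status of the last check.
check_trust() {
    user_sid=$1
    dom_sid=$(domain_sid "$user_sid")
    command -v wbinfo >/dev/null 2>&1 || {
        echo "wbinfo not found; run this on the Samba member server" >&2
        return 2
    }
    echo "== trusted domains winbind knows about (the trusted forest should be listed)"
    wbinfo -m
    echo "== per-domain online/offline status"
    wbinfo --online-status
    echo "== map the domain SID $dom_sid back to a domain name"
    wbinfo -s "$dom_sid"
    echo "== map the user SID back to DOMAIN\\user"
    wbinfo -s "$user_sid"
    echo "== group SIDs for the user (same lookup getusersids performs)"
    wbinfo --user-sids "$user_sid"
}

user_sid=$(log_sid "$LOG_SAMPLE")
echo "getusersids was called for $user_sid (domain $(domain_sid "$user_sid"))"
echo "wbint_LookupUserGroups returned $(log_result "$LOG_SAMPLE")"

if command -v wbinfo >/dev/null 2>&1; then
    check_trust "$user_sid"
else
    echo "wbinfo not available here; parsed the log only"
fi
```

If `wbinfo -m` does not list the trusted forest's domain, or `wbinfo --online-status` reports it offline, winbind has no usable DC for that domain, which is the situation a DOMAIN_CONTROLLER_NOT_FOUND result from the group lookup points at; raising `log level` for winbind and watching log.winbindd while `wbinfo -s` runs against the domain SID shows which DC it tries to contact. The `wbinfo --user-sids` call is the same lookup the patched ntlm_auth's getusersids request performs, so it reproduces the failure without the custom client.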