[Samba] Help with winbind getusersids across forests
Earsh Nandkeshwar
Earsh.Nandkeshwar at harmonicinc.com
Thu Mar 27 17:49:05 MDT 2014
I am hoping someone can shed some light on this. We have a setup that is using Active Directory Windows 2008 R2 with 2 domains, A and B. They are across forests, with a one-way trust between the forests. A is the trusted domain, B is the trusting domain. We have a 3.6.9 samba server joined to B's Active Directory. If we try authenticating from our machine in B's domain as a user from A given A's domain name, it works. The command used is ntlm_auth. If we try getting its groups, by calling getusersids in our own patched version of ntlm_auth, it fails with this message:
From /var/log/samba/log.winbindd:
[2014/03/19 15:54:13.951576, 3] winbindd/winbindd_getusersids.c:49(winbindd_getusersids_send)
getusersids S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:13.951645, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
in: struct wbint_LookupUserGroups
sid : *
sid : S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:25.728717, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
out: struct wbint_LookupUserGroups
sids : *
sids: struct wbint_SidArray
num_sids : 0x00000000 (0)
sids: ARRAY(0)
result : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/03/19 15:54:25.728877, 5] winbindd/winbindd_getusersids.c:94(winbindd_getusersids_recv)
We believe the forests and one-way trust are set up correctly, but something recently changed at the site, where it worked before and doesn't work now. Either we think a route was disabled between the machine in Domain A talking to the Domain controller in B or something with smb.conf / krb5.conf changed. Nothing is standing out as the problem however. Are there specific settings that need to be added into conf files for doing cross-forest commands for winbind's getusersids request? Any settings in Active Directory that have to be set? Is there a different call besides getusersids to get the groups of the member on A that can be used cross-forest (even though we saw this work earlier before "something" changed)?
Thanks for any feedback. Also, if anyone has pointers on troubleshooting such issues, that would be appreciated.
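Added example, not part of the original post and not Samba code: a small Python parser that pairs each wbint_LookupUserGroups request in a log.winbindd debug dump with its reply and reports the SID, the returned status and the elapsed time. The function names are hypothetical, the sample is abridged from the log quoted above, and the pairing assumes requests are not interleaved in the file.

```python
import re
from datetime import datetime

# Abridged from the log quoted in the post above.
SAMPLE = """\
[2014/03/19 15:54:13.951645, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
in: struct wbint_LookupUserGroups
sid : *
sid : S-1-5-21-3126979147-1297554514-4166189043-1113
[2014/03/19 15:54:25.728717, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
wbint_LookupUserGroups: struct wbint_LookupUserGroups
out: struct wbint_LookupUserGroups
num_sids : 0x00000000 (0)
result : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
DIRECTION = re.compile(r"^\s*(in|out): struct wbint_LookupUserGroups")
SID = re.compile(r"^\s*sid\s*:\s*(S-1-[\d-]+)")
RESULT = re.compile(r"^\s*result\s*:\s*(\S+)")

def lookup_user_groups_calls(text):
    """Pair each wbint_LookupUserGroups 'in' dump with the next 'out' dump."""
    calls, pending, ts, direction = [], None, None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            # A new log record starts: remember its timestamp.
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            direction = None
        elif m := DIRECTION.match(line):
            direction = m.group(1)
            if direction == "in":
                pending = {"sid": None, "start": ts}
        elif direction == "in" and pending and (m := SID.match(line)):
            pending["sid"] = m.group(1)  # "sid : *" (pointer marker) is skipped
        elif direction == "out" and pending and (m := RESULT.match(line)):
            calls.append({"sid": pending["sid"], "result": m.group(1),
                          "seconds": (ts - pending["start"]).total_seconds()})
            pending = None
    return calls

def failed(calls):
    """Keep only the calls whose reply status is not NT_STATUS_OK."""
    return [c for c in calls if c["result"] != "NT_STATUS_OK"]

if __name__ == "__main__":
    for call in failed(lookup_user_groups_calls(SAMPLE)):
        print(f'{call["sid"]}: {call["result"]} after {call["seconds"]:.1f}s')
```

On the excerpt above this reports a single failed lookup that took about 11.8 seconds to return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND.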