[Samba] Two-way forest trust with selective authentication and SAMBA 3.6 as member

Christian Reischl christian.reischl at ivv.fraunhofer.de
Mon Jun 8 12:39:21 MDT 2015


Hello Everybody,

We have authentication problems with the configuration mentioned above.

Current situation:
We have two Windows 2008 R2 domains (currently on 2003 level) in 
separate forests. Recently we created a two-way trust with selective 
authentication between them.

A Debian Squeeze LTS machine running SAMBA 3.6.6 (latest Backports 
version) is a member of our primary domain and provides file shares.


The problem:
Users of the trusted domain (TRUSTDOM) aren't able to access shares 
hosted on the SAMBA Server (FILE2) in the primary domain (PRIMDOM). A 
username/password dialogue gets shown instead. We've correctly granted 
the necessary "allowed to authenticate" right to all corresponding 
users. In contrast, accessing a share on a Windows machine works as expected.


Maybe I have to give some additional users the "allowed to 
authenticate" permission somewhere. Please help me with that. I've tried to fix it 
for so many hours without success. Should I upgrade SAMBA and/or Debian? 
Do you have any advice?


Authentication with "wbinfo -a TRUSTDOM+administrator" works fine while 
"wbinfo -i TRUSTDOM+administrator" fails with:
-------------------------------------------------------------------------
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user trustdom+user
-------------------------------------------------------------------------


log.wb-TRUSTDOM (entry occurs directly after "wbinfo -i"):
-------------------------------------------------------------------------
[2015/06/08 12:01:45.348081,  0] libads/sasl.c:908(ads_sasl_spnego_bind)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy rejects request
-------------------------------------------------------------------------
The same error appears if I enter "wbinfo -a" in combination with a 
username lacking the "allowed to authenticate" right.


smb.conf:
-------------------------------------------------------------------------
[global]
         workgroup = PRIMDOM
         realm = INT.PRIMDOM.DE
         server string = FILE2
         security = ADS

         winbind separator = +
         idmap config * : backend = tdb
         idmap config * : range = 1000000-1999999
         idmap config PRIMDOM : backend = rid
         idmap config PRIMDOM : range = 10000-49999
         idmap config TRUSTDOM : backend = rid
         idmap config TRUSTDOM : range = 50000-99999
         winbind enum users = yes
         winbind enum groups = yes

         socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE

         interfaces = 192.168.1.1/24 192.168.2.1/24 127.0.0.1
         bind interfaces only = yes

         follow symlinks = yes
         wide links = yes
         unix extensions = no

         log level = 0

         load printers = no
         disable spoolss = yes

[Share]
         comment = Test Share
         path = /srv/smb/Share
         read only = No
         create mask = 0777
         directory mask = 0777
         force unknown acl user = Yes
         inherit acls = yes
-------------------------------------------------------------------------


Output of "net rpc trustdom list -U PRIMDOM+administrator":
-------------------------------------------------------------------------
Trusted domains list:

TRUSTDOM           S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx

Trusting domains list:

TRUSTDOM           S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
-------------------------------------------------------------------------


Output of "wbinfo -m":
-------------------------------------------------------------------------
BUILTIN
FILE2
PRIMDOM
TRUSTDOM
-------------------------------------------------------------------------


Output of "id TRUSTDOM+administrator":
-------------------------------------------------------------------------
id: TRUSTDOM+administrator: No such user
-------------------------------------------------------------------------


Output of "chown TRUSTDOM+administrator Share/":
-------------------------------------------------------------------------
chown: invalid user: „TRUSTDOM+administrator“
-------------------------------------------------------------------------


"wbinfo -u" and "getent passwd" only show users of PRIMDOM.


I've already tried these additional steps without success:
http://anexinetisg.blogspot.de/2014/05/how-to-properly-create-two-way-external.html
http://anexinetisg.blogspot.de/2014/09/forest-trust-issue-with-selective.html


Kind regards,
Christian
-- 
__________________________________________
Christian Reischl

Fraunhofer Institut für
Verfahrenstechnik und Verpackung
Giggenhauser Str. 35
85354 Freising

Tel.: +49 8161 491-704
mailto:christian.reischl at ivv.fraunhofer.de
http://www.ivv.fraunhofer.de/
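The smb.conf and the "wbinfo -m" output above are the usual first things a reader checks in a thread like this: is every domain winbind knows given a backend and a UID/GID range, and do the ranges (including the "*" default) overlap? The following script, added here as an example and not code from the original post or from the Samba project, parses the idmap lines of an smb.conf and runs those checks. The configuration and the "wbinfo -m" list are copied from the mail (reduced to the relevant lines) so it runs offline; the bad configuration in the accompanying test is constructed. For the posted config the checks come back clean, which is consistent with the mail's own finding that the failure lies in the Kerberos bind ("KDC policy rejects request") rather than in the idmap ranges.

```python
"""Sanity checks for the idmap section of an smb.conf and for the domain list
winbind reports. Added example for this thread, not code from the original
post or from the Samba project. The sample configuration and the "wbinfo -m"
output are copied from the mail so the script runs offline."""
import re
from typing import Dict, List, Optional, Set

# Constructed from the smb.conf quoted in the mail (only the lines that matter here).
SAMPLE_SMB_CONF = """
[global]
         workgroup = PRIMDOM
         realm = INT.PRIMDOM.DE
         security = ADS
         winbind separator = +
         idmap config * : backend = tdb
         idmap config * : range = 1000000-1999999
         idmap config PRIMDOM : backend = rid
         idmap config PRIMDOM : range = 10000-49999
         idmap config TRUSTDOM : backend = rid
         idmap config TRUSTDOM : range = 50000-99999
"""

# "wbinfo -m" output as reported in the mail.
SAMPLE_WBINFO_M = "BUILTIN\nFILE2\nPRIMDOM\nTRUSTDOM\n"

# Matches lines of the form "idmap config DOMAIN : key = value" (DOMAIN may be "*").
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


class IdmapEntry:
    """Backend and UID/GID range configured for one domain ('*' is the default block)."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.backend: Optional[str] = None
        self.low: Optional[int] = None
        self.high: Optional[int] = None


def parse_idmap(conf: str) -> Dict[str, IdmapEntry]:
    """Collect every 'idmap config DOMAIN : key = value' line, keyed by domain."""
    entries: Dict[str, IdmapEntry] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = entries.setdefault(domain, IdmapEntry(domain))
        if key == "backend":
            entry.backend = value.lower()
        elif key == "range":
            low, high = (int(x) for x in value.split("-", 1))
            entry.low, entry.high = low, high
    return entries


def check_idmap(entries: Dict[str, IdmapEntry]) -> List[str]:
    """Return readable problems: missing default block, incomplete blocks, overlapping ranges."""
    problems: List[str] = []
    if "*" not in entries:
        problems.append("no 'idmap config *' default block; SIDs from unlisted domains cannot be mapped")
    for e in entries.values():
        if e.backend is None:
            problems.append(f"{e.domain}: backend not set")
        if e.low is None or e.high is None:
            problems.append(f"{e.domain}: range not set")
        elif e.low >= e.high:
            problems.append(f"{e.domain}: range {e.low}-{e.high} is empty or inverted")
    # Two ranges overlap when each one starts at or before the other one ends.
    ranged = [e for e in entries.values() if e.low is not None and e.high is not None]
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                problems.append(f"ranges of {a.domain} and {b.domain} overlap")
    return problems


def domains_without_idmap(entries: Dict[str, IdmapEntry], wbinfo_m_output: str,
                          local_names: Optional[Set[str]] = None) -> List[str]:
    """Domains listed by 'wbinfo -m' that have no dedicated idmap block and therefore fall
    back to the '*' allocator. BUILTIN and the machine's own name are expected there."""
    skip = {"BUILTIN"} | {n.upper() for n in (local_names or set())}
    known = [d.strip().upper() for d in wbinfo_m_output.splitlines() if d.strip()]
    return [d for d in known if d not in entries and d not in skip]


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE_SMB_CONF)
    for name, e in sorted(cfg.items()):
        print(f"{name:10} backend={e.backend} range={e.low}-{e.high}")
    print("problems:", check_idmap(cfg) or "none")
    print("domains on the default allocator:",
          domains_without_idmap(cfg, SAMPLE_WBINFO_M, {"FILE2"}) or "none")
```

Run it against a real smb.conf by replacing SAMPLE_SMB_CONF with the file contents and SAMPLE_WBINFO_M with the live "wbinfo -m" output; a non-empty problem list or a trusted domain showing up on the default allocator is worth fixing before looking further at the Kerberos side.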

