[Samba] Two-way forest trust with selective authentication and SAMBA 3.6 as member
Christian Reischl
christian.reischl at ivv.fraunhofer.de
Mon Jun 8 12:39:21 MDT 2015
Hello Everybody,
we have authentication problems with the mentioned configuration.
Current situation:
We have two Windows 2008 R2 domains (currently on 2003 level) in
separate forests. Recently we created a two-way trust with selective
authentication between them.
A Debian Squeeze LTS machine running SAMBA 3.6.6 (latest Backports
version) is a member of our primary domain and provides file shares.
The problem:
Users of the trusted domain (TRUSTDOM) aren't able to access shares
hosted on the SAMBA Server (FILE2) in the primary domain (PRIMDOM). A
username/password dialogue gets shown instead. We've correctly granted
the necessary "allowed to authenticate" right to all corresponding
users. In contrast, accessing a share on a Windows machine works as expected.
Maybe I have to give some additional users somewhere the "allowed to
authenticate" permission. Please help me with that. I've tried to fix it
for so many hours without success. Should I upgrade SAMBA and/or Debian?
Do you have any advice?
Authentication with "wbinfo -a TRUSTDOM+administrator" works fine while
"wbinfo -i TRUSTDOM+administrator" fails with:
-------------------------------------------------------------------------
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user trustdom+user
-------------------------------------------------------------------------
log.wb-TRUSTDOM (entry occurs directly after "wbinfo -i"):
-------------------------------------------------------------------------
[2015/06/08 12:01:45.348081, 0] libads/sasl.c:908(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy
rejects request
-------------------------------------------------------------------------
The same error appears if I enter "wbinfo -a" in combination with a
username lacking the "allowed to authenticate" right.
smb.conf:
-------------------------------------------------------------------------
[global]
workgroup = PRIMDOM
realm = INT.PRIMDOM.DE
server string = FILE2
security = ADS
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config PRIMDOM : backend = rid
idmap config PRIMDOM : range = 10000-49999
idmap config TRUSTDOM : backend = rid
idmap config TRUSTDOM : range = 50000-99999
winbind enum users = yes
winbind enum groups = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
interfaces = 192.168.1.1/24 192.168.2.1/24 127.0.0.1
bind interfaces only = yes
follow symlinks = yes
wide links = yes
unix extensions = no
log level = 0
load printers = no
disable spoolss = yes
[Share]
comment = Test Share
path = /srv/smb/Share
read only = No
create mask = 0777
directory mask = 0777
force unknown acl user = Yes
inherit acls = yes
-------------------------------------------------------------------------
Output of "net rpc trustdom list -U PRIMDOM+administrator":
-------------------------------------------------------------------------
Trusted domains list:
TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Trusting domains list:
TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
-------------------------------------------------------------------------
Output of "wbinfo -m":
-------------------------------------------------------------------------
BUILTIN
FILE2
PRIMDOM
TRUSTDOM
-------------------------------------------------------------------------
Output of "id TRUSTDOM+administrator":
-------------------------------------------------------------------------
id: TRUSTDOM+administrator: No such user
-------------------------------------------------------------------------
Output of "chown TRUSTDOM+administrator Share/":
-------------------------------------------------------------------------
chown: invalid user: „TRUSTDOM+administrator“
-------------------------------------------------------------------------
"wbinfo -u" and "getent passwd" only show users of PRIMDOM.
I've already tried these additional steps without success:
http://anexinetisg.blogspot.de/2014/05/how-to-properly-create-two-way-external.html
http://anexinetisg.blogspot.de/2014/09/forest-trust-issue-with-selective.html
Kind regards,
Christian
--
__________________________________________
Christian Reischl
Fraunhofer Institut für
Verfahrenstechnik und Verpackung
Giggenhauser Str. 35
85354 Freising
Tel.: +49 8161 491-704
mailto:christian.reischl at ivv.fraunhofer.de
http://www.ivv.fraunhofer.de/
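Editor's added example (not code from the post or from the Samba project): a small Python checker for the winbind idmap layout shown in the smb.conf above. It parses the "idmap config" lines, verifies that every domain listed by "wbinfo -m" has an explicit backend or falls back to the "*" default, checks that the ID ranges do not overlap, and applies the idmap_rid mapping rule (uid = range low + RID) to show which SIDs a given range can and cannot map. The smb.conf excerpt and the "wbinfo -m" output embedded below are constructed from the post; the SIDs are made-up placeholders. The post's own ranges pass the overlap check, which rules out one common cause of "No such user" on domain members.

```python
"""Sanity-check the winbind idmap configuration of a Samba domain member.

Added example, not part of the original mailing-list post. The smb.conf
excerpt and the 'wbinfo -m' listing are constructed from the post; SIDs are
placeholders.
"""
import re

# Constructed excerpt of the poster's smb.conf (only the idmap-relevant lines).
SMB_CONF = """
[global]
workgroup = PRIMDOM
realm = INT.PRIMDOM.DE
security = ADS
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config PRIMDOM : backend = rid
idmap config PRIMDOM : range = 10000-49999
idmap config TRUSTDOM : backend = rid
idmap config TRUSTDOM : range = 50000-99999
"""

# Constructed 'wbinfo -m' output, as reported in the post.
WBINFO_M = "BUILTIN\nFILE2\nPRIMDOM\nTRUSTDOM\n"

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m.group("dom").upper(), {})
        key, val = m.group("key").lower(), m.group("val")
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return domains


def parse_wbinfo_m(text):
    """Domain names from 'wbinfo -m' output, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def check_idmap(domains, known_domains):
    """Return a list of problems; an empty list means the idmap layout is sane."""
    problems = []
    # 1. Each configured domain needs both a backend and a usable range.
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
        elif cfg["range"][0] >= cfg["range"][1]:
            problems.append(f"{dom}: empty or inverted range {cfg['range']}")
    # 2. Ranges must not overlap, or two SIDs from different domains could share a uid.
    ranged = sorted((cfg["range"], dom) for dom, cfg in domains.items() if "range" in cfg)
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"ranges of {d1} {r1} and {d2} {r2} overlap")
    # 3. Every domain winbind knows (incl. BUILTIN and the local SAM) needs a
    #    specific config or the '*' default to fall back on.
    for dom in known_domains:
        if dom.upper() not in domains and "*" not in domains:
            problems.append(f"{dom}: no idmap config and no default '*' backend")
    return problems


def rid_to_uid(domains, dom, sid):
    """uid the 'rid' backend assigns to a SID (low + RID), or None if it is outside the range."""
    cfg = domains.get(dom.upper())
    if not cfg or cfg.get("backend") != "rid" or "range" not in cfg:
        return None
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg["range"]
    uid = low + rid
    return uid if low <= uid <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for problem in check_idmap(cfg, parse_wbinfo_m(WBINFO_M)) or ["idmap layout OK"]:
        print(problem)
    # Placeholder SIDs: RID 500 maps, RID 40000 exceeds PRIMDOM's 40000-wide range.
    print("TRUSTDOM RID 500 ->", rid_to_uid(cfg, "TRUSTDOM", "S-1-5-21-1-2-3-500"))
    print("PRIMDOM RID 40000 ->", rid_to_uid(cfg, "PRIMDOM", "S-1-5-21-1-2-3-40000"))
```

The range-size point is the one worth remembering for the rid backend: a range of 10000-49999 can only represent RIDs up to 39999, so accounts with higher RIDs silently fail to resolve even though the domain itself is listed by "wbinfo -m".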