[Samba] Two-way forest trust with selective authentication and SAMBA 3.6 as member

Christian Reischl christian.reischl at ivv.fraunhofer.de
Fri Jun 12 05:28:35 MDT 2015


Hi,

I've finally found the solution by myself.

After analyzing the network traffic with Wireshark I've found out that 
SAMBA tries to authenticate itself with its machine account on the 
trusted domain's controllers.

The error-code was KRB5KDC_ERR_PREAUTH_REQUIRED (25).

I've added the "allowed to authenticate" permission on "descendant 
computer objects" of the OU "Domain Controllers" in the trusted domain.

Now "wbinfo -i" and everything else works for the trusted domain's accounts.

Why is this necessary for SAMBA but not for Windows File Servers?

Kind regards,
Christian
__________________________________________
Christian Reischl

Fraunhofer Institut für
Verfahrenstechnik und Verpackung
Giggenhauser Str. 35
85354 Freising

Tel.: +49 8161 491-704
mailto:christian.reischl at ivv.fraunhofer.de
http://www.ivv.fraunhofer.de/


Christian Reischl wrote:
> Hello Everybody,
>
> we have authentication problems with the mentioned configuration.
>
> Current situation:
> We have two Windows 2008 R2 domains (currently on 2003 level) in
> separate forests. Recently we created a two-way trust with selective
> authentication between them.
>
> A Debian Squeeze LTS machine running SAMBA 3.6.6 (latest Backports
> version) is member of our primary domain and provides file shares.
>
>
> The problem:
> Users of the trusted domain (TRUSTDOM) aren't able to access shares
> hosted on the SAMBA Server (FILE2) in the primary domain (PRIMDOM). A
> username/password dialogue gets shown instead. We've correctly granted
> the necessary "allowed to authenticate" right to all corresponding
> users. In contrast accessing a share on a Windows machine works as
> expected.
>
>
> Maybe I have to give some additional users somewhere the "allowed to
> authenticate" permission. Please help me with that. I've tried to fix it
> for so many hours without success. Should I upgrade SAMBA and/or Debian?
> Do you have any advice?
>
>
> Authentication with "wbinfo -a TRUSTDOM+administrator" works fine while
> "wbinfo -i TRUSTDOM+administrator" fails with:
> -------------------------------------------------------------------------
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user trustdom+user
> -------------------------------------------------------------------------
>
>
> log.wb-TRUSTDOM (entry occurs directly after "wbinfo -i"):
> -------------------------------------------------------------------------
> [2015/06/08 12:01:45.348081,  0] libads/sasl.c:908(ads_sasl_spnego_bind)
>    kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy
> rejects request
> -------------------------------------------------------------------------
> The same error appears if I enter "wbinfo -a" in combination with a
> username lacking the "allowed to authenticate" right.
>
>
> smb.conf:
> -------------------------------------------------------------------------
> [global]
>          workgroup = PRIMDOM
>          realm = INT.PRIMDOM.DE
>          server string = FILE2
>          security = ADS
>
>          winbind separator = +
>          idmap config * : backend = tdb
>          idmap config * : range = 1000000-1999999
>          idmap config PRIMDOM : backend = rid
>          idmap config PRIMDOM : range = 10000-49999
>          idmap config TRUSTDOM : backend = rid
>          idmap config TRUSTDOM : range = 50000-99999
>          winbind enum users = yes
>          winbind enum groups = yes
>
>          socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
>
>          interfaces = 192.168.1.1/24 192.168.2.1/24 127.0.0.1
>          bind interfaces only = yes
>
>          follow symlinks = yes
>          wide links = yes
>          unix extensions = no
>
>          log level = 0
>
>          load printers = no
>          disable spoolss = yes
>
> [Share]
>          comment = Test Share
>          path = /srv/smb/Share
>          read only = No
>          create mask = 0777
>          directory mask = 0777
>          force unknown acl user = Yes
>          inherit acls = yes
> -------------------------------------------------------------------------
>
>
> Output of "net rpc trustdom list -U PRIMDOM+administrator":
> -------------------------------------------------------------------------
> Trusted domains list:
>
> TRUSTDOM           S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>
> Trusting domains list:
>
> TRUSTDOM           S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
> -------------------------------------------------------------------------
>
>
> Output of "wbinfo -m":
> -------------------------------------------------------------------------
> BUILTIN
> FILE2
> PRIMDOM
> TRUSTDOM
> -------------------------------------------------------------------------
>
>
> Output of "id TRUSTDOM+administrator":
> -------------------------------------------------------------------------
> id: TRUSTDOM+administrator: No such user
> -------------------------------------------------------------------------
>
>
> Output of "chown TRUSTDOM+administrator Share/":
> -------------------------------------------------------------------------
> chown: invalid user: „TRUSTDOM+administrator“
> -------------------------------------------------------------------------
>
>
> "wbinfo -u" and "getent passwd" only shows users of PRIMDOM.
>
>
> I've already tried these additional steps without success:
> http://anexinetisg.blogspot.de/2014/05/how-to-properly-create-two-way-external.html
>
> http://anexinetisg.blogspot.de/2014/09/forest-trust-issue-with-selective.html
>
>
>
> Kind regards,
> Christian
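The fix Christian describes above (granting "Allowed to Authenticate" on descendant computer objects of the trusted domain's Domain Controllers OU to the Samba machine account) as an added example; this is not code from the mailing-list thread or from the Samba project. It is run as a TRUSTDOM administrator on a domain controller or RSAT host with the ActiveDirectory module loaded. The OU distinguished name `OU=Domain Controllers,DC=trustdom,DC=example` and the account name `PRIMDOM\FILE2$` are placeholders taken from the names used in the thread, and the function names are this example's own:

```powershell
# Added example, not code from the mailing-list thread.
# Grants the Samba member server's machine account (FILE2$ in PRIMDOM) the
# "Allowed to Authenticate" control-access right on every computer object
# under the Domain Controllers OU of the trusted domain. Run as a TRUSTDOM
# administrator on a DC or RSAT host. DN and account name are placeholders.

Import-Module ActiveDirectory

# Well-known AD schema identifiers (standard values, not invented here):
$AllowedToAuthenticateGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # rightsGuid of Allowed-To-Authenticate
$ComputerClassGuid         = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class

function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)] [string] $TargetDn,   # assumed: 'OU=Domain Controllers,DC=trustdom,DC=example'
        [Parameter(Mandatory)] [string] $Principal   # assumed: 'PRIMDOM\FILE2$' (machine account, trailing $)
    )

    # Resolve the cross-forest principal to a SID; the trust must already resolve it.
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # ACE: Allow <sid> ExtendedRight(Allowed-To-Authenticate), applied to
    # descendant computer objects only, never to the OU itself or to users.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticateGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid)

    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

function Test-AllowedToAuthenticate {
    # Returns $true when the OU carries exactly the expected ACE for this
    # principal, so the change can be verified before winbind is retried.
    param(
        [Parameter(Mandatory)] [string] $TargetDn,
        [Parameter(Mandatory)] [string] $Principal
    )
    $acl  = Get-Acl -Path "AD:\$TargetDn"
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $AllowedToAuthenticateGuid -and
        $_.InheritedObjectType -eq $ComputerClassGuid -and
        $_.IdentityReference.Value -eq $Principal
    }
    return [bool]$hits
}

# Usage (placeholders from the thread; replace the DN with the real trusted domain):
$ou = 'OU=Domain Controllers,DC=trustdom,DC=example'
Grant-AllowedToAuthenticate -TargetDn $ou -Principal 'PRIMDOM\FILE2$'
Test-AllowedToAuthenticate  -TargetDn $ou -Principal 'PRIMDOM\FILE2$'
```

The ACE is scoped to the single machine account FILE2$ rather than to Authenticated Users or Everyone, which keeps the selective-authentication trust selective: only the Samba host, not every principal in PRIMDOM, gains the right to obtain service tickets for TRUSTDOM's domain controllers. The log line quoted in the original post, `kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy rejects request`, is the symptom this addresses: winbind obtains a TGT as FILE2$ and is then refused a service ticket for the trusted DC's LDAP service, and under selective authentication the KDC grants that ticket only if the client principal holds "Allowed to Authenticate" on the target computer object. If `IdentityReference.Value` shows a raw SID instead of `PRIMDOM\FILE2$`, name translation across the trust is failing and should be fixed before trusting the check.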

