[Samba] Fileserver in Domain-trusts

Stefan Kania stefan at kania-online.de
Thu Apr 7 12:48:36 UTC 2016


Hi,

I have setup two domains (example1.net) and (example2.net). Then I
created a trust, in two different ways (Yes, one after the other, not
at the same time):
1.
samba-tool domain trust create example2 --type=forest --direction=both
--create-location=both -U administrator at EXAMPLE2.NET

2.
samba-tool domain trust create EXAMPLE2.NET --type=external
--direction=both --create-location=local --no-aes-keys -U
administrator at EXAMPLE2.NET

samba-tool domain trust create EXAMPLE1.NET --type=external
--direction=both --create-location=local --no-aes-keys -U
administrator at EXAMPLE1.NET

To resolve the names and SRV-records I configured a dns-proxy with
bind. Name resolution is working.

On the domain controllers I can get all users and groups with "wbinfo"
AND "getent". I can set permissions in the filesystem of either DC.

root at addc-s1:~# getent group EXAMPLE1\\my-users1
EXAMPLE1\my-users1:x:3000022:
root at addc-s1:~# getent group EXAMPLE2\\my-users2
EXAMPLE2\my-users2:x:3000021:
root at addc-s1:~# getent passwd EXAMPLE1\\scooper
EXAMPLE1\scooper:*:3000023:100:Shaldon Cooper:/home/EXAMPLE1/scooper:/bin/false
root at addc-s1:~# getent passwd EXAMPLE2\\ffowler
EXAMPLE2\ffowler:*:3000024:3000025:Farrah Fowler:/home/EXAMPLE2/ffowler:/bin/false

I think this is all working fine. But now I want to join a
Samba fileserver to one of the domains and let all users from both
domains access the shares.

Here is the smb.conf from the fileserver:
---------------
[global]
      workgroup = example1
      realm = EXAMPLE1.NET
      security = ADS
      winbind refresh tickets = Yes
      template shell = /bin/bash
      idmap config * : range = 10000 - 19999
      idmap config EXAMPLE1 : backend = rid
      idmap config EXAMPLE1 : range =  1000000 - 1999999
      idmap config EXAMPLE2 : backend = rid
      idmap config EXAMPLE2 : range =  10000000 - 19999999
---------------

All domains are "online":
---------------
root at fs1-s1:~# wbinfo --online-status
BUILTIN : online
FS1-S1 : online
EXAMPLE1 : online
EXAMPLE2 : online
---------------

I can join the domain, with "wbinfo" I can see all users and groups
from both domains:
---------------
root at fs1-s1:~# wbinfo -u --domain=example1
EXAMPLE1\scooper
EXAMPLE1\administrator
EXAMPLE1\example2$
EXAMPLE1\krbtgt
EXAMPLE1\guest
root at fs1-s1:~# wbinfo -u --domain=example2
EXAMPLE2\ffowler
EXAMPLE2\administrator
EXAMPLE2\example1$
EXAMPLE2\krbtgt
EXAMPLE2\guest
---------------

But with "getent" I can only see the users and groups from the domain
where the fileserver is a member. Users and groups from the other
domain are not listed:
---------------
root at fs1-s1:~# getent passwd EXAMPLE1\\scooper
EXAMPLE1\scooper:*:1001104:1000513:Shaldon Cooper:/home/EXAMPLE1/scooper:/bin/bash
root at fs1-s1:~# getent passwd EXAMPLE2\\ffowler
root at fs1-s1:~#
---------------

When I test with "wbinfo -t --domain=example2" I can't connect to that
domain:
---------------
root at fs1-s1:~# wbinfo -t --domain=example1
checking the trust secret for domain example1 via RPC calls succeeded

root at fs1-s1:~# wbinfo -t --domain=example2
checking the trust secret for domain example2 via RPC calls failed
wbcCheckTrustCredentials(example2): error code was
NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
---------------

What did I do wrong? Or is it up to this point not possible to map
users and groups of a trusted domain on a domain member?

Everything that points me in the right direction will help.
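As an added illustration (not part of the post above), the idmap_rid backend maps every RID deterministically to low_range + RID, which is exactly how EXAMPLE1\scooper ends up as uid 1001104 / gid 1000513 with the quoted range starting at 1000000. The script below parses the idmap lines of that smb.conf (embedded as constructed input), predicts the ID each configured domain would hand out, and checks that no two ranges overlap; the function names are my own.

```python
"""Added example: predict idmap_rid IDs from an smb.conf and check ranges."""
import re

# Constructed input: the [global] idmap lines quoted in the post.
SMB_CONF = """
[global]
      workgroup = example1
      security = ADS
      idmap config * : range = 10000 - 19999
      idmap config EXAMPLE1 : backend = rid
      idmap config EXAMPLE1 : range =  1000000 - 1999999
      idmap config EXAMPLE2 : backend = rid
      idmap config EXAMPLE2 : range =  10000000 - 19999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)


def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str or None, 'range': (low, high) or None}}."""
    domains = {}
    for m in IDMAP_RE.finditer(conf):
        entry = domains.setdefault(m.group("dom").upper(),
                                   {"backend": None, "range": None})
        key, val = m.group("key").lower(), m.group("val")
        if key == "backend":
            entry["backend"] = val.lower()
        elif key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
    return domains


def rid_to_id(domains, domain, rid):
    """idmap_rid: ID = low_range + RID. None if the domain has no rid backend
    or the result falls outside its range (winbind will not map it then)."""
    entry = domains.get(domain.upper())
    if not entry or entry["backend"] != "rid" or entry["range"] is None:
        return None
    low, high = entry["range"]
    uid = low + rid
    return uid if low <= uid <= high else None


def overlapping_ranges(domains):
    """Pairs of domains whose ID ranges overlap, a classic idmap misconfiguration."""
    items = [(d, e["range"]) for d, e in domains.items() if e["range"]]
    return [(a, b) for i, (a, ra) in enumerate(items) for b, rb in items[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]
```

With these ranges, EXAMPLE2\ffowler (RID 1104 in that domain) would be expected at uid 10001104 once the trusted domain's mapping works; an empty getent result therefore points at the lookup path, not at a range collision.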
