[Samba] multiple domain and winbind use default domain

BLINDAUER Emmanuel e.blindauer at gmail.com
Fri Aug 19 07:22:50 UTC 2016

I'm preparing a new fileserver, based on jessie + sernet 4.2.10 
packages. The server is bound to a forest, "AD", where user accounts are 
stored, and a subdomain "PSI" for computers and some local accounts.
The Active Directory forest is managed by 2008R2 servers, with rfc2307 
attributes filled in for accounts.

I'm using "winbind use default domain" because the users are also used on 
Linux PC labs.

So currently a user user1 from domain AD can request a ticket and 
access his share with smbclient -k //server/user1
wbinfo -i user1 gives correct values.

But a user admin.eb from subdomain PSI can't access his share after 
requesting a ticket.
wbinfo -i admin.eb gives correct values:

but the smbd logs are saying:

   Adding homes service for user 'PSI+admin.eb' using home directory: 
   adding home's share [admin.eb] for user 'PSI+admin.eb' at 
   smb_pam_start: PAM: Init passed for user: PSI+admin.eb
   smb_pam_account: PAM: Account OK for User: PSI+admin.eb
   string_to_sid: SID admin.eb is not in a valid format
   user 'PSI+admin.eb' (from session setup) not permitted to access this 
share (admin.eb)

Looking in log.winbindd, winbindd tries several name searches:

   getpwnam psi+admin.eb
   getpwnam PSI+admin.eb
   getpwnam PSI+admin.eb
   lookupname AD+admin.eb
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
   lookupname Unix User+admin.eb
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
   getpwnam admin.eb
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
   getpwnam ADMIN.EB
   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

To be sure, I verified the account on the server:
# getent passwd PSI+admin.eb

It seems that the domain is dropped.
If I add a local user account in /etc/passwd:

it works fine.

Here is the smb.conf:

# Global parameters
[global]
         workgroup = AD
         realm = AD.UNISTRA.FR
         server role = member server
         security = ADS
         map to guest = Bad User
         obey pam restrictions = Yes
         kerberos method = secrets and keytab
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 100000
         panic action = /usr/share/samba/panic-action %d
         winbind separator = +
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nss info = rfc2307
         winbind max domain connections = 100
         idmap config psi : range = 5000-9998
         idmap config psi : schema_mode = rfc2307
         idmap config psi : backend = ad
         idmap config ad : schema_mode = rfc2307
         idmap config ad : range = 9999-1000000
         idmap config ad : default = yes
         idmap config ad : backend = ad
         idmap config * : range = 3000-4000
         idmap config * : backend = tdb2

[homes]
         comment = Home Directories
         valid users = %S
         read only = No
         create mask = 0700
         directory mask = 0700
         browseable = No
