[Samba] Testing a forest trusts in Samba 4.4.5 AD environment
Alex Crow
acrow at integrafin.co.uk
Mon Jul 11 12:55:44 UTC 2016
Hi List,
I am currently testing inter-forest trusts between a pair of AD domains.
All DCs and member servers are using Sernet Samba 4.4.5.
I have set up conditional forwarding in by Bind setup (I'm using
BIND9_DLZ) and all machines can resolve each other. On the DCs, I can
see users from the other side of the trust using wbinfo -u
--domain=<other domain>. In addition if I set up ID mapping in smb.conf
on the DCs, getent group/password work fine (using winbind in
nsswitch.conf).
There are two parts I'm struggling to get working. On member servers
(file servers in my case), even with an ID mapping set up in smb.conf,
wbinfo -u --domain=<other domain> returns nothing, and I see errors in
log.wb-<domain>:
[2016/07/11 13:48:25.449458, 0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Key version is not available]
[2016/07/11 13:48:25.449700, 0]
../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
internal error occurred.
[2016/07/11 13:48:26.015483, 0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Key version is not available]
[2016/07/11 13:48:26.444479, 0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Key version is not available]
[2016/07/11 13:48:26.444610, 0]
../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
internal error occurred
Understandably getent fails here too. Here's an example smb.conf from a
member server:
[global]
workgroup = AAA_NET
realm = samba.aaa.net
netbios name = S4FILES
security = ADS
#bind interfaces only = yes
#interfaces = eth0, lo
#dedicated keytab file = /etc/krb5.keytab
#kerberos method = secrets and keytab
idmap_ldb:use rfc2307 = yes
clustering = yes
#private dir = /mfs/ctdb/private
idmap config *:backend = tdb
idmap config *:range = 200000-300000
idmap config AAA_NET:backend = ad
idmap config AAA_NET:default = yes
idmap config AAA_NET:schema_mode = rfc2307
idmap config AAA_NET:range = 500-199999
idmap config BBB:backend = rid
idmap config BBB:range = 3000000-3100000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
The other issue I have is when trying to work with accounts from the
other side of the trust within Windows. For instance, when trying to add
a user from the "other" domain to permissions on a directory, I can
indeed select the accounts in the picker, get prompted for credentials
on the other domain, but at the final step get an error: "The Active
Directory Domain Controllers required to find the selected objects in
the following domains are not available: samba.bbb.net. Ensure the
Active Directory Domain Controllers are available, and try to select the
objects again".
Now I'm aware that it's early days for trusts in AD with Samba, but I'm
curious if there is something I'm missing here or others may have got
further than I have.
Many thanks
Alex
--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.
"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).
More information about the samba
mailing list