[Samba] Member server does not show users from trusted domain
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Nov 14 17:09:46 UTC 2016
I have a Samba classic domain; call it "DomainA." All domain
controllers and servers are running 3.6.25 on Solaris 11.
The PDC and BDC use an LDAP backend for unix, samba and idmap
data. Member servers use LDAP backend for unix accounts, so the
underlying unix and group accounts are consistent.
There is a trust relationship with Windows 2008 AD domain ("DomainB.")
On the member servers, "wbinfo -u" and "wbinfo -g" only show members
from the servers' own domain (DomainA.)
The wbinfo command does indicate that domains are trusted.
root at member1# wbinfo -m
BUILTIN
MEMBER1
DOMAINA
DOMAINB
root at member1# wbinfo -D DOMAINB
Name : DOMAINB
Alt_Name : domainb.mydomain.com
SID : S-1-5-21-xxxxxxxxxxxxxxx
Active Directory : Yes
Native : Yes
Primary : No
root at member1#
Although I am assuming that wbinfo is merely querying the domainA PDC or
BDC. The PDC is also the WINS server.
I have been trying to configure idmapping for domainB on the member servers,
using an LDAP backend, to keep the idmapping consistent across all
servers. However, I figure idmapping won't come into play if winbind
is not even seeing the domainB users. I am actually unclear if the
member server is supposed to contact its own domain controller for
trusted account information or if it is supposed to contact the trusted
domain (domainB) AD controller.
The nmblookup command indicates WINS resolution is working correctly.
root at member1# nmblookup -U name_of_wins_server -R 'DOMAINB#1C'
…
answers: nmb_name=DOMAINB<1c> rr_type=32 rr_class=1 ttl=216591
answers 0 char ...... hex E000C0A8031A
Got a positive name query response from ...
ip_of_DomainB_AD DomainB<1c>
root at member1#
The log.wb-DOMAINB log shows the server locating the domain controller
for the trusted domain.
root at member1# testparm -v | grep winbind
....
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
winbind separator = \
winbind cache time = 300
winbind reconnect delay = 30
winbind max clients = 200
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 1
root at member1#
The IDMAP entry in smb.conf is as follows
idmap config DOMAINB:backend = ldap
# idmap config DOMAINB:readonly = no
idmap config DOMAINB:readonly = yes
idmap config DOMAINB:default=no
idmap config DOMAINB:ldap_base_dn = ou=domainb,ou=idmap,o=ssci.com
idmap config DOMAINB:ldap_user_dn = cn=SomeLDAPAdminUser
idmap config DOMAINB:ldap_url = ldap://pdc.mydomain.com
idmap config DOMAINB:range = 30000-39999
#is following legit?
idmap config DOMAINB:suffix=ou=domainb,ou=idmap
Idmapping is required so that "getent passwd" and "getent group" can
list Windows users. But even if idmapping is not set up correctly, I
should still see trusted users with "wbinfo -u" and "wbinfo -g."
Appreciate any feedback
Thanks
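A sanity check for per-domain idmap blocks like the one in the post, added here as an example that is not part of the original post or of Samba itself: it parses `idmap config DOMAIN:key = value` lines (skipping commented-out ones), reports ldap-backend blocks that lack a parameter the idmap_ldap backend needs, and flags ranges that overlap between domains, since overlapping ranges can hand SIDs from two domains the same UID or GID. The `*` default block and its range in the sample are constructed assumptions chosen to trigger the overlap finding.

```python
import re

# Keys idmap_ldap needs before winbind can map SIDs (idmap_ldap(8)); "backend"/"readonly" are generic.
LDAP_REQUIRED = {"ldap_url", "ldap_base_dn", "ldap_user_dn", "range"}
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(smb_conf):
    """Collect 'idmap config DOMAIN:key = value' lines into {DOMAIN: {key: value}}."""
    domains = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings are not in effect
        if m := IDMAP_RE.match(line):
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(smb_conf):
    """Return problem strings: missing ldap keys, malformed or overlapping ranges."""
    problems, ranges = [], []
    for dom, cfg in parse_idmap(smb_conf).items():
        if cfg.get("backend", "").lower() == "ldap":
            for key in sorted(LDAP_REQUIRED - cfg.keys()):
                problems.append(f"{dom}: ldap backend lacks '{key}'")
        if "range" not in cfg:
            continue
        m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", cfg["range"])
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{dom}: malformed range {cfg['range']!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        # Overlapping ranges let SIDs from two domains land on the same UID/GID.
        for other, olo, ohi in ranges:
            if lo <= ohi and olo <= hi:
                problems.append(f"{dom}: range {lo}-{hi} overlaps {other} {olo}-{ohi}")
        ranges.append((dom, lo, hi))
    return problems

# Constructed sample: the DOMAINB block from the post plus an assumed "*" block with an overlapping range.
SAMPLE_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 35000-49999
idmap config DOMAINB:backend = ldap
# idmap config DOMAINB:readonly = no
idmap config DOMAINB:readonly = yes
idmap config DOMAINB:ldap_base_dn = ou=domainb,ou=idmap,o=ssci.com
idmap config DOMAINB:ldap_user_dn = cn=SomeLDAPAdminUser
idmap config DOMAINB:ldap_url = ldap://pdc.mydomain.com
idmap config DOMAINB:range = 30000-39999
"""
```

Run it against a real smb.conf with `check_idmap(open("/etc/samba/smb.conf").read())`; an empty list means the blocks are at least complete and non-overlapping, not that winbind will necessarily enumerate the trusted domain.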