[Samba] Authentication with trusted credentials
Rowland Penny
rpenny at samba.org
Tue Jul 21 10:40:26 UTC 2020
On 20/07/2020 12:09, Yakov Revyakin wrote:
> OK, trying to define the environment more clearly.
>
OK, I 'think' I know what is going on here, haven't got a fix though :-(
Can you run this command on the Linux DCs and a Linux client:
wbinfo --online-status
On DCs, I get this:
BUILTIN : active connection
EXAMPLE : active connection
SAMDOM : active connection
But on Linux domain members, I get this:
BUILTIN : active connection
DEVSTATION : active connection
SAMDOM : active connection
EXAMPLE : no active connection
This is in the 'SAMDOM' domain on the computer called devstation; if I
run it on a client in the 'EXAMPLE' domain, the AD domains are switched:
'EXAMPLE' is active and 'SAMDOM' isn't.
If I try to ssh into the 'EXAMPLE' client from a 'SAMDOM' client using a
'SAMDOM' user, I get:
Jul 21 11:13:08 linux-client sshd[5506]: pam_krb5(sshd:auth):
authentication failure; logname=SAMDOM\rowland uid=0 euid=0 tty=ssh
ruser= rhost=192.168.0.49
Jul 21 11:13:08 linux-client sshd[5506]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.49 user=SAMDOM\rowland
Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth): getting
password (0x00000388)
Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth):
pam_get_item returned a password
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL
(9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon
servers are currently available to service the logon request.
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth):
internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user =
'SAMDOM\rowland')
Jul 21 11:13:12 linux-client sshd[5506]: Failed password for
SAMDOM\\rowland from 192.168.0.49 port 51962 ssh2
I can create directories on a client in the 'EXAMPLE' domain and chown
to user:group from the 'SAMDOM' domain.
I 'think' that the domain that is offline on clients needs to be brought
online, but I do not know how to do this :-(
I based my testing around a PDF created by Stefan Kania, available here:
www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf
Rowland
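
Added example, not part of the original post and not Samba code: a Python sketch that cross-checks `wbinfo --online-status` output against pam_winbind log entries, to separate logon failures caused by an offline trusted domain from other failures. Both sample inputs are constructed (the status output follows the post's description of a client in 'EXAMPLE', and pid 5611 is invented for contrast); the function names are hypothetical.

```python
import re

# Constructed sample: `wbinfo --online-status` on a member of EXAMPLE (SAMDOM offline).
STATUS = """\
BUILTIN : active connection
LINUX-CLIENT : active connection
EXAMPLE : active connection
SAMDOM : no active connection
"""
# Constructed auth log, one entry per line: pid 5506 follows the post, pid 5611 is invented.
AUTH_LOG = r"""
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers are currently available to service the logon request.
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'SAMDOM\rowland')
Jul 21 11:20:41 linux-client sshd[5611]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD
Jul 21 11:20:41 linux-client sshd[5611]: pam_winbind(sshd:auth): user 'EXAMPLE\alice' denied access (incorrect password or invalid membership)
"""

PID = re.compile(r"\w+\[(\d+)\]: pam_winbind\(")
NTSTATUS = re.compile(r"NTSTATUS: (NT_STATUS_\w+)")
USER = re.compile(r"user(?: =)? '([^'\\]+)\\([^']+)'")

def offline_domains(status_text):
    """Return the domains winbind lists as 'no active connection'."""
    pairs = (line.partition(" : ") for line in status_text.splitlines())
    return {name.strip().upper() for name, _, state in pairs
            if state.strip() == "no active connection"}

def classify_failures(log_text, offline):
    """Group pam_winbind lines by process id and label each failed logon."""
    sessions = {}  # assumes a pid is not reused within the log window
    for line in log_text.splitlines():
        if not (pid := PID.search(line)):
            continue
        entry = sessions.setdefault(pid.group(1), {})
        if (status := NTSTATUS.search(line)):
            entry["status"] = status.group(1)
        if (user := USER.search(line)):
            entry["domain"], entry["user"] = user.group(1).upper(), user.group(2)
    results = []
    for entry in sessions.values():
        if "status" in entry and "user" in entry:
            no_dc = (entry["status"] == "NT_STATUS_NO_LOGON_SERVERS"
                     and entry["domain"] in offline)
            results.append((entry["domain"] + "\\" + entry["user"], entry["status"],
                            "trusted domain offline" if no_dc else "other"))
    return results

if __name__ == "__main__":
    print(classify_failures(AUTH_LOG, offline_domains(STATUS)))
```

On a live member, the first argument would be the text printed by `wbinfo --online-status` and the second the host's auth log, with each syslog entry on a single line.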