[Samba] Authentication with trusted credentials

Rowland penny rpenny at samba.org
Tue Jul 21 10:40:26 UTC 2020


On 20/07/2020 12:09, Yakov Revyakin wrote:
> OK, trying to define the environment more clearly.
>
OK, I 'think' I know what is going on here, haven't got a fix though :-(

Can you run this command on the Linux DCs and a Linux client:

wbinfo --online-status

On DCs, I get this:

BUILTIN : active connection
EXAMPLE : active connection
SAMDOM : active connection

But on Linux domain members, I get this:

BUILTIN : active connection
DEVSTATION : active connection
SAMDOM : active connection
EXAMPLE : no active connection

This is in the 'SAMDOM' domain on the computer called devstation. If I 
run it on a client in the 'EXAMPLE' domain, the AD domains are switched: 
'EXAMPLE' is active and 'SAMDOM' isn't.

If I try to ssh into the 'EXAMPLE' client from a 'SAMDOM' client using a 
'SAMDOM' user, I get:

Jul 21 11:13:08 linux-client sshd[5506]: pam_krb5(sshd:auth): authentication failure; logname=SAMDOM\rowland uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.49
Jul 21 11:13:08 linux-client sshd[5506]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.49  user=SAMDOM\rowland
Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth): getting password (0x00000388)
Jul 21 11:13:08 linux-client sshd[5506]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers are currently available to service the logon request.
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'SAMDOM\rowland')
Jul 21 11:13:12 linux-client sshd[5506]: Failed password for SAMDOM\\rowland from 192.168.0.49 port 51962 ssh2

I can create directories on a client in the 'EXAMPLE' domain and chown 
to user:group from the 'SAMDOM' domain.

I 'think' that the domain that is offline on clients needs to be brought 
online, but I do not know how to do this :-(

I based my testing around a pdf created by Stefan Kania, available here:

www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial.pdf

Rowland
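
Added example, not part of the original post: a Python script that cross-checks `wbinfo --online-status` output against the pam_winbind log lines quoted above, joining the NTSTATUS line and the user line of one attempt by sshd PID and reporting logons that failed for users of a domain winbind shows as offline. The status sample is constructed from the post's description of the 'EXAMPLE' client (the LINUX-CLIENT row is an assumption); the log lines are the two pam_winbind entries from the post, one entry per line.

```python
import re

# Constructed sample: wbinfo --online-status as the post describes it for the
# 'EXAMPLE' client (domains switched); the LINUX-CLIENT row is an assumption.
WBINFO = """BUILTIN : active connection
LINUX-CLIENT : active connection
EXAMPLE : active connection
SAMDOM : no active connection
"""

# pam_winbind entries from the post, one syslog entry per line.
LOG = r"""Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers are currently available to service the logon request.
Jul 21 11:13:09 linux-client sshd[5506]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'SAMDOM\rowland')
"""

STATUS_RE = re.compile(r"^(\S+)\s*:\s*(no active connection|active connection)\s*$")
NTSTATUS_RE = re.compile(r"\[(\d+)\]: pam_winbind\(.*?\): request wbcLogonUser failed:.*?NTSTATUS: (\w+)")
USER_RE = re.compile(r"\[(\d+)\]: pam_winbind\(.*?\): internal module error .*user = '([^'\\]+)\\([^']+)'")


def parse_online_status(text):
    """Map each domain to True (active) or False (no active connection)."""
    status = {}
    for line in text.splitlines():
        if m := STATUS_RE.match(line.strip()):
            status[m.group(1)] = m.group(2) == "active connection"
    return status


def winbind_failures(log):
    """Join the NTSTATUS line and the user line of one attempt by sshd PID."""
    ntstatus, found = {}, []
    for line in log.splitlines():
        if m := NTSTATUS_RE.search(line):
            ntstatus[m.group(1)] = m.group(2)
        elif (m := USER_RE.search(line)) and m.group(1) in ntstatus:
            found.append((m.group(2), m.group(3), ntstatus.pop(m.group(1))))
    return found


def offline_domain_failures(wbinfo_text, log):
    """Failures whose user belongs to a domain winbind reports as offline."""
    online = parse_online_status(wbinfo_text)
    return [f for f in winbind_failures(log) if online.get(f[0]) is False]


if __name__ == "__main__":
    for dom, user, nt in offline_domain_failures(WBINFO, LOG):
        print(f"{dom}\\{user}: {nt} (domain has no active connection)")
```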




