[Samba] wbinfo and trust

Stefan Kania stefan at kania-online.de
Wed Feb 9 16:48:28 UTC 2022


Hi,

Up to 4.14 I could do a "wbinfo -m" on a Linux domain member, and I saw
a list of the trusted and trusting domains. Now with 4.15 I see only my
own domain.
With 4.14 I could get a list of all users in both domains with "wbinfo
-u --domain=<dom-name>". Now I only get an "Error looking up domain users".
Here is my smb.conf from the domain member:
------
[global]
      workgroup = s1
      realm = S1.EXAMPLE.NET
      security = ADS
      winbind refresh tickets = Yes
      template shell = /bin/bash
      idmap config * : range = 10000 - 19999
      idmap config S1 : backend = rid
      idmap config S1 : range = 1000000 - 1999999
      idmap config S2 : backend = rid
      idmap config S2 : range = 10000000 - 19999999
------
When I try to get the information of a single user, everything works fine:
-------------
S-1-5-21-138212032-4221773768-1855826936-1105 SID_USER (1)
root@dom1-c1:~# wbinfo -n s2\\u1-dom2
S-1-5-21-1411815006-2335587247-2664357948-1105 SID_USER (1)
root@dom1-c1:~# wbinfo -i s1\\u1-dom1
S1\u1-dom1:*:1001105:1000513::/home/S1/u1-dom1:/bin/bash
root@dom1-c1:~# wbinfo -i s2\\u1-dom2
S2\u1-dom2:*:10001105:10000513::/home/S2/u1-dom2:/bin/bash
root@dom1-c1:~# getent passwd s1\\u1-dom1
S1\u1-dom1:*:1001105:1000513::/home/S1/u1-dom1:/bin/bash
root@dom1-c1:~# getent passwd s2\\u1-dom2
S2\u1-dom2:*:10001105:10000513::/home/S2/u1-dom2:/bin/bas
-------------

I can do the authentication:
------------
root@dom1-c1:~# wbinfo -a s1\\u1-dom1
Enter s1\u1-dom1's password:
plaintext password authentication succeeded
Enter s1\u1-dom1's password:
challenge/response password authentication succeeded

root@dom1-c1:~# wbinfo -a s2\\u1-dom2
Enter s2\u1-dom2's password:
plaintext password authentication succeeded
Enter s2\u1-dom2's password:
challenge/response password authentication succeeded
------------

I can set the permission on a file or directory for users and groups
from both domains.
----------
root@dom1-c1:~# ls -ld /dom1 /dom2
drwxr-xr-x 2 S1\u1-dom1 S1\g1-dom1 4096 Feb  9 17:25 /dom1
drwxr-xr-x 2 S2\u1-dom2 S2\g1-dom2 4096 Feb  9 17:25 /dom2
----------

But I'm not getting any status (on a domain member) of the incoming
trust. Not with "wbinfo -m" and not with "wbinfo --online-status". As a
result of both commands I only got the domain that the client is a member of.
-------------
root@dom1-c1:~# wbinfo -m
BUILTIN
DOM1-C1
S1

root@dom1-c1:~# wbinfo --online-status
BUILTIN : active connection
DOM1-C1 : active connection
S1 : active connection
-------------


If I do "wbinfo --ping-dc --domain=s1" for my own domain I get:
------------
root@dom1-c1:~# wbinfo --ping-dc --domain=s1
checking the NETLOGON for domain[s1] dc connection to
"dom1-dc.s1.example.net" succeeded
------------

For the other domain I get:
------------
root@dom1-c1:~# wbinfo --ping-dc --domain=s2
checking the NETLOGON for domain[s2] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
------------

On the DCs the command is working for all domains on all DCs.

Adding a user from the other domain to a group also works.

So all the functions are working as expected, only testing the status on
a domain member is not.

Is this new to 4.15, or did I miss something?

Here is the status of the trust on the DCs:
--------------
root@dom1-dc:~# wbinfo -m
BUILTIN
S1
S2
root@dom1-dc:~# wbinfo --online-status
BUILTIN : active connection
S1 : active connection
S2 : active connection

root@dom2-dc:~# wbinfo -m
BUILTIN
S2
S1
root@dom2-dc:~# wbinfo --online-status
BUILTIN : active connection
S2 : active connection
S1 : active connection
--------------
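
A check for the symptom described in this message, as an added example that is not part of the original post or of Samba's own tooling: it reports domains that have an "idmap config" entry in smb.conf but are missing from "wbinfo -m" output. The function names and the temporary file are assumptions made for the example; the sample input is constructed from the smb.conf and the member output quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): report domains that have an
# "idmap config <DOM> : ..." entry in smb.conf but that "wbinfo -m" does not
# list. Live use on a member (the smb.conf path is an assumption):
#   wbinfo -m | missing_domains /etc/samba/smb.conf

# missing_domains <smb.conf path>; reads "wbinfo -m" output on stdin.
missing_domains() {
    awk '
        # Part 1 (stdin): remember every domain winbind listed.
        src == "list" { if (NF) seen[toupper($1)] = 1; next }
        # Part 2 (smb.conf): skip comment lines.
        /^[ \t]*[#;]/ { next }
        {
            key = tolower($0)
            sub(/=.*/, "", key)            # keep the parameter name only
            if (key !~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:/) next
            sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", key)
            sub(/[ \t]*:.*/, "", key)      # what is left is the domain
            dom = toupper(key)
            # Ignore the "*" default and anything listed or already printed.
            if (dom == "*" || (dom in seen) || (dom in done)) next
            done[dom] = 1
            print dom
        }
    ' src=list - src=conf "$1"
}

# Constructed sample: idmap lines and member "wbinfo -m" output from the post.
demo_from_post() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
[global]
      workgroup = s1
      idmap config * : range = 10000 - 19999
      idmap config S1 : backend = rid
      idmap config S1 : range = 1000000 - 1999999
      idmap config S2 : backend = rid
      idmap config S2 : range = 10000000 - 19999999
EOF
    printf '%s\n' BUILTIN DOM1-C1 S1 | missing_domains "$conf"
    rm -f "$conf"
}

demo_from_post   # prints: S2
```

An empty result means every domain with an idmap range is also listed by winbind, which is what the DC output above would give.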


