[Samba] Cannot access domain member from trusted domain user
Stephen Brandli
steve at brandli.com
Mon Feb 17 00:17:40 UTC 2025
I'm not able to access a samba file server that I recently created and joined to a domain. I have two domains with an external trust: BRANDLILAW and BRANDLI. The server is joined to BRANDLILAW. I am trying to access it from a user on the BRANDLI domain. This worked with the prior server that the new server is replacing. All domain controllers and the server are Debian backports (21.3). The user can access a Windows 10 machine also joined to the BRANDLILAW domain, and can also access a samba file server on the BRANDLI domain. "samba-tool domain trust validate" works correctly in both directions.
How do I debug this? I would appreciate any pointers.
Log entries include:
smbd:
Feb 16 16:02:50 roberts smbd[514]: check_account: Failed to convert SID S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID (dom_user[BRANDLI\steve])
Feb 16 16:02:52 roberts smbd[514]: [2025/02/16 16:02:52.332273, 0] source3/auth/auth_util.c:1945(check_account)
winbind:
[2025/02/16 15:59:21.834790, 1, traceid=1674] source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-3237397562-3087105784-2935402547-1103: NT_STATUS_NO_SUCH_DOMAIN
[2025/02/16 15:59:21.834852, 1, traceid=1674] source3/winbindd/wb_queryuser.c:123(wb_queryuser_got_uid)
wb_sids2xids_recv() failed with NT_STATUS_NO_SUCH_DOMAIN.
[2025/02/16 15:59:21.834875, 1, traceid=1674] source3/winbindd/wb_sids2xids.c:715(wb_sids2xids_gotdc)
Failed with NT_STATUS_NO_SUCH_DOMAIN.
I am also getting the error that secrets.ldb does not exist. But the samba file server on the BRANDLI domain is getting those errors, and I can access that.
smb.conf:
[global]
security = ads
workgroup = BRANDLILAW
realm = DOMAIN.BRANDLILAW.COM
log file = /var/log/samba/roberts.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307
idmap config BRANDLI:range = 1000-1499
idmap config BRANDLI:unix_nss_info = no
idmap config BRANDLI:unix_primary_group = yes
idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307
idmap config BRANDLILAW:range = 1500-1999
idmap config BRANDLILAW:unix_nss_info = no
idmap config BRANDLILAW:unix_primary_group = yes
[Docs]
path = /home/shares/docs
writeable = yes
valid users = steve bj tabitha kim erin
force user = steve
force group = steve
force create mode = 770
The relevant passwd entry on the file server:
steve:x:1000:1000:,,,:/home/steve:/bin/bash
samba-tool user show steve:
dn: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve SAB. Brandli
sn: Brandli
givenName: Steve
initials: SAB.
instanceType: 4
whenCreated: 20201005011138.0Z
displayName: Steve Brandli
uSNCreated: 5433
name: Steve SAB. Brandli
objectGUID: 1586c1f8-ca8e-49a9-92cf-e0936fc122b0
userAccountControl: 66048
codePage: 0
countryCode: 0
pwdLastSet: 132970435361910940
primaryGroupID: 513
objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
accountExpires: 0
sAMAccountName: steve
sAMAccountType: 805306368
userPrincipalName: steve@domain.brandli.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=brandli,DC=com
uidNumber: 1000
gidNumber: 1000
memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=brandli,DC=com
whenChanged: 20250210010316.0Z
uSNChanged: 5640
lastLogonTimestamp: 133836229965179730
lastLogon: 133841460882236080
logonCount: 42
distinguishedName: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
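An added configuration check, not from the original post and not Samba's own code: it parses the `idmap config` lines quoted above (backend and range lines copied from the post; the other options do not affect the check), flags overlapping id ranges, reports which idmap block winbind will consult for a given domain (its own block or the `*` default), and verifies that a user's RFC2307 uidNumber (1000 for steve, from the `samba-tool user show` output) actually sits inside the range configured for that domain.

```python
import re

# idmap lines copied from the smb.conf quoted in the post (other options omitted)
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config BRANDLI:backend = ad
idmap config BRANDLI:range = 1000-1499
idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:range = 1500-1999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' is parsed to a (low, high) tuple."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.groups()
        if opt == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[opt] = val
    return domains

def overlapping(domains):
    """Pairs of domains whose id ranges overlap, which is a misconfiguration."""
    r = {d: o["range"] for d, o in domains.items() if "range" in o}
    names = sorted(r)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if r[a][0] <= r[b][1] and r[b][0] <= r[a][1]]

def backend_for(domains, domain):
    """Block winbind consults for a domain: its own 'idmap config DOM' or the '*' default."""
    dom = domain if domain in domains else "*"
    return dom, domains[dom]["backend"]

def uid_in_range(domains, domain, uid):
    """With backend = ad, the RFC2307 uidNumber must sit inside that domain's range."""
    low, high = domains[domain]["range"]
    return low <= uid <= high

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping(conf))
    print("BRANDLI resolves via:", backend_for(conf, "BRANDLI"))
    print("uidNumber 1000 inside BRANDLI range:", uid_in_range(conf, "BRANDLI", 1000))
```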