[Samba] Cannot access domain member from trusted domain user

Rowland Penny rpenny at samba.org
Mon Feb 17 08:45:56 UTC 2025


On Mon, 17 Feb 2025 00:17:40 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:

> I'm not able to access a samba file server that I recently created
> and joined to a domain.  I have two domains with an external trust:
> BRANDLILAW and BRANDLI.  The server is joined to BRANDLILAW.  I am
> trying to access it from a user on the BRANDLI domain.  This worked
> with the prior server that the new server is replacing.  All domain
> controllers and the server are Debian backports (21.3).  The user can
> access a Windows 10 machine also joined to the BRANDLILAW domain, and
> can also access a samba file server on the BRANDLI domain.
> "samba-tool domain trust validate" works correctly in both directions.
> 
> How do I debug this?  I would appreciate any pointers.
> 
> Log entries include:
> 
> smbd:
> Feb 16 16:02:50 roberts smbd[514]:   check_account: Failed to convert
> SID S-1-5-21-3237397562-3087105784-2935402547-1103 to a UID
> (dom_user[BRANDLI\steve])
> Feb 16 16:02:52 roberts smbd[514]: [2025/02/16 16:02:52.332273,  0]
> source3/auth/auth_util.c:1945(check_account)
> 
> winbind:
> [2025/02/16 15:59:21.834790,  1, traceid=1674]
> source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-3237397562-3087105784-2935402547-1103: NT_STATUS_NO_SUCH_DOMAIN
> [2025/02/16 15:59:21.834852,  1, traceid=1674]
> source3/winbindd/wb_queryuser.c:123(wb_queryuser_got_uid)
> wb_sids2xids_recv() failed with NT_STATUS_NO_SUCH_DOMAIN.
> [2025/02/16 15:59:21.834875,  1, traceid=1674]
> source3/winbindd/wb_sids2xids.c:715(wb_sids2xids_gotdc)
> Failed with NT_STATUS_NO_SUCH_DOMAIN.
> 
> I am also getting the error that secrets.ldb does not exist.  But the
> samba file server on the BRANDLI domain is getting those errors, and
> I can access that.
> 
> smb.conf:
> 
> [global]
> security = ads
> workgroup = BRANDLILAW
> realm = DOMAIN.BRANDLILAW.COM
> 
> log file = /var/log/samba/roberts.log
> log level = 1
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> 
> idmap config BRANDLI:backend = ad
> idmap config BRANDLI:schema_mode = rfc2307
> idmap config BRANDLI:range = 1000-1499
> idmap config BRANDLI:unix_nss_info = no
> idmap config BRANDLI:unix_primary_group = yes
> 
> idmap config BRANDLILAW:backend = ad
> idmap config BRANDLILAW:schema_mode = rfc2307
> idmap config BRANDLILAW:range = 1500-1999
> idmap config BRANDLILAW:unix_nss_info = no
> idmap config BRANDLILAW:unix_primary_group = yes
> 
> [Docs]
> path = /home/shares/docs
> writeable = yes
> valid users = steve bj tabitha kim erin
> force user = steve
> force group = steve
> force create mode = 770
> 
> The relevant passwd entry on the file server:
> steve:x:1000:1000:,,,:/home/steve:/bin/bash
> 
> samba-tool user show steve:
> 
> dn: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Steve SAB. Brandli
> sn: Brandli
> givenName: Steve
> initials: SAB.
> instanceType: 4
> whenCreated: 20201005011138.0Z
> displayName: Steve Brandli
> uSNCreated: 5433
> name: Steve SAB. Brandli
> objectGUID: 1586c1f8-ca8e-49a9-92cf-e0936fc122b0
> userAccountControl: 66048
> codePage: 0
> countryCode: 0
> pwdLastSet: 132970435361910940
> primaryGroupID: 513
> objectSid: S-1-5-21-3237397562-3087105784-2935402547-1103
> accountExpires: 0
> sAMAccountName: steve
> sAMAccountType: 805306368
> userPrincipalName: steve at domain.brandli.com
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=brandli,DC=com
> uidNumber: 1000
> gidNumber: 1000
> memberOf: CN=Domain Admins,CN=Users,DC=domain,DC=brandli,DC=com
> whenChanged: 20250210010316.0Z
> uSNChanged: 5640
> lastLogonTimestamp: 133836229965179730
> lastLogon: 133841460882236080
> logonCount: 42
> distinguishedName: CN=Steve SAB. Brandli,CN=Users,DC=domain,DC=brandli,DC=com

Try reading this:

https://www.kania-online.de/wp-content/uploads/2019/06/trusts-tutorial-en.pdf

I know it is a bit old now, but hopefully still relevant. If you are
lucky, Stefan will chime in here; he is the one who wrote it.

Rowland
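The idmap section of the smb.conf quoted above is where a trusted-domain SID either maps to a UID or fails to, and the winbind log shows the failure happening before the idmap step. The following script is an added example, not code from this thread or from the Samba project: it parses those idmap config lines, checks that the configured ranges are present and disjoint, and predicts, from a user's SID and AD uidNumber, which idmap domain winbind will consult and whether idmap_ad can produce a UID (idmap_ad treats its range as a filter and discards IDs outside it). The BRANDLILAW domain SID is not in the thread, so the value used for it is a constructed placeholder; the BRANDLI prefix is the one from the quoted objectSid.

```python
"""Sanity-check the idmap configuration of a Samba domain member that has to
resolve users from a trusted domain.

Added example for the thread above; not code from the Samba project.  It
parses the ``idmap config`` lines quoted in the post, checks that every
configured domain has a range and that no two ranges overlap, and classifies
a SID by domain-SID prefix to predict which idmap domain winbind will
consult and whether the user's AD uidNumber lies inside that range.
"""
from __future__ import annotations

import re

# Constructed sample: the [global] idmap lines from the quoted smb.conf.
SMB_CONF = """\
[global]
security = ads
workgroup = BRANDLILAW
realm = DOMAIN.BRANDLILAW.COM

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config BRANDLI:backend = ad
idmap config BRANDLI:schema_mode = rfc2307
idmap config BRANDLI:range = 1000-1499

idmap config BRANDLILAW:backend = ad
idmap config BRANDLILAW:schema_mode = rfc2307
idmap config BRANDLILAW:range = 1500-1999
"""

# Domain SIDs keyed by NetBIOS name.  BRANDLI's prefix is taken from the
# objectSid quoted in the post; BRANDLILAW's is not on the page, so the
# value here is a constructed placeholder (the real one is shown by
# `wbinfo -D BRANDLILAW` on the member).
DOMAIN_SIDS = {
    "BRANDLI": "S-1-5-21-3237397562-3087105784-2935402547",
    "BRANDLILAW": "S-1-5-21-1111111111-2222222222-3333333333",  # placeholder
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> dict[str, dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    idmap: dict[str, dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom.upper(), {})[opt.lower()] = val
    return idmap


def parse_range(value: str) -> tuple[int, int]:
    """Parse 'low-high' into a closed integer interval."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"idmap range {value!r} has low > high")
    return lo, hi


def check_ranges(idmap: dict[str, dict[str, str]]) -> list[str]:
    """Return a list of problems; empty means every configured domain has a
    range and no two ranges (including the '*' default) overlap."""
    problems: list[str] = []
    ranges: dict[str, tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
        else:
            ranges[dom] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems


def sid_domain(sid: str, domain_sids: dict[str, str] = DOMAIN_SIDS) -> str | None:
    """NetBIOS name of the domain whose SID is the prefix of `sid`, else None."""
    for name, dsid in domain_sids.items():
        if sid.startswith(dsid + "-"):
            return name
    return None


def predict_mapping(sid: str, uid_number: int | None,
                    idmap: dict[str, dict[str, str]],
                    domain_sids: dict[str, str] = DOMAIN_SIDS) -> str:
    """Predict the SID->UID outcome for a user SID under `idmap`.

    `uid_number` is the user's AD uidNumber, or None if the attribute is
    unset.  Returns 'OK:<uid>' or a short reason why no mapping is expected."""
    dom = sid_domain(sid, domain_sids)
    if dom is None:
        return "NO_DOMAIN_MATCH"  # no known domain SID prefixes this SID
    opts = idmap.get(dom) or idmap.get("*")  # unconfigured domains use '*'
    if not opts:
        return "NO_IDMAP_CONFIG"
    backend = opts.get("backend", "").lower()
    if backend != "ad":
        return f"ALLOCATING_BACKEND:{backend}"  # tdb/rid etc. ignore uidNumber
    if uid_number is None:
        return "NO_UIDNUMBER"  # idmap_ad needs uidNumber on the AD object
    if "range" not in opts:
        return "NO_RANGE"
    lo, hi = parse_range(opts["range"])
    if not lo <= uid_number <= hi:
        return f"OUT_OF_RANGE:{uid_number} not in {lo}-{hi}"
    return f"OK:{uid_number}"


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("range problems:", check_ranges(cfg) or "none")
    # The SID and uidNumber quoted for BRANDLI\steve in the post.
    print(predict_mapping("S-1-5-21-3237397562-3087105784-2935402547-1103", 1000, cfg))
```

Run as is, the script reports no range problems and predicts `OK:1000` for the quoted user, which matches the uidNumber in the `samba-tool user show` output and the passwd entry; on a real member, `wbinfo -D <DOMAIN>` gives the domain SID to put in `DOMAIN_SIDS`, and `wbinfo --sid-to-uid <SID>` shows what winbind actually resolved, so the prediction can be compared with the live result to tell a configuration problem from a trust or lookup failure like the NT_STATUS_NO_SUCH_DOMAIN in the log.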
