samba - May 2006 - Winbind authenticating its default domain but not trusted domains

Dear Samba Team/Readers:

I have been reading the mailing lists looking for a solution to a particular
problem that I am having:

The Setup:

centos 4.3 (redhat enterprise server clone) running kerberos, samba Version
3.0.10-1.4E.2, 32 bit system.  Running stock kernel 2.6.9-22.  I am
authenticating to a windows 2003 server, standard edition, with all service
packs and patches applied.  I am using winbind and AD integration to allow
linux workstations to authenticate to our NT domains.

What Works:

I have two 'realms' here.com and corp.here.com, which correspond to the
domains of 'here' and 'corp', respectively.  Corp trusts
'here'.

If the linux box is a member of 'corp' people from the corp domain can
login
fine.

What Doesn't work

 But people in the 'trusted' domain 'here' cannot login.  The
system reports
the user as not existing.

I tried changing the smb.conf and the krb5.conf files to use 'here'
domain,
e.g. here.com while logging into corp.here.com domain controller.  It worked
miserably, nothing worked.  I also listed my 'trusted domains' using the
wbinfo command, and it lists corp as being trusted.  I also have the allow
trusted domains = yes and the use default domains = yes (tried no on this
with NO luck!).

I have looked at the list, and I saw a recent flame war in which an
individual seemed to be trying to do what I am, and he was told politely
that he 'should seek help  elsewhere'.  I am not sure exactly if my
problem
corresponds to his,  but I list it to prove that I have at least tried
reading the list.  I haven't included all of .conf files, for brevity, but
will include relevant parts of files:

---------------

nsswitch.conf is setup to use winbind

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
protocols:  files winbind
services:   files winbind
netgroup:   files winbind
automount:  files winbind

-----------------

My krb5.conf file

[libdefaults]
 default_realm = CORP.HERE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CORP.HERE.COM = {
  kdc = server1.corp.here.com:88
  admin.server = server1.corp.here.com:749
  default_domain = corp.here.com
 }

[domain_realm]
 .corp.here.com = CORP.HERE.COM
 corp.here.com = CORP.HERE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

----------------

Finally, the [global] section of my smb.conf file:[global]

   workgroup = CORP
   netbios name=MYCOMPUTER
   server string = Samba Server
   printcap name = /etc/printcap
   load printers = yes
   cups options = raw
   log file = /var/log/samba/%m.log
   max log size = 50
   security = ads
   realm=CORP.HERE.COM
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   allow trusted domains = Yes
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
   pam password change = yes
   obey pam restrictions = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind use default domain = yes
   winbind separator = #
   winbind enum users = yes
   winbind enum groups = yes
   template shell=/bin/bash
   template homedir = /home/%U

-----------------

Lastly, My system-auth file from my /etc/pam.d directory

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account     [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_krb5.so
account     [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_mkhomedir.so skel=etc/skel/
umask=0027
session     optional      /lib/security/$ISA/pam_krb5.so
------------

I thank you for your time and patience.

Sincerely,

Thomas J. Munn

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Munn wrote:
> What Works:
> 
> I have two 'realms' here.com and corp.here.com, which 
> correspond to the domains of 'here' and 'corp',
> respectively.  Corp trusts 'here'.
> 
> If the linux box is a member of 'corp' people from 
> the corp domain can login fine.
> 
> What Doesn't work
> 
> But people in the 'trusted' domain 'here' cannot login.  
> The system reports the user as not existing.
We do not at this time support one way trusts but it on
my radar in the next month or so.






cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEaefDIR7qMdg1EfYRAtnbAKDjxSMcnPiVAWuS6noILdV8P4DnrgCfS9m+
glLiUyL1dLvt59FaOn/ohNI=SLvS
-----END PGP SIGNATURE-----