Jason Haar
2006-Dec-05 07:11 UTC
[Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD domains
Hi there

We have a bunch of Samba 3.0.10+ CentOS4.4 servers that are working 100% fine when connected to from users who are members of the same ADS domain our Samba servers are members of. However, users from other ADS domains (we are all W2K3-based) on our network cannot connect - they get NT_STATUS_ACCESS_DENIED. The shares they are trying to connect to have no share-level permission checks - we want any valid account to be able to connect.

auth methods = "sam, winbind", winbind is used and "wbinfo -m" shows the domains we trust. And yet people in those domains cannot login. ntlm_auth - which uses winbind - is able to authenticate such accounts - but it looks like Samba "doesn't care" what winbind thinks - it must be blocking for another reason.

The logs show Samba starts as expected by looking up "otherDom\username", but it always falls back to doing Get_Pwnam_internals calls to winbind on the username by itself, and obviously receives a "no such user" error from winbind.

winbind settings in smb.conf are:

    auth methods = winbind
    winbind separator = \
    winbind cache time = 3600
    winbind enum users = Yes
    winbind enum groups = No
    winbind use default domain = No
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind nss info = template
    winbind refresh tickets = No
    winbind offline logon = No

We have tried this with both "security = domain" and "security = ADS" - no difference.

"finger myDomain\\username" works, but "finger otherDomain\\username" immediately fails, with log.wb-otherDomain reporting

    error getting user info for sid S-1-5-21-1644491937-1078081533-682003330-6760

...and yet "wbinfo --sid-to-name" maps that back to the correct username, and "wbinfo --name-to-sid" maps the username to the same SID. As mentioned earlier, ntlm_auth with such an account and correct password returns OK.

Any ideas? It smells so close to working...

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
mark.cuthbert@yorkshirewater.co.uk
2006-Dec-05 15:44 UTC
[Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD domains
I had something similar. I had to include all relevant kdcs in the realms section of krb5.conf to authenticate from trusted domains to the domain the member server is in, eg

    [libdefaults]
    default_realm = CORP.YW.xxxxxx
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc

    [realms]
    CORP.YW.xxxxxx = {
        kdc=corpad1.corp.yw.xxxx
    }
    YW.xxxx = {
        kdc=ywad1.yw.xxxxxx
    }

    [domain_realm]
    .kerberos.server = CORP.YW.KELDA

HTH
Mark
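The two messages converge on one check: Jason's member server can resolve a trusted user's name and SID through winbind, yet session setup fails, and Mark's fix is a kdc entry for every trusted realm in krb5.conf. The script below automates that check. It is an added example, not code from either poster or from the Samba project: it parses the [realms] section of a krb5.conf and reports which of the realms the member server must authenticate users from have no kdc line. The two krb5.conf fragments and the realm names (CORP.EXAMPLE.COM, TRUSTED.EXAMPLE.COM) are constructed for the example; in practice the trusted-realm list is an assumption you would build from the NetBIOS names `wbinfo -m` prints and the Alt_Name that `wbinfo --domain-info` reports for each, but here it is embedded so the script runs offline.

```python
"""Report trusted AD realms with no KDC configured in krb5.conf.

Added example, not the posters' or Samba's code. All inputs are constructed.
"""
import re

# Constructed: what a member server of CORP.EXAMPLE.COM might ship with.
# Only its own realm is defined, so libkrb5 has nowhere to send a request
# for a TRUSTED.EXAMPLE.COM principal unless DNS SRV lookup rescues it.
KRB5_CONF_BEFORE = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
"""

# Constructed: the same file after the fix, with the trusted realm's KDC.
KRB5_CONF_AFTER = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }
    TRUSTED.EXAMPLE.COM = {
        kdc=dc1.trusted.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    .trusted.example.com = TRUSTED.EXAMPLE.COM
"""

# Constructed: realms whose users must be able to connect. Assumption: on a
# real member server you would derive this from `wbinfo -m` plus the
# Alt_Name field of `wbinfo --domain-info=<DOMAIN>` for each trusted domain.
TRUSTED_REALMS = ["CORP.EXAMPLE.COM", "TRUSTED.EXAMPLE.COM"]

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")
BLOCK_OPEN_RE = re.compile(r"^([A-Za-z0-9._\-]+)\s*=\s*\{$")
KDC_RE = re.compile(r"^kdc\s*=\s*(\S+)$", re.IGNORECASE)


def parse_realms(text):
    """Return {REALM: [kdc, ...]} from the [realms] section of krb5.conf text.

    Understands the stanza form 'REALM = { kdc = host }' with or without
    whitespace around '='. A realm whose stanza has no kdc maps to [].
    Full-line comments ('#' or ';') are ignored; other sections are skipped.
    """
    realms = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            realm = None
            continue
        if section != "realms":
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m:
            realm = m.group(1)
            realms.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        if realm is not None:
            m = KDC_RE.match(line)
            if m:
                realms[realm].append(m.group(1))
    return realms


def missing_kdcs(krb5_text, trusted_realms):
    """Trusted realms with no kdc line. Matching is exact and case-sensitive,
    as Kerberos realm names are, so a lowercase stanza is reported too."""
    realms = parse_realms(krb5_text)
    return sorted(r for r in trusted_realms if not realms.get(r))


def report(krb5_text, trusted_realms):
    missing = missing_kdcs(krb5_text, trusted_realms)
    if not missing:
        return "all %d trusted realms have a kdc entry" % len(trusted_realms)
    return "no kdc for: " + ", ".join(missing)


if __name__ == "__main__":
    import sys
    # Real use: check_kdcs.py /etc/krb5.conf REALM1 REALM2 ...
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as f:
            print(report(f.read(), sys.argv[2:]))
    else:
        print("before:", report(KRB5_CONF_BEFORE, TRUSTED_REALMS))
        print("after: ", report(KRB5_CONF_AFTER, TRUSTED_REALMS))
```

Two caveats when reading the result. Kerberos realm names are case-sensitive and AD realms are uppercase, so a stanza written as `trusted.example.com = { ... }` is correctly reported as missing. And a missing stanza is not always fatal: with `dns_lookup_kdc` enabled, libkrb5 can find KDCs through the `_kerberos._tcp.<realm>` SRV records AD publishes, so a site that relies on DNS may work without explicit entries. Listing the KDCs explicitly, as Mark did, removes that dependence on DNS and pins which hosts the member server will talk to for each realm.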