I have been killing myself on this issue over the last 2 weeks. I have setup pam AD authentication using winbind on our companies email servers. That part is currently working. I have been trying to add an existing "Trusted" child domain and allow authentication from that domain as well. I am part of the way there, but not quite to the functional point as of yet. Our primary domain is rdomainprv or rdomain.prv and the child domain is kid.rdomain.prv. Below is what I am seeing, followed by my configs. Also, we had to open ports 88, 139 and 389 (I believe those are the correct ports, though the networking guys opened them) from the email/winbind server to the child domain, at the firewall. Any help would be very much appreciated! mailtestbed:~# wbinfo --all-domains BUILTIN MAILTESTBED RDOMAINPRV KID mailtestbed:~# wbinfo -u | grep testuser KID\testuser mailtestbed:~# wbinfo -a KID\\testuser%password plaintext password authentication succeeded challenge/response password authentication succeeded Here is where it's falling apart: mailtestbed:~# wbinfo -i KID\\testuser Could not get info for user KID\testuser mailtestbed:~# id KID\\testuser id: KID\testuser: No such user mailtestbed:~# id testuser id: testuser: No such user mailtestbed:~# getent passwd KID\\testuser mailtestbed:~# mailtestbed:~# getent passwd testuser mailtestbed:~# mailtestbed:~# id RDOMAINPRV\\testmer uid=10001(testmer) gid=10001 groups=999(users) mailtestbed:~# getent passwd RDOMAINPRV\\testmer testmer:*:10001:10001::/home/testmer:/bin/bash mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer testmer:*:10001:10001::/home/testmer:/bin/bash Versions (Debian Lenny) samba 2:3.2.5-4lenny9 winbind 2:3.2.5-4lenny9 smb.conf [global] workgroup = RDOMAINPRV realm = RDOMAIN.PRV server string = %h server dns proxy = no name resolve order = lmhosts host wins bcast log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d security = ADS encrypt passwords = yes passdb backend = tdbsam obey pam restrictions = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes allow trusted domains = yes winbind trusted domains only = no idmap backend = ad idmap uid = 10000-1000000 idmap gid = 10000-1000000 template homedir = /home/%U winbind use default domain = yes winbind nss info = rfc2307 winbind nested groups = yes client use spnego = yes client ntlmv2 auth = yes restrict anonymous = 2 winbind enum groups = no winbind enum users = no winbind cache time = 30 krb5.conf [libdefaults] default_realm = RDOMAIN.PRV krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] RDOMAIN.PRV = { default_domain = RDOMAIN.PRV master_kdc = dc02.rdomain.prv admin_server = dc02.rdomain.prv kdc = aurad.rdomain.prv kdc = addc01.rdomain.prv kdc = addc02.rdomain.prv kdc = addc03.rdomain.prv #kdc = addc04.rdomain.prv kdc = addc05.rdomain.prv kdc = chlddc01.kid.rdomain.prv } KID.RDOMAIN.PRV = { default_domain = KID.RDOMAIN.PRV kdc = chlddc01.kid.rdomain.prv master_kdc = addc02.rdomain.prv admin_server = addc02.rdomain.prv kdc = addc01.rdomain.prv kdc = addc02.rdomain.prv } [domain_realm] .rdomain.prv = RDOMAIN.PRV rdomain.prv = RDOMAIN.PRV .kid.rdomain.prv = KID.RDOMAIN.PRV kid.rdomain.prv = KID.RDOMAIN.PRV [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false validate = true } [login] krb4_convert = true krb4_get_tickets = false
Hello, Thank you so much for your reply! We are using AD 2003 R2 on both the domain and the child domain. I am using 10000-29999 for IDs on the main domain (RDOMAIN) and 30000-100000 on the child domain (KID). Interestingly, in the Unix tab (in AD Users and Computers for any object) under "NIS Domain" on any of the RDOMAIN servers we get the pulldown option "RDOMAIN" but on the Trusted domains server the only option is "KID". I'm not sure if that is expected or would affect this but I can't seem to get the RDOMAIN option in the KID Trusted domain. Thanks, -Paul On 3/30/2010 2:27 AM, Fran?ois Legal wrote:> Hello, > > I'm not familiar with this kind of setup, but I wonder whether or not the > KID domain has the SFU schema extensions setup for idmapping (see idmap > backend = ad) and if porperly setup, check that the defined uid/gid for > that domain fall in the idmap uid range > > Fran?ois > > On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com> > wrote: > >> I have been killing myself on this issue over the last 2 weeks. I have >> setup pam AD authentication using winbind on our companies email >> servers. That part is currently working. I have been trying to add an >> existing "Trusted" child domain and allow authentication from that >> domain as well. I am part of the way there, but not quite to the >> functional point as of yet. Our primary domain is rdomainprv or >> rdomain.prv and the child domain is kid.rdomain.prv. Below is what I am >> seeing, followed by my configs. Also, we had to open ports 88, 139 and >> 389 (I believe those are the correct ports, though the networking guys >> opened them) from the email/winbind server to the child domain, at the >> firewall. Any help would be very much appreciated! >> >> mailtestbed:~# wbinfo --all-domains >> BUILTIN >> MAILTESTBED >> RDOMAINPRV >> KID >> >> mailtestbed:~# wbinfo -u | grep testuser >> KID\testuser >> >> mailtestbed:~# wbinfo -a KID\\testuser%password >> plaintext password authentication succeeded >> challenge/response password authentication succeeded >> >> Here is where it's falling apart: >> mailtestbed:~# wbinfo -i KID\\testuser >> Could not get info for user KID\testuser >> >> mailtestbed:~# id KID\\testuser >> id: KID\testuser: No such user >> >> mailtestbed:~# id testuser >> id: testuser: No such user >> >> mailtestbed:~# getent passwd KID\\testuser >> mailtestbed:~# >> >> mailtestbed:~# getent passwd testuser >> mailtestbed:~# >> >> mailtestbed:~# id RDOMAINPRV\\testmer >> uid=10001(testmer) gid=10001 groups=999(users) >> >> mailtestbed:~# getent passwd RDOMAINPRV\\testmer >> testmer:*:10001:10001::/home/testmer:/bin/bash >> >> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer >> testmer:*:10001:10001::/home/testmer:/bin/bash >> >> Versions (Debian Lenny) >> samba 2:3.2.5-4lenny9 >> winbind 2:3.2.5-4lenny9 >> >> smb.conf >> [global] >> workgroup = RDOMAINPRV >> realm = RDOMAIN.PRV >> server string = %h server >> dns proxy = no >> name resolve order = lmhosts host wins bcast >> log file = /var/log/samba/log.%m >> max log size = 1000 >> syslog = 0 >> panic action = /usr/share/samba/panic-action %d >> security = ADS >> encrypt passwords = yes >> passdb backend = tdbsam >> obey pam restrictions = yes >> unix password sync = yes >> passwd program = /usr/bin/passwd %u >> passwd chat = *Enter\snew\s*\spassword:* %n\n >> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . >> pam password change = yes >> allow trusted domains = yes >> winbind trusted domains only = no >> idmap backend = ad >> idmap uid = 10000-1000000 >> idmap gid = 10000-1000000 >> template homedir = /home/%U >> winbind use default domain = yes >> winbind nss info = rfc2307 >> winbind nested groups = yes >> client use spnego = yes >> client ntlmv2 auth = yes >> restrict anonymous = 2 >> winbind enum groups = no >> winbind enum users = no>> winbind cache time = 30 >> >> krb5.conf >> [libdefaults] >> default_realm = RDOMAIN.PRV >> krb4_config = /etc/krb.conf >> krb4_realms = /etc/krb.realms >> kdc_timesync = 1 >> ccache_type = 4 >> forwardable = true >> proxiable = true >> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 >> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 >> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >> permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 >> des-cbc-crc des-cbc-md5 >> v4_instance_resolve = false >> v4_name_convert = { >> host = { >> rcmd = host >> ftp = ftp >> } >> plain = { >> something = something-else >> } >> } >> fcc-mit-ticketflags = true >> [realms] >> RDOMAIN.PRV = { >> default_domain = RDOMAIN.PRV >> master_kdc = dc02.rdomain.prv >> admin_server = dc02.rdomain.prv >> kdc = aurad.rdomain.prv >> kdc = addc01.rdomain.prv >> kdc = addc02.rdomain.prv >> kdc = addc03.rdomain.prv >> #kdc = addc04.rdomain.prv >> kdc = addc05.rdomain.prv >> kdc = chlddc01.kid.rdomain.prv >> } >> KID.RDOMAIN.PRV = { >> default_domain = KID.RDOMAIN.PRV >> kdc = chlddc01.kid.rdomain.prv >> master_kdc = addc02.rdomain.prv >> admin_server = addc02.rdomain.prv >> kdc = addc01.rdomain.prv >> kdc = addc02.rdomain.prv >> } >> [domain_realm] >> .rdomain.prv = RDOMAIN.PRV >> rdomain.prv = RDOMAIN.PRV >> .kid.rdomain.prv = KID.RDOMAIN.PRV >> kid.rdomain.prv = KID.RDOMAIN.PRV >> [kdc] >> profile = /var/kerberos/krb5kdc/kdc.conf >> [appdefaults] >> pam = { >> debug = false >> ticket_lifetime = 36000 >> renew_lifetime = 36000 >> forwardable = true >> krb4_convert = false >> validate = true >> } >> [login] >> krb4_convert = true >> krb4_get_tickets = false >>
The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe. mailtestbed:~# wbinfo -t checking the trust secret via RPC calls succeeded On 3/30/2010 9:47 AM, Fran?ois Legal wrote:> I'm not sure to 100% understand what you mean (it's been a long time since > I last used an AD server with SFU). > However, next step now will be to increase winbindd debug level while > issuing the wbinfo -i command, and see what fails there. > > Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity. > > Fran?ois > > On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <plauss at protocolgs.com> > wrote: > >> Hello, >> Thank you so much for your reply! We are using AD 2003 R2 on both the >> domain and the child domain. I am using 10000-29999 for IDs on the main >> domain (RDOMAIN) and 30000-100000 on the child domain (KID). >> Interestingly, in the Unix tab (in AD Users and Computers for any >> object) under "NIS Domain" on any of the RDOMAIN servers we get the >> pulldown option "RDOMAIN" but on the Trusted domains server the only >> option is "KID". I'm not sure if that is expected or would affect this >> but I can't seem to get the RDOMAIN option in the KID Trusted domain. >> >> Thanks, >> -Paul >> >> On 3/30/2010 2:27 AM, Fran?ois Legal wrote: >> >>> Hello, >>> >>> I'm not familiar with this kind of setup, but I wonder whether or not >>> > the > >>> KID domain has the SFU schema extensions setup for idmapping (see idmap >>> backend = ad) and if porperly setup, check that the defined uid/gid for >>> that domain fall in the idmap uid range >>> >>> Fran?ois >>> >>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com> >>> wrote: >>> >>> >>>> I have been killing myself on this issue over the last 2 weeks. I >>>> > have > >>>> setup pam AD authentication using winbind on our companies email >>>> servers. That part is currently working. I have been trying to add >>>> > an > >>>> existing "Trusted" child domain and allow authentication from that >>>> domain as well. I am part of the way there, but not quite to the >>>> functional point as of yet. Our primary domain is rdomainprv or >>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is what I >>>> > am > >>>> seeing, followed by my configs. Also, we had to open ports 88, 139 >>>> > and > >>>> 389 (I believe those are the correct ports, though the networking guys >>>> opened them) from the email/winbind server to the child domain, at the >>>> firewall. Any help would be very much appreciated! >>>> >>>> mailtestbed:~# wbinfo --all-domains >>>> BUILTIN >>>> MAILTESTBED >>>> RDOMAINPRV >>>> KID >>>> >>>> mailtestbed:~# wbinfo -u | grep testuser >>>> KID\testuser >>>> >>>> mailtestbed:~# wbinfo -a KID\\testuser%password >>>> plaintext password authentication succeeded >>>> challenge/response password authentication succeeded >>>> >>>> Here is where it's falling apart: >>>> mailtestbed:~# wbinfo -i KID\\testuser >>>> Could not get info for user KID\testuser >>>> >>>> mailtestbed:~# id KID\\testuser >>>> id: KID\testuser: No such user >>>> >>>> mailtestbed:~# id testuser >>>> id: testuser: No such user >>>> >>>> mailtestbed:~# getent passwd KID\\testuser >>>> mailtestbed:~# >>>> >>>> mailtestbed:~# getent passwd testuser >>>> mailtestbed:~# >>>> >>>> mailtestbed:~# id RDOMAINPRV\\testmer >>>> uid=10001(testmer) gid=10001 groups=999(users) >>>> >>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer >>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>> >>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer >>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>> >>>> Versions (Debian Lenny) >>>> samba 2:3.2.5-4lenny9 >>>> winbind 2:3.2.5-4lenny9 >>>> >>>> smb.conf >>>> [global] >>>> workgroup = RDOMAINPRV >>>> realm = RDOMAIN.PRV >>>> server string = %h server >>>> dns proxy = no >>>> name resolve order = lmhosts host wins bcast >>>> log file = /var/log/samba/log.%m >>>> max log size = 1000 >>>> syslog = 0 >>>> panic action = /usr/share/samba/panic-action %d >>>> security = ADS >>>> encrypt passwords = yes >>>> passdb backend = tdbsam >>>> obey pam restrictions = yes >>>> unix password sync = yes >>>> passwd program = /usr/bin/passwd %u >>>> passwd chat = *Enter\snew\s*\spassword:* %n\n >>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . >>>> pam password change = yes >>>> allow trusted domains = yes >>>> winbind trusted domains only = no >>>> idmap backend = ad >>>> idmap uid = 10000-1000000 >>>> idmap gid = 10000-1000000 >>>> template homedir = /home/%U >>>> winbind use default domain = yes >>>> winbind nss info = rfc2307 >>>> winbind nested groups = yes >>>> client use spnego = yes >>>> client ntlmv2 auth = yes >>>> restrict anonymous = 2 >>>> winbind enum groups = no >>>> winbind enum users = no >>>> >> >>>> winbind cache time = 30 >>>> >>>> krb5.conf >>>> [libdefaults] >>>> default_realm = RDOMAIN.PRV >>>> krb4_config = /etc/krb.conf >>>> krb4_realms = /etc/krb.realms >>>> kdc_timesync = 1 >>>> ccache_type = 4 >>>> forwardable = true >>>> proxiable = true >>>> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 >>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 >>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>> permitted_enctypes = aes256-cts arcfour-hmac-md5 >>>> > des3-hmac-sha1 > >>>> des-cbc-crc des-cbc-md5 >>>> v4_instance_resolve = false >>>> v4_name_convert = { >>>> host = { >>>> rcmd = host >>>> ftp = ftp >>>> } >>>> plain = { >>>> something = something-else >>>> } >>>> } >>>> fcc-mit-ticketflags = true >>>> [realms] >>>> RDOMAIN.PRV = { >>>> default_domain = RDOMAIN.PRV >>>> master_kdc = dc02.rdomain.prv >>>> admin_server = dc02.rdomain.prv >>>> kdc = aurad.rdomain.prv >>>> kdc = addc01.rdomain.prv >>>> kdc = addc02.rdomain.prv >>>> kdc = addc03.rdomain.prv >>>> #kdc = addc04.rdomain.prv >>>> kdc = addc05.rdomain.prv >>>> kdc = chlddc01.kid.rdomain.prv >>>> } >>>> KID.RDOMAIN.PRV = { >>>> default_domain = KID.RDOMAIN.PRV >>>> kdc = chlddc01.kid.rdomain.prv >>>> master_kdc = addc02.rdomain.prv >>>> admin_server = addc02.rdomain.prv >>>> kdc = addc01.rdomain.prv >>>> kdc = addc02.rdomain.prv >>>> } >>>> [domain_realm] >>>> .rdomain.prv = RDOMAIN.PRV >>>> rdomain.prv = RDOMAIN.PRV >>>> .kid.rdomain.prv = KID.RDOMAIN.PRV >>>> kid.rdomain.prv = KID.RDOMAIN.PRV >>>> [kdc] >>>> profile = /var/kerberos/krb5kdc/kdc.conf >>>> [appdefaults] >>>> pam = { >>>> debug = false >>>> ticket_lifetime = 36000 >>>> renew_lifetime = 36000 >>>> forwardable = true >>>> krb4_convert = false >>>> validate = true >>>> } >>>> [login] >>>> krb4_convert = true >>>> krb4_get_tickets = false >>>> >>>>-------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ADlogs.text URL: <http://lists.samba.org/pipermail/samba/attachments/20100330/ea13781c/attachment.text>
I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted. On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote:> Could you provide the part that you removed, I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from main domain dc. > > Fran?ois > > -----Message d'origine----- > De : samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss > Envoy? : mardi 30 mars 2010 20:23 > ? : samba at lists.samba.org > Objet : Re: [Samba] AD Auth Trusted Domain issues > > The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe. > > mailtestbed:~# wbinfo -t > checking the trust secret via RPC calls succeeded > > On 3/30/2010 9:47 AM, Fran?ois Legal wrote: > >> I'm not sure to 100% understand what you mean (it's been a long time >> since I last used an AD server with SFU). >> However, next step now will be to increase winbindd debug level while >> issuing the wbinfo -i command, and see what fails there. >> >> Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity. >> >> Fran?ois >> >> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <plauss at protocolgs.com> >> wrote: >> >> >>> Hello, >>> Thank you so much for your reply! We are using AD 2003 R2 on both >>> the domain and the child domain. I am using 10000-29999 for IDs on >>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID). >>> Interestingly, in the Unix tab (in AD Users and Computers for any >>> object) under "NIS Domain" on any of the RDOMAIN servers we get the >>> pulldown option "RDOMAIN" but on the Trusted domains server the only >>> option is "KID". I'm not sure if that is expected or would affect >>> this but I can't seem to get the RDOMAIN option in the KID Trusted domain. >>> >>> Thanks, >>> -Paul >>> >>> On 3/30/2010 2:27 AM, Fran?ois Legal wrote: >>> >>> >>>> Hello, >>>> >>>> I'm not familiar with this kind of setup, but I wonder whether or >>>> not >>>> >>>> >> the >> >> >>>> KID domain has the SFU schema extensions setup for idmapping (see >>>> idmap backend = ad) and if porperly setup, check that the defined >>>> uid/gid for that domain fall in the idmap uid range >>>> >>>> Fran?ois >>>> >>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss >>>> <plauss at protocolgs.com> >>>> wrote: >>>> >>>> >>>> >>>>> I have been killing myself on this issue over the last 2 weeks. I >>>>> >>>>> >> have >> >> >>>>> setup pam AD authentication using winbind on our companies email >>>>> servers. That part is currently working. I have been trying to >>>>> add >>>>> >>>>> >> an >> >> >>>>> existing "Trusted" child domain and allow authentication from that >>>>> domain as well. I am part of the way there, but not quite to the >>>>> functional point as of yet. Our primary domain is rdomainprv or >>>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is what >>>>> I >>>>> >>>>> >> am >> >> >>>>> seeing, followed by my configs. Also, we had to open ports 88, 139 >>>>> >>>>> >> and >> >> >>>>> 389 (I believe those are the correct ports, though the networking >>>>> guys opened them) from the email/winbind server to the child >>>>> domain, at the firewall. Any help would be very much appreciated! >>>>> >>>>> mailtestbed:~# wbinfo --all-domains BUILTIN MAILTESTBED RDOMAINPRV >>>>> KID >>>>> >>>>> mailtestbed:~# wbinfo -u | grep testuser KID\testuser >>>>> >>>>> mailtestbed:~# wbinfo -a KID\\testuser%password plaintext password >>>>> authentication succeeded challenge/response password authentication >>>>> succeeded >>>>> >>>>> Here is where it's falling apart: >>>>> mailtestbed:~# wbinfo -i KID\\testuser Could not get info for user >>>>> KID\testuser >>>>> >>>>> mailtestbed:~# id KID\\testuser >>>>> id: KID\testuser: No such user >>>>> >>>>> mailtestbed:~# id testuser >>>>> id: testuser: No such user >>>>> >>>>> mailtestbed:~# getent passwd KID\\testuser mailtestbed:~# >>>>> >>>>> mailtestbed:~# getent passwd testuser mailtestbed:~# >>>>> >>>>> mailtestbed:~# id RDOMAINPRV\\testmer >>>>> uid=10001(testmer) gid=10001 groups=999(users) >>>>> >>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer >>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>> >>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer >>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>> >>>>> Versions (Debian Lenny) >>>>> samba 2:3.2.5-4lenny9 >>>>> winbind 2:3.2.5-4lenny9 >>>>> >>>>> smb.conf >>>>> [global] >>>>> workgroup = RDOMAINPRV >>>>> realm = RDOMAIN.PRV >>>>> server string = %h server >>>>> dns proxy = no >>>>> name resolve order = lmhosts host wins bcast >>>>> log file = /var/log/samba/log.%m >>>>> max log size = 1000 >>>>> syslog = 0 >>>>> panic action = /usr/share/samba/panic-action %d >>>>> security = ADS >>>>> encrypt passwords = yes >>>>> passdb backend = tdbsam >>>>> obey pam restrictions = yes >>>>> unix password sync = yes >>>>> passwd program = /usr/bin/passwd %u >>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n >>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . >>>>> pam password change = yes >>>>> allow trusted domains = yes >>>>> winbind trusted domains only = no >>>>> idmap backend = ad >>>>> idmap uid = 10000-1000000 >>>>> idmap gid = 10000-1000000 >>>>> template homedir = /home/%U >>>>> winbind use default domain = yes >>>>> winbind nss info = rfc2307 >>>>> winbind nested groups = yes >>>>> client use spnego = yes >>>>> client ntlmv2 auth = yes >>>>> restrict anonymous = 2 >>>>> winbind enum groups = no >>>>> winbind enum users = no >>>>> >>>>> >>> >>> >>>>> winbind cache time = 30 >>>>> >>>>> krb5.conf >>>>> [libdefaults] >>>>> default_realm = RDOMAIN.PRV >>>>> krb4_config = /etc/krb.conf >>>>> krb4_realms = /etc/krb.realms >>>>> kdc_timesync = 1 >>>>> ccache_type = 4 >>>>> forwardable = true >>>>> proxiable = true >>>>> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 >>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 >>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>> permitted_enctypes = aes256-cts arcfour-hmac-md5 >>>>> >>>>> >> des3-hmac-sha1 >> >> >>>>> des-cbc-crc des-cbc-md5 >>>>> v4_instance_resolve = false >>>>> v4_name_convert = { >>>>> host = { >>>>> rcmd = host >>>>> ftp = ftp >>>>> } >>>>> plain = { >>>>> something = something-else >>>>> } >>>>> } >>>>> fcc-mit-ticketflags = true >>>>> [realms] >>>>> RDOMAIN.PRV = { >>>>> default_domain = RDOMAIN.PRV >>>>> master_kdc = dc02.rdomain.prv >>>>> admin_server = dc02.rdomain.prv >>>>> kdc = aurad.rdomain.prv >>>>> kdc = addc01.rdomain.prv >>>>> kdc = addc02.rdomain.prv >>>>> kdc = addc03.rdomain.prv >>>>> #kdc = addc04.rdomain.prv >>>>> kdc = addc05.rdomain.prv >>>>> kdc = chlddc01.kid.rdomain.prv >>>>> } >>>>> KID.RDOMAIN.PRV = { >>>>> default_domain = KID.RDOMAIN.PRV >>>>> kdc = chlddc01.kid.rdomain.prv >>>>> master_kdc = addc02.rdomain.prv >>>>> admin_server = addc02.rdomain.prv >>>>> kdc = addc01.rdomain.prv >>>>> kdc = addc02.rdomain.prv >>>>> } >>>>> [domain_realm] >>>>> .rdomain.prv = RDOMAIN.PRV >>>>> rdomain.prv = RDOMAIN.PRV >>>>> .kid.rdomain.prv = KID.RDOMAIN.PRV >>>>> kid.rdomain.prv = KID.RDOMAIN.PRV [kdc] profile = >>>>> /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { >>>>> debug = false >>>>> ticket_lifetime = 36000 >>>>> renew_lifetime = 36000 >>>>> forwardable = true >>>>> krb4_convert = false >>>>> validate = true >>>>> } >>>>> [login] >>>>> krb4_convert = true >>>>> krb4_get_tickets = false >>>>> >>>>> >>>>> >-------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ADLogs.text URL: <http://lists.samba.org/pipermail/samba/attachments/20100330/f2adf793/attachment-0001.text>
We have corrected the issues of "KID" not being native but this does not seem to have helped. We did however see this error in the Windows Event Viewer at the point that I am trying to make the connection. I am not certain what it means that there are no logon servers available... Thoughts? Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40960 Date: 3/31/2010 Time: 3:19:00 AM User: N/A Computer: CHLDDC01 Description: The Security System detected an authentication error for the server ldap/chlddc01.kid.rdomain.prv. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 5e 00 00 c0 ^..? On 3/30/2010 6:20 PM, devel at thom.fr.eu.org wrote:> So, as I already told you, I'm not familiar with that kind of setup. > > From what I could see, the fact that domain KID is not in ADS native may be the problem as you've got security = ADS and that expects native mode. > > You should try to go back to the list to confirm that. Your setup does not seem to be that odd, I could read lots of people trying (successfully for most of them if I remember correctly) to accomplish that kind of things. > > Sorry to not be able to help you more. > > Fran?ois > > -----Message d'origine----- > De : Paul Lauss [mailto:plauss at protocolgs.com] > Envoy? : mardi 30 mars 2010 23:26 > ? : devel at thom.fr.eu.org > Objet : Fwd: Re: [Samba] AD Auth Trusted Domain issues > > This didn't seem to go through the listserv... > > > I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted. > > On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote: > >> Could you provide the part that you removed, I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from main domain dc. >> >> Fran?ois >> >> -----Message d'origine----- >> De : samba-bounces at lists.samba.org >> [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss Envoy? >> : mardi 30 mars 2010 20:23 ? : samba at lists.samba.org Objet : Re: >> [Samba] AD Auth Trusted Domain issues >> >> The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe. >> >> mailtestbed:~# wbinfo -t >> checking the trust secret via RPC calls succeeded >> >> On 3/30/2010 9:47 AM, Fran?ois Legal wrote: >> >> >>> I'm not sure to 100% understand what you mean (it's been a long time >>> since I last used an AD server with SFU). >>> However, next step now will be to increase winbindd debug level while >>> issuing the wbinfo -i command, and see what fails there. >>> >>> Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity. >>> >>> Fran?ois >>> >>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss >>> <plauss at protocolgs.com> >>> wrote: >>> >>> >>> >>>> Hello, >>>> Thank you so much for your reply! We are using AD 2003 R2 on both >>>> the domain and the child domain. I am using 10000-29999 for IDs on >>>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID). >>>> Interestingly, in the Unix tab (in AD Users and Computers for any >>>> object) under "NIS Domain" on any of the RDOMAIN servers we get the >>>> pulldown option "RDOMAIN" but on the Trusted domains server the only >>>> option is "KID". I'm not sure if that is expected or would affect >>>> this but I can't seem to get the RDOMAIN option in the KID Trusted domain. >>>> >>>> Thanks, >>>> -Paul >>>> >>>> On 3/30/2010 2:27 AM, Fran?ois Legal wrote: >>>> >>>> >>>> >>>>> Hello, >>>>> >>>>> I'm not familiar with this kind of setup, but I wonder whether or >>>>> not >>>>> >>>>> >>>>> >>> the >>> >>> >>> >>>>> KID domain has the SFU schema extensions setup for idmapping (see >>>>> idmap backend = ad) and if porperly setup, check that the defined >>>>> uid/gid for that domain fall in the idmap uid range >>>>> >>>>> Fran?ois >>>>> >>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss >>>>> <plauss at protocolgs.com> >>>>> wrote: >>>>> >>>>> >>>>> >>>>> >>>>>> I have been killing myself on this issue over the last 2 weeks. I >>>>>> >>>>>> >>>>>> >>> have >>> >>> >>> >>>>>> setup pam AD authentication using winbind on our companies email >>>>>> servers. That part is currently working. I have been trying to >>>>>> add >>>>>> >>>>>> >>>>>> >>> an >>> >>> >>> >>>>>> existing "Trusted" child domain and allow authentication from that >>>>>> domain as well. I am part of the way there, but not quite to the >>>>>> functional point as of yet. Our primary domain is rdomainprv or >>>>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is >>>>>> what I >>>>>> >>>>>> >>>>>> >>> am >>> >>> >>> >>>>>> seeing, followed by my configs. Also, we had to open ports 88, >>>>>> 139 >>>>>> >>>>>> >>>>>> >>> and >>> >>> >>> >>>>>> 389 (I believe those are the correct ports, though the networking >>>>>> guys opened them) from the email/winbind server to the child >>>>>> domain, at the firewall. Any help would be very much appreciated! >>>>>> >>>>>> mailtestbed:~# wbinfo --all-domains BUILTIN MAILTESTBED RDOMAINPRV >>>>>> KID >>>>>> >>>>>> mailtestbed:~# wbinfo -u | grep testuser KID\testuser >>>>>> >>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password plaintext password >>>>>> authentication succeeded challenge/response password >>>>>> authentication succeeded >>>>>> >>>>>> Here is where it's falling apart: >>>>>> mailtestbed:~# wbinfo -i KID\\testuser Could not get info for user >>>>>> KID\testuser >>>>>> >>>>>> mailtestbed:~# id KID\\testuser >>>>>> id: KID\testuser: No such user >>>>>> >>>>>> mailtestbed:~# id testuser >>>>>> id: testuser: No such user >>>>>> >>>>>> mailtestbed:~# getent passwd KID\\testuser mailtestbed:~# >>>>>> >>>>>> mailtestbed:~# getent passwd testuser mailtestbed:~# >>>>>> >>>>>> mailtestbed:~# id RDOMAINPRV\\testmer >>>>>> uid=10001(testmer) gid=10001 groups=999(users) >>>>>> >>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer >>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>>> >>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer >>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>>> >>>>>> Versions (Debian Lenny) >>>>>> samba 2:3.2.5-4lenny9 >>>>>> winbind 2:3.2.5-4lenny9 >>>>>> >>>>>> smb.conf >>>>>> [global] >>>>>> workgroup = RDOMAINPRV >>>>>> realm = RDOMAIN.PRV >>>>>> server string = %h server >>>>>> dns proxy = no >>>>>> name resolve order = lmhosts host wins bcast >>>>>> log file = /var/log/samba/log.%m >>>>>> max log size = 1000 >>>>>> syslog = 0 >>>>>> panic action = /usr/share/samba/panic-action %d >>>>>> security = ADS >>>>>> encrypt passwords = yes >>>>>> passdb backend = tdbsam >>>>>> obey pam restrictions = yes >>>>>> unix password sync = yes >>>>>> passwd program = /usr/bin/passwd %u >>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n >>>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . >>>>>> pam password change = yes >>>>>> allow trusted domains = yes >>>>>> winbind trusted domains only = no >>>>>> idmap backend = ad >>>>>> idmap uid = 10000-1000000 >>>>>> idmap gid = 10000-1000000 >>>>>> template homedir = /home/%U >>>>>> winbind use default domain = yes >>>>>> winbind nss info = rfc2307 >>>>>> winbind nested groups = yes >>>>>> client use spnego = yes >>>>>> client ntlmv2 auth = yes >>>>>> restrict anonymous = 2 >>>>>> winbind enum groups = no >>>>>> winbind enum users = no >>>>>> >>>>>> >>>>>> >>>> >>>> >>>> >>>>>> winbind cache time = 30 >>>>>> >>>>>> krb5.conf >>>>>> [libdefaults] >>>>>> default_realm = RDOMAIN.PRV >>>>>> krb4_config = /etc/krb.conf >>>>>> krb4_realms = /etc/krb.realms >>>>>> kdc_timesync = 1 >>>>>> ccache_type = 4 >>>>>> forwardable = true >>>>>> proxiable = true >>>>>> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 >>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>>> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 >>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>>> permitted_enctypes = aes256-cts arcfour-hmac-md5 >>>>>> >>>>>> >>>>>> >>> des3-hmac-sha1 >>> >>> >>> >>>>>> des-cbc-crc des-cbc-md5 >>>>>> v4_instance_resolve = false >>>>>> v4_name_convert = { >>>>>> host = { >>>>>> rcmd = host >>>>>> ftp = ftp >>>>>> } >>>>>> plain = { >>>>>> something = something-else >>>>>> } >>>>>> } >>>>>> fcc-mit-ticketflags = true [realms] >>>>>> RDOMAIN.PRV = { >>>>>> default_domain = RDOMAIN.PRV >>>>>> master_kdc = dc02.rdomain.prv >>>>>> admin_server = dc02.rdomain.prv >>>>>> kdc = aurad.rdomain.prv >>>>>> kdc = addc01.rdomain.prv >>>>>> kdc = addc02.rdomain.prv >>>>>> kdc = addc03.rdomain.prv >>>>>> #kdc = addc04.rdomain.prv >>>>>> kdc = addc05.rdomain.prv >>>>>> kdc = chlddc01.kid.rdomain.prv >>>>>> } >>>>>> KID.RDOMAIN.PRV = { >>>>>> default_domain = KID.RDOMAIN.PRV >>>>>> kdc = chlddc01.kid.rdomain.prv >>>>>> master_kdc = addc02.rdomain.prv >>>>>> admin_server = addc02.rdomain.prv >>>>>> kdc = addc01.rdomain.prv >>>>>> kdc = addc02.rdomain.prv >>>>>> } >>>>>> [domain_realm] >>>>>> .rdomain.prv = RDOMAIN.PRV >>>>>> rdomain.prv = RDOMAIN.PRV >>>>>> .kid.rdomain.prv = KID.RDOMAIN.PRV >>>>>> kid.rdomain.prv = KID.RDOMAIN.PRV [kdc] profile = >>>>>> /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { >>>>>> debug = false >>>>>> ticket_lifetime = 36000 >>>>>> renew_lifetime = 36000 >>>>>> forwardable = true >>>>>> krb4_convert = false >>>>>> validate = true >>>>>> } >>>>>> [login] >>>>>> krb4_convert = true >>>>>> krb4_get_tickets = false >>>>>> >>>>>> >>>>>> >>>>>> >> >> > > >
Yes, doing "wbinfo -u" retrieves all of the KID users, then again it always did. Being able to get the SID is new. I am attaching my log file which has been gziped to make it smaller... I hope this is not an issue. See a few of my tests below. Thanks, -Paul mailtestbed:~# wbinfo -n KID\\testuser S-1-5-21-29899443-2986348974-2400605501-1223 User (1) mailtestbed:~# wbinfo -i KID\\testuser Could not get info for user KID\\testuser mailtestbed:~# wbinfo -u | grep KID [...] KID\co2s17 KID\testuser KID\co2s13 KID\co2s01 KID\jplaolet KID\co2stemp On 4/3/2010 5:04 AM, devel at thom.fr.eu.org wrote:> That's definitely a good point. > > Do you get the KID users in wbinfo -u ? > > Try increasing again loglevel for winbindd and send it for review. > > > Fran?ois > > -----Message d'origine----- > De : samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss > Envoy? : vendredi 2 avril 2010 20:57 > ? : samba at lists.samba.org > Objet : Re: [Samba] AD Auth Trusted Domain issues > > Greetings, > I figured out that since we made KID ADS native I have been able to > query for the SID successfully. I was unable to do that before. wbinfo > -n testuser actually returns a sid but it doesn't seem to want to map it > to anything so I am thinking my issue may be with how I am configuring > idmap. Any thoughts or suggestions? > > Thanks, > -Paul > > On 4/1/2010 8:55 AM, Paul Lauss wrote: > >> We have corrected the issues of "KID" not being native but this does not >> seem to have helped. We did however see this error in the Windows Event >> Viewer at the point that I am trying to make the connection. I am not >> certain what it means that there are no logon servers available... >> Thoughts? >> >> Event Type: Warning >> Event Source: LSASRV >> Event Category: SPNEGO (Negotiator) >> Event ID: 40960 >> Date: 3/31/2010 >> Time: 3:19:00 AM >> User: N/A >> Computer: CHLDDC01 >> Description: >> The Security System detected an authentication error for the server >> ldap/chlddc01.kid.rdomain.prv. The failure code from authentication >> protocol Kerberos was "There are currently no logon servers available to >> service the logon request. >> (0xc000005e)". >> >> For more information, see Help and Support Center at >> http://go.microsoft.com/fwlink/events.asp. >> Data: >> 0000: 5e 00 00 c0 ^..? >> >> >> On 3/30/2010 6:20 PM, devel at thom.fr.eu.org wrote: >> >> >>> So, as I already told you, I'm not familiar with that kind of setup. >>> >>> From what I could see, the fact that domain KID is not in ADS native may be the problem as you've got security = ADS and that expects native mode. >>> >>> You should try to go back to the list to confirm that. Your setup does not seem to be that odd, I could read lots of people trying (successfully for most of them if I remember correctly) to accomplish that kind of things. >>> >>> Sorry to not be able to help you more. >>> >>> Fran?ois >>> >>> -----Message d'origine----- >>> De : Paul Lauss [mailto:plauss at protocolgs.com] >>> Envoy? : mardi 30 mars 2010 23:26 >>> ? : devel at thom.fr.eu.org >>> Objet : Fwd: Re: [Samba] AD Auth Trusted Domain issues >>> >>> This didn't seem to go through the listserv... >>> >>> >>> I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted. >>> >>> On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote: >>> >>> >>> >>>> Could you provide the part that you removed, I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from main domain dc. >>>> >>>> Fran?ois >>>> >>>> -----Message d'origine----- >>>> De : samba-bounces at lists.samba.org >>>> [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss Envoy? >>>> : mardi 30 mars 2010 20:23 ? : samba at lists.samba.org Objet : Re: >>>> [Samba] AD Auth Trusted Domain issues >>>> >>>> The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe. >>>> >>>> mailtestbed:~# wbinfo -t >>>> checking the trust secret via RPC calls succeeded >>>> >>>> On 3/30/2010 9:47 AM, Fran?ois Legal wrote: >>>> >>>> >>>> >>>> >>>>> I'm not sure to 100% understand what you mean (it's been a long time >>>>> since I last used an AD server with SFU). >>>>> However, next step now will be to increase winbindd debug level while >>>>> issuing the wbinfo -i command, and see what fails there. >>>>> >>>>> Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity. >>>>> >>>>> Fran?ois >>>>> >>>>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss >>>>> <plauss at protocolgs.com> >>>>> wrote: >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> Hello, >>>>>> Thank you so much for your reply! We are using AD 2003 R2 on both >>>>>> the domain and the child domain. I am using 10000-29999 for IDs on >>>>>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID). >>>>>> Interestingly, in the Unix tab (in AD Users and Computers for any >>>>>> object) under "NIS Domain" on any of the RDOMAIN servers we get the >>>>>> pulldown option "RDOMAIN" but on the Trusted domains server the only >>>>>> option is "KID". I'm not sure if that is expected or would affect >>>>>> this but I can't seem to get the RDOMAIN option in the KID Trusted domain. >>>>>> >>>>>> Thanks, >>>>>> -Paul >>>>>> >>>>>> On 3/30/2010 2:27 AM, Fran?ois Legal wrote: >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> I'm not familiar with this kind of setup, but I wonder whether or >>>>>>> not >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>> the >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>> KID domain has the SFU schema extensions setup for idmapping (see >>>>>>> idmap backend = ad) and if porperly setup, check that the defined >>>>>>> uid/gid for that domain fall in the idmap uid range >>>>>>> >>>>>>> Fran?ois >>>>>>> >>>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss >>>>>>> <plauss at protocolgs.com> >>>>>>> wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> I have been killing myself on this issue over the last 2 weeks. I >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>> have >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>>> setup pam AD authentication using winbind on our companies email >>>>>>>> servers. That part is currently working. I have been trying to >>>>>>>> add >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>> an >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>>> existing "Trusted" child domain and allow authentication from that >>>>>>>> domain as well. I am part of the way there, but not quite to the >>>>>>>> functional point as of yet. Our primary domain is rdomainprv or >>>>>>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is >>>>>>>> what I >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>> am >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>>> seeing, followed by my configs. Also, we had to open ports 88, >>>>>>>> 139 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>> and >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>>> 389 (I believe those are the correct ports, though the networking >>>>>>>> guys opened them) from the email/winbind server to the child >>>>>>>> domain, at the firewall. Any help would be very much appreciated! >>>>>>>> >>>>>>>> mailtestbed:~# wbinfo --all-domains BUILTIN MAILTESTBED RDOMAINPRV >>>>>>>> KID >>>>>>>> >>>>>>>> mailtestbed:~# wbinfo -u | grep testuser KID\testuser >>>>>>>> >>>>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password plaintext password >>>>>>>> authentication succeeded challenge/response password >>>>>>>> authentication succeeded >>>>>>>> >>>>>>>> Here is where it's falling apart: >>>>>>>> mailtestbed:~# wbinfo -i KID\\testuser Could not get info for user >>>>>>>> KID\testuser >>>>>>>> >>>>>>>> mailtestbed:~# id KID\\testuser >>>>>>>> id: KID\testuser: No such user >>>>>>>> >>>>>>>> mailtestbed:~# id testuser >>>>>>>> id: testuser: No such user >>>>>>>> >>>>>>>> mailtestbed:~# getent passwd KID\\testuser mailtestbed:~# >>>>>>>> >>>>>>>> mailtestbed:~# getent passwd testuser mailtestbed:~# >>>>>>>> >>>>>>>> mailtestbed:~# id RDOMAINPRV\\testmer >>>>>>>> uid=10001(testmer) gid=10001 groups=999(users) >>>>>>>> >>>>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer >>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>>>>> >>>>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer >>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>>>>> >>>>>>>> Versions (Debian Lenny) >>>>>>>> samba 2:3.2.5-4lenny9 >>>>>>>> winbind 2:3.2.5-4lenny9 >>>>>>>> >>>>>>>> smb.conf >>>>>>>> [global] >>>>>>>> workgroup = RDOMAINPRV >>>>>>>> realm = RDOMAIN.PRV >>>>>>>> server string = %h server >>>>>>>> dns proxy = no >>>>>>>> name resolve order = lmhosts host wins bcast >>>>>>>> log file = /var/log/samba/log.%m >>>>>>>> max log size = 1000 >>>>>>>> syslog = 0 >>>>>>>> panic action = /usr/share/samba/panic-action %d >>>>>>>> security = ADS >>>>>>>> encrypt passwords = yes >>>>>>>> passdb backend = tdbsam >>>>>>>> obey pam restrictions = yes >>>>>>>> unix password sync = yes >>>>>>>> passwd program = /usr/bin/passwd %u >>>>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n >>>>>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . >>>>>>>> pam password change = yes >>>>>>>> allow trusted domains = yes >>>>>>>> winbind trusted domains only = no >>>>>>>> idmap backend = ad >>>>>>>> idmap uid = 10000-1000000 >>>>>>>> idmap gid = 10000-1000000 >>>>>>>> template homedir = /home/%U >>>>>>>> winbind use default domain = yes >>>>>>>> winbind nss info = rfc2307 >>>>>>>> winbind nested groups = yes >>>>>>>> client use spnego = yes >>>>>>>> client ntlmv2 auth = yes >>>>>>>> restrict anonymous = 2 >>>>>>>> winbind enum groups = no >>>>>>>> winbind enum users = no >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>>> winbind cache time = 30 >>>>>>>> >>>>>>>> krb5.conf >>>>>>>> [libdefaults] >>>>>>>> default_realm = RDOMAIN.PRV >>>>>>>> krb4_config = /etc/krb.conf >>>>>>>> krb4_realms = /etc/krb.realms >>>>>>>> kdc_timesync = 1 >>>>>>>> ccache_type = 4 >>>>>>>> forwardable = true >>>>>>>> proxiable = true >>>>>>>> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 >>>>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>>>>> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 >>>>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>>>>> permitted_enctypes = aes256-cts arcfour-hmac-md5 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>> des3-hmac-sha1 >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>>> des-cbc-crc des-cbc-md5 >>>>>>>> v4_instance_resolve = false >>>>>>>> v4_name_convert = { >>>>>>>> host = { >>>>>>>> rcmd = host >>>>>>>> ftp = ftp >>>>>>>> } >>>>>>>> plain = { >>>>>>>> something = something-else >>>>>>>> } >>>>>>>> } >>>>>>>> fcc-mit-ticketflags = true [realms] >>>>>>>> RDOMAIN.PRV = { >>>>>>>> default_domain = RDOMAIN.PRV >>>>>>>> master_kdc = dc02.rdomain.prv >>>>>>>> admin_server = dc02.rdomain.prv >>>>>>>> kdc = aurad.rdomain.prv >>>>>>>> kdc = addc01.rdomain.prv >>>>>>>> kdc = addc02.rdomain.prv >>>>>>>> kdc = addc03.rdomain.prv >>>>>>>> #kdc = addc04.rdomain.prv >>>>>>>> kdc = addc05.rdomain.prv >>>>>>>> kdc = chlddc01.kid.rdomain.prv >>>>>>>> } >>>>>>>> KID.RDOMAIN.PRV = { >>>>>>>> default_domain = KID.RDOMAIN.PRV >>>>>>>> kdc = chlddc01.kid.rdomain.prv >>>>>>>> master_kdc = addc02.rdomain.prv >>>>>>>> admin_server = addc02.rdomain.prv >>>>>>>> kdc = addc01.rdomain.prv >>>>>>>> kdc = addc02.rdomain.prv >>>>>>>> } >>>>>>>> [domain_realm] >>>>>>>> .rdomain.prv = RDOMAIN.PRV >>>>>>>> rdomain.prv = RDOMAIN.PRV >>>>>>>> .kid.rdomain.prv = KID.RDOMAIN.PRV >>>>>>>> kid.rdomain.prv = KID.RDOMAIN.PRV [kdc] profile = >>>>>>>> /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { >>>>>>>> debug = false >>>>>>>> ticket_lifetime = 36000 >>>>>>>> renew_lifetime = 36000 >>>>>>>> forwardable = true >>>>>>>> krb4_convert = false >>>>>>>> validate = true >>>>>>>> } >>>>>>>> [login] >>>>>>>> krb4_convert = true >>>>>>>> krb4_get_tickets = false >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>> >>>> >>>> >>>> >>> >>> >>> >
It's looking more and more like it is the Windows environment at issue here. If the KID domain was not using AD 2003 R2 and all of the other would that would cause the issue. I will talk to our Windows admins to see if we can resolve the mixed mode thing before moving on. Thanks! -Paul On 4/7/2010 3:20 AM, Fran?ois Legal wrote:> From what I could read, I'm not sure which of the 2 proposition is > correct, > > either winbindd tries to get idmap from rdomain.prv DC from domain kid > which does not exists > either winbindd tries to query idmap from kid.rdomain.prv DC and does not > find the right information (either the information is not there or not > using the same schema as rdomain.prv). > > Fran?ois > > On Tue, 06 Apr 2010 11:15:51 -0500, Paul Lauss <plauss at protocolgs.com> > wrote: > >> Here are the other logs. I just sent you the whole logs rather than >> paring down. >> >> On 4/6/2010 10:20 AM, Fran?ois Legal wrote: >> >>> By checking the log, I could not find so many interesting things. >>> I could see that domain KID is still reported as MIXED mode (and not >>> NATIVE) (in array starting at line 1002) >>> >>> Then, winbindd seems to be locked down trying to contact the >>> CORADDOM02.external.rdomain.prv machine for domain EXTRDOMAINPRV, but >>> > for > >>> some reason this fails and it keeps on trying at least for about 30 >>> minutes >>> outlined in the log. >>> I have no idea how to fix this. This can be asked to the list. I >>> > remember > >>> that someone had the same problem and I think this could be solved. >>> >>> Do you have anything interesting in log.wb-KID log.winbindd-dc-connect >>> and >>> log.winbindd-idmap ? >>> >>> Fran?ois >>> >>> On Tue, 06 Apr 2010 09:13:00 -0500, Paul Lauss <plauss at protocolgs.com> >>> wrote: >>> >>> >>>> Yes, doing "wbinfo -u" retrieves all of the KID users, then again it >>>> always did. Being able to get the SID is new. I am attaching my log >>>> file which has been gziped to make it smaller... I hope this is not an >>>> issue. See a few of my tests below. >>>> >>>> Thanks, >>>> -Paul >>>> >>>> mailtestbed:~# wbinfo -n KID\\testuser >>>> S-1-5-21-29899443-2986348974-2400605501-1223 User (1) >>>> mailtestbed:~# wbinfo -i KID\\testuser >>>> Could not get info for user KID\\testuser >>>> mailtestbed:~# wbinfo -u | grep KID >>>> [...] >>>> KID\co2s17 >>>> KID\testuser >>>> KID\co2s13 >>>> KID\co2s01 >>>> KID\jplaolet >>>> KID\co2stemp >>>> >>>> On 4/3/2010 5:04 AM, devel at thom.fr.eu.org wrote: >>>> >>>> >>>>> That's definitely a good point. >>>>> >>>>> Do you get the KID users in wbinfo -u ? >>>>> >>>>> Try increasing again loglevel for winbindd and send it for review. >>>>> >>>>> >>>>> Fran?ois >>>>> >>>>> -----Message d'origine----- >>>>> De : samba-bounces at lists.samba.org >>>>> [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss >>>>> Envoy? : vendredi 2 avril 2010 20:57 >>>>> ? : samba at lists.samba.org >>>>> Objet : Re: [Samba] AD Auth Trusted Domain issues >>>>> >>>>> Greetings, >>>>> I figured out that since we made KID ADS native I have been able to >>>>> query for the SID successfully. I was unable to do that before. >>>>> > wbinfo > >>>>> -n testuser actually returns a sid but it doesn't seem to want to map >>>>> >>>>> >>> it >>> >>> >>>>> to anything so I am thinking my issue may be with how I am >>>>> > configuring > >>>>> idmap. Any thoughts or suggestions? >>>>> >>>>> Thanks, >>>>> -Paul >>>>> >>>>> On 4/1/2010 8:55 AM, Paul Lauss wrote: >>>>> >>>>> >>>>> >>>>>> We have corrected the issues of "KID" not being native but this does >>>>>> >>>>>> >>> not >>> >>> >>>>>> seem to have helped. We did however see this error in the Windows >>>>>> >>>>>> >>> Event >>> >>> >>>>>> Viewer at the point that I am trying to make the connection. I am >>>>>> > not > >>>>>> certain what it means that there are no logon servers available... >>>>>> Thoughts? >>>>>> >>>>>> Event Type: Warning >>>>>> Event Source: LSASRV >>>>>> Event Category: SPNEGO (Negotiator) >>>>>> Event ID: 40960 >>>>>> Date: 3/31/2010 >>>>>> Time: 3:19:00 AM >>>>>> User: N/A >>>>>> Computer: CHLDDC01 >>>>>> Description: >>>>>> The Security System detected an authentication error for the server >>>>>> ldap/chlddc01.kid.rdomain.prv. The failure code from authentication >>>>>> protocol Kerberos was "There are currently no logon servers >>>>>> > available > >>>>>> >>>>>> >>> to >>> >>> >>>>>> service the logon request. >>>>>> (0xc000005e)". >>>>>> >>>>>> For more information, see Help and Support Center at >>>>>> http://go.microsoft.com/fwlink/events.asp. >>>>>> Data: >>>>>> 0000: 5e 00 00 c0 ^..? >>>>>> >>>>>> >>>>>> On 3/30/2010 6:20 PM, devel at thom.fr.eu.org wrote: >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> So, as I already told you, I'm not familiar with that kind of >>>>>>> > setup. > >>>>>>> From what I could see, the fact that domain KID is not in ADS >>>>>>> > native > >>>>>>> may be the problem as you've got security = ADS and that expects >>>>>>> >> >>>>>>> >>>>>>> >>> native >>> >>> >>>>>>> mode. >>>>>>> >>>>>>> You should try to go back to the list to confirm that. Your setup >>>>>>> >>>>>>> >>> does >>> >>> >>>>>>> not seem to be that odd, I could read lots of people trying >>>>>>> (successfully for most of them if I remember correctly) to >>>>>>> > accomplish > >>>>>>> that kind of things. >>>>>>> >>>>>>> Sorry to not be able to help you more. >>>>>>> >>>>>>> Fran?ois >>>>>>> >>>>>>> -----Message d'origine----- >>>>>>> De : Paul Lauss [mailto:plauss at protocolgs.com] >>>>>>> Envoy? : mardi 30 mars 2010 23:26 >>>>>>> ? : devel at thom.fr.eu.org >>>>>>> Objet : Fwd: Re: [Samba] AD Auth Trusted Domain issues >>>>>>> >>>>>>> This didn't seem to go through the listserv... >>>>>>> >>>>>>> >>>>>>> I am so sorry, I was trying to stay fairly concise... Here is the >>>>>>> whole log file I extracted. >>>>>>> >>>>>>> On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> Could you provide the part that you removed, I can see that >>>>>>>> > winbind > >>>>>>>> is trying to connect to chlddc01.kid.rdomain.prv for domain kid, >>>>>>>> > but > >>>>>>>> then you removed that part of the transaction, and we end up with >>>>>>>> >>>>>>>> >>> some >>> >>> >>>>>>>> info returned from main domain dc. >>>>>>>> >>>>>>>> Fran?ois >>>>>>>> >>>>>>>> -----Message d'origine----- >>>>>>>> De : samba-bounces at lists.samba.org >>>>>>>> [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss >>>>>>>> Envoy? >>>>>>>> : mardi 30 mars 2010 20:23 ? : samba at lists.samba.org Objet : Re: >>>>>>>> [Samba] AD Auth Trusted Domain issues >>>>>>>> >>>>>>>> The trust check succeeded... I have attached the pertinent logs... >>>>>>>> >>>>>>>> >>> it >>> >>> >>>>>>>> looks like it is timing out... I am not sure why though. The link >>>>>>>> should be a little slower but it shouldn't be terrible, it is a >>>>>>>> > 2Mb > >>>>>>>> pipe. >>>>>>>> >>>>>>>> mailtestbed:~# wbinfo -t >>>>>>>> checking the trust secret via RPC calls succeeded >>>>>>>> >>>>>>>> On 3/30/2010 9:47 AM, Fran?ois Legal wrote: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> I'm not sure to 100% understand what you mean (it's been a long >>>>>>>>> >>>>>>>>> >>> time >>> >>> >>>>>>>>> since I last used an AD server with SFU). >>>>>>>>> However, next step now will be to increase winbindd debug level >>>>>>>>> while >>>>>>>>> issuing the wbinfo -i command, and see what fails there. >>>>>>>>> >>>>>>>>> Try first an wbinfo -t, then if it succeeds, increase winbindd >>>>>>>>> verbosity. >>>>>>>>> >>>>>>>>> Fran?ois >>>>>>>>> >>>>>>>>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss >>>>>>>>> <plauss at protocolgs.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> Thank you so much for your reply! We are using AD 2003 R2 on >>>>>>>>>> > both > >>>>>>>>>> >>>>>>>>>> >>> >>> >>>>>>>>>> the domain and the child domain. I am using 10000-29999 for IDs >>>>>>>>>> >>>>>>>>>> >>> on >>> >>> >>>>>>>>>> the main domain (RDOMAIN) and 30000-100000 on the child domain >>>>>>>>>> (KID). >>>>>>>>>> Interestingly, in the Unix tab (in AD Users and Computers for >>>>>>>>>> > any > >>>>>>>>>> object) under "NIS Domain" on any of the RDOMAIN servers we get >>>>>>>>>> >>>>>>>>>> >>> the >>> >>> >>>>>>>>>> pulldown option "RDOMAIN" but on the Trusted domains server the >>>>>>>>>> only >>>>>>>>>> option is "KID". I'm not sure if that is expected or would >>>>>>>>>> > affect > >>>>>>>>>> >>>>>>>>>> >>> >>> >>>>>>>>>> this but I can't seem to get the RDOMAIN option in the KID >>>>>>>>>> > Trusted > >>>>>>>>>> domain. >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> -Paul >>>>>>>>>> >>>>>>>>>> On 3/30/2010 2:27 AM, Fran?ois Legal wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> Hello, >>>>>>>>>>> >>>>>>>>>>> I'm not familiar with this kind of setup, but I wonder whether >>>>>>>>>>> > or > >>>>>>>>>>> >>>>>>>>>>> >>> >>> >>>>>>>>>>> not >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> the >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>> KID domain has the SFU schema extensions setup for idmapping >>>>>>>>>>> > (see > >>>>>>>>>>> >>>>>>>>>>> >>> >>> >>>>>>>>>>> idmap backend = ad) and if porperly setup, check that the >>>>>>>>>>> > defined > >>>>>>>>>>> >>>>>>>>>>> >>> >>> >>>>>>>>>>> uid/gid for that domain fall in the idmap uid range >>>>>>>>>>> >>>>>>>>>>> Fran?ois >>>>>>>>>>> >>>>>>>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss >>>>>>>>>>> <plauss at protocolgs.com> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> I have been killing myself on this issue over the last 2 >>>>>>>>>>>> > weeks. > >>>>>>>>>>>> >>>>>>>>>>>> >>> I >>> >>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>> have >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>>> setup pam AD authentication using winbind on our companies >>>>>>>>>>>> > email > >>>>>>>>>>>> >>>>>>>>>>>> >>> >>> >>>>>>>>>>>> servers. That part is currently working. I have been trying >>>>>>>>>>>> > to > >>>>>>>>>>>> >>>>>>>>>>>> >>> >>> >>>>>>>>>>>> add >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>> an >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>>> existing "Trusted" child domain and allow authentication from >>>>>>>>>>>> that >>>>>>>>>>>> domain as well. I am part of the way there, but not quite to >>>>>>>>>>>> >>>>>>>>>>>> >>> the >>> >>> >>>>>>>>>>>> functional point as of yet. Our primary domain is rdomainprv >>>>>>>>>>>> > or > >>>>>>>>>>>> >>>>>>>>>>>> >>> >>> >>>>>>>>>>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is >>>>>>>>>>>> > >>>>>>>>>>>> what I >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>> am >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>>> seeing, followed by my configs. Also, we had to open ports >>>>>>>>>>>> > 88, > >>>>>>>>>>>> 139 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>> and >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>>> 389 (I believe those are the correct ports, though the >>>>>>>>>>>> >>>>>>>>>>>> >>> networking >>> >>> >>>>>>>>>>>> guys opened them) from the email/winbind server to the child >>>>>>>>>>>> domain, at the firewall. Any help would be very much >>>>>>>>>>>> >>>>>>>>>>>> >>> appreciated! >>> >>> >>>>>>>>>>>> mailtestbed:~# wbinfo --all-domains BUILTIN MAILTESTBED >>>>>>>>>>>> RDOMAINPRV >>>>>>>>>>>> KID >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# wbinfo -u | grep testuser KID\testuser >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password plaintext >>>>>>>>>>>> password >>>>>>>>>>>> authentication succeeded challenge/response password >>>>>>>>>>>> authentication succeeded >>>>>>>>>>>> >>>>>>>>>>>> Here is where it's falling apart: >>>>>>>>>>>> mailtestbed:~# wbinfo -i KID\\testuser Could not get info for >>>>>>>>>>>> user >>>>>>>>>>>> KID\testuser >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# id KID\\testuser >>>>>>>>>>>> id: KID\testuser: No such user >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# id testuser >>>>>>>>>>>> id: testuser: No such user >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# getent passwd KID\\testuser mailtestbed:~# >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# getent passwd testuser mailtestbed:~# >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# id RDOMAINPRV\\testmer >>>>>>>>>>>> uid=10001(testmer) gid=10001 groups=999(users) >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer >>>>>>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>>>>>>>>> >>>>>>>>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer >>>>>>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash >>>>>>>>>>>> >>>>>>>>>>>> Versions (Debian Lenny) >>>>>>>>>>>> samba 2:3.2.5-4lenny9 >>>>>>>>>>>> winbind 2:3.2.5-4lenny9 >>>>>>>>>>>> >>>>>>>>>>>> smb.conf >>>>>>>>>>>> [global] >>>>>>>>>>>> workgroup = RDOMAINPRV >>>>>>>>>>>> realm = RDOMAIN.PRV >>>>>>>>>>>> server string = %h server >>>>>>>>>>>> dns proxy = no >>>>>>>>>>>> name resolve order = lmhosts host wins bcast >>>>>>>>>>>> log file = /var/log/samba/log.%m >>>>>>>>>>>> max log size = 1000 >>>>>>>>>>>> syslog = 0 >>>>>>>>>>>> panic action = /usr/share/samba/panic-action %d >>>>>>>>>>>> security = ADS >>>>>>>>>>>> encrypt passwords = yes >>>>>>>>>>>> passdb backend = tdbsam >>>>>>>>>>>> obey pam restrictions = yes >>>>>>>>>>>> unix password sync = yes >>>>>>>>>>>> passwd program = /usr/bin/passwd %u >>>>>>>>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n >>>>>>>>>>>> *Retype\snew\s*\spassword:* %n\n >>>>>>>>>>>> *password\supdated\ssuccessfully* . >>>>>>>>>>>> pam password change = yes >>>>>>>>>>>> allow trusted domains = yes >>>>>>>>>>>> winbind trusted domains only = no >>>>>>>>>>>> idmap backend = ad >>>>>>>>>>>> idmap uid = 10000-1000000 >>>>>>>>>>>> idmap gid = 10000-1000000 >>>>>>>>>>>> template homedir = /home/%U >>>>>>>>>>>> winbind use default domain = yes >>>>>>>>>>>> winbind nss info = rfc2307 >>>>>>>>>>>> winbind nested groups = yes >>>>>>>>>>>> client use spnego = yes >>>>>>>>>>>> client ntlmv2 auth = yes >>>>>>>>>>>> restrict anonymous = 2 >>>>>>>>>>>> winbind enum groups = no >>>>>>>>>>>> winbind enum users = no >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>> winbind cache time = 30 >>>>>>>>>>>> >>>>>>>>>>>> krb5.conf >>>>>>>>>>>> [libdefaults] >>>>>>>>>>>> default_realm = RDOMAIN.PRV >>>>>>>>>>>> krb4_config = /etc/krb.conf >>>>>>>>>>>> krb4_realms = /etc/krb.realms >>>>>>>>>>>> kdc_timesync = 1 >>>>>>>>>>>> ccache_type = 4 >>>>>>>>>>>> forwardable = true >>>>>>>>>>>> proxiable = true >>>>>>>>>>>> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 >>>>>>>>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>>>>>>>>> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 >>>>>>>>>>>> des3-hmac-sha1 des-cbc-crc des-cbc-md5 >>>>>>>>>>>> permitted_enctypes = aes256-cts arcfour-hmac-md5 >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>> des3-hmac-sha1 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>>>> des-cbc-crc des-cbc-md5 >>>>>>>>>>>> v4_instance_resolve = false >>>>>>>>>>>> v4_name_convert = { >>>>>>>>>>>> host = { >>>>>>>>>>>> rcmd = host >>>>>>>>>>>> ftp = ftp >>>>>>>>>>>> } >>>>>>>>>>>> plain = { >>>>>>>>>>>> something = something-else >>>>>>>>>>>> } >>>>>>>>>>>> } >>>>>>>>>>>> fcc-mit-ticketflags = true [realms] >>>>>>>>>>>> RDOMAIN.PRV = { >>>>>>>>>>>> default_domain = RDOMAIN.PRV >>>>>>>>>>>> master_kdc = dc02.rdomain.prv >>>>>>>>>>>> admin_server = dc02.rdomain.prv >>>>>>>>>>>> kdc = aurad.rdomain.prv >>>>>>>>>>>> kdc = addc01.rdomain.prv >>>>>>>>>>>> kdc = addc02.rdomain.prv >>>>>>>>>>>> kdc = addc03.rdomain.prv >>>>>>>>>>>> #kdc = addc04.rdomain.prv >>>>>>>>>>>> kdc = addc05.rdomain.prv >>>>>>>>>>>> kdc = chlddc01.kid.rdomain.prv >>>>>>>>>>>> } >>>>>>>>>>>> KID.RDOMAIN.PRV = { >>>>>>>>>>>> default_domain = KID.RDOMAIN.PRV >>>>>>>>>>>> kdc = chlddc01.kid.rdomain.prv >>>>>>>>>>>> master_kdc = addc02.rdomain.prv >>>>>>>>>>>> admin_server = addc02.rdomain.prv >>>>>>>>>>>> kdc = addc01.rdomain.prv >>>>>>>>>>>> kdc = addc02.rdomain.prv >>>>>>>>>>>> } >>>>>>>>>>>> [domain_realm] >>>>>>>>>>>> .rdomain.prv = RDOMAIN.PRV >>>>>>>>>>>> rdomain.prv = RDOMAIN.PRV >>>>>>>>>>>> .kid.rdomain.prv = KID.RDOMAIN.PRV >>>>>>>>>>>> kid.rdomain.prv = KID.RDOMAIN.PRV [kdc] profile = >>>>>>>>>>>> /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { >>>>>>>>>>>> debug = false >>>>>>>>>>>> ticket_lifetime = 36000 >>>>>>>>>>>> renew_lifetime = 36000 >>>>>>>>>>>> forwardable = true >>>>>>>>>>>> krb4_convert = false >>>>>>>>>>>> validate = true >>>>>>>>>>>> } >>>>>>>>>>>> [login] >>>>>>>>>>>> krb4_convert = true >>>>>>>>>>>> krb4_get_tickets = false >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>