Smith, David
2012-Apr-20 19:22 UTC
[Samba] wbinfo -a works against other domains, but can't use other dom creds for a share
I've successfully joined my Samba server to a Windows domain (let's call it DOMAIN1). When I run wbinfo -m, I see a number of other domains listed, including DOMAIN2. I can even test credentials in those other domains (wbinfo -a DOMAIN2\\username says that both plaintext and challenge/response authentication were successful).

However, I can't get Samba to accept credentials from other domains. I can log in with any (valid) credentials from DOMAIN1. What I'd really like to do, though, is to allow people to log in with credentials from DOMAIN2 (that domain is our equivalent of a single-sign-on key, used for a lot of things). When I try to connect (from a Windows desktop client), though, I'm always told "Invalid user name or password".

With the default logging, the only thing that shows up is a note in log.smbd about "Connection reset by peer," which I assume is related to Windows trying and failing to connect. Upping the log level to 2 doesn't tell me much more:

  auth/auth.c:314(check_ntlm_password)
    check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER

This makes sense, as I actually entered DOMAIN2\username when trying to map the drive from my Windows desktop.

I don't have access to the domain controllers, which I know limits my ability to provide debugging information. Any suggestions on things to look for, though?

Below is a (slightly sanitized - changed the domain names but nothing else) copy of my smb.conf. This is all on a RHEL 6.2 server, running their current/supported version of Samba (3.5.10). I can provide other configuration files (the only other one that seems relevant would be /etc/krb5.conf) if needed. Thanks!
[global]
    workgroup = domain1
    realm = DOMAIN1.DOM.WUSTL.EDU
    security = ads
    netbios name = TESTBOX
    encrypt passwords = yes
    idmap uid = 30000-40000
    idmap gid = 30000-40000
    winbind refresh tickets = yes
    ## These lines just suppress printer spam in the logs
    printing = bsd
    load printers = no
    disable spoolss = yes

[site2]
    guest ok = no
    browseable = yes
    force user = site2
    force group = site2
    # these are both 'local' users, and it's here for a reason
    hide dot files = no
    path = /home/site2
    read only = no

--
David E. Smith, Systems Engineer
Washington University in Saint Louis
desmith at wustl.edu / 314-935-5746
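Whether a member server accepts logins from a trusted domain is decided by a handful of [global] parameters, some of which take effect through their defaults without appearing in the file. The following is an added example for this thread, not code from the original post or from the Samba project: a small smb.conf parser that reports the effective values of those parameters. The sample config is constructed from the poster's sanitized smb.conf, and the defaults table holds the Samba 3.x defaults for the three parameters it checks.

```python
"""Report the smb.conf settings that govern logins from trusted domains.

Added example for this thread, not code from the original post. The sample
configuration is constructed from the sanitized smb.conf quoted above."""
import re

SAMPLE_SMB_CONF = """\
[global]
    workgroup = domain1
    realm = DOMAIN1.DOM.WUSTL.EDU
    security = ads
    netbios name = TESTBOX
    encrypt passwords = yes
    idmap uid = 30000-40000
    idmap gid = 30000-40000
    winbind refresh tickets = yes
    ## These lines just suppress printer spam in the logs
    printing = bsd
    load printers = no
    disable spoolss = yes

[site2]
    guest ok = no
    browseable = yes
    force user = site2
    force group = site2
    path = /home/site2
    read only = no
"""

# Samba 3.x defaults for the parameters that decide how a DOMAIN2\user login
# is handled when the server is joined to DOMAIN1.
DEFAULTS = {
    "allow trusted domains": "yes",
    "map untrusted to domain": "no",
    "winbind use default domain": "no",
}


def parse_smb_conf(text):
    """Parse the INI-like smb.conf format into {section: {key: value}}.

    Section names and keys are lower-cased and internal whitespace in keys is
    collapsed, mirroring smbd's case- and whitespace-insensitive parameter
    matching. Lines starting with '#' or ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def trusted_domain_report(text):
    """Return the effective trusted-domain settings plus human-readable notes."""
    g = parse_smb_conf(text).get("global", {})
    effective = {k: g.get(k, d).lower() for k, d in DEFAULTS.items()}
    report = {
        "security_ads": g.get("security", "").lower() == "ads",
        "effective": effective,
        "notes": [],
    }
    if effective["allow trusted domains"] != "yes":
        report["notes"].append(
            "allow trusted domains is off: only accounts in the joined domain can log in")
    if effective["map untrusted to domain"] == "yes":
        report["notes"].append(
            "map untrusted to domain is on: unrecognised domain names are rewritten "
            "to the workgroup, so DOMAIN2\\user would be checked as DOMAIN1\\user")
    return report


if __name__ == "__main__":
    for key, value in trusted_domain_report(SAMPLE_SMB_CONF)["effective"].items():
        print(f"{key} = {value}")
```

Run against the poster's file this shows that allow trusted domains is already on by default, which is why adding it explicitly changes nothing and the interesting evidence is in the "mapped user is:" log line instead.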
Smith, David
2012-Apr-24 15:50 UTC
[Samba] wbinfo -a works against other domains, but can't use other dom creds for a share
> I've successfully joined my Samba server to a Windows domain (let's call it DOMAIN1). When I run wbinfo -m , I see a number of other domains listed, including DOMAIN2. I can even test credentials in those other domains (wbinfo -a DOMAIN2\\username says that both plaintext and challenge/response authentication were successful).

Following up to myself here: I'm starting to run short on ideas. If I add "allow trusted domains = yes" to my smb.conf, the Samba server tries to map logins to its own hostname:

  [2012/04/24 10:43:12.167648, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
    Got user=[username] domain=[domain2] workstation=[IS-M001] len1=24 len2=290
  [2012/04/24 10:43:12.168080, 3] auth/auth.c:216(check_ntlm_password)
    check_ntlm_password: Checking password for unmapped user [domain2]\[username]@[IS-M001] with the new password interface
  [2012/04/24 10:43:12.168101, 3] auth/auth.c:219(check_ntlm_password)
    check_ntlm_password: mapped user is: [ISTWPTEST2]\[username]@[IS-M001]

(In the above, "ISTWPTEST2" is the NetBIOS name of the server, as configured in smb.conf; IS-M001 is my desktop, from which I'm trying to connect.)

There also was a promising "map untrusted to domain" option, but it maps everything to the domain of which this server is a member (DOMAIN1 in my example), not the domain provided by the user.

Anything? I'm getting a bit flustered by this.

David Smith
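The level-3 lines quoted above carry the diagnosis in two places: the domain the client sent ("unmapped user [domain2]\...") and the domain smbd substituted before checking the password ("mapped user is: [ISTWPTEST2]\..."). The following is an added example for this thread, not code from the original post or from the Samba project: a parser that pairs those lines per authentication attempt and flags when the client's domain was replaced by the server's own NetBIOS name, which is what smbd does when it does not recognise the domain as trusted. The sample log is constructed from the lines quoted in the thread; the final FAILED line is the level-2 message from the first post with a constructed timestamp, and the NetBIOS name passed in is the one the poster names.

```python
"""Pair smbd auth log lines into attempts and flag domain rewriting.

Added example for this thread, not code from the original post. The sample
log is constructed from the lines quoted in the thread; the trailing FAILED
line reuses the level-2 message from the first post with a constructed
timestamp."""
import re

SAMPLE_LOG = r"""
[2012/04/24 10:43:12.167648, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[username] domain=[domain2] workstation=[IS-M001] len1=24 len2=290
[2012/04/24 10:43:12.168080, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [domain2]\[username]@[IS-M001] with the new password interface
[2012/04/24 10:43:12.168101, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [ISTWPTEST2]\[username]@[IS-M001]
[2012/04/24 10:43:12.168900, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# [domain]\[user]@[workstation] as smbd prints it; '\\' matches one backslash.
UNMAPPED = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
RESULT = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] (\w+)(?: with error (\S+))?")


def summarize_auth(log_text, netbios_name):
    """Return one dict per authentication attempt.

    An attempt opens at an 'unmapped user' line and closes at the next
    'Authentication for user' line. Each dict records the domain the client
    sent, the domain smbd used instead, the outcome, and two derived flags."""
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = UNMAPPED.search(line)
        if m:
            current = {"client_domain": m.group(1), "user": m.group(2),
                       "workstation": m.group(3), "mapped_domain": None,
                       "status": None, "error": None}
            attempts.append(current)
            continue
        if current is None:
            continue
        m = MAPPED.search(line)
        if m:
            current["mapped_domain"] = m.group(1)
            continue
        m = RESULT.search(line)
        if m:
            current["status"] = m.group(3)
            current["error"] = m.group(4)
            current = None
    for a in attempts:
        mapped = (a["mapped_domain"] or "").upper()
        # True when smbd swapped the client's domain for something else.
        a["domain_rewritten"] = bool(mapped) and mapped != a["client_domain"].upper()
        # True when the substitute is the server's own NetBIOS name, i.e. the
        # password was checked against local accounts, not DOMAIN2.
        a["mapped_to_local"] = mapped == netbios_name.upper()
    return attempts


if __name__ == "__main__":
    for a in summarize_auth(SAMPLE_LOG, "ISTWPTEST2"):
        print(f"{a['client_domain']}\\{a['user']} from {a['workstation']}: "
              f"checked as {a['mapped_domain']}\\{a['user']} -> {a['status']} {a['error']}")
```

On the quoted lines this reports domain2\username being checked as ISTWPTEST2\username and failing with NT_STATUS_NO_SUCH_USER, which is consistent with the "mapped user" substitution being the step to look at rather than the password itself.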