Hi,
I have set up two domains (example1.net and example2.net). Then I
created a trust, in two different ways (yes, one after the other, not
at the same time):
1.
samba-tool domain trust create example2 --type=forest --direction=both --create-location=both -U administrator@EXAMPLE2.NET
2.
samba-tool domain trust create EXAMPLE2.NET --type=external --direction=both --create-location=local --no-aes-keys -U administrator@EXAMPLE2.NET
samba-tool domain trust create EXAMPLE1.NET --type=external --direction=both --create-location=local --no-aes-keys -U administrator@EXAMPLE1.NET
To resolve the names and SRV records I configured a DNS proxy with
BIND. Name resolution is working.
On the domain controllers I can get all users and groups with "wbinfo"
AND "getent". I can set permissions in the filesystem of either DC.
root@addc-s1:~# getent group EXAMPLE1\\my-users1
EXAMPLE1\my-users1:x:3000022:
root@addc-s1:~# getent group EXAMPLE2\\my-users2
EXAMPLE2\my-users2:x:3000021:
root@addc-s1:~# getent passwd EXAMPLE1\\scooper
EXAMPLE1\scooper:*:3000023:100:Shaldon Cooper:/home/EXAMPLE1/scooper:/bin/false
root@addc-s1:~# getent passwd EXAMPLE2\\ffowler
EXAMPLE2\ffowler:*:3000024:3000025:Farrah Fowler:/home/EXAMPLE2/ffowler:/bin/false
I think this is all working fine. But now I want to join a Samba file
server to one of the domains and let all users from both domains
access the shares.
Here is the smb.conf from the file server:
---------------
[global]
workgroup = example1
realm = EXAMPLE1.NET
security = ADS
winbind refresh tickets = Yes
template shell = /bin/bash
idmap config * : range = 10000 - 19999
idmap config EXAMPLE1 : backend = rid
idmap config EXAMPLE1 : range = 1000000 - 1999999
idmap config EXAMPLE2 : backend = rid
idmap config EXAMPLE2 : range = 10000000 - 19999999
---------------
All domains are "online"
---------------
root@fs1-s1:~# wbinfo --online-status
BUILTIN : online
FS1-S1 : online
EXAMPLE1 : online
EXAMPLE2 : online
---------------
I can join the domain, with "wbinfo" I can see all users and groups
from both domains:
---------------
root@fs1-s1:~# wbinfo -u --domain=example1
EXAMPLE1\scooper
EXAMPLE1\administrator
EXAMPLE1\example2$
EXAMPLE1\krbtgt
EXAMPLE1\guest
root@fs1-s1:~# wbinfo -u --domain=example2
EXAMPLE2\ffowler
EXAMPLE2\administrator
EXAMPLE2\example1$
EXAMPLE2\krbtgt
EXAMPLE2\guest
---------------
But with "getent" I can only see the users and groups from the domain
where the file server is a member. Users and groups from the other
domain are not listed:
---------------
root@fs1-s1:~# getent passwd EXAMPLE1\\scooper
EXAMPLE1\scooper:*:1001104:1000513:Shaldon Cooper:/home/EXAMPLE1/scooper:/bin/bash
root@fs1-s1:~# getent passwd EXAMPLE2\\ffowler
root@fs1-s1:~#
---------------
When I test with "wbinfo -t --domain=example2" I can't connect to that
domain:
---------------
root@fs1-s1:~# wbinfo -t --domain=example1
checking the trust secret for domain example1 via RPC calls succeeded
root@fs1-s1:~# wbinfo -t --domain=example2
checking the trust secret for domain example2 via RPC calls failed
wbcCheckTrustCredentials(example2): error code was
NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
---------------
What did I do wrong? Or is it, up to this point, not possible to map
users and groups of a trusted domain on a domain member?
Everything that points me in the right direction will help.
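The smb.conf above uses the rid idmap backend with a separate range per domain. One thing worth checking before digging into the trust itself is that the ranges are complete and non-overlapping, and that the IDs getent returns actually come from the range you expect. The following script is an added example, not code from the post or from the Samba project; it parses the "idmap config" lines of an smb.conf and applies the documented idmap_rid formula (Unix ID = RID + low end of the domain's range). The sample configuration embedded in it is constructed to match the one in the post, and the ID values it decodes are the ones shown in the getent output above (uid 1001104 and gid 1000513 for EXAMPLE1\scooper).

```python
"""Parse the idmap ranges of an smb.conf and decode rid-backend IDs.

Added example, not part of the original post or of Samba. The only
assumptions are the 'idmap config DOMAIN : key = value' syntax and the
idmap_rid mapping ID = RID + LOW_RANGE. SAMPLE_SMB_CONF is constructed
to mirror the file server configuration in the post.
"""
import re

# Constructed sample: the idmap lines from the post's smb.conf.
SAMPLE_SMB_CONF = """
[global]
workgroup = example1
realm = EXAMPLE1.NET
security = ADS
idmap config * : range = 10000 - 19999
idmap config EXAMPLE1 : backend = rid
idmap config EXAMPLE1 : range = 1000000 - 1999999
idmap config EXAMPLE2 : backend = rid
idmap config EXAMPLE2 : range = 10000000 - 19999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str or None, "range": (low, high) or None}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()
        entry = domains.setdefault(dom, {"backend": None, "range": None})
        key, val = m.group("key").lower(), m.group("val")
        if key == "backend":
            entry["backend"] = val.lower()
        elif key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
    return domains


def check_ranges(domains):
    """List configuration problems: missing default range, incomplete
    per-domain entries, and ranges that overlap each other."""
    problems = []
    if "*" not in domains or domains["*"]["range"] is None:
        problems.append("no 'idmap config * : range' for the default backend")
    for dom, entry in domains.items():
        if entry["range"] is None:
            problems.append(f"{dom}: no range configured")
        elif dom != "*" and entry["backend"] is None:
            problems.append(f"{dom}: no backend configured")
    ranged = [(d, e["range"]) for d, e in domains.items() if e["range"]]
    for i, (d1, (l1, h1)) in enumerate(ranged):
        for d2, (l2, h2) in ranged[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems


def rid_to_id(domains, dom, rid):
    """idmap_rid forward mapping: Unix ID = RID + low end of the range.
    Returns None when the result would fall outside the configured range."""
    low, high = domains[dom.upper()]["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def id_to_rid(domains, unix_id):
    """Reverse lookup: which rid-backed domain and RID produced this ID?"""
    for dom, entry in domains.items():
        if entry["backend"] == "rid" and entry["range"]:
            low, high = entry["range"]
            if low <= unix_id <= high:
                return dom, unix_id - low
    return None


if __name__ == "__main__":
    doms = parse_idmap(SAMPLE_SMB_CONF)
    for line in check_ranges(doms) or ["idmap ranges are complete and disjoint"]:
        print(line)
    # IDs from the post's getent output on the file server.
    print(id_to_rid(doms, 1001104))  # ('EXAMPLE1', 1104)
    print(id_to_rid(doms, 1000513))  # ('EXAMPLE1', 513), the Domain Users RID
```

Run against the post's configuration, the script reports no range problems and decodes uid 1001104 as RID 1104 in EXAMPLE1 and gid 1000513 as RID 513 (Domain Users). That confirms the member server's EXAMPLE1 mapping is working as configured; an ID that falls into no range, or a range that overlaps another, would show up here as a configuration error before any trust debugging starts.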