samba - Mar 2004 - Samba-3 / ADS problems with trusted domain

Hello,

 I'm running Mandrake 9.2 and Samba-3.0.2a

 I'm connecting a Samba Server as a Domain member to an 2003 ADS, called
TEST2.  I've been able to create the computer account.  I've also tested
successfully,  from Chapter 7 of ' Samba HOWTO Collection'  with a W2K
client logon/mount a share  from the samba server using Kerberos.  The testing
of the smbclient was also successful.

 The problem that I'm having now is that I can not successfully logon/mount
a share with Kerberos from a client logon from a trusted domain, TEST1, with the
ADS.  Testing with wbinfo -u and -g only show accounts and group information
from my local Domain, Test2,  and not from the trusted Domain.  A wbinfo -m does
show me a list of all trusted domain.

 From the log.winbind file I can also see 'trustdom_store: storing SID
S-1-5-21-1060284298-1078145449-682003330 of domain TEST1", so It appears
winbind if working.

 The account name on TEST1 is ibaccaril,  the account on TEST2 is ibaccarilsu
and the unix account is baccari.  I currently have no control of the account
names in Test1 and test2.   When I tail the log.isaunders-n-1file I extract the
error below,  Any help would be appreciated.


2004/03/16 13:12:34, 5] auth/auth_util.c:make_user_info(184)
  making blobs for baccari's user_info struct
[2004/03/16 13:12:34, 10] auth/auth_util.c:make_user_info(193)
  made an encrypted user_info for baccari (iBaccaril)
[2004/03/16 13:12:34, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[TEST1]\[iBaccaril]@[ISAUNDERS-N-1] with the new password interface
[2004/03/16 13:12:34, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [TEST2]\[baccari]@[ISAUNDERS-N-1]
[2004/03/16 13:12:34, 10] auth/auth.c:check_ntlm_password(231)
  check_ntlm_password: auth_context challenge created by random
[2004/03/16 13:12:34, 10] auth/auth.c:check_ntlm_password(233)
  challenge is:
[2004/03/16 13:12:34, 5] lib/util.c:dump_data(1830)
  [000] 11 25 5A CA CE C1 F4 25                           .%Z????%
[2004/03/16 13:12:34, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/03/16 13:12:34, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/03/16 13:12:34, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/03/16 13:12:34, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/03/16 13:12:34, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/03/16 13:12:34, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/16 13:12:34, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [iBaccaril] FAILED with
error NT_STATUS_NO_SUCH_USER
[2004/03/16 13:12:34, 6] auth/auth_sam.c:check_samstrict_security(271)
  check_samstrict_security: TEST2 is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2004/03/16 13:12:34, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: sam had nothing to say
[2004/03/16 13:12:34, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [iBaccaril] -> [baccari]
FAILED with error NT_STATUS_NO_SUCH_USER
[2004/03/16 13:12:34, 5] auth/auth_util.c:free_user_info(1278)
  attempting to free (and zero) a user_info structure
[2004/03/16 13:12:34, 10] auth/auth_util.c:free_user_info(1281)
  structure was created for iBaccaril
[2004/03/16 13:12:34, 6] lib/util_sock.c:write_socket(407)
  write_socket(5,104)
[2004/03/16 13:12:34, 6] lib/util_sock.c:write_socket(410)
  write_socket(5,104) wrote 104
[2004/03/16 13:12:35, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
[2004/03/16 13:12:35, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2004/03/16 13:12:35, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2004/03/16 13:12:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/16 13:12:35, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/03/16 13:12:35, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/03/16 13:12:35, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/03/16 13:12:35, 2] smbd/server.c:exit_server(558)

 
Lou Baccari
lou.baccari@hp.com
HP Labs, Hewlett-Packard Company
617-551-7623

Hi,

 Just thought I would update these message.  The solution to the problem was to
add the realm and domain_realm information for the trust domain to krb5.conf.  I
needed to know more about kerberos before posting.

Lou.
 
-----Original Message-----
From: samba-bounces+baccari=crl.dec.com@lists.samba.org
[mailto:samba-bounces+baccari=crl.dec.com@lists.samba.org]On Behalf Of
Baccari, Lou
Sent: Tuesday, March 16, 2004 1:56 PM
To: samba@lists.samba.org
Subject: [Samba] Samba-3 / ADS problems with trusted domain




Hello,

 I'm running Mandrake 9.2 and Samba-3.0.2a

 I'm connecting a Samba Server as a Domain member to an 2003 ADS, called
TEST2.  I've been able to create the computer account.  I've also tested
successfully,  from Chapter 7 of ' Samba HOWTO Collection'  with a W2K
client logon/mount a share  from the samba server using Kerberos.  The testing
of the smbclient was also successful.

 The problem that I'm having now is that I can not successfully logon/mount
a share with Kerberos from a client logon from a trusted domain, TEST1, with the
ADS.  Testing with wbinfo -u and -g only show accounts and group information
from my local Domain, Test2,  and not from the trusted Domain.  A wbinfo -m does
show me a list of all trusted domain.

 From the log.winbind file I can also see 'trustdom_store: storing SID
S-1-5-21-1060284298-1078145449-682003330 of domain TEST1", so It appears
winbind if working.

 The account name on TEST1 is ibaccaril,  the account on TEST2 is ibaccarilsu
and the unix account is baccari.  I currently have no control of the account
names in Test1 and test2.   When I tail the log.isaunders-n-1file I extract the
error below,  Any help would be appreciated.


2004/03/16 13:12:34, 5] auth/auth_util.c:make_user_info(184)
  making blobs for baccari's user_info struct
[2004/03/16 13:12:34, 10] auth/auth_util.c:make_user_info(193)
  made an encrypted user_info for baccari (iBaccaril)
[2004/03/16 13:12:34, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[TEST1]\[iBaccaril]@[ISAUNDERS-N-1] with the new password interface
[2004/03/16 13:12:34, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [TEST2]\[baccari]@[ISAUNDERS-N-1]
[2004/03/16 13:12:34, 10] auth/auth.c:check_ntlm_password(231)
  check_ntlm_password: auth_context challenge created by random
[2004/03/16 13:12:34, 10] auth/auth.c:check_ntlm_password(233)
  challenge is:
[2004/03/16 13:12:34, 5] lib/util.c:dump_data(1830)
  [000] 11 25 5A CA CE C1 F4 25                           .%Z????%
[2004/03/16 13:12:34, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/03/16 13:12:34, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/03/16 13:12:34, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/03/16 13:12:34, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/03/16 13:12:34, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/03/16 13:12:34, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/16 13:12:34, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [iBaccaril] FAILED with
error NT_STATUS_NO_SUCH_USER
[2004/03/16 13:12:34, 6] auth/auth_sam.c:check_samstrict_security(271)
  check_samstrict_security: TEST2 is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2004/03/16 13:12:34, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: sam had nothing to say
[2004/03/16 13:12:34, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [iBaccaril] -> [baccari]
FAILED with error NT_STATUS_NO_SUCH_USER
[2004/03/16 13:12:34, 5] auth/auth_util.c:free_user_info(1278)
  attempting to free (and zero) a user_info structure
[2004/03/16 13:12:34, 10] auth/auth_util.c:free_user_info(1281)
  structure was created for iBaccaril
[2004/03/16 13:12:34, 6] lib/util_sock.c:write_socket(407)
  write_socket(5,104)
[2004/03/16 13:12:34, 6] lib/util_sock.c:write_socket(410)
  write_socket(5,104) wrote 104
[2004/03/16 13:12:35, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
[2004/03/16 13:12:35, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2004/03/16 13:12:35, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2004/03/16 13:12:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/16 13:12:35, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/03/16 13:12:35, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/03/16 13:12:35, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/03/16 13:12:35, 2] smbd/server.c:exit_server(558)

 
Lou Baccari
lou.baccari@hp.com
HP Labs, Hewlett-Packard Company
617-551-7623


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba