Adrian Chow
2004-Oct-31 16:19 UTC
[Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

I got stuck now. I did my best. I got stuck at winbind, which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory.

1. What are the settings of your winbind?

2. Do you use only "winbind" in your libnss_ldap or use "ldap" as well?

3. My winbind works with:

(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd

(For DomainA)
"getent group" shows all the local groups and also the groups shown in "wbinfo -g"

(For DomainB)
"getent group" shows all the local groups and only the GUESTs group. Very weird. The rest of the groups in "wbinfo -g" do not come up.

The logs are something like this:
-----------------------------------
nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
  could not lookup domain group STAFF\wheel
---------------------------------------

Any ideas what had happened?

Thanks.
adrian
Igor Belyi
2004-Nov-01 18:52 UTC
[Samba] Re: Trusting and trusted domain (home mapping) problem
I would guess that it means that DomainA trusts DomainB but DomainB does not trust DomainA. Can you verify that trust is mutual between them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from the trusted domain into local space.

Adrian Chow wrote:
> Hi Igor,
>
> I got stuck now. I did my best. I got stuck at winbind, which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory.
>
> 1. What are the settings of your winbind?

I have the following winbind related entries in smb.conf:
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000

To see if winbind works you can also try to resolve a name into a SID and the SID into a gid. For example, if wbinfo -g returns you 'STAFF\wheel', try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y <SID returned by the previous command>

> 2. Do you use only "winbind" in your libnss_ldap or use "ldap" as well?

In my /etc/nsswitch.conf I have only "ldap" without winbind. As far as I understand this, winbind usage via NSS can confuse Samba into thinking that those users and groups are defined locally, and maybe allowing Samba to use winbind directly is a better approach for trust between domains.

I don't know why you would want to put winbind into libnss_ldap, which is the configuration for the LDAP interface for NSS (when you use 'ldap' in the /etc/nsswitch.conf file).

> 3. My winbind works with:
> (For both sides)
> wbinfo -t
> wbinfo -p
> wbinfo -u
> wbinfo -g
> getent passwd
> (For DomainA)
> "getent group" shows all the local groups and also the groups shown in "wbinfo -g"
> (For DomainB)
> "getent group" shows all the local groups and only the GUESTs group. Very weird. The rest of the groups in "wbinfo -g" do not come up.
>
> The logs are something like this:
> -----------------------------------
>
> nsswitch/winbindd_group.c:fill_grent_mem(133)
>   could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: NT_STATUS_NO_SUCH_GROUP)
> [2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
>   could not lookup domain group STAFF\wheel
>
> ---------------------------------------

Do you mean that this error message was reported during "getent group" in DomainB? Because, without this error message, I would assume that you have winbind written in /etc/nsswitch.conf on your DomainA server but not on your DomainB server.

The error message means that Samba thinks that 'wheel' is a Domain group of the 'STAFF' domain and fails to find its mapping. I would expect this error to come up during login of a Domain user whose primary group is a local 'wheel' group instead of a Domain group. If this user is supposed to have 'wheel' as a primary group you probably forgot to create a groupmap from a Domain group for it.

Igor
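The name-to-SID-to-gid chain and the trust check Igor describes above, wrapped in a small POSIX shell script so the failing step is reported explicitly. This is an added example, not code from the thread or from the Samba project. It assumes wbinfo is on PATH, that the first whitespace-separated field of `wbinfo -n` output is the SID, that `wbinfo -Y` prints only the numeric gid on success, and that `wbinfo -m` prints one trusted domain name per line; the domain and group names used are illustrative.

```shell
#!/bin/sh
# Added example: the winbind checks from the thread as reusable functions.
# Assumptions (not from the thread): wbinfo is on PATH; the first field of
# `wbinfo -n` output is the SID; `wbinfo -Y` prints only a gid on success;
# `wbinfo -m` prints one trusted domain name per line.

# Resolve 'DOMAIN\group' to its SID via winbind. Fails if winbind cannot
# resolve the name (e.g. the domain is not trusted or the group does not exist).
group_sid() {
    out=$(wbinfo -n "$1" 2>/dev/null) || return 1
    set -- $out                       # split "SID type (n)" on whitespace
    case "$1" in
        S-1-5-*) printf '%s\n' "$1" ;;
        *)       return 1 ;;
    esac
}

# Map a SID to the gid winbind's idmap assigned. Fails when no mapping exists,
# which is the symptom behind "could not lookup domain group".
sid_gid() {
    gid=$(wbinfo -Y "$1" 2>/dev/null) || return 1
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;       # anything other than a plain number
        *)           printf '%s\n' "$gid" ;;
    esac
}

# Full chain for one group. Prints "ok GID SID", "no-gid SID" or "no-sid",
# so it is obvious whether name resolution or the idmap step is broken.
check_group() {
    sid=$(group_sid "$1") || { echo "no-sid"; return 1; }
    gid=$(sid_gid "$sid") || { echo "no-gid $sid"; return 2; }
    echo "ok $gid $sid"
}

# Is DOMAIN among the domains winbind on this host trusts? Run it on both
# sides to confirm the trust is mutual rather than one-way.
trust_known() {
    wbinfo -m 2>/dev/null | grep -Fqx "$1"
}

# Stand-alone use: ./wbcheck.sh 'STAFF\wheel' DOMAIN_A
if [ "$#" -ge 1 ]; then
    check_group "$1"
    if [ "$#" -ge 2 ]; then
        if trust_known "$2"; then echo "trust $2: yes"; else echo "trust $2: no"; fi
    fi
fi
```

Run it on both the trusting and the trusted server. A group that comes back "no-sid" is not visible to winbind at all (trust or name lookup problem); "no-gid" means winbind resolved the name but has no idmap entry for it, which matches the log lines quoted in the thread and points at the idmap backend or a missing groupmap rather than at the trust itself.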
Adrian Chow
2004-Nov-02 13:01 UTC
[Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

Do you have trustdomains in your "auth methods"?

Currently I removed winbind from nsswitch.conf, and "smbclient //domain_B_PDC//shared -U domain_A/domain_A_user" does not work. If I put winbind in nsswitch.conf, then I am able to authenticate but cannot connect to the shared folder, with the following error:

Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

The log file from the Domain_B_PDC:

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?????] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
--------------

My smb.conf:

[Shared]
path = /shared
valid users = @"Domain Users", @"Domain_A\Domain Users"
write list = @"Domain Users", @"Domain_A\Domain Users"
browsable = yes
guest ok = no
writeable = no
---------------

Do you have winbind in your nsswitch.conf? How did you manage to get the mapped home directory for domain_a_user when he logs on to the joined_domain_B_computer?

Hope to hear from you on this... thanks a lot.

adrian

p/s: I hope you got my previous mail, because I forgot to cc sambalists.

Igor Belyi wrote:
> I would guess that it means that DomainA trusts DomainB but DomainB does
> not trust DomainA. Can you verify that trust is mutual between them?