samba - Oct 2004 - Re: Trusting and trusted domain (home mapping) problem

Hi Igor,

I got stuck now.  I did my best.  I got stuck at the winbind which I suspected
is the reason why the domainA_computer cannot map the domain_B user's home
directory.

1.  What are the settings of your winbind?
2.  Do you use only "winbind" in your libnss_ldap or use
"ldap" as well?
3.  My winbind works with :-
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
"getent group" shows all the local groups and also the groups shown in
"wbinfo -g"
(For DomainB)
"getent group" shows all the local groups and only the GUESTs group. 
Very weird.  The rest of the groups in "wbinfo -g" does not come up.

The logs is something like this:-
-----------------------------------

nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid
S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error:
NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
  could not lookup domain group STAFF\wheel

---------------------------------------


Any ideas what had happened?

Thanks.

adrian

I would guess that it means that DomainA trust DomainB but DomainB does 
not trust DomainA. Can you verify that trust is mutual between them? 
Check 'net rpc trustom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain into 
local space.

Adrian Chow wrote:
>Hi Igor,
>
>I got stuck now.  I did my best.  I got stuck at the winbind which I
suspected is the reason why the domainA_computer cannot map the domain_B
user's home directory.
>
>1.  What are the settings of your winbind?
>  
>
I have the following winbind related entries in smb.conf:
  ldap idmap suffix = ou=Idmap
  idmap backend = ldap:ldap://localhost
  idmap uid = 10000-20000
  idmap gid = 10000-20000

To see if winbind works you can also try to resolve a name into SID and 
SID into gid. For examle, if wbinfo -g returns you 'STAFF\wheel'. Try to
do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y <SID return in a previous command>
>2.  Do you use only "winbind" in your libnss_ldap or use
"ldap" as well?
>  
>
In my /etc/nsswitch.conf I have only "ldap" without winbind. As far as
I
understand this, winbind usage via NSS can confuse Samba into thinking 
that those users and groups are defined locally and maybe allowing Samba 
to use winbind directly is a better approach for trust between domains.

I don't know why would you want to put winbind into libnss_ldap which is 
configuration for LDAP interface for NSS (when you use 'ldap' in 
/etc/nssswitch.conf file)
>3.  My winbind works with :-
>(For both sides)
>wbinfo -t
>wbinfo -p
>wbinfo -u
>wbinfo -g
>getent passwd
>(For DomainA)
>"getent group" shows all the local groups and also the groups
shown in "wbinfo -g"
>(For DomainB)
>"getent group" shows all the local groups and only the GUESTs
group.  Very weird.  The rest of the groups in "wbinfo -g" does not
come up.
>
>The logs is something like this:-
>-----------------------------------
>
>nsswitch/winbindd_group.c:fill_grent_mem(133)
>  could not lookup membership for group rid
S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error:
NT_STATUS_NO_SUCH_GROUP)
>[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
>  could not lookup domain group STAFF\wheel
>
>---------------------------------------
>  
>
Do you mean that this error message was reported during "getent group"
in DomainB? Because, without this error message I would assume that you 
have winbind written in /etc/nsswithc.conf on your DomainA server but 
not on your DomainB server.

The error message means that Samba thinks that 'wheel' is a Domain group
of the 'STAFF' domain and fails to find its mapping. I would expect this
error to come up during login of a Domain user whose primary group is a 
local 'wheel' group instead of a Domain group. If this user is supposed 
to have 'wheel' as a primary group you probably forgot to create a 
groupmap from a Domain group for it.

Igor

Hi Igor,

Do you have trustdomains in your "auth methods"?

Currently I removed the winbind from nsswitch.conf.  And "smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user" does not work.

If I put winbind in the nsswitch.conf, then I will be able to 
authenticated but cannot connect to shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

The log file from the Domain_B_PDC:-

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
   Client requested device type [?????] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
   making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
   Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
   Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
   user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
   error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--------------

My smb.conf :-

[Shared]
         path = /shared
         valid users = @"Domain Users", @"Domain_A\Domain
Users"
         write list = @"Domain Users", @"Domain_A\Domain
Users"
         browsable = yes
         guest ok = no
         writeable =no


---------------


Do you have winbind in your nsswitch.conf?

How did you managed to get the mapped home directory for domain_a_user 
when he log on to the joined_domain_B_computer?

Hope to hear from you on this... thanks a lot.

adrian

p/s: hope you got my previous mail cos I forgotten to cc to sambalists

Igor Belyi wrote:
> ====== (Header) e-mail Filtrado =====> I would guess that it means that
DomainA trust DomainB but DomainB does
> not trust DomainA. Can you verify that trust is mutual between them? 
> Check 'net rpc trustom list' on both machines.
> 
> No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
> Winbind is used only by Samba when it maps users from trust domain into 
> local space.
> 
> Adrian Chow wrote:
> 
>> Hi Igor,
>>
>> I got stuck now.  I did my best.  I got stuck at the winbind which I 
>> suspected is the reason why the domainA_computer cannot map the 
>> domain_B user's home directory.
>>
>> 1.  What are the settings of your winbind?
>>  
>>
> I have the following winbind related entries in smb.conf:
>  ldap idmap suffix = ou=Idmap
>  idmap backend = ldap:ldap://localhost
>  idmap uid = 10000-20000
>  idmap gid = 10000-20000
> 
> To see if winbind works you can also try to resolve a name into SID and 
> SID into gid. For examle, if wbinfo -g returns you 'STAFF\wheel'.
Try to
> do the following:
> wbinfo -n 'STAFF\wheel'
> wbinfo -Y <SID return in a previous command>
> 
>> 2.  Do you use only "winbind" in your libnss_ldap or use
"ldap" as well?
>>  
>>
> In my /etc/nsswitch.conf I have only "ldap" without winbind. As
far as I
> understand this, winbind usage via NSS can confuse Samba into thinking 
> that those users and groups are defined locally and maybe allowing Samba 
> to use winbind directly is a better approach for trust between domains.
> 
> I don't know why would you want to put winbind into libnss_ldap which
is
> configuration for LDAP interface for NSS (when you use 'ldap' in 
> /etc/nssswitch.conf file)
> 
>> 3.  My winbind works with :-
>> (For both sides)
>> wbinfo -t
>> wbinfo -p
>> wbinfo -u
>> wbinfo -g
>> getent passwd
>> (For DomainA)
>> "getent group" shows all the local groups and also the groups
shown in
>> "wbinfo -g"
>> (For DomainB)
>> "getent group" shows all the local groups and only the GUESTs
group.
>> Very weird.  The rest of the groups in "wbinfo -g" does not
come up.
>> The logs is something like this:-
>> -----------------------------------
>>
>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>>  could not lookup membership for group rid 
>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
>> NT_STATUS_NO_SUCH_GROUP)
>> [2004/11/01 00:13:10, 0]
nsswitch/winbindd_group.c:winbindd_getgrent(795)
>>  could not lookup domain group STAFF\wheel
>>
>> ---------------------------------------
>>  
>>
> Do you mean that this error message was reported during "getent
group"
> in DomainB? Because, without this error message I would assume that you 
> have winbind written in /etc/nsswithc.conf on your DomainA server but 
> not on your DomainB server.
> 
> The error message means that Samba thinks that 'wheel' is a Domain
group
> of the 'STAFF' domain and fails to find its mapping. I would expect
this
> error to come up during login of a Domain user whose primary group is a 
> local 'wheel' group instead of a Domain group. If this user is
supposed
> to have 'wheel' as a primary group you probably forgot to create a 
> groupmap from a Domain group for it.
> 
> Igor
>