This sounds like it might be somewhat related to the problem I posted
a query about earlier this week -- where domain local groups in
domain-A that contain users from (trusted/trusting) domain-B, are not
having the domain-B users being enumerated by winbind as group
members on Samba/winbind systems in domain-A. It appears that only
domain-A users can be enumerated as group members by winbind, even if
the group is defined as a domain local group, which can contain users
defined in a foreign, trusted domain. (On Windows systems within the
domain, users from domain-B show up as group members just fine --
Samba appears to be dropping them off the list, though.)
It seems like there might be some sort of common inability to deal
with references to users in another (trusted) domain from within the
context of the local domain, in certain places at least...
Cheers,
-D
At 01:26 PM 2/16/2006, Devin Morton wrote:
>I've come across a fairly unique situation and after much searching have
>not found a solution. I thought I would see if anyone here has had any
>experience with this before.
>
>I have a location with two ADS domains with a two-way trust configured.
>
>-For this example I will call them corp.company.com and bst.company.com.
>
>-I have a FreeBSD client running Samba version three
>-I want to use an account in corp with privileges over bst to join the
>client to the bst domain.
>
>No matter what format I use to specify the location of the admin account
>process always appends the specified user to the bst I'm attempting to
>join. That domain, of course, cannot find the user and I receive an
>"Invalid credentials" error. Here is an example:
>
>ESPN-IQ-1# net ads join -S bst.company.com -U CORP.company.com/domainadmin
>Password:
>[2006/02/16 12:20:42, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
> krb5_cc_get_principal failed (No credentials cache found)
>[2006/02/16 12:20:42, 0] libads/kerberos.c:ads_kinit_password(133)
> kerberos_kinit_password CORP.company.com/domainadmin@BST.company.com failed: Client not found in Kerberos database
>[2006/02/16 12:20:42, 1] utils/net_ads.c:ads_startup(152)
> ads_connect: Invalid credentials
>
>
>Is there a way to specify a user account from a different domain when
>attempting to join in this fashion?
>
>Thanks in advance.
>Devin Morton
Don Meyer <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759