Dale Wishner
2006-Feb-16 23:08 UTC
[Samba] kerberos error when users in trusted win2k domain try to browse samba server
I have users from Domain A trying to browse a domain member samba server in Domain B. Domain A and Domain B are both Windows 2k domains. Domain B has a one way trust to A. A users can browse Domain B Windows server with no problem so I know the trust is fine. Samba version is 3.0.21b on RH Linux ES 3.

The winbindd log is giving me the following error:

[2006/02/16 08:28:50, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
  ads_krb5_mk_req: krb5_get_credentials failed for isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
[2006/02/16 09:20:32, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: Server not found in Kerberos database
[2006/02/16 09:21:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
  ads_krb5_mk_req: krb5_get_credentials failed for isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ONTARIOPD failed: Server not found in Kerberos database
[2006/02/16 09:21:02, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid S-1-5-21-1813802168-3123542457-4032405765-1223
[2006/02/16 09:21:02, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid S-1-5-21-1813802168-3123542457-4032405765-1223
[2006/02/16 09:21:02, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid S-1-5-21-1813802168-3123542457-4032405765-1223

Both Domain A and Domain B realms are defined in the krb5.conf file. Users from Domain B browse the samba server just fine.

I have been working on this problem for three days. I have searched the 'Net and found people with similar issues but no solution.

Any help would be appreciated.
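Added example (not part of the original posts and not Samba code): a small Python triage script that joins winbindd's two-line log entries and groups the failures quoted in the post above by Kerberos principal, domain and SID. The sample log is constructed from entries in that post, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in winbindd's two-line layout (header, then indented
# message), using one of each entry type quoted in the post above.
SAMPLE_LOG = """\
[2006/02/16 08:28:50, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
  ads_krb5_mk_req: krb5_get_credentials failed for isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ONTARIOPD failed: Server not found in Kerberos database
[2006/02/16 09:21:02, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid S-1-5-21-1813802168-3123542457-4032405765-1223
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
KRB_FAIL = re.compile(r"krb5_get_credentials failed for (?P<principal>\S+) \((?P<reason>[^)]+)\)")
ADS_FAIL = re.compile(r"ads_connect for domain (?P<domain>\S+) failed: (?P<reason>.+)$")
SID_FAIL = re.compile(r"error getting user info for sid (?P<sid>S-[\d-]+)")

def parse_entries(text):
    """Join each header line with the indented message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "msg": ""}
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(entries):
    """Count Kerberos failures per (principal, reason), failed domains, unresolved SIDs."""
    krb, domains, sids = Counter(), Counter(), Counter()
    for e in entries:
        if (m := KRB_FAIL.search(e["msg"])):
            krb[(m["principal"], m["reason"])] += 1
        elif (m := ADS_FAIL.search(e["msg"])):
            domains[(m["domain"], m["reason"].strip())] += 1
        elif (m := SID_FAIL.search(e["msg"])):
            sids[m["sid"]] += 1
    return krb, domains, sids

def realm_of(principal):
    """Return the realm part of a Kerberos principal name, or None if absent."""
    return principal.rsplit("@", 1)[1] if "@" in principal else None
```
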
Don Meyer
2006-Feb-16 23:36 UTC
[Samba] kerberos error when users in trusted win2k domain try to browse samba server
We have the same situation here. Apparently, users from domain-A can properly connect/browse/etc. a server in domain-B (assuming permissions OK, W2K3-based ADS) if the domains have a two-way trust in place. But users from a "trusted" domain cannot access Samba-server based resources, generating the errors you note below.

To me, these errors seem to indicate that the "trusted" domain is rejecting the server's credentials, as they are from the "trusting" domain, which by definition it does not "trust" in a one-way relationship.

In the windows world, the Windows admin GUI usually pops up a dialog to ask an admin for proper credentials on the "trusted" domain when initiating actions such as adding a user from the "trusted" domain to a domain local group in the "trusting" domain.

There needs to be some mechanism identified to supply satisfactory credentials for the server to use to communicate with the "trusted" domain, in this one-way trust situation.

Cheers,
-D

At 11:39 AM 2/16/2006, Dale Wishner wrote:
>I have users from Domain A trying to browse a domain member samba server in
>Domain B. Domain A and Domain B are both Windows 2k domains. Domain B has
>a one way trust to A. A users can browse Domain B Windows server with no
>problem so I know the trust is fine. Samba version is 3.0.21b on RH Linux ES
>3.
>
>The winbindd log is giving me the following error:
>
>[2006/02/16 08:28:50, 0] nsswitch/winbindd_dual.c:child_read_request(49)
>  Got invalid request length: 0
>[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
>  ads_krb5_mk_req: krb5_get_credentials failed for isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:20:32, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
>  spnego_gen_negTokenTarg failed: Server not found in Kerberos database
>[2006/02/16 09:21:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
>  ads_krb5_mk_req: krb5_get_credentials failed for isd43m7pd21$@ONTARIOPD.ORG (Server not found in Kerberos database)
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>  ads_connect for domain ONTARIOPD failed: Server not found in Kerberos database
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
>  error getting user info for sid S-1-5-21-1813802168-3123542457-4032405765-1223
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
>  error getting user info for sid S-1-5-21-1813802168-3123542457-4032405765-1223
>[2006/02/16 09:21:02, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
>  error getting user info for sid S-1-5-21-1813802168-3123542457-4032405765-1223
>
>Both Domain A and Domain B realms are defined in the krb5.conf file. Users
>from Domain B browse the samba server just fine.
>
>I have been working on this problem for three days. I have searched the
>'Net and found people with similar issues but no solution.
>
>Any help would be appreciated.

Don Meyer <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759