Thomas Munn
2006-May-16 14:50 UTC
[Samba] Winbind authenticating its default domain but not trusted domains
Dear Samba Team/Readers: I have been reading the mailing lists looking for a solution to a particular problem that I am having: The Setup: centos 4.3 (redhat enterprise server clone) running kerberos, samba Version 3.0.10-1.4E.2, 32 bit system. Running stock kernel 2.6.9-22. I am authenticating to a windows 2003 server, standard edition, with all service packs and patches applied. I am using winbind and AD integration to allow linux workstations to authenticate to our NT domains. What Works: I have two 'realms' here.com and corp.here.com, which correspond to the domains of 'here' and 'corp', respectively. Corp trusts 'here'. If the linux box is a member of 'corp' people from the corp domain can login fine. What Doesn't work But people in the 'trusted' domain 'here' cannot login. The system reports the user as not existing. I tried changing the smb.conf and the krb5.conf files to use 'here' domain, e.g. here.com while logging into corp.here.com domain controller. It worked miserably, nothing worked. I also listed my 'trusted domains' using the wbinfo command, and it lists corp as being trusted. I also have the allow trusted domains = yes and the use default domains = yes (tried no on this with NO luck!). I have looked at the list, and I saw a recent flame war in which an individual seemed to be trying to do what I am, and he was told politely that he 'should seek help elsewhere'. I am not sure exactly if my problem corresponds to his, but I list it to prove that I have at least tried reading the list. I haven't included all of .conf files, for brevity, but will include relevant parts of files: --------------- nsswitch.conf is setup to use winbind passwd: files winbind shadow: files winbind group: files winbind hosts: files dns protocols: files winbind services: files winbind netgroup: files winbind automount: files winbind ----------------- My krb5.conf file [libdefaults] default_realm = CORP.HERE.COM dns_lookup_realm = true dns_lookup_kdc = true [realms] CORP.HERE.COM = { kdc = server1.corp.here.com:88 admin.server = server1.corp.here.com:749 default_domain = corp.here.com } [domain_realm] .corp.here.com = CORP.HERE.COM corp.here.com = CORP.HERE.COM [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } ---------------- Finally, the [global] section of my smb.conf file:[global] workgroup = CORP netbios name=MYCOMPUTER server string = Samba Server printcap name = /etc/printcap load printers = yes cups options = raw log file = /var/log/samba/%m.log max log size = 50 security = ads realm=CORP.HERE.COM encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd allow trusted domains = Yes unix password sync = Yes passwd program = /usr/bin/passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* pam password change = yes obey pam restrictions = yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = no idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 winbind use default domain = yes winbind separator = # winbind enum users = yes winbind enum groups = yes template shell=/bin/bash template homedir = /home/%U ----------------- Lastly, My system-auth file from my /etc/pam.d directory auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_krb5.so use_authtok password sufficient /lib/security/$ISA/pam_winbind.so use_authtok password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_mkhomedir.so skel=etc/skel/ umask=0027 session optional /lib/security/$ISA/pam_krb5.so ------------ I thank you for your time and patience. Sincerely, Thomas J. Munn
Gerald (Jerry) Carter
2006-May-16 14:55 UTC
[Samba] Winbind authenticating its default domain but not trusted domains
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thomas Munn wrote:> What Works: > > I have two 'realms' here.com and corp.here.com, which > correspond to the domains of 'here' and 'corp', > respectively. Corp trusts 'here'. > > If the linux box is a member of 'corp' people from > the corp domain can login fine. > > What Doesn't work > > But people in the 'trusted' domain 'here' cannot login. > The system reports the user as not existing.We do not at this time support one way trusts but it on my radar in the next month or so. cheers, jerry ====================================================================Samba ------- http://www.samba.org Centeris ----------- http://www.centeris.com "What man is a man who does not make the world better?" --Balian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFEaefDIR7qMdg1EfYRAtnbAKDjxSMcnPiVAWuS6noILdV8P4DnrgCfS9m+ glLiUyL1dLvt59FaOn/ohNI=SLvS -----END PGP SIGNATURE-----
Reasonably Related Threads
- Auto creation of home directories on Samba-3.5.4(CentOS 6) using PAM authenticating via ADS
- authentication to ADS via Kerberos at login?
- Samba, winbind, krb5 Auth problem
- Samba 3.5.10 pam authentication question
- AD logins using winbind looking for user in /etc/shadow