samba - Oct 2006 - [Fwd: Interdomain Trust: winbind not working]

Anyone?
Could you write me the exact steps to have a working
configuration of Samba/winbind domain trusting Windows 2000 Dom?
I've followed the one proposed in the samba howtos but is not
working.

thanks

-------- Original Message --------
Subject: [Samba] Interdomain Trust: winbind not working
Date: Mon, 11 Sep 2006 16:09:49 +0200
From: Matteo Calcagnini <calcagnini@publinet.it>
To: samba@lists.samba.org

Hi there,
i got a problem trying configuring an Interdomain trust, this is
my scenario (very simple one):

domain domA (windows 2000 mixed mode) trusting domB (samba 3.0.23a-1)
and vice-versa.

some wbinfo:

ale:~# wbinfo -m
RGM5

ale:~# wbinfo --sequence
RGM5 : DISCONNECTED
BUILTIN : 1157982872
SYS2 : 1157982872

ale:~# wbinfo -t
checking the trust secret via RPC calls succeeded

ale:~# wbinfo -u
Error looking up domain users

ale:~# wbinfo -g
BUILTIN\administrators
BUILTIN\users

ale:~# wbinfo -a RGM5\\publinetrgm%*******
plaintext password authentication succeeded
challenge/response password authentication succeeded

(this seems to authorise a user of the trusted domain...)


I joined the samba pdc to his domain (SYS2) and made the trust with

net rpc trustdom establish SYS2

everything seems working fine since i can smbclien with a user of the
trusted domain, the only thing that's not working is winbind,
i can't map the trusted dom users to the unix users.
I noticed that samba creates a unix account everytime i log into it with
a user of the trusted dom, but how i can get winbind work??


this is my smb.conf

#======================= Global Settings ======================
[global]

  netbios name  = ALE
  workgroup = SYS2
  os level = 64
  preferred master = yes
  domain master = yes
  local master = yes
  domain logons = yes

  nt acl support = yes

  logon path   logon drive = H:
  logon home = \\ale\%U
  logon script = logon.bat

##### Add/Remove user scripts #####
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

#### WINBINDD configuration #####
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 30
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes


## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of

# server string is the equivalent of the NT Description field
    server string = PDC Sys2

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    wins server = 192.168.92.205 192.168.92.206

# This will prevent nmbd to search for NetBIOS names through DNS.
    dns proxy = yes

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

remote announce = 192.168.92.205
remote browse sync = 192.168.92.205
wins proxy = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
    log file = /var/log/samba/log.%m
    #log level = 3

# Put a capping on the size of the log files (in Kb).
    max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
    syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
    panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix
account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
    security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
    encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
    passdb backend = tdbsam

;   obey pam restrictions = yes

    guest account = nobody
;   invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
;   unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Augustin Luton
<aluton@hybrigenics.fr> for
# sending the correct chat script for the passwd program in Debian Potato).
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
;   pam password change = no

#### *********** Unix/Windows Username Mapping file *********** ####
username map = /etc/samba/users.map


########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
    load printers = yes

# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
    printing = cups
    printcap name = cups

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192


#======================= Share Definitions ======================
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    create mask = 0700
    directory mask = 0700
    path = /home/%U/

# Un-comment the following and create the netlogon directory for Domain
Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no
    browsable = no

#[profiles]
#  path = /var/lib/samba/profiles
#  profile acls = yes
#  read only = no
#  create mask = 0600
#  directory mask = 0700
#  browsable = no
#  force user = %U

[printers]
    comment = All Printers
    browseable = no
    path = /tmp
    printable = yes
    public = no
    writable = no
    create mode = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
    write list = root, @ntadmins


####  **************** Custom Shares for SYS2 ***************** ####

[z]
	comment = risorsa condivisa z
	path = /home/shares/z
	admin users = @ntadmins, "@RGM5\Domain Admins"
	public = yes
	writable = yes
	printable = no
	create mask = 0110
	directory mask = 0775
	force create mode = 0664
	force directory mode = 0775


thank you all

--
__________________________________
Matteo Calcagnini


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

-- 
--
Matteo Calcagnini

Matteo Calcagnini <calcagnini <at> publinet.it> writes:
> 
> Anyone?
> Could you write me the exact steps to have a working
> configuration of Samba/winbind domain trusting Windows 2000 Dom?
> I've followed the one proposed in the samba howtos but is not
> working.
I cannot make it better than the how-to. I have an interdomain trust working to
a W2K3-server, and I just followed the how-to.

Though I got a problem like yours when I upgraded to the 3.0.23-series. I tried
a lot of things, and eventually I made it work again, but I'm not quite sure
how. One step was a restart of the Windows-server. (I know it sounds strange for
a *NIX-admin, but this is Windows...) 
> domain domA (windows 2000 mixed mode) trusting domB (samba 3.0.23a-1)
> and vice-versa.
I think you should upgrade to the latest version 3.0.23c. The first versions in
the 3.0.23-series are buggy, and it might involve the interdomain trust.

 
> ale:~# wbinfo --sequence
> RGM5 : DISCONNECTED
It looks like the problem I had.
> ale:~# wbinfo -u
> Error looking up domain users
This one as well.
> this is my smb.conf
[...]
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> winbind nested groups = Yes
I don't use these. I think you should avoid "winbind trusted domains
only" when
you don't use LDAP.

Good luck!

-- 
Thorkil Olesen,
Hanstholm, Denmark.