Well, I'm attempting to migrate my old NT4-based domain to Samba3. I've got Samba set up with an LDAP backend, I've extended my NDS schema, and I've got users in this new domain set up successfully and authenticating. I've decided that the best, most seamless way to migrate my domain is to create a new domain which will run alongside the old domain. A two-way trust relationship between the two domains should allow me to share folders on servers located on either domain with users on either domain. This way, I'll be able to migrate users, groups, and computers at my leisure from one domain to another.

So, I've also successfully configured the trust relationship (I think). I go to a Windows machine that is a member of my original domain (DOMA) and I can log in with a user on either DOMA or my new domain (DOMB). I can also modify file shares on these computers and give users on either domain access to my files, etc.

I have a multi-subnet environment, so my Windows NT4 machines are running WINS to make sure that all computers in the domain can find a logon server. I've configured my new Samba servers to point to these WINS servers for now to reduce the number of things that I have to deal with migrating at one time.

The issue that I'm running into is this: my Samba servers on DOMA (my primary file servers for the entire company) don't want to authenticate users on DOMB. Users from DOMA can successfully authenticate, but users from DOMB get the following message from smbclient:

    session setup failed: NT_STATUS_NO_LOGON_SERVERS

If I look at the log file on the Samba server, I see the following message:

    [2006/10/17 11:50:05, 0] auth/auth_domain.c:domain_client_validate(242)
      domain_client_validate: unable to validate password for user USER in
      domain DOMB to Domain controller DOMA-PDC. Error was
      NT_STATUS_UNSUCCESSFUL.

It seems that Samba is connecting to the domain controller for which it is a member (DOMA) and trying to authenticate the user from DOMB. Obviously this fails, and it seems that Samba doesn't know how to go find a different domain controller for the correct domain and authenticate.

Some additional info - the Samba server having this issue is running Samba 3.0.22 on SuSE 10.1 Pro. The usernames on DOMA and DOMB are exactly the same, and the Samba server is getting username info from the same LDAP directory that services the DOMB PDC and that Samba on that PDC points to for its user information. Here's the smb.conf file from one of the Samba servers experiencing this problem:

    [global]
        workgroup = DOMA
        security = domain
        wins server = 10.0.0.1 10.0.0.2 10.0.0.3
        allow trusted domains = yes
        password server = *
        # auth methods = trustdomain
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "Domain Users"
        template shell = "/bin/bash"
        log level = 3

    [tmp]
        path = /tmp
        comment = Temp Directory

I can provide more detailed log files, if necessary.

Thanks,
Nick

Nick Couchman - Lists
2006-Oct-18 15:05 UTC
[Samba] Re: NT4 to Samba Migration and Trusted Domains
Well, I've managed to trace down my issue to some degree or another. I was continuing to play with my Samba servers to figure out what was going on, and I noticed that one of my older Samba3 servers worked okay. I checked the version and it is running Samba 3.0.14. My other server that's causing problems, as well as the test machine that I'm using, are running version 3.0.22. I started downloading and compiling the Samba versions in between 3.0.14 and 3.0.22 and managed to track it down to something that changed in between version 3.0.20b and 3.0.21. The RC and PRE versions of 3.0.21 aren't available anymore, so I can't get much more precise than that.

I also don't know exactly which change would have caused this. I'm in the process of looking at the WHATSNEW.txt file and doing a diff between the two source trees to see if I can figure out what change might be causing this. I'm not a very good programmer, so my odds of actually finding and correcting the problem are probably fairly limited.

If anyone has any insight into what might have changed or what can be done about it, that would be great. I'll also look into filing a bug report, unless someone can tell me that this behavior is intentional.

Thanks,
Nick Couchman

On Tue, 2006-10-17 at 12:43 -0600, Nick Couchman wrote:
> Well, I'm attempting to migrate my old NT4-based domain to Samba3. I've
> got Samba set up with an LDAP backend, I've extended my NDS schema, and
> I've got users in this new domain set up successfully and authenticating.
> I've decided that the best, most seamless way to migrate my domain is to
> create a new domain which will run alongside the old domain. A
> two-way trust relationship between the two domains should allow me to share
> folders on servers located on either domain with users on either domain.
> This way, I'll be able to migrate users, groups, and computers at my
> leisure from one domain to another.
>
> So, I've also successfully configured the trust relationship (I think). I
> go to a Windows machine that is a member of my original domain (DOMA) and
> I can log in with a user on either DOMA or my new domain (DOMB). I can
> also modify file shares on these computers and give users on either domain
> access to my files, etc.
>
> I have a multi-subnet environment, so my Windows NT4 machines are running
> WINS to make sure that all computers in the domain can find a logon
> server. I've configured my new Samba servers to point to these WINS
> servers for now to reduce the number of things that I have to deal with
> migrating at one time.
>
> The issue that I'm running into is this: my Samba servers on DOMA (my
> primary file servers for the entire company) don't want to authenticate
> users on DOMB. Users from DOMA can successfully authenticate, but users
> from DOMB get the following message from smbclient:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>
> If I look at the log file on the Samba server, I see the following
> message:
>
> [2006/10/17 11:50:05, 0] auth/auth_domain.c:domain_client_validate(242)
> domain_client_validate: unable to validate password for user USER in
> domain DOMB to Domain controller DOMA-PDC. Error was
> NT_STATUS_UNSUCCESSFUL.
>
>
> It seems that Samba is connecting to the domain controller for which it is
> a member (DOMA) and trying to authenticate the user from DOMB. Obviously
> this fails, and it seems that Samba doesn't know how to go find a
> different domain controller for the correct domain and authenticate.
>
> Some additional info - the Samba server having this issue is running Samba
> 3.0.22 on SuSE 10.1 Pro. The usernames on DOMA and DOMB are exactly the
> same, and the Samba server is getting username info from the same LDAP
> directory that services the DOMB PDC and that Samba on that PDC points to
> for its user information. Here's the smb.conf file from one of the Samba
> servers experiencing this problem:
>
> [global]
> workgroup = DOMA
> security = domain
> wins server = 10.0.0.1 10.0.0.2 10.0.0.3
> allow trusted domains = yes
> password server = *
> # auth methods = trustdomain
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template primary group = "Domain Users"
> template shell = "/bin/bash"
> log level = 3
>
> [tmp]
> path = /tmp
> comment = Temp Directory
>
> I can provide more detailed log files, if necessary.
>
> Thanks,
> Nick
>
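
An added triage example, not part of the original posts and not Samba code: a Python script that parses level-0 `domain_client_validate` entries like the one quoted in the thread and lists the failures for users whose domain is not the one the member server is joined to, grouped by the domain controller that was contacted. The sample log is constructed (its first entry is the message from the post; USER2 and USER3 are made up), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: entry 1 is the message quoted in the post, entries 2-3 are made up.
SAMPLE_LOG = """\
[2006/10/17 11:50:05, 0] auth/auth_domain.c:domain_client_validate(242)
  domain_client_validate: unable to validate password for user USER in
  domain DOMB to Domain controller DOMA-PDC. Error was
  NT_STATUS_UNSUCCESSFUL.
[2006/10/17 11:52:41, 0] auth/auth_domain.c:domain_client_validate(242)
  domain_client_validate: unable to validate password for user USER2 in domain DOMB to Domain controller DOMA-PDC. Error was NT_STATUS_UNSUCCESSFUL.
[2006/10/17 11:55:10, 0] auth/auth_domain.c:domain_client_validate(242)
  domain_client_validate: unable to validate password for user USER3 in domain DOMA to Domain controller DOMA-PDC. Error was NT_STATUS_WRONG_PASSWORD.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] (\S+)$")
FAILURE = re.compile(r"unable to validate password for user (\S+) in domain (\S+) "
                     r"to Domain controller (\S+)\. Error was (\w+)")

def parse_entries(text):
    """Yield (timestamp, source, message); wrapped continuation lines are joined."""
    stamp, source, body = None, None, []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if stamp:
                yield stamp, source, " ".join(body)
            stamp, source, body = m.group(1), m.group(2), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp, source, " ".join(body)

def trusted_domain_failures(text, member_domain):
    """Failures where the user's domain is not the one this server is joined to."""
    hits = []
    for stamp, _source, msg in parse_entries(text):
        m = FAILURE.search(msg)
        if m and m.group(2).upper() != member_domain.upper():
            user, domain, dc, status = m.groups()
            hits.append({"time": stamp, "user": user, "domain": domain, "dc": dc, "status": status})
    return hits

def summarize(hits):
    """Count failures per (user domain, DC contacted, status)."""
    return Counter((h["domain"], h["dc"], h["status"]) for h in hits)

if __name__ == "__main__":
    print(summarize(trusted_domain_failures(SAMPLE_LOG, "DOMA")))
```

Pass the `workgroup` value from the member server's smb.conf as `member_domain`; running the same log through a working and a failing Samba build makes the two versions' behaviour easy to compare.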