Jason Haar
2006-Dec-05 07:11 UTC
[Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD domains
Hi there We have a bunch of Samba 3.0.10+ CentOS4.4 servers that are working 100% fine when connected to from users who are members of the same ADS domain our Samba servers are members of. However, users from other ADS domains (we are all W2K3-based) on our network cannot connect - they get NT_STATUS_ACCESS_DENIED. The shares they are trying to connect to have no share-level permission checks - we want any valid account to be able to connect. auth methods = "sam, winbind", winbind is used and "wbinfo -m" shows the domains we trust. And yet people in those domains cannot login. ntlm_auth - which uses winbind - is able to authenticate such accounts - but it looks like Samba "doesn't care" what winbind thinks - it must be blocking for another reason. The logs show Samba starts as expected by looking up "otherDom\username", but it always falls back to doing Get_Pwnam_internals calls to winbind on the username by itself, and obviously receives a "no such user" error from winbind. winbind settings in smb.conf are: auth methods = winbind winbind separator = \ winbind cache time = 3600 winbind enum users = Yes winbind enum groups = No winbind use default domain = No winbind trusted domains only = No winbind nested groups = Yes winbind nss info = template winbind refresh tickets = No winbind offline logon = No We have tried this with both "security = domain" and "security = ADS" - no difference. "finger myDomain\\username" works, but "finger otherDomain\\username" immediately fails, with log.wb-otherDomain reporting error getting user info for sid S-1-5-21-1644491937-1078081533-682003330-6760 ...and yet "wbinfo --sid-to-name" maps that back to the correct username, and "wbinfo --name-to-sid" maps the username to the same SID. As mentioned earlier, ntlm_auth with such an account and correct password returns OK. Any ideas? It smells so close to working... -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
mark.cuthbert@yorkshirewater.co.uk
2006-Dec-05 15:44 UTC
[Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD domains
I had something similar, I had to include all relevant kdcs in the realms section of krb5.conf to Authenticate from trusted domains to the domain the member server is in eg [libdefaults] default_realm = CORP.YW.xxxxxx default_etypes = des-cbc-crc default_etypes_des = des-cbc-crc [realms] CORP.YW.xxxxxx = { kdc=corpad1.corp.yw.xxxx } YW.xxxx = { kdc=ywad1.yw.xxxxxx } [domain_realms] .kerberos.server = CORP.YW.KELDA HTH Mark |---------+----------------------------------------------------------------> | | Jason Haar <Jason.Haar@trimble.co.nz> | | | Sent by: | | | samba-bounces+mark.cuthbert=yorkshirewater.co.uk@list| | | s.samba.org | | | | | | | | | 05/12/2006 07:04 | | | | | | Message Size: 7.4Kb | |---------+----------------------------------------------------------------> >----------------------------------------------------------------------------------------------| | | | To: samba@lists.samba.org | | cc: (bcc: Mark Cuthbert/Technology/YWS/Yorkshire Water) | | Subject: [Samba] Cannot connect to Samba-3.0.23d (and earlier) from other trusted AD | | domains | >----------------------------------------------------------------------------------------------| Hi there We have a bunch of Samba 3.0.10+ CentOS4.4 servers that are working 100% fine when connected to from users who are members of the same ADS domain our Samba servers are members of. However, users from other ADS domains (we are all W2K3-based) on our network cannot connect - they get NT_STATUS_ACCESS_DENIED. The shares they are trying to connect to have no share-level permission checks - we want any valid account to be able to connect. auth methods = "sam, winbind", winbind is used and "wbinfo -m" shows the domains we trust. And yet people in those domains cannot login. ntlm_auth - which uses winbind - is able to authenticate such accounts - but it looks like Samba "doesn't care" what winbind thinks - it must be blocking for another reason. The logs show Samba starts as expected by looking up "otherDom\username", but it always falls back to doing Get_Pwnam_internals calls to winbind on the username by itself, and obviously receives a "no such user" error from winbind. winbind settings in smb.conf are: auth methods = winbind winbind separator = \ winbind cache time = 3600 winbind enum users = Yes winbind enum groups = No winbind use default domain = No winbind trusted domains only = No winbind nested groups = Yes winbind nss info = template winbind refresh tickets = No winbind offline logon = No We have tried this with both "security = domain" and "security = ADS" - no difference. "finger myDomain\\username" works, but "finger otherDomain\\username" immediately fails, with log.wb-otherDomain reporting error getting user info for sid S-1-5-21-1644491937-1078081533-682003330-6760 .....and yet "wbinfo --sid-to-name" maps that back to the correct username, and "wbinfo --name-to-sid" maps the username to the same SID. As mentioned earlier, ntlm_auth with such an account and correct password returns OK. Any ideas? It smells so close to working... -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba ----------------------------------------- Is your home protected from frost this winter? Visit http://www.yorkshirewater.com/frost for advice on how you can avoid frost damage to water pipes. YORKSHIRE WATER - WINNER OF THE UTILITY OF THE YEAR AWARD 2004 AND 2005 The information in this e-mail is confidential and may also be legally privileged. The contents are intended for recipient only and are subject to the legal notice available at http://www.keldagroup.com/email.htm Yorkshire Water Services Limited Registered Office Western House Halifax Road Bradford BD6 2SZ Registered in England and Wales No 2366682
Possibly Parallel Threads
- Can Asterisk "proxy" a SIP phone to make it look like a Cisco skinny softphone?
- Win2K3 DNS losing Samba DNS entries?
- How do you properly use "--partial"?
- "text file busy" on cifs-mounted dir *doesn't* cause rsync error!
- Vista SP1-rc1 appears to break against Samba-3.0.27a