samba - Dec 2006 - Re: Need some guidance re: two domains sharing the same workstations

Hello Matt,

I've had similar misfortunes too with interdomain trusts.  I think 
you're working along the right lines since you seem to want to do the 
same thing as I.

However the NT_STATUS_UNSUCCESSFUL is an error I always get when trying 
to connect to the IPC$ share of the PDC of the trusting domain.  In my 
case the trusting PDC is a Windows 2003 Server.

I know it's not an issue of credentials but something else; but I don't 
know what.  Judging by the traffic on this list someone HAS got this to 
work.  Anyone care to comment.

Kind regards,
-a.

samba-request@lists.samba.org wrote:
> Subject:
> [Samba] Need some guidance re: two domains sharing the same workstations
> From:
> Matt Hyclak <hyclak@math.ohiou.edu>
> Date:
> Fri, 15 Dec 2006 09:08:52 -0500
> To:
> samba@lists.samba.org
> 
> To:
> samba@lists.samba.org
> 
> 
> I fought with this a few months back, and was never able to resolve it, so
> I'm back at it trying to get things to work before classes start again
in
> January. Here's a brief summary of the situation:
> 
> I am responsible for 2 departments, Math and Socialwork, which are located
> in the same building and share the same network. Each department has its
own
> samba server (RHEL4/CentOS4) and domain MATH and SOCIALWORK, respectively.
> 
> There is one lab which both departments share, so I would like for users in
> either domain to be able to log in to the workstation using the credentials
> for their own domain. The way to do this *seems* to be with an Interdomain
> Trust.
> 
> I have followed the how-to chapter (19. Interdomain Trusts), and configured
> the trust. I added a socialwork$ user to the Math LDAP server, and vice
> versa. Ran the 'net rpc trustdom establish OTHERDOMAIN' command,
and the
> relationship is established, however there seems to be a problem with the
> "Trusting domains" area. I get the following:
> 
> Trusting domains list:
> 
> [2006/12/15 09:01:02, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
>   Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL
>   
> 
> I have googled this error and have seen it come up only a couple times with
> no solutions. The relevant sections of smb.conf are as follows:
> 
>   ldap suffix = dc=math,dc=ohiou,dc=edu
>   ldap group suffix = ou=Group
>   ldap machine suffix = ou=Computers
>   ldap user suffix = ou=People
>   ldap idmap suffix = ou=Idmap
>   ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
>   ldap passwd sync = yes
>   ldap delete dn = no
>   passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
>   idmap backend = ldap:ldaps://bing.math.ohiou.edu
>   
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   winbind use default domain = no
>   winbind enum groups = yes
>   winbind enum users = yes
> 
> So, if someone could let me know if I'm moving in the right direction,
I'd
> really appreciate it, or if there's a better way to do this (putting
> everyone in the same LDAP tree? - I'd like to avoid that, but it's
a
> possibility).
>   
> Thanks in advance,
> Matt

On Sun, Dec 17, 2006 at 05:18:47PM +0000, Aidan Dixon enlightened
us:
> I've had similar misfortunes too with interdomain trusts.  I think 
> you're working along the right lines since you seem to want to do the 
> same thing as I.
> 
> However the NT_STATUS_UNSUCCESSFUL is an error I always get when trying 
> to connect to the IPC$ share of the PDC of the trusting domain.  In my 
> case the trusting PDC is a Windows 2003 Server.
> 
> I know it's not an issue of credentials but something else; but I
don't
> know what.  Judging by the traffic on this list someone HAS got this to 
> work.  Anyone care to comment.
> 
> Kind regards,
> -a.
>
In some more diagnosis, here's where I seem to be:

The Interdomain Trust relationship works. I can log into a SW computer with
a SW account, and browse to MATH servers and see files.

If the account name exists in one user database, I can log in with
credentials from the other Domain. Specifically, I've got an account
(hyclak) which exists in both the MATH and SOCIALWORK domains. I can log
into a SW computer with my MATH credentials no problem, but if I use an
account that isn't in both domains, I can only log into machines in the
associated domain.

This leads me to believe either:

1. I need to use a single LDAP tree for all the accounts - feasible, but I'd
   rather avoid

2. There is some problem with my configuration (winbind?) that is not
   allowing the accounts to be looked up enough to see if the credentials in
   the other domain is correct.

Can anyone help with 2, or should I just give it up and go with 1?

Thanks,
Matt

> samba-request@lists.samba.org wrote:
> 
> >Subject:
> >[Samba] Need some guidance re: two domains sharing the same
workstations
> >From:
> >Matt Hyclak <hyclak@math.ohiou.edu>
> >Date:
> >Fri, 15 Dec 2006 09:08:52 -0500
> >To:
> >samba@lists.samba.org
> >
> >To:
> >samba@lists.samba.org
> >
> >
> >I fought with this a few months back, and was never able to resolve it,
so
> >I'm back at it trying to get things to work before classes start
again in
> >January. Here's a brief summary of the situation:
> >
> >I am responsible for 2 departments, Math and Socialwork, which are
located
> >in the same building and share the same network. Each department has
its
> >own
> >samba server (RHEL4/CentOS4) and domain MATH and SOCIALWORK,
respectively.
> >
> >There is one lab which both departments share, so I would like for
users in
> >either domain to be able to log in to the workstation using the
credentials
> >for their own domain. The way to do this *seems* to be with an
Interdomain
> >Trust.
> >
> >I have followed the how-to chapter (19. Interdomain Trusts), and
configured
> >the trust. I added a socialwork$ user to the Math LDAP server, and vice
> >versa. Ran the 'net rpc trustdom establish OTHERDOMAIN'
command, and the
> >relationship is established, however there seems to be a problem with
the
> >"Trusting domains" area. I get the following:
> >
> >Trusting domains list:
> >
> >[2006/12/15 09:01:02, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
> >  Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL
> >  
> >
> >I have googled this error and have seen it come up only a couple times
with
> >no solutions. The relevant sections of smb.conf are as follows:
> >
> >  ldap suffix = dc=math,dc=ohiou,dc=edu
> >  ldap group suffix = ou=Group
> >  ldap machine suffix = ou=Computers
> >  ldap user suffix = ou=People
> >  ldap idmap suffix = ou=Idmap
> >  ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
> >  ldap passwd sync = yes
> >  ldap delete dn = no
> >  passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
> >  idmap backend = ldap:ldaps://bing.math.ohiou.edu
> >  
> >  idmap uid = 10000-20000
> >  idmap gid = 10000-20000
> >  winbind use default domain = no
> >  winbind enum groups = yes
> >  winbind enum users = yes
> >
> >So, if someone could let me know if I'm moving in the right
direction, I'd
> >really appreciate it, or if there's a better way to do this
(putting
> >everyone in the same LDAP tree? - I'd like to avoid that, but
it's a
> >possibility).
> >  
> >Thanks in advance,
> >Matt


-- 
Matt Hyclak
Department of Mathematics 
Department of Social Work
Ohio University
(740) 593-1263