Sandra.Geigenmueller@kion-ims.com
2007-Oct-09 12:09 UTC
[Samba] Winbind authentication over transitive trusts between multiple W2k3 Domains
Hello, we use Samba 3.0.22 with MIT Kerberos and winbind on Ubuntu edgy in a Windows 2003 ADS environment. Everything works fine, like kinit, net ads join, getting the domain accounts from our own and other domains, but one important thing fails: obviously winbind cannot resolve name to SID when the account is in another domain to which there is only a transitive trust, not a direct one.

Let's say there are 3 AD domains in one tree: NIRVANA.ROM as top, CA.NIRVANA.ROM and PO.NIRVANA.ROM as 2 child domains. Our Samba server IDEFIX is in domain PO.

Our configuration ...

krb5.conf:

[libdefaults]
        default_realm = PO.NIRVANA.ROM
        ticket_lifetime = 36000
        dns_lookup_realm = false
        dns_lookup_kdc = false
        clockskew = 300

[realms]
        CA.NIRVANA.ROM = {
                kdc = castor.ca.nirvana.rom
                admin_server = castor.ca.nirvana.rom
                default_domain = CA
        }
        PO.NIRVANA.ROM = {
                kdc = pollux.po.nirvana.rom
                admin_server = pollux.po.nirvana.rom
                default_domain = PO
        }
        NIRVANA.ROM = {
                kdc = thor.nirvana.rom
                admin_server = thor.nirvana.rom
                default_domain = NIRVANA
        }

[domain_realm]
        .ca.nirvana.rom = CA.NIRVANA.ROM
        ca.nirvana.rom = CA.NIRVANA.ROM
        .po.nirvana.rom = PO.NIRVANA.ROM
        po.nirvana.rom = PO.NIRVANA.ROM
        .nirvana.rom = NIRVANA.ROM
        nirvana.rom = NIRVANA.ROM

smb.conf:

[global]
        workgroup = PO
        security = ADS
        realm = PO.NIRVANA.ROM
        netbios name = IDEFIX
        password server = *
        idmap uid = 10000-200000
        idmap gid = 10000-200000
        template shell = /bin/false
        allow trusted domains = Yes
        winbind trusted domains only = No
        winbind use default domain = No
        winbind nested groups = Yes
        winbind separator = +
        winbind cache time = 3600
        winbind enum users = Yes
        winbind enum groups = Yes
        client use spnego = yes
...

wbinfo -t says ok
wbinfo --sequence gets sequence numbers for all 3 domains
wbinfo -u gets all accounts from all 3 domains with the correct prefix
getent passwd looks like wbinfo -u

But users from the other child domain cannot be authenticated. We traced it down to the name-to-sid function.
wbinfo -n PO+administrator
> S-1-5-21-1669369028-1636446635-1573960127-500 User (1)
wbinfo -n NIRVANA+administrator
> S-1-5-21-1755308885-1021831964-821464085-500 User (1)
wbinfo -n CA+administrator
> Could not lookup name CA+administrator

winbindd with debug level 7 shows this:
...
        00001c smb_io_dom_rid2
            001c type        : 08
            0020 rid         : 00000000
            0024 rid_idx     : ffffffff
        0028 mapped_count: 00000000
        002c status      : NT_STATUS_NONE_MAPPED
lookup_name returned an error
lookupname returned an error

While the other queries show an NT_STATUS_OK and mapped_count 1 and so on.

The only way we could make it work was to build a shortcut trust between the 2 child domains CA and PO, but since we have more than 3 domains in our productive environment, it wouldn't be quite a nice solution.

Has anybody seen this behavior too? Is that really a bug or missing feature in the current Samba version? Or do we have any misconfiguration (I hope)? Any help would be much appreciated. Thanks in advance.

With kind regards

Sandra Geigenmüller

KION Information Management Services GmbH, registered office: Wiesbaden, register court: Wiesbaden HRB 22949, VAT ID DE 252065348, managing directors: Helmut Draxler, Holger Pudzich
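As an added example (not code from the original post or from the Samba project), the following Python script automates the check described above: it lists the domains winbind knows about with `wbinfo -m`, attempts a name-to-SID lookup in each one, and reports the domains where resolution fails, which is how the missing transitive-trust lookups show up. It assumes `wbinfo` is on the PATH and the `+` separator from the smb.conf above; the account name and the lookup callable are parameters so the logic can also run against captured output without a live winbindd.

```python
"""Audit winbind name-to-SID resolution for every domain listed by 'wbinfo -m'."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Successful "wbinfo -n DOMAIN<sep>name" output looks like
# "S-1-5-21-1669369028-1636446635-1573960127-500 User (1)".
# A failed lookup prints "Could not lookup name ..." instead, which does not match.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+-\d+)\s+(\w+)\s+\((\d+)\)\s*$")


def parse_wbinfo_n(output: str) -> Optional[Tuple[str, str]]:
    """Return (sid, account_type) from wbinfo -n output, or None when the lookup failed."""
    match = SID_RE.match(output.strip())
    return (match.group(1), match.group(2)) if match else None


def run_wbinfo(*args: str) -> str:
    """Invoke the real wbinfo binary; combine stdout and stderr so failures are visible."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def audit_trusted_domains(account: str = "administrator", sep: str = "+",
                          wbinfo: Callable[..., str] = run_wbinfo,
                          skip: Tuple[str, ...] = ("BUILTIN",)) -> Dict[str, Optional[str]]:
    """Map every domain from 'wbinfo -m' to the SID its <account> resolves to, or None.

    'skip' holds pseudo-domains (assumed default: BUILTIN) that have no such account.
    """
    domains = [d.strip() for d in wbinfo("-m").splitlines() if d.strip()]
    results: Dict[str, Optional[str]] = {}
    for dom in domains:
        if dom in skip:
            continue
        parsed = parse_wbinfo_n(wbinfo("-n", f"{dom}{sep}{account}"))
        results[dom] = parsed[0] if parsed else None
    return results


def unresolved(results: Dict[str, Optional[str]]) -> List[str]:
    """Domains whose lookup failed; with a transitive-only trust these are the suspects."""
    return sorted(dom for dom, sid in results.items() if sid is None)


if __name__ == "__main__":
    res = audit_trusted_domains()
    for dom, sid in res.items():
        print(f"{dom:<20} {sid or 'LOOKUP FAILED (check trust path to this domain)'}")
    raise SystemExit(1 if unresolved(res) else 0)
```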