Greetings,

We are currently experiencing logon problems with trusted domain user(s).

Example: We have DomainA and DomainB.
DomainA and DomainB both have workstations joined to their respective
domain.
DomainA and DomainB have trust relationships with each other: DomainA trusts DomainB
and vice versa.
DomainA is served by a Samba PDC, while DomainB has a PDC running
Windows NT 4.0 Server.

When users from DomainA log in to DomainA using a workstation joined
to DomainA and/or DomainB, they can log in without any problems.

The problem occurs when users from DomainB log in to a workstation joined
to DomainA. The logon script is not executed and the user profile is not
loaded.

This problem does not occur when users log in from DomainB workstations
(their logon script is executed and profiles are loaded properly).

- We've checked that a DomainB user can access the netlogon share from the
  workstation (DomainA). Running the script manually works.
- We've checked that a DomainB user can access the profile share from the
  workstation (DomainA).
- Tried different users and workstations, but still the same problem.
- We've tried updating Samba to 3.0.28, but still the same problem (we went back
  to 3.0.23c; please see the reason below).
- Tried searching the net for the same issue and tried some solutions, but they
  still did not work.
- Tried looking at the log files, but could not find obvious errors.

The Samba version we're using is 3.0.23c.
The server is running CentOS 5.1 x86_64.
The original Samba version (3.0.25b) which came with the distro had some
problems. Changing passwords from Windows does not seem to fix it.
Downgrading to 3.0.23c seems to work.

If posting the log files is needed, please tell us which log file to
look at/post.

Thank you very much for taking the time to read this post.

Regards,
Jay
Below is our smb.conf file
========================================
[global]
netbios name = aphrodite
workgroup = RLDP_DESIGN3A
server string = ""
security = user
passdb backend = ldapsam:ldap://ldapserver
enable privileges = yes
encrypt passwords = yes
allow trusted domains = yes
host msdfs = no
browse list = true
os level = 65
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
logon path = \\%L\profiles\%U
logon drive = G:
logon home = \\%L\home\%U
logon script = default.bat
log level = 3
log file = /var/log/samba/%m.log
max log size = 100
wins server = 192.168.3.2
dns proxy = no
name resolve order = wins host bcast
ldap suffix = dc=design3,dc=rldp,dc=com
ldap machine suffix = ou=computers
ldap user suffix = ou=People
ldap group suffix = ou=group
ldap idmap suffix = ou=idmap
ldap admin dn = cn=root,dc=design3,dc=rldp,dc=com
ldap passwd sync = only
idmap backend = ldap:ldap://ldapserver
idmap uid = 50000-65000
idmap gid = 50000-65000
template shell = /bin/bash
winbind use default domain = no
add user script = /opt/smbldap-tools/smbldap-useradd -m "%u"
delete user script = /opt/smbldap-tools/smbldap-userdel "%u"
add group script = /opt/smbldap-tools/smbldap-groupadd -p "%g"
delete group script = /opt/smbldap-tools/smbldap-groupdel "%g"
add user to group script = /opt/smbldap-tools/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/smbldap-tools/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/smbldap-tools/smbldap-usermod -g "%g" "%u"
add machine script = /opt/smbldap-tools/smbldap-useradd -w "%u"
printer admin = administrator
#============================ Share Definitions =============================
[netlogon]
path = /smbshare/netlogon
read only = yes
[profiles]
path = /smbshare/profile
read only = no
create mask = 0600
directory mask = 0700
[profiled]
path = /smbshare/profile_data
read only = no
create mask = 0600
directory mask = 0700
[home]
path = /smbshare/home
read only = no
create mask = 0600
directory mask = 0700
[teamd3]
path = /smbshare/workdir
read only = no
create mask = 0660
directory mask = 0770
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
[print$]
path = /smbshare/print_drivers
browseable = yes
guest ok = no
read only = yes
write list = administrator
Hi.

On Friday, 25 January 2008, Jay Santillan wrote:
> Greetings,
>
> We are currently experiencing logon problems with a trusted domain user(s).
>
> Example: We have DomainA and DomainB
> DomainA and DomainB both have workstations joined on their respective
> domain.
> DomainA and DomainB both have trust relationships. DomainA trusts DomainB
> and vice versa.
> DomainA is where being served by a Samba PDC, while DomainB has a PDC using
> Windows NT 4.0 Server
>

We have a similar problem. We are unable to establish a full bi-directional
trust between an NT domain and a Samba domain.

We can make the NT trust the Samba, but not the reverse; the Samba is not
able to establish the trust with the NT.

In version 3.0.24 this does not make much trouble, as the system seems to work
as if the trust is correctly established, but in 3.0.25 through 3.0.28 it does
not work, and makes the Samba browsing lag continuously.

When we run

  net rpc trustdom establish NTDOMAIN ntpassword

the system says that the trust could not be verified.

When we run

  net rpc trustdom list

the system says:

  trusted domains
  NTDOMAIN
  none
  trusting domains
  NTDOMAIN

From the NT the trust seems to be established, but the reality is that the NT
server is unable to browse the Samba shares without entering a true Samba user
and password.

Were you able to set the trust right?

Thanks
--
Regards.
Carlos Lorenzo Matés.
clmates AT mundo-r DOT com
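The asymmetry Carlos is chasing, a domain that shows up under one header of `net rpc trustdom list` but not the other, can be checked mechanically instead of by eye. The script below is an added example, not Samba code and not from anyone in this thread. It assumes only the layout the tool prints: a "Trusted domains list:" header, one "NAME  SID" line per domain (or "none"), then a "Trusting domains list:" header in the same layout. The two sample outputs, the domain name and the SIDs are constructed placeholders.

```python
"""Parse `net rpc trustdom list` output and report one-way trusts.

Added example (not Samba's code, not from the thread). Assumes only the
two-header layout the tool prints; sample data below is constructed.
"""
import re

# One entry line: domain name, whitespace, a domain SID (S-1-5-21-x-y-z).
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(S-1-5-21(?:-\d+){3})\s*$")

# Constructed sample: this DC trusts NTDOMAIN, but NTDOMAIN is absent from the
# "trusting" half, i.e. the reverse direction was never established.
SAMPLE_ONE_WAY = """\
Trusted domains list:

NTDOMAIN             S-1-5-21-1111111111-2222222222-3333333333
none
Trusting domains list:

none
"""

# Constructed sample with both directions present (placeholder SID).
SAMPLE_TWO_WAY = """\
Trusted domains list:

NTDOMAIN             S-1-5-21-1111111111-2222222222-3333333333
none
Trusting domains list:

NTDOMAIN             S-1-5-21-1111111111-2222222222-3333333333
"""


def parse_trustdom_list(text):
    """Return (trusted, trusting), each a {DOMAIN: sid} dict, from the tool output."""
    trusted, trusting, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("trusted domains list"):
            current = trusted
        elif line.lower().startswith("trusting domains list"):
            current = trusting
        elif not line or line == "none" or current is None:
            continue  # blank, the tool's "none" marker, or text before any header
        else:
            m = ENTRY_RE.match(line)
            if m is None:
                raise ValueError("unrecognised line: %r" % raw)
            current[m.group(1).upper()] = m.group(2)
    return trusted, trusting


def trust_report(text):
    """Classify every domain seen: 'two-way', 'outbound only' (we trust it,
    it does not trust us), 'inbound only', or 'sid mismatch' when the two
    halves disagree about the domain's identity."""
    trusted, trusting = parse_trustdom_list(text)
    report = {}
    for name in sorted(set(trusted) | set(trusting)):
        if name in trusted and name in trusting:
            report[name] = "two-way" if trusted[name] == trusting[name] else "sid mismatch"
        elif name in trusted:
            report[name] = "outbound only"
        else:
            report[name] = "inbound only"
    return report


if __name__ == "__main__":
    for label, sample in (("one-way", SAMPLE_ONE_WAY), ("two-way", SAMPLE_TWO_WAY)):
        print(label, trust_report(sample))
```

To use it against a live server, pipe the real output in (`net rpc trustdom list -U Administrator | python3 trustcheck.py` with a small `sys.stdin.read()` wrapper); anything other than "two-way" for a domain you expect a full trust with is the first thing to investigate before looking at logon scripts or profiles.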
Carlos Lorenzo Matés <clmates <at> mundo-r.com> writes:
> We are unable to establish a full bi-directional trust between an NT domain
> and a Samba domain
>
> we can make the NT to trust the Samba, but not in the reverse, the Samba is
> not able to establish the trust with the NT

Try to manually authenticate a user from the NT domain at the Samba server
using

  wbinfo -a

If that succeeds, then try to access a Samba share with that user.

It will not solve the problem, but it may point out where the problem is.

--
Thorkil Olesen.
Greetings!

To check the trust domains, I used the following:
-----------------------------------------------------------------------------------------
[root@aphrodite ~]# net rpc trustdom list -U Administrator
Password:
Trusted domains list:

RLDP_DESIGN3         S-1-5-21-1368937059-1125409327-331614939
RLDP_NT              S-1-5-21-835351122-509441910-1850952788
none
Trusting domains list:

RLDP_NT              S-1-5-21-835351122-509441910-1850952788
RLDP_DESIGN3         S-1-5-21-1368937059-1125409327-331614939
------------------------------------------------------------------------------

Then I also tried wbinfo -a, to see whether Samba could authenticate trusted
domain users properly.
----------------------------------------------------------------------------------
[root@aphrodite ~]# wbinfo -a rldp_nt\\jay%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded
----------------------------------------------------------------------------------

It seems to be running OK.

I tried setting the debug level to 10 and looked at the log files. I may have
found something. In the log file, the profile path, logon script and dir drive
seem to be blank. I suspect that these might be the problem. If so, any ideas
what might have caused it?

[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_logon_script(626)
  pdb_set_logon_script: setting logon script , was default.bat
[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_profile_path(649)
  pdb_set_profile_path: setting profile path , was \\aphrodite\profiles\RLDP_NT\jay
[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_homedir(696)
  pdb_set_homedir: setting home dir , was \\aphrodite\home\RLDP_NT\jay
[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(672)
  pdb_set_dir_drive: setting dir drive , was G:

Thanks.

Regards,
Jay
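The blanked fields Jay spotted by reading a level-10 log can be picked out mechanically, which matters when the log is megabytes rather than four lines. The script below is an added example (not Samba's code and not from anyone in the thread). It assumes only the two-line layout visible in Jay's excerpt: a "[date time, level] file:function(line)" header followed by an indented "pdb_set_<field>: setting <label> <new>, was <old>" message. The sample log is constructed from the four lines Jay quoted plus one healthy update, added to show that a non-empty rewrite is not flagged.

```python
"""Flag passdb fields that a Samba level-10 log shows being overwritten with blanks.

Added example (not Samba's code, not from the thread). Assumes only the
header + indented-message layout seen in the quoted log; sample is constructed.
"""
import re

HEADER_RE = re.compile(r"^\[(\S+ \S+),\s*(\d+)\]\s+(\S+)$")
SETTER_RE = re.compile(r"^\s*(pdb_set_\w+): setting (?P<rest>.*?), was (?P<old>.*)$")

# Label each setter prints before the new value, taken from the quoted log lines.
LABELS = {
    "pdb_set_logon_script": "logon script",
    "pdb_set_profile_path": "profile path",
    "pdb_set_homedir": "home dir",
    "pdb_set_dir_drive": "dir drive",
}

# Constructed sample: Jay's four lines, then one healthy (non-empty) update.
SAMPLE_LOG = r"""
[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_logon_script(626)
  pdb_set_logon_script: setting logon script , was default.bat
[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_profile_path(649)
  pdb_set_profile_path: setting profile path , was \\aphrodite\profiles\RLDP_NT\jay
[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_homedir(696)
  pdb_set_homedir: setting home dir , was \\aphrodite\home\RLDP_NT\jay
[2008/01/25 21:58:44, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(672)
  pdb_set_dir_drive: setting dir drive , was G:
[2008/01/25 21:58:45, 10] passdb/pdb_get_set.c:pdb_set_logon_script(626)
  pdb_set_logon_script: setting logon script \\aphrodite\netlogon\default.bat, was default.bat
"""


def parse_setter_events(log_text):
    """Return a list of (timestamp, setter, new_value, old_value) tuples."""
    events, timestamp = [], None
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            timestamp = h.group(1)   # remember the header for the message that follows
            continue
        m = SETTER_RE.match(line)
        if not m:
            continue
        setter, rest, old = m.group(1), m.group("rest"), m.group("old")
        label = LABELS.get(setter)
        if label is None or not rest.startswith(label):
            continue  # unknown setter layout: skip rather than guess at the value
        new = rest[len(label):].strip()
        events.append((timestamp, setter, new, old.strip()))
    return events


def cleared_fields(log_text):
    """Return {setter: old_value} for every field that went from a value to empty.

    A logon script, profile path, home dir or drive letter being blanked in
    passdb is exactly what 'no script, no profile' at logon time looks like."""
    return {setter: old
            for _, setter, new, old in parse_setter_events(log_text)
            if old and not new}


if __name__ == "__main__":
    for setter, old in cleared_fields(SAMPLE_LOG).items():
        print("%-22s cleared (was %s)" % (setter, old))
```

Run it over the machine log named by `log file = /var/log/samba/%m.log` while a trusted-domain user logs on; a non-empty result tells you which fields to chase, and the timestamp in each event lets you line the clearing up with the surrounding RPC calls in the same log.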
Hi.

On Friday, 25 January 2008, Thorkil Olesen wrote:
> Carlos Lorenzo Matés <clmates <at> mundo-r.com> writes:
> > We are unable to establish a full bi-directional trust between an NT
> > domain and a Samba domain
> >
> > we can make the NT to trust the Samba, but not in the reverse, the Samba
> > is not able to establish the trust with the NT
>
> Try to manually authenticate a user from the NT domain at the Samba server
> using wbinfo -a
>
> If that succeeds, then try to access a Samba share with that user.
>
> It will not solve the problem, but it may point out where the problem is.

I have logged in to the Samba server as root and tried this:

myserver:~ # wbinfo -a clorenzo%myrealpassword
plaintext password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user clorenzo%myrealpassword with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user clorenzo with challenge/response

And if I try while logged in as my user, it says:

clorenzo@myserver:~> wbinfo -a clorenzo%myrealpassword
plaintext password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user clorenzo%myrealpassword with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.
Could not authenticate user clorenzo with challenge/response

wbinfo -u and wbinfo -g get the list of users and groups from the NT domain
right.

Thanks
--
Regards.
Carlos Lorenzo Matés.
clmates AT mundo-r DOT com
Carlos Lorenzo Matés <clmates <at> mundo-r.com> writes:
> I have logged in the samba server as root and tried this
>
> myserver:~ # wbinfo -a clorenzo%myrealpassword
> plaintext password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user clorenzo%myrealpassword with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user clorenzo with challenge/response

Maybe you should try:

  wbinfo -a NTDOMAIN\\clorenzo%myrealpassword

> wbinfo -u and wbinfo -g gets right the list of users and groups from the NT
> domain

That is a good sign!

wbinfo is a great tool to examine how winbind sees the world. I spent some
time on an interdomain trust to a W2k3 server, but I think my problem was
different from yours. Have you set up nsswitch.conf? Can you see a user with
getent?

--
Thorkil Olesen, Denmark
Hi.

On Tuesday, 29 January 2008, Thorkil Olesen wrote:
> Carlos Lorenzo Matés <clmates <at> mundo-r.com> writes:
> > I have logged in the samba server as root and tried this
> >
> > myserver:~ # wbinfo -a clorenzo%myrealpassword
> > plaintext password authentication failed
> > error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> > error messsage was: Invalid handle
> > Could not authenticate user clorenzo%myrealpassword with plaintext
> > password challenge/response password authentication failed
> > error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> > error messsage was: Invalid handle
> > Could not authenticate user clorenzo with challenge/response
>
> Maybe you should try:
>
> wbinfo -a NTDOMAIN\\clorenzo%myrealpassword

This was my first try, and it says exactly the same.

> > wbinfo -u and wbinfo -g gets right the list of users and groups from the
> > NT domain
>
> That is a good sign!
>
> wbinfo is a great tool to examine how winbind sees the world. I spent some
> time on an interdomain trust to a W2k3-server, but I think my problem was
> different from yours. Have you set up nsswitch.conf? Can you see a user
> with getent?

We have the very same users, groups and passwords in the NT domain and in the
Samba domain; our Samba domain uses LDAP for storage.

Here is our nsswitch.conf:

# This works:
#passwd: ldap compat
#group: ldap compat

# As does this:
passwd: files ldap
group: files ldap

hosts: files dns wins
networks: files dns

services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files

bootparams: files
automount: files nis ldap
aliases: files ldap

passwd_compat: ldap winbind
group_compat: ldap winbind
shadow: compat

#passwd_compat: ldap
#group_compat: ldap
#shadow: compat

getent returns the LDAP users, groups and passwords. Should getent also return
the NT domain users when they are the same?

Thanks
--
Regards.
Carlos Lorenzo Matés.
clmates AT mundo-r DOT com
Hello Mr. Carlos,

> getent returns the ldap users, groups and passwords, should getent also return
> the NT domain users when they are the same?

I think this will depend on your smb.conf. If you set 'winbind enum users' and
'winbind enum groups' to yes, getent should also display the users. By default,
these are set to 'no'.

Regards,
Jay