samba - Feb 2008 - domain member WIN2003 AD - Trusted Domain

Hi folks,

we have a problem with a win2003 DC and Samba. The authentification of users
from the dc works fine, but when we added users from a forest trust in a active
directory localgroup, samba don't find the users...

I post this problem here:
https://bugzilla.samba.org/show_bug.cgi?id=5245

Maybe you can help.

Cheers

Paul
-- 
Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! 
Ideal f?r Modem und ISDN: http://www.gmx.net/de/go/smartsurfer

hans paul wrote:
> Hi folks,
>
> we have a problem with a win2003 DC and Samba. The authentification of
users from the dc works fine, but when we added users from a forest trust in a
active directory localgroup, samba don't find the users...
>   
IMHO, for this to work you should define "idmap domains = DOMAINA 
DOMAINB" and configure the idmap backend appropriately for both domains 
using idmap config DOMAIN:backend/range/default etc...

For more details see "man idmap_tdb, man idmap_ldap and man
idmap_rid".

--Sadique
> I post this problem here:
> https://bugzilla.samba.org/show_bug.cgi?id=5245
>
> Maybe you can help.
>
> Cheers
>
> Paul
>

> IMHO, for this to work you should define "idmap domains = DOMAINA
> DOMAINB" and configure the idmap backend appropriately for both
domains
> using idmap config DOMAIN:backend/range/default etc...
>
> For more details see "man idmap_tdb, man idmap_ldap and man
idmap_rid".
>
> --Sadique
Hi Sadique,

thanks for your response. I test it but I don't get it right...
I only can connect from DOMAINA, not from DOMAINB. The DOMAINB is trusting from
DOMAINA.

Adapt my config:
--------------------------
[global]
# domain settings
workgroup = DOMAINA
realm = DOMAINA.DOM.NET
security = ads
client use spnego = Yes
password server = passwordserver.DOMAINA.DOM.NET
server string = %h server
dns proxy = no
encrypt passwords = true
invalid users = root
socket options = TCP_NODELAY

# idmap - Posix Nummernbereich fuer die Abbildung
idmap uid = 100000-150000
idmap gid = 100000-150000

idmap domains = DOMAINA DOMAINB
idmap config DOMAINA:default = yes
idmap config DOMAINA:backend = tdb
idmap config DOMAINA:range = 100000-150000

idmap config DOMAINB:default = no
idmap config DOMAINB:backend = tdb
idmap config DOMAINB:range = 100000-150000

idmap alloc backend = tdb
idmap alloc config:range = 100000-150000

# winbind settings
winbind separator = /
winbind use default domain = Yes
# Zeitintervall fuer die Zwischenspeicherung von Informationen
winbind cache time = 30
# Auflistung der Benutzer erlauben (z.B: getent passwd)
winbind enum users = No
# Auflistung der Gruppen erlauben (z.B: getent group)
winbind enum groups = No
# Gruppen in Gruppen unterstuetzen
winbind nested groups = Yes
# Kerberos Ticket automatisch verlaengern
winbind refresh tickets = Yes
# kein offline Betrieb
winbind offline logon = No

allow trusted domains = yes

#printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

log level = 10

# shares
include = /etc/samba/shares.conf
--------------------------

Paul
-- 
Psssst! Schon vom neuen GMX MultiMessenger geh?rt?
Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger

Hi,
we configured a Samba server for filesharing. Samba use kerberos and winbind to
authenticate the user on DomainA.

In DomainA we create a localgroup where we add users from the same domain. But
also we add users from the DomainB who is trusted.

Our problem is that users from DomainB can't get access to the sharing
folders.
The user get an logon popup from windows. If you type in your correct data the
window comes again and again...

Best regards

Paul

Samba 3.0.24
Suse SLE-10-i386

current stat:
Samba Server for Filesharing use ADS for user authentification
DomainA 
DomainB Trusted from DomainA 

Samba <> DomainA <> DomainB


 smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-07-05
[global]
# domain settings
workgroup = DOMAINA
realm = DOMAINA.DOM.NET
security = ads
client use spnego = Yes
password server = passwordserver.DOMAINA.DOM.NET
server string = %h server
dns proxy = no
encrypt passwords = true
invalid users = root
socket options = TCP_NODELAY

idmap uid = 100000-150000
idmap gid = 100000-150000

winbind separator = /
winbind use default domain = Yes
winbind cache time = 30
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
winbind refresh tickets = Yes
winbind offline logon = No

# log.winbindd
[2008/02/05 11:13:12, 6] param/loadparm.c:lp_file_list_changed(3048)
  lp_file_list_changed()
  file /etc/samba/shares.conf -> /etc/samba/shares.conf  last mod_time: Mon
Feb
 4 21:53:19 2008
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Tue Feb  5
11:12:17 2008
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [DOMAINB]\[USER123] from workstation
[COMPUTER123]
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for USER123 (USER123)
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(85)
  making strings for USER123's user_info struct
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(117)
  making blobs for USER123's user_info struct
[2008/02/05 11:13:12, 10] auth/auth_util.c:make_user_info(135)
  made an encrypted user_info for USER123 (USER123)
[2008/02/05 11:13:12, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user
[DOMAINB]\[USER123]@[COMPUTER123] with the new password interface
[2008/02/05 11:13:12, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [DOMAINA]\[USER123]@[COMPUTER123]
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback
(NTLM2)
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2008/02/05 11:13:12, 5] lib/util.c:dump_data(2225)
  [000] FA 5A F2 B5 11 F3 A4 A7                           .Z......
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2008/02/05 11:13:12, 8] lib/util.c:is_myname(2043)
  is_myname("DOMAINA") returns 0
[2008/02/05 11:13:12, 6] auth/auth_sam.c:check_samstrict_security(414)
  check_samstrict_security: DOMAINA is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/02/05 11:13:12, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/02/05 11:13:12, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/02/05 11:13:12, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/02/05 11:13:12, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [USER123] FAILED with
error NT_STATUS_NO_SUCH_USER
[2008/02/05 11:13:12, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [USER123] -> [USER123] FAILED
with error NT_STATUS_NO_SUCH_USER
-- 
GMX startet ShortView.de. Hier findest Du Leute mit Deinen Interessen!
Jetzt dabei sein: http://www.shortview.de/?mc=sv_ext_mf@gmx

Hi folks,

we have a problem with a win2003 DC and Samba. The authentification of users
from the dc works fine, but when we added users from a forest trust in a active
directory localgroup, samba don't find the users...

I post this problem here:
https://bugzilla.samba.org/show_bug.cgi?id=5245

Maybe you can help.

Cheers

Paul
-- 
Ist Ihr Browser Vista-kompatibel? Jetzt die neuesten 
Browser-Versionen downloaden: http://www.gmx.net/de/go/browser