Linsey Smeltzer
2008-Aug-21 01:26 UTC
[Samba] InterDomain Trust Issue; Active directory domain does not return users and groups
I have created a two-way Interdomain Trust between a Samba 3.21 Domain and a Windows 2003 Server Domain. I am able to log into the Active Directory domain with my Samba users and I am able to access shares set up in the AD Domain. However, when I attempt to log into the Samba domain with a user from the Windows 2003 domain, I get an error saying the username/password is not correct.

From the Samba server, I run the command:

Trusted domains list:

POWERTECH            S-1-5-21-1030712963-4274246568-774726483

none

Trusting domains list:

POWERTECH            S-1-5-21-1030712963-4274246568-774726483

I can also validate both Trusts from the Server 2003 domain.

On the Samba server, I have been able to successfully authenticate Active Directory users using the command:

wbinfo -a 'ADDomain\username'%password

However, when I run wbinfo -u or wbinfo -g, I only get the list of users and groups from the Samba domain. I do not see any of the users or groups from the Active Directory Domain.

In the winbindd log after running the command wbinfo -u, I see the following:

[2008/08/20 17:33:37, 10] rpc_client/cli_pipe.c:rpc_api_pipe(893)
  rpc_api_pipe: Remote machine FILESRV pipe \lsarpc fnum 0x4001 returned 408 bytes.
     lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
        out: struct lsa_QueryInfoPolicy2
            info                     : *
                info                     : *
                    info                     : union lsa_PolicyInformation(case 12)
                    dns: struct lsa_DnsDomainInfo
                        name: struct lsa_StringLarge
                            length                   : 0x0012 (18)
                            size                     : 0x0014 (20)
                            string                   : *
                                string                   : 'POWERTECH'
                        dns_domain: struct lsa_StringLarge
                            length                   : 0x001e (30)
                            size                     : 0x0020 (32)
                            string                   : *
                                string                   : 'powertech.local'
                        dns_forest: struct lsa_StringLarge
                            length                   : 0x001e (30)
                            size                     : 0x0020 (32)
                            string                   : *
                                string                   : 'powertech.local'
                        domain_guid              : d4dbb4cc-6dca-4701-8715-4875aaf5ce9c
                        sid                      : *
                            sid                      : S-1-5-21-1030712963-4274246568-774726483
            result                   : NT_STATUS_OK
[2008/08/20 17:33:37, 5] winbindd/winbindd_cm.c:set_dc_type_and_flags_connect(1841)
  set_dc_type_and_flags_connect: domain POWERTECH is NOT in native mode.
[2008/08/20 17:33:37, 5] winbindd/winbindd_cm.c:set_dc_type_and_flags_connect(1844)
  set_dc_type_and_flags_connect: domain POWERTECH is running active directory.
[2008/08/20 17:33:37, 6] libsmb/clientgen.c:write_socket(236)
  write_socket(16,45)
[2008/08/20 17:33:37, 6] libsmb/clientgen.c:write_socket(239)
  write_socket(16,45) wrote 45
[2008/08/20 17:33:37, 10] lib/util_sock.c:read_smb_length_return_keepalive(1118)
  got smb length of 35
[2008/08/20 17:33:37, 5] lib/util.c:show_msg(645)
[2008/08/20 17:33:37, 5] lib/util.c:show_msg(655)
  size=35
  smb_com=0x4
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=2049
  smb_pid=1767
  smb_uid=2049
  smb_mid=12
  smt_wct=0
  smb_bcc=0
[2008/08/20 17:33:37, 10] libsmb/clientgen.c:cli_rpc_pipe_close(567)
  cli_rpc_pipe_close: closed pipe \lsarpc to machine FILESRV
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 175/547561
[2008/08/20 17:33:37, 10] lib/events.c:event_add_timed(128)
  Added timed event "async_request_timeout": 94f3a90
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 175/547500
[2008/08/20 17:33:37, 10] lib/events.c:timed_event_destructor(65)
  Destroying timed event 94f3798 "async_request_timeout"
[2008/08/20 17:33:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2442)
  Retrieving response for pid 2155
[2008/08/20 17:33:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2464)
  Retrieving extra data length=820
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(193)
  listent_recv: RGGNET returned users.
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 175/442396
[2008/08/20 17:33:37, 10] lib/events.c:timed_event_destructor(65)
  Destroying timed event 94f3a90 "async_request_timeout"
[2008/08/20 17:33:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2442)
  Retrieving response for pid 2452
[2008/08/20 17:33:37, 5] winbindd/winbindd_async.c:listent_recv(465)
  list_ent() failed!
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(206)
  listent_recv: POWERTECH returned no users.
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 175/430000
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 175/429965
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 175/429916
[2008/08/20 17:33:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 175/374344
[2008/08/20 17:34:07, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 145/380895
[2008/08/20 17:34:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 115/379055
[2008/08/20 17:34:37, 10] lib/events.c:event_add_timed(128)
  Added timed event "async_request_timeout": 94dad98
[2008/08/20 17:34:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 115/378721
[2008/08/20 17:34:37, 10] lib/events.c:timed_event_destructor(65)
  Destroying timed event 94dad98 "async_request_timeout"
[2008/08/20 17:34:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2442)
  Retrieving response for pid 2155
[2008/08/20 17:34:37, 10] winbindd/winbindd_cache.c:cache_retrieve_response(2464)
  Retrieving extra data length=61
[2008/08/20 17:34:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 115/374757
[2008/08/20 17:35:07, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 85/380467
[2008/08/20 17:35:37, 10] lib/events.c:get_timed_events_timeout(318)
  timed_events_timeout: 55/379323

It shows the errors:

[2008/08/20 17:33:37, 5] winbindd/winbindd_async.c:listent_recv(465)
  list_ent() failed!
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(206)
  listent_recv: POWERTECH returned no users.

I see the same errors when running the wbinfo -g command.

Following is my smb.conf file:

# Global parameters
[global]
# Domain Settings
    workgroup = rggnet
    netbios name = auth1
    interfaces = 192.168.134.5
    username map = /etc/samba/smbusers
    server string = Samba Server %v
    security = user
    encrypt passwords = Yes
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    name resolve order = wins lmhosts hosts bcast
#Maximum time to live in seconds for a requested NetBIOS Name
# Default is 518400 (6 days)
    max wins ttl = 36000
# Specifies the minimum time to live in seconds for NetBIOS names
# given out by Samba as a WINS server; default is 21600(6 hours)
    min wins ttl = 14400
    obey pam restrictions = No
#   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    passwd program = /usr/sbin/smbldap-passwd %u
    ldap passwd sync = Yes
    log level = 10
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    logon script =
    logon drive =
    logon home =
    logon path =
# LDAP setup for Winbind for Trust to 2003
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 20000 - 30000
    idmap gid = 20000 - 30000
#LDAP Database information
    passdb backend = ldapsam:ldap://127.0.0.1/
#   passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
    ldap admin dn = "cn=Manager,dc=rggnet,dc=com"
    ldap suffix = dc=rggnet,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap ssl = no
    ldap delete dn = Yes
# Scripts to add,delete users, groups and PCs
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -a -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# Add Share Scripts; will not use because removes entries from
# smb.conf file; will add any shares through Linux
#add share command = /usr/local/bin/modify_samba_config.pl
#delete share command = /usr/local/bin/modify_samba_config.pl
#change share command = /usr/local/bin/modify_samba_config.pl
# printers configuration
#   printer admin = @"Print Operators",root
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    nt acl support = Yes
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Never
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no

Any help resolving this problem would be greatly appreciated.

Thank you.

Linsey Smeltzer
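As an added triage helper, not part of the post above or of Samba itself, the following Python script parses winbindd debug output of the kind quoted in the post and reports, per domain, the DNS name and SID from the LSA policy dump, whether the DC reported the domain as not in native mode, and whether user/group enumeration returned anything. The sample log is constructed from lines in the post, and the regular expressions assume the Samba 3 log layout shown there (a header line followed by an indented message).

```python
import re

# Constructed sample: lines condensed from the winbindd log excerpt in the post.
SAMPLE_LOG = """\
                        name: struct lsa_StringLarge
                                string                   : 'POWERTECH'
                        dns_domain: struct lsa_StringLarge
                                string                   : 'powertech.local'
                            sid                      : S-1-5-21-1030712963-4274246568-774726483
[2008/08/20 17:33:37, 5] winbindd/winbindd_cm.c:set_dc_type_and_flags_connect(1841)
  set_dc_type_and_flags_connect: domain POWERTECH is NOT in native mode.
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(193)
  listent_recv: RGGNET returned users.
[2008/08/20 17:33:37, 5] winbindd/winbindd_misc.c:listent_recv(206)
  listent_recv: POWERTECH returned no users.
"""
# Samba 3 layout: a "[date, level] file:func(line)" header, then an indented message.
NAME_FIELD = re.compile(r"^\s*(name|dns_domain): struct lsa_StringLarge")
STRING_VAL = re.compile(r"^\s*string\s+:\s+'([^']*)'")
SID_VAL = re.compile(r"^\s*sid\s+:\s+(S-1-5-[\d-]+)")
NOT_NATIVE = re.compile(r"domain (\S+) is NOT in native mode")
LIST_RESULT = re.compile(r"listent_recv: (\S+) returned (no )?(users|groups)\.")

def _status() -> dict:
    return {"dns_name": "", "sid": "", "native_mode": None, "enumeration": {}}

def summarize(log_text: str) -> dict:
    """Per-domain status parsed from winbindd debug output (None = not reported)."""
    domains, current, pending = {}, "", None
    for line in log_text.splitlines():
        if m := NAME_FIELD.match(line):
            pending = m.group(1)                 # next quoted 'string' belongs to this field
        elif (m := STRING_VAL.match(line)) and pending:
            if pending == "name":                # NetBIOS name identifies the domain
                current = m.group(1)
                domains.setdefault(current, _status())
            elif current:
                domains[current]["dns_name"] = m.group(1)
            pending = None
        elif (m := SID_VAL.match(line)) and current:
            domains[current]["sid"] = m.group(1)
        elif m := NOT_NATIVE.search(line):
            domains.setdefault(m.group(1), _status())["native_mode"] = False
        elif m := LIST_RESULT.search(line):
            ok = m.group(2) is None              # "returned no users" -> False
            domains.setdefault(m.group(1), _status())["enumeration"][m.group(3)] = ok
    return domains

def failing_domains(domains: dict) -> list:
    return sorted(d for d, st in domains.items() if not all(st["enumeration"].values()))
```

Run it over the full winbindd log (at the post's log level 10 the LSA dump and the listent_recv lines are both present) to see at a glance which trusted domain is the one whose enumeration comes back empty.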