samba - Oct 2008 - winbind does not list users from trusted domain

Hello all.

I've set up a testing environment with two Windows DCs. The first,
called DCA, is serving the domain DOMA and is running Windows 2003. The
second is called DCB and serves DOMB on Windows 2008.

The Samba machine I'm setting up (named ULYSSES) should be able to
authenticate users from both domains for shell login. I've installed
Samba 3.2.3 as a Debian package and closely followed the fine Howto by
Michael Battista
(http://www.ccs.neu.edu/home/battista/documentation/winbind/). Here are
the current settings from my smb.conf, stripped down to the relevant ones:

[global]
    realm = B.NET
    workgroup = B
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
;   winbind enum groups = yes
;   winbind enum users = yes
    winbind use default domain = no
    winbind nested groups = yes
    allow trusted domains = yes

PAM and NSS are configured as well, winbind is installed and running.
The Samba machine has successfully joined DOMB:
> wbinfo -t
checking the trust secret via RPC calls succeeded

Domain trusts seem to work:
> wbinfo -m
BUILTIN
ULYSSES
DOMA
DOMB

So far, everything works as expected. But when I try to get user info,
only users from DOMB (where the Samba machine is a member) are found by
winbind:
> wbinfo -u
ULYSSES\root
ULYSSES\nobody
[...]
DOMB\administrator
DOMB\brian

No entries for DOMA are listed. To track this further down, I issued the
following commands:
> wbinfo -i "DOMA\alvin"
Could not get info for user DOMA\alvin
> wbinfo -i "DOMB\brian"
DOMB\brian:*:10000:10000:Brian:/home/DOMB/brian:/bin/bash

The logfile (log.wb-DOMA) states:
[2008/10/10 12:32:23,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5
error code 68)
[2008/10/10 12:32:23,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
   ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5
error code 68)
[2008/10/10 12:32:23,  0] libads/sasl.c:ads_sasl_spnego_bind(819)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: KRB5 error code 68
[2008/10/10 12:32:23,  1] winbindd/winbindd_ads.c:ads_cached_connection(127)
   ads_connect for domain DOMA failed: KRB5 error code 68
[2008/10/10 12:32:23,  1]
winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
   error getting user info for sid
S-1-5-21-1851683558-1272149263-2209706219-1104

So I suspect something with the Kerberos authentication to be wrong; but
why is that, since I can successfully authenticate users with winbind:
> wbinfo -a "DOMA\alvin%alvinpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded
> wbinfo -a "DOMB\brian%brianpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded

Why is winbind able to authenticate users, but cannot get user info
about them? Does anyone have a hint for me?


Thanks in advance,
marco


-- 
Marco Senft
http://www.t2g.ch/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marco Senft wrote:
> Hello all.
> 
> I've set up a testing environment with two Windows DCs. The first,
> called DCA, is serving the domain DOMA and is running Windows 2003. The
> second is called DCB and serves DOMB on Windows 2008.
What version of Samba are you running?

It looks like the trusted domains in this case are actually
other domain trees.  Are they in the same forest?






cheers, jerry
- --
====================================================================Samba       
------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI71UYIR7qMdg1EfYRAs+yAKDslIL3c7Jxkm5gvSFu/ZdwkEix0wCfc/OL
7vpFjRQ8d4jxlTKWM+9FoWQ=4WWV
-----END PGP SIGNATURE-----