Hello all.

I've set up a testing environment with two Windows DCs. The first, called DCA, is serving the domain DOMA and is running Windows 2003. The second is called DCB and serves DOMB on Windows 2008. The Samba machine I'm setting up (named ULYSSES) should be able to authenticate users from both domains for shell login.

I've installed Samba 3.2.3 as a Debian package and closely followed the fine Howto by Michael Battista (http://www.ccs.neu.edu/home/battista/documentation/winbind/). Here are the current settings from my smb.conf, stripped down to the relevant ones:

[global]
   realm = B.NET
   workgroup = B
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U
   ; winbind enum groups = yes
   ; winbind enum users = yes
   winbind use default domain = no
   winbind nested groups = yes
   allow trusted domains = yes

PAM and NSS are configured as well; winbind is installed and running. The Samba machine has successfully joined DOMB:

> wbinfo -t
checking the trust secret via RPC calls succeeded

Domain trusts seem to work:

> wbinfo -m
BUILTIN
ULYSSES
DOMA
DOMB

So far, everything works as expected. But when I try to get user info, only users from DOMB (where the Samba machine is a member) are found by winbind:

> wbinfo -u
ULYSSES\root
ULYSSES\nobody
[...]
DOMB\administrator
DOMB\brian

No entries for DOMA are listed.
To track this down further, I issued the following commands:

> wbinfo -i "DOMA\alvin"
Could not get info for user DOMA\alvin

> wbinfo -i "DOMB\brian"
DOMB\brian:*:10000:10000:Brian:/home/DOMB/brian:/bin/bash

The logfile (log.wb-DOMA) states:

[2008/10/10 12:32:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5 error code 68)
[2008/10/10 12:32:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5 error code 68)
[2008/10/10 12:32:23, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: KRB5 error code 68
[2008/10/10 12:32:23, 1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain DOMA failed: KRB5 error code 68
[2008/10/10 12:32:23, 1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
  error getting user info for sid S-1-5-21-1851683558-1272149263-2209706219-1104

So I suspect something is wrong with the Kerberos authentication; but why is that, since I can successfully authenticate users with winbind:

> wbinfo -a "DOMA\alvin%alvinpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded

> wbinfo -a "DOMB\brian%brianpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded

Why is winbind able to authenticate users, but cannot get user info about them? Does anyone have a hint for me?

Thanks in advance,
marco

-- 
Marco Senft
http://www.t2g.ch/
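Added example, not part of the post and not Samba's own code: a small Python triage script for exactly the kind of log.wb-DOMA excerpt quoted above. It parses Samba 3's two-line debug layout (header line, then the indented message), reads the configured realm from the [global] section of smb.conf, names the Kerberos error code using the table in RFC 4120 section 7.5.9 (code 68 is KDC_ERR_WRONG_REALM), and flags every ticket request whose principal realm is not the joined realm. The sample log lines and smb.conf fragment are copied from the post; the regexes, function names and the wording of the findings are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the winbindd log excerpt (log.wb-DOMA) and the
# stripped-down smb.conf from the post, in Samba 3's debug layout.
SAMPLE_LOG = """\
[2008/10/10 12:32:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5 error code 68)
[2008/10/10 12:32:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dca$@DOMA.NET (KRB5 error code 68)
[2008/10/10 12:32:23, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: KRB5 error code 68
[2008/10/10 12:32:23, 1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain DOMA failed: KRB5 error code 68
[2008/10/10 12:32:23, 1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
  error getting user info for sid S-1-5-21-1851683558-1272149263-2209706219-1104
"""

SAMPLE_SMB_CONF = """\
[global]
   realm = B.NET
   workgroup = B
   ; winbind enum users = yes
   allow trusted domains = yes
"""

# Error names from RFC 4120, section 7.5.9, for the codes this tool names.
KRB5_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
    68: "KDC_ERR_WRONG_REALM",
}

HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<where>\S+)$")
KRB5_CODE_RE = re.compile(r"KRB5 error code (?P<code>\d+)")
PRINCIPAL_RE = re.compile(r"failed for (?P<name>[^\s@]+)@(?P<realm>[A-Za-z0-9.\-]+)")


def parse_winbindd_log(text):
    """Return {ts, level, where, msg} records from Samba 3 debug output.

    A record starts with a "[date time, level] file:function(line)" header;
    the indented lines that follow belong to that record's message.
    """
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["msg"] = ""
            records.append(rec)
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def configured_realm(smb_conf_text):
    """Return the 'realm =' value from [global], upper-cased, or None.

    Lines starting with ';' or '#' are smb.conf comments and are skipped.
    """
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "realm":
                return value.upper()
    return None


def triage(log_text, smb_conf_text):
    """Count KRB5 error codes and flag principals outside the joined realm."""
    realm = configured_realm(smb_conf_text)
    codes = Counter()
    by_principal = {}
    for rec in parse_winbindd_log(log_text):
        code_m = KRB5_CODE_RE.search(rec["msg"])
        if not code_m:
            continue  # not a Kerberos failure (e.g. the final userinfo error)
        code = int(code_m.group("code"))
        codes[code] += 1
        p = PRINCIPAL_RE.search(rec["msg"])
        if p:
            key = f"{p.group('name')}@{p.group('realm')}"
            entry = by_principal.setdefault(key, {"realm": p.group("realm").upper(), "codes": set()})
            entry["codes"].add(code)
    findings = []
    for principal, info in sorted(by_principal.items()):
        mismatch = realm is not None and info["realm"] != realm
        findings.append({
            "principal": principal,
            "errors": sorted(KRB5_ERROR_NAMES.get(c, f"code {c}") for c in info["codes"]),
            "realm_mismatch": mismatch,
            "note": (f"ticket requested in realm {info['realm']} while this host is joined to "
                     f"{realm}; check that a KDC for {info['realm']} can be located from here"
                     if mismatch else "principal is in the joined realm"),
        })
    return {"configured_realm": realm, "code_counts": dict(codes), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, SAMPLE_SMB_CONF), indent=2))
```

Run against the excerpt above, the script reports four occurrences of code 68 and one flagged principal, dca$@DOMA.NET, whose realm DOMA.NET differs from the joined realm B.NET. That separates the Kerberos path (used by the ADS connection that fetches user info) from the RPC/NTLM path that `wbinfo -a` exercises, which is why authentication can succeed while the lookup fails.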
Gerald (Jerry) Carter
2008-Oct-10 13:14 UTC
[Samba] winbind does not list users from trusted domain
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marco Senft wrote:
> Hello all.
>
> I've set up a testing environment with two Windows DCs. The first,
> called DCA, is serving the domain DOMA and is running Windows 2003. The
> second is called DCB and serves DOMB on Windows 2008.

What version of Samba are you running? It looks like the trusted domains in this case are actually other domain trees. Are they in the same forest?

cheers, jerry
- --
====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI71UYIR7qMdg1EfYRAs+yAKDslIL3c7Jxkm5gvSFu/ZdwkEix0wCfc/OL
7vpFjRQ8d4jxlTKWM+9FoWQ=
=4WWV
-----END PGP SIGNATURE-----