intartaglia.maximilien
2010-Feb-08 16:11 UTC
[Samba] TR: probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain
Hey,

I've got a problem. My AD is Windows 2008 R2 (schema 2003). I have two Windows 2008 R2 RODCs in my architecture. I have Squid running under SUSE 11.1 x64 with the samba and winbind daemons.

The version of samba is: Version 3.4.5-3.1-2289-SUSE-CODE11

I have two Windows 2008 R2 domains in my architecture:

Domain: medical
Domain: administratif

Squid/samba/SUSE is joined to the domain medical.

net ads testjoin: OK

My problem is that the winbind daemon finds all the users of the medical domain but not those of the administratif domain. I've found that it's a winbind problem (fix 7037 3.5rc2?)

Can you help me, please?

The configuration:

/etc/krb5.conf:

[logging]
    default = FILE:SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]
    default_realm = MEDICAL.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    clockskew = 3000

[realms]
    MEDICAL.LOCAL = {
        kdc = 172.22.45.5
        admin_server = 192.168.11.70
        default_domain = MEDICAL
    }
    ADMINISTRATIF.LOCAL = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
        default_domain = ADMINISTRATIF
    }
    MEDICAL = {
        kdc = 172.22.45.5
        admin_server = 192.168.11.70
    }
    ADMINISTRATIF = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
    }

[domain_realm]
    medical.local = MEDICAL.LOCAL
    .medical.local = MEDICAL.LOCAL
    administratif.local = ADMINISTRATIF.LOCAL
    .administratif.local = ADMINISTRATIF.LOCAL
    MEDICAL.LOCAL = MEDICAL.LOCAL
    .MEDICAL.LOCAL = MEDICAL.LOCAL
    .ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL
    ADMINISTRATIF = ADMINISTRATIF.LOCAL
    .ADMINISTRATIF = ADMINISTRATIF.LOCAL

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
    }

Samba:

# Samba config file created using SWAT
# from relais (127.0.0.1)
# Date: 2004/01/05 13:42:43

# Global parameters
[global]
    log file = /var/log/samba/%m.log
    allow trusted domains = yes
    idmap gid = 10000-20000
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    realm = MEDICAL.LOCAL
    winbind use default domain = no
    dns proxy = no
    printing = cups
    idmap uid = 10000-20000
    local master = no
    domain master = no
    preferred master = no
    template homedir = /home/%D/%U
    workgroup = MEDICAL
    os level = 0
    winbind refresh tickets = yes
    winbind enum groups = Yes
    winbind enum users = Yes
    security = ADS
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    winbind separator = /
    max log size = 1024
    usershare allow guests = No

The tests are here:

relay:~ # wbinfo -t
checking the trust secret via RPC calls succeeded

relay:~ # wbinfo -m
BUILTIN
RELAY
MEDICAL
ADMINISTRATIF

relay:~ # wbinfo -u

I get only the users from medical and not from administratif.

The log of /var/log/samba.log/wb-Administratif:

[2010/02/08 13:02:36, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed

But when I run this command (test of an administratif user) it's OK:

wbinfo -a administratif/almacom
Enter administratif/almacom's password:
plaintext password authentication succeeded
Enter administratif/almacom's password:
challenge/response password authentication succeeded