samba - Feb 2010 - probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain

Hey,

I've got a probleme. My AD is a windows 2008 R2 (sh?ma 2003)

I have  tow windows 2008 R2 rodc in my architecture. I've a squid under suse
11.1 x64 and daemon samba and winbind;

The version of samba is : Version 3.4.5-3.1-2289-SUSE-CODE11

I have tow domain windows 2008 r2 in my architecture

Domain : medical
Domain administrative.

Squid/samba/suse is join to the domain Medical.

Net ads testjoin:
Ok

My problem is the daemon  winbind  find all my user of domain medical but not
the domain administratif.

I've find it's a problem of winbind (fix 7037 3.5rc2?)

Can you help me please:

The configuration :

/etc/krb5.conf:
[logging]
        default = FILE:SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]

        default_realm = MEDICAL.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
        clockskew = 3000



[realms]


MEDICAL.LOCAL = {
        kdc = 172.22.45.5
    admin_server = 192.168.11.70
        default_domain = MEDICAL
}
ADMINISTRATIF.LOCAL = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
        default_domain = ADMINISTRATIF
}

MEDICAL = {
        kdc = 172.22.45.5
        admin_server = 192.168.11.70
}
ADMINISTRATIF = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
}

[domain_realm]
        medical.local = MEDICAL.LOCAL
        .medical.local = MEDICAL.LOCAL
        administratif.local = ADMINISTRATIF.LOCAL
        .administratif.local = ADMINISTRATIF.LOCAL
        MEDICAL.LOCAL = MEDICAL.LOCAL
        .MEDICAL.LOCAL = MEDICAL.LOCAL
        .ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL
        ADMINISTRATIF = ADMINISTRATIF.LOCAL
        .ADMINISTRATIF = ADMINISTRATIF.LOCAL
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
}
 Samba :
# Samba config file created using SWAT
# from relais (127.0.0.1)
# Date: 2004/01/05 13:42:43

# Global parameters
[global]
        log file = /var/log/samba/%m.log
        allow trusted domains = yes
        idmap gid = 10000-20000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        realm = MEDICAL.LOCAL
        winbind use default domain = no
        dns proxy = no
        printing = cups
        idmap uid = 10000-20000
        local master = no
        domain master = no
        preferred master = no
        template homedir = /home/%D/%U
        workgroup = MEDICAL
        os level = 0
        winbind refresh tickets = yes
        winbind enum groups = Yes
        winbind enum users = Yes
        security = ADS
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s
/bin/false %m$
        winbind separator = /
        max log size = 1024
        usershare allow guests = No


the test are here :


relay:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
relay:~ # wbinfo -m
BUILTIN
RELAY
MEDICAL
ADMINISTRATIF
relay:~ #

wbinfo -u

I have only the user from medical and not from administratif

The log of /var/log/samba.log/wb-Administratif:


[2010/02/08 13:02:36,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed

but when I do this command (test user administratif)  it's ok

wbinfo -a administratif/almacom
Enter administratif/almacom's password:
plaintext password authentication succeeded
Enter administratif/almacom's password:
challenge/response password authentication succeeded

On Tue, Feb 09, 2010 at 02:13:31PM +0100, intartaglia.maximilien
wrote:
> wbinfo -u
> 
> I have only the user from medical and not from administratif
> 
> The log of /var/log/samba.log/wb-Administratif:
> 
> 
> [2010/02/08 13:02:36,  1]
winbindd/winbindd_ads.c:127(ads_cached_connection)
>   ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check
failed
> 
> but when I do this command (test user administratif)  it's ok
> 
> wbinfo -a administratif/almacom
> Enter administratif/almacom's password:
> plaintext password authentication succeeded
> Enter administratif/almacom's password:
> challenge/response password authentication succeeded
This is entirely possible if you just have a one-way trust
or the dc from ADMINISTRATIF does not allow listing users
for other reasons. A log file (debug level 10)
log.wb-ADMINISTRATIF might show what is going on.

BTW, why do you need the ADMINISTRATIF users in wbinfo -u?
For squid, i.e. ntlm_auth, to work this should not be
necessary.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20100210/5c0ad0b2/attachment.pgp>

De : intartaglia.maximilien
Envoy? : mardi 9 f?vrier 2010 14:14
? : 'samba at lists.samba.org'
Objet : probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted
domain



Hey,

I've got a probleme. My AD is a windows 2008 R2 (sh?ma 2003)

I have  tow windows 2008 R2 rodc in my architecture. I've a squid under suse
11.1 x64 and daemon samba and winbind;

The version of samba is : Version 3.4.5-3.1-2289-SUSE-CODE11

I have tow domain windows 2008 r2 in my architecture

Domain : medical
Domain administrative.

Squid/samba/suse is join to the domain Medical.

Net ads testjoin:
Ok

My problem is the daemon  winbind  find all my user of domain medical but not
the domain administratif.

I've find it's a problem of winbind (fix 7037 3.5rc2?)

Can you help me please:

The configuration :

/etc/krb5.conf:
[logging]
        default = FILE:SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]

        default_realm = MEDICAL.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
        clockskew = 3000



[realms]


MEDICAL.LOCAL = {
        kdc = 172.22.45.5
    admin_server = 192.168.11.70
        default_domain = MEDICAL
}
ADMINISTRATIF.LOCAL = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
        default_domain = ADMINISTRATIF
}

MEDICAL = {
        kdc = 172.22.45.5
        admin_server = 192.168.11.70
}
ADMINISTRATIF = {
        kdc = 172.22.45.1
        admin_server = 192.168.11.40
}

[domain_realm]
        medical.local = MEDICAL.LOCAL
        .medical.local = MEDICAL.LOCAL
        administratif.local = ADMINISTRATIF.LOCAL
        .administratif.local = ADMINISTRATIF.LOCAL
        MEDICAL.LOCAL = MEDICAL.LOCAL
        .MEDICAL.LOCAL = MEDICAL.LOCAL
        .ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL
        ADMINISTRATIF = ADMINISTRATIF.LOCAL
        .ADMINISTRATIF = ADMINISTRATIF.LOCAL
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
}
 Samba :
# Samba config file created using SWAT
# from relais (127.0.0.1)
# Date: 2004/01/05 13:42:43

# Global parameters
[global]
        log file = /var/log/samba/%m.log
        allow trusted domains = yes
        idmap gid = 10000-20000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        realm = MEDICAL.LOCAL
        winbind use default domain = no
        dns proxy = no
        printing = cups
        idmap uid = 10000-20000
        local master = no
        domain master = no
        preferred master = no
        template homedir = /home/%D/%U
        workgroup = MEDICAL
        os level = 0
        winbind refresh tickets = yes
        winbind enum groups = Yes
        winbind enum users = Yes
        security = ADS
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s
/bin/false %m$
        winbind separator = /
        max log size = 1024
        usershare allow guests = No


the test are here :


relay:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
relay:~ # wbinfo -m
BUILTIN
RELAY
MEDICAL
ADMINISTRATIF
relay:~ #

wbinfo -u

I have only the user from medical and not from administratif

The log of /var/log/samba.log/wb-Administratif:


[2010/02/08 13:02:36,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed

but when I do this command (test user administratif)  it's ok

wbinfo -a administratif/almacom
Enter administratif/almacom's password:
plaintext password authentication succeeded
Enter administratif/almacom's password:
challenge/response password authentication succeeded