intartaglia.maximilien
2010-Feb-09 13:13 UTC
[Samba] probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain
Hey, I've got a probleme. My AD is a windows 2008 R2 (sh?ma 2003) I have tow windows 2008 R2 rodc in my architecture. I've a squid under suse 11.1 x64 and daemon samba and winbind; The version of samba is : Version 3.4.5-3.1-2289-SUSE-CODE11 I have tow domain windows 2008 r2 in my architecture Domain : medical Domain administrative. Squid/samba/suse is join to the domain Medical. Net ads testjoin: Ok My problem is the daemon winbind find all my user of domain medical but not the domain administratif. I've find it's a problem of winbind (fix 7037 3.5rc2?) Can you help me please: The configuration : /etc/krb5.conf: [logging] default = FILE:SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log [libdefaults] default_realm = MEDICAL.LOCAL dns_lookup_realm = false dns_lookup_kdc = false clockskew = 3000 [realms] MEDICAL.LOCAL = { kdc = 172.22.45.5 admin_server = 192.168.11.70 default_domain = MEDICAL } ADMINISTRATIF.LOCAL = { kdc = 172.22.45.1 admin_server = 192.168.11.40 default_domain = ADMINISTRATIF } MEDICAL = { kdc = 172.22.45.5 admin_server = 192.168.11.70 } ADMINISTRATIF = { kdc = 172.22.45.1 admin_server = 192.168.11.40 } [domain_realm] medical.local = MEDICAL.LOCAL .medical.local = MEDICAL.LOCAL administratif.local = ADMINISTRATIF.LOCAL .administratif.local = ADMINISTRATIF.LOCAL MEDICAL.LOCAL = MEDICAL.LOCAL .MEDICAL.LOCAL = MEDICAL.LOCAL .ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL ADMINISTRATIF = ADMINISTRATIF.LOCAL .ADMINISTRATIF = ADMINISTRATIF.LOCAL [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 1 use_shmem = sshd } Samba : # Samba config file created using SWAT # from relais (127.0.0.1) # Date: 2004/01/05 13:42:43 # Global parameters [global] log file = /var/log/samba/%m.log allow trusted domains = yes idmap gid = 10000-20000 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 realm = MEDICAL.LOCAL winbind use default domain = no dns proxy = no printing = cups idmap uid = 10000-20000 local master = no domain master = no preferred master = no template homedir = /home/%D/%U workgroup = MEDICAL os level = 0 winbind refresh tickets = yes winbind enum groups = Yes winbind enum users = Yes security = ADS add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$ winbind separator = / max log size = 1024 usershare allow guests = No the test are here : relay:~ # wbinfo -t checking the trust secret via RPC calls succeeded relay:~ # wbinfo -m BUILTIN RELAY MEDICAL ADMINISTRATIF relay:~ # wbinfo -u I have only the user from medical and not from administratif The log of /var/log/samba.log/wb-Administratif: [2010/02/08 13:02:36, 1] winbindd/winbindd_ads.c:127(ads_cached_connection) ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed but when I do this command (test user administratif) it's ok wbinfo -a administratif/almacom Enter administratif/almacom's password: plaintext password authentication succeeded Enter administratif/almacom's password: challenge/response password authentication succeeded
Volker Lendecke
2010-Feb-10 06:39 UTC
[Samba] probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain
On Tue, Feb 09, 2010 at 02:13:31PM +0100, intartaglia.maximilien wrote:> wbinfo -u > > I have only the user from medical and not from administratif > > The log of /var/log/samba.log/wb-Administratif: > > > [2010/02/08 13:02:36, 1] winbindd/winbindd_ads.c:127(ads_cached_connection) > ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed > > but when I do this command (test user administratif) it's ok > > wbinfo -a administratif/almacom > Enter administratif/almacom's password: > plaintext password authentication succeeded > Enter administratif/almacom's password: > challenge/response password authentication succeededThis is entirely possible if you just have a one-way trust or the dc from ADMINISTRATIF does not allow listing users for other reasons. A log file (debug level 10) log.wb-ADMINISTRATIF might show what is going on. BTW, why do you need the ADMINISTRATIF users in wbinfo -u? For squid, i.e. ntlm_auth, to work this should not be necessary. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20100210/5c0ad0b2/attachment.pgp>
intartaglia.maximilien
2010-Feb-11 11:21 UTC
[Samba] probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain
De : intartaglia.maximilien Envoy? : mardi 9 f?vrier 2010 14:14 ? : 'samba at lists.samba.org' Objet : probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain Hey, I've got a probleme. My AD is a windows 2008 R2 (sh?ma 2003) I have tow windows 2008 R2 rodc in my architecture. I've a squid under suse 11.1 x64 and daemon samba and winbind; The version of samba is : Version 3.4.5-3.1-2289-SUSE-CODE11 I have tow domain windows 2008 r2 in my architecture Domain : medical Domain administrative. Squid/samba/suse is join to the domain Medical. Net ads testjoin: Ok My problem is the daemon winbind find all my user of domain medical but not the domain administratif. I've find it's a problem of winbind (fix 7037 3.5rc2?) Can you help me please: The configuration : /etc/krb5.conf: [logging] default = FILE:SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/krb5/krb5kdc.log admin_server = FILE:/var/log/krb5/kadmind.log [libdefaults] default_realm = MEDICAL.LOCAL dns_lookup_realm = false dns_lookup_kdc = false clockskew = 3000 [realms] MEDICAL.LOCAL = { kdc = 172.22.45.5 admin_server = 192.168.11.70 default_domain = MEDICAL } ADMINISTRATIF.LOCAL = { kdc = 172.22.45.1 admin_server = 192.168.11.40 default_domain = ADMINISTRATIF } MEDICAL = { kdc = 172.22.45.5 admin_server = 192.168.11.70 } ADMINISTRATIF = { kdc = 172.22.45.1 admin_server = 192.168.11.40 } [domain_realm] medical.local = MEDICAL.LOCAL .medical.local = MEDICAL.LOCAL administratif.local = ADMINISTRATIF.LOCAL .administratif.local = ADMINISTRATIF.LOCAL MEDICAL.LOCAL = MEDICAL.LOCAL .MEDICAL.LOCAL = MEDICAL.LOCAL .ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL ADMINISTRATIF = ADMINISTRATIF.LOCAL .ADMINISTRATIF = ADMINISTRATIF.LOCAL [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 1 use_shmem = sshd } Samba : # Samba config file created using SWAT # from relais (127.0.0.1) # Date: 2004/01/05 13:42:43 # Global parameters [global] log file = /var/log/samba/%m.log allow trusted domains = yes idmap gid = 10000-20000 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 realm = MEDICAL.LOCAL winbind use default domain = no dns proxy = no printing = cups idmap uid = 10000-20000 local master = no domain master = no preferred master = no template homedir = /home/%D/%U workgroup = MEDICAL os level = 0 winbind refresh tickets = yes winbind enum groups = Yes winbind enum users = Yes security = ADS add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$ winbind separator = / max log size = 1024 usershare allow guests = No the test are here : relay:~ # wbinfo -t checking the trust secret via RPC calls succeeded relay:~ # wbinfo -m BUILTIN RELAY MEDICAL ADMINISTRATIF relay:~ # wbinfo -u I have only the user from medical and not from administratif The log of /var/log/samba.log/wb-Administratif: [2010/02/08 13:02:36, 1] winbindd/winbindd_ads.c:127(ads_cached_connection) ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed but when I do this command (test user administratif) it's ok wbinfo -a administratif/almacom Enter administratif/almacom's password: plaintext password authentication succeeded Enter administratif/almacom's password: challenge/response password authentication succeeded
Reasonably Related Threads
- probleme with samba 3.4.5-5.1 + winbind+ windows 2008 R2 + trusted domain
- TR: probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain
- bind failed on port 445 socket_addr = 0.0.0.0.
- SUSE 9.3 Winbind+ PAM+AD
- TDM400P with FXO/FXS hangup problem