I have been killing myself on this issue over the last 2 weeks. I have
set up PAM AD authentication using winbind on our company's email
servers. That part is currently working. I have been trying to add an
existing "Trusted" child domain and allow authentication from that
domain as well. I am part of the way there, but not quite to the
functional point as of yet. Our primary domain is rdomainprv or
rdomain.prv and the child domain is kid.rdomain.prv. Below is what I am
seeing, followed by my configs. Also, we had to open ports 88, 139 and
389 (I believe those are the correct ports, though the networking guys
opened them) from the email/winbind server to the child domain, at the
firewall. Any help would be very much appreciated!
mailtestbed:~# wbinfo --all-domains
BUILTIN
MAILTESTBED
RDOMAINPRV
KID

mailtestbed:~# wbinfo -u | grep testuser
KID\testuser

mailtestbed:~# wbinfo -a KID\\testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Here is where it's falling apart:

mailtestbed:~# wbinfo -i KID\\testuser
Could not get info for user KID\testuser

mailtestbed:~# id KID\\testuser
id: KID\testuser: No such user

mailtestbed:~# id testuser
id: testuser: No such user

mailtestbed:~# getent passwd KID\\testuser
mailtestbed:~#

mailtestbed:~# getent passwd testuser
mailtestbed:~#

mailtestbed:~# id RDOMAINPRV\\testmer
uid=10001(testmer) gid=10001 groups=999(users)

mailtestbed:~# getent passwd RDOMAINPRV\\testmer
testmer:*:10001:10001::/home/testmer:/bin/bash

mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
testmer:*:10001:10001::/home/testmer:/bin/bash
Versions (Debian Lenny)
samba    2:3.2.5-4lenny9
winbind  2:3.2.5-4lenny9
smb.conf
[global]
   workgroup = RDOMAINPRV
   realm = RDOMAIN.PRV
   server string = %h server
   dns proxy = no
   name resolve order = lmhosts host wins bcast
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   allow trusted domains = yes
   winbind trusted domains only = no
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   template homedir = /home/%U
   winbind use default domain = yes
   winbind nss info = rfc2307
   winbind nested groups = yes
   client use spnego = yes
   client ntlmv2 auth = yes
   restrict anonymous = 2
   winbind enum groups = no
   winbind enum users = no
   winbind cache time = 30
krb5.conf
[libdefaults]
        default_realm = RDOMAIN.PRV
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
[realms]
        RDOMAIN.PRV = {
                default_domain = RDOMAIN.PRV
                master_kdc = dc02.rdomain.prv
                admin_server = dc02.rdomain.prv
                kdc = aurad.rdomain.prv
                kdc = addc01.rdomain.prv
                kdc = addc02.rdomain.prv
                kdc = addc03.rdomain.prv
                #kdc = addc04.rdomain.prv
                kdc = addc05.rdomain.prv
                kdc = chlddc01.kid.rdomain.prv
        }
        KID.RDOMAIN.PRV = {
                default_domain = KID.RDOMAIN.PRV
                kdc = chlddc01.kid.rdomain.prv
                master_kdc = addc02.rdomain.prv
                admin_server = addc02.rdomain.prv
                kdc = addc01.rdomain.prv
                kdc = addc02.rdomain.prv
        }
[domain_realm]
        .rdomain.prv = RDOMAIN.PRV
        rdomain.prv = RDOMAIN.PRV
        .kid.rdomain.prv = KID.RDOMAIN.PRV
        kid.rdomain.prv = KID.RDOMAIN.PRV
[kdc]
        profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
                validate = true
        }
[login]
        krb4_convert = true
        krb4_get_tickets = false
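One thing worth checking in a krb5.conf like the one above is whether every kdc, master_kdc and admin_server host listed under a realm actually belongs to that realm's DNS domain. In an Active Directory forest a domain controller issues tickets only for its own domain, so the KID.RDOMAIN.PRV stanza pointing at addc01/addc02.rdomain.prv, and the RDOMAIN.PRV stanza pointing at chlddc01.kid.rdomain.prv, deserve a second look. The script below is an added example, not code from the thread: it parses a constructed cut-down of the posted [realms] and [domain_realm] sections and flags every host whose [domain_realm] mapping disagrees with the realm it is listed under.

```python
"""Cross-check [realms] host entries against the [domain_realm] map of a krb5.conf.

Added example, not code from the thread. The sample below is a constructed
cut-down of the krb5.conf posted in the original message.
"""

SAMPLE_KRB5_CONF = """
[realms]
        RDOMAIN.PRV = {
                default_domain = RDOMAIN.PRV
                master_kdc = dc02.rdomain.prv
                admin_server = dc02.rdomain.prv
                kdc = addc01.rdomain.prv
                #kdc = addc04.rdomain.prv
                kdc = chlddc01.kid.rdomain.prv
        }
        KID.RDOMAIN.PRV = {
                default_domain = KID.RDOMAIN.PRV
                kdc = chlddc01.kid.rdomain.prv
                master_kdc = addc02.rdomain.prv
                admin_server = addc02.rdomain.prv
                kdc = addc01.rdomain.prv
        }
[domain_realm]
        .rdomain.prv = RDOMAIN.PRV
        rdomain.prv = RDOMAIN.PRV
        .kid.rdomain.prv = KID.RDOMAIN.PRV
        kid.rdomain.prv = KID.RDOMAIN.PRV
"""

# Relation keys whose value is a host the client will contact for that realm.
HOST_KEYS = ("kdc", "master_kdc", "admin_server", "kpasswd_server")


def parse_krb5_conf(text):
    """Minimal krb5.conf profile parser: {section: {key: [values or nested dicts]}}.

    Repeated keys (several 'kdc =' lines) are kept in order, '#' lines are
    comments, and 'key = {' opens a nested block that '}' closes.
    """
    sections = {}
    stack = []                      # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            continue                # stray line before any [section]
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            child = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def realm_for_host(host, domain_realm):
    """Resolve a hostname through [domain_realm]: an exact entry wins, otherwise the
    longest matching '.parent.domain' suffix; None when nothing matches."""
    host = host.lower().rstrip(".")
    table = {k.lower(): v[0] for k, v in domain_realm.items()}
    if host in table:
        return table[host]
    suffixes = [k for k in table if k.startswith(".") and host.endswith(k)]
    return table[max(suffixes, key=len)] if suffixes else None


def check_realm_hosts(conf):
    """Return (realm, key, host, mapped_realm) for each host listed under a realm
    that [domain_realm] assigns to a different realm."""
    findings = []
    domain_realm = conf.get("domain_realm", {})
    for realm, blocks in conf.get("realms", {}).items():
        for block in blocks:
            for key in HOST_KEYS:
                for entry in block.get(key, []):
                    host = entry.split(":", 1)[0]      # drop an optional :port
                    mapped = realm_for_host(host, domain_realm)
                    if mapped and mapped.upper() != realm.upper():
                        findings.append((realm, key, host, mapped))
    return findings


if __name__ == "__main__":
    for realm, key, host, mapped in check_realm_hosts(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(f"[{realm}] {key} = {host} is mapped to {mapped} by [domain_realm]")
```

Run against the sample it reports four entries: the child DC listed as a kdc for RDOMAIN.PRV, and the three parent-domain hosts (kdc, master_kdc, admin_server) listed for KID.RDOMAIN.PRV. A finding is not automatically a fault, but each one should be explained before the file is trusted for a trusted-domain setup.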
Hello,
Thank you so much for your reply! We are using AD 2003 R2 on both the domain and the child domain. I am using 10000-29999 for IDs on the main domain (RDOMAIN) and 30000-100000 on the child domain (KID). Interestingly, in the Unix tab (in AD Users and Computers for any object) under "NIS Domain" on any of the RDOMAIN servers we get the pulldown option "RDOMAIN", but on the Trusted domain's server the only option is "KID". I'm not sure if that is expected or would affect this, but I can't seem to get the RDOMAIN option in the KID Trusted domain.

Thanks,
-Paul

On 3/30/2010 2:27 AM, François Legal wrote:
> Hello,
>
> I'm not familiar with this kind of setup, but I wonder whether or not the KID domain has the SFU schema extensions set up for idmapping (see idmap backend = ad) and, if properly set up, check that the defined uid/gid for that domain fall in the idmap uid range.
>
> François
>
> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com> wrote:
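François's check above (does the KID domain carry the SFU/RFC 2307 attributes, and do its uid/gid values fall inside the idmap range?) is mechanical enough to script. With idmap backend = ad and winbind nss info = rfc2307, winbind maps only accounts whose uidNumber and gidNumber are populated and lie inside the idmap uid/gid ranges; an account without them still passes wbinfo -a but never shows up in wbinfo -i or getent passwd, which is the pattern seen in the original post. The script below is an added example, not code from the thread: the smb.conf fragment reuses the posted idmap settings, the per-domain ranges are the ones Paul gives in his reply, and the user records (testmer, testuser, alice, bob) are constructed placeholders, since the thread never shows the KID accounts' attributes.

```python
"""Check AD POSIX attributes and per-domain ID ranges against smb.conf idmap ranges.

Added example, not code from the thread. The smb.conf fragment, the domain
ranges and the user records below are constructed for illustration.
"""
import re

# Constructed fragment carrying the idmap settings from the posted smb.conf.
SAMPLE_SMB_CONF = """
[global]
   workgroup = RDOMAINPRV
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind nss info = rfc2307
"""

# Per-domain ranges as stated in the reply (RDOMAIN 10000-29999, KID 30000-100000).
DOMAIN_RANGES = {"RDOMAINPRV": (10000, 29999), "KID": (30000, 100000)}

# Constructed records, shaped like the RFC 2307 attributes an LDAP search returns.
# The KID values are illustrative only; the thread never shows that domain's attributes.
SAMPLE_USERS = [
    {"domain": "RDOMAINPRV", "sAMAccountName": "testmer", "uidNumber": 10001, "gidNumber": 10001},
    {"domain": "KID", "sAMAccountName": "testuser"},                       # no POSIX attributes
    {"domain": "KID", "sAMAccountName": "alice", "uidNumber": 30001, "gidNumber": 30001},
    {"domain": "KID", "sAMAccountName": "bob", "uidNumber": 2000, "gidNumber": 30001},
]

IDMAP_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I | re.M)


def parse_idmap_ranges(smb_conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from the global idmap uid/gid lines."""
    return {m.group(1).lower(): (int(m.group(2)), int(m.group(3)))
            for m in IDMAP_RE.finditer(smb_conf)}


def classify_user(user, ranges):
    """'mapped', 'missing-attrs' (no uidNumber/gidNumber) or 'out-of-range'."""
    uid, gid = user.get("uidNumber"), user.get("gidNumber")
    if uid is None or gid is None:
        return "missing-attrs"
    (ulo, uhi), (glo, ghi) = ranges["uid"], ranges["gid"]
    if ulo <= uid <= uhi and glo <= gid <= ghi:
        return "mapped"
    return "out-of-range"


def check_domain_ranges(domain_ranges, global_range):
    """Flag per-domain ranges that fall outside the global idmap range or overlap each other."""
    issues = []
    lo, hi = global_range
    items = sorted(domain_ranges.items(), key=lambda kv: kv[1])
    for name, (dlo, dhi) in items:
        if dlo < lo or dhi > hi:
            issues.append(f"{name} range {dlo}-{dhi} is not inside global {lo}-{hi}")
    for (n1, (_, h1)), (n2, (l2, _)) in zip(items, items[1:]):
        if l2 <= h1:
            issues.append(f"{n1} and {n2} ranges overlap")
    return issues


def audit(smb_conf=SAMPLE_SMB_CONF, users=SAMPLE_USERS, domain_ranges=DOMAIN_RANGES):
    """Return (per-user verdicts keyed by DOMAIN\\user, list of range issues)."""
    ranges = parse_idmap_ranges(smb_conf)
    per_user = {f'{u["domain"]}\\{u["sAMAccountName"]}': classify_user(u, ranges) for u in users}
    return per_user, check_domain_ranges(domain_ranges, ranges["uid"])


if __name__ == "__main__":
    per_user, issues = audit()
    for name, verdict in per_user.items():
        print(f"{name:<24} {verdict}")
    for issue in issues:
        print("range issue:", issue)
```

On the sample data testmer and alice map, testuser is reported as missing its POSIX attributes, bob is out of range, and the two domain ranges sit inside the global range without overlapping. Feeding the script real attribute values exported from each domain shows at a glance which accounts winbind can never resolve.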
The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe.

mailtestbed:~# wbinfo -t
checking the trust secret via RPC calls succeeded

On 3/30/2010 9:47 AM, François Legal wrote:
> I'm not sure I 100% understand what you mean (it's been a long time since I last used an AD server with SFU).
> However, the next step now will be to increase the winbindd debug level while issuing the wbinfo -i command, and see what fails there.
>
> Try first a wbinfo -t, then if it succeeds, increase winbindd verbosity.
>
> François
>
> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <plauss at protocolgs.com> wrote:

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ADlogs.text
URL: <http://lists.samba.org/pipermail/samba/attachments/20100330/ea13781c/attachment.text>
I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted.

On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote:
> Could you provide the part that you removed? I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from the main domain DC.
>
> François
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Paul Lauss
> Sent: Tuesday, 30 March 2010 20:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Auth Trusted Domain issues

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ADLogs.text
URL: <http://lists.samba.org/pipermail/samba/attachments/20100330/f2adf793/attachment-0001.text>
We have corrected the issues of "KID" not being native but this does not seem to have helped. We did however see this error in the Windows Event Viewer at the point that I am trying to make the connection. I am not certain what it means that there are no logon servers available... Thoughts? Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40960 Date: 3/31/2010 Time: 3:19:00 AM User: N/A Computer: CHLDDC01 Description: The Security System detected an authentication error for the server ldap/chlddc01.kid.rdomain.prv. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)". For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 5e 00 00 c0 ^..? On 3/30/2010 6:20 PM, devel at thom.fr.eu.org wrote:> So, as I already told you, I'm not familiar with that kind of setup. > > From what I could see, the fact that domain KID is not in ADS native may be the problem as you've got security = ADS and that expects native mode. > > You should try to go back to the list to confirm that. Your setup does not seem to be that odd, I could read lots of people trying (successfully for most of them if I remember correctly) to accomplish that kind of things. > > Sorry to not be able to help you more. > > Fran?ois > > -----Message d'origine----- > De : Paul Lauss [mailto:plauss at protocolgs.com] > Envoy? : mardi 30 mars 2010 23:26 > ? : devel at thom.fr.eu.org > Objet : Fwd: Re: [Samba] AD Auth Trusted Domain issues > > This didn't seem to go through the listserv... > > > I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted. 
> > On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote: > >> Could you provide the part that you removed, I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from main domain dc. >> >> Fran?ois >> >> -----Message d'origine----- >> De : samba-bounces at lists.samba.org >> [mailto:samba-bounces at lists.samba.org] De la part de Paul Lauss Envoy? >> : mardi 30 mars 2010 20:23 ? : samba at lists.samba.org Objet : Re: >> [Samba] AD Auth Trusted Domain issues >> >> The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe. >> >> mailtestbed:~# wbinfo -t >> checking the trust secret via RPC calls succeeded >> >> On 3/30/2010 9:47 AM, Fran?ois Legal wrote: >> >> >>> I'm not sure to 100% understand what you mean (it's been a long time >>> since I last used an AD server with SFU). >>> However, next step now will be to increase winbindd debug level while >>> issuing the wbinfo -i command, and see what fails there. >>> >>> Try first an wbinfo -t, then if it succeeds, increase winbindd verbosity. >>> >>> Fran?ois >>> >>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss >>> <plauss at protocolgs.com> >>> wrote: >>> >>> >>> >>>> Hello, >>>> Thank you so much for your reply! We are using AD 2003 R2 on both >>>> the domain and the child domain. I am using 10000-29999 for IDs on >>>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID). >>>> Interestingly, in the Unix tab (in AD Users and Computers for any >>>> object) under "NIS Domain" on any of the RDOMAIN servers we get the >>>> pulldown option "RDOMAIN" but on the Trusted domains server the only >>>> option is "KID". 
>>>> this but I can't seem to get the RDOMAIN option in the KID Trusted domain.
>>>>
>>>> Thanks,
>>>> -Paul
>>>>
>>>> On 3/30/2010 2:27 AM, François Legal wrote:
>>>>> Hello,
>>>>>
>>>>> I'm not familiar with this kind of setup, but I wonder whether or not the
>>>>> KID domain has the SFU schema extensions setup for idmapping (see
>>>>> idmap backend = ad) and if properly setup, check that the defined
>>>>> uid/gid for that domain fall in the idmap uid range
>>>>>
>>>>> François
>>>>>
>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com> wrote:
>>>>>> I have been killing myself on this issue over the last 2 weeks. I have
>>>>>> setup pam AD authentication using winbind on our company's email
>>>>>> servers. That part is currently working. I have been trying to add an
>>>>>> existing "Trusted" child domain and allow authentication from that
>>>>>> domain as well. I am part of the way there, but not quite to the
>>>>>> functional point as of yet. Our primary domain is rdomainprv or
>>>>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is what I am
>>>>>> seeing, followed by my configs. Also, we had to open ports 88, 139 and
>>>>>> 389 (I believe those are the correct ports, though the networking
>>>>>> guys opened them) from the email/winbind server to the child
>>>>>> domain, at the firewall. Any help would be very much appreciated!
>>>>>>
>>>>>> mailtestbed:~# wbinfo --all-domains
>>>>>> BUILTIN
>>>>>> MAILTESTBED
>>>>>> RDOMAINPRV
>>>>>> KID
>>>>>>
>>>>>> mailtestbed:~# wbinfo -u | grep testuser
>>>>>> KID\testuser
>>>>>>
>>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password
>>>>>> plaintext password authentication succeeded
>>>>>> challenge/response password authentication succeeded
>>>>>>
>>>>>> Here is where it's falling apart:
>>>>>> mailtestbed:~# wbinfo -i KID\\testuser
>>>>>> Could not get info for user KID\testuser
>>>>>>
>>>>>> mailtestbed:~# id KID\\testuser
>>>>>> id: KID\testuser: No such user
>>>>>>
>>>>>> mailtestbed:~# id testuser
>>>>>> id: testuser: No such user
>>>>>>
>>>>>> mailtestbed:~# getent passwd KID\\testuser
>>>>>> mailtestbed:~#
>>>>>>
>>>>>> mailtestbed:~# getent passwd testuser
>>>>>> mailtestbed:~#
>>>>>>
>>>>>> mailtestbed:~# id RDOMAINPRV\\testmer
>>>>>> uid=10001(testmer) gid=10001 groups=999(users)
>>>>>>
>>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer
>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>
>>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>
>>>>>> Versions (Debian Lenny)
>>>>>> samba    2:3.2.5-4lenny9
>>>>>> winbind  2:3.2.5-4lenny9
>>>>>>
>>>>>> smb.conf
>>>>>> [global]
>>>>>>    workgroup = RDOMAINPRV
>>>>>>    realm = RDOMAIN.PRV
>>>>>>    server string = %h server
>>>>>>    dns proxy = no
>>>>>>    name resolve order = lmhosts host wins bcast
>>>>>>    log file = /var/log/samba/log.%m
>>>>>>    max log size = 1000
>>>>>>    syslog = 0
>>>>>>    panic action = /usr/share/samba/panic-action %d
>>>>>>    security = ADS
>>>>>>    encrypt passwords = yes
>>>>>>    passdb backend = tdbsam
>>>>>>    obey pam restrictions = yes
>>>>>>    unix password sync = yes
>>>>>>    passwd program = /usr/bin/passwd %u
>>>>>>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>>>    pam password change = yes
>>>>>>    allow trusted domains = yes
>>>>>>    winbind trusted domains only = no
>>>>>>    idmap backend = ad
>>>>>>    idmap uid = 10000-1000000
>>>>>>    idmap gid = 10000-1000000
>>>>>>    template homedir = /home/%U
>>>>>>    winbind use default domain = yes
>>>>>>    winbind nss info = rfc2307
>>>>>>    winbind nested groups = yes
>>>>>>    client use spnego = yes
>>>>>>    client ntlmv2 auth = yes
>>>>>>    restrict anonymous = 2
>>>>>>    winbind enum groups = no
>>>>>>    winbind enum users = no
>>>>>>    winbind cache time = 30
>>>>>>
>>>>>> krb5.conf
>>>>>> [libdefaults]
>>>>>>    default_realm = RDOMAIN.PRV
>>>>>>    krb4_config = /etc/krb.conf
>>>>>>    krb4_realms = /etc/krb.realms
>>>>>>    kdc_timesync = 1
>>>>>>    ccache_type = 4
>>>>>>    forwardable = true
>>>>>>    proxiable = true
>>>>>>    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>    permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>    v4_instance_resolve = false
>>>>>>    v4_name_convert = {
>>>>>>       host = {
>>>>>>          rcmd = host
>>>>>>          ftp = ftp
>>>>>>       }
>>>>>>       plain = {
>>>>>>          something = something-else
>>>>>>       }
>>>>>>    }
>>>>>>    fcc-mit-ticketflags = true
>>>>>>
>>>>>> [realms]
>>>>>>    RDOMAIN.PRV = {
>>>>>>       default_domain = RDOMAIN.PRV
>>>>>>       master_kdc = dc02.rdomain.prv
>>>>>>       admin_server = dc02.rdomain.prv
>>>>>>       kdc = aurad.rdomain.prv
>>>>>>       kdc = addc01.rdomain.prv
>>>>>>       kdc = addc02.rdomain.prv
>>>>>>       kdc = addc03.rdomain.prv
>>>>>>       #kdc = addc04.rdomain.prv
>>>>>>       kdc = addc05.rdomain.prv
>>>>>>       kdc = chlddc01.kid.rdomain.prv
>>>>>>    }
>>>>>>    KID.RDOMAIN.PRV = {
>>>>>>       default_domain = KID.RDOMAIN.PRV
>>>>>>       kdc = chlddc01.kid.rdomain.prv
>>>>>>       master_kdc = addc02.rdomain.prv
>>>>>>       admin_server = addc02.rdomain.prv
>>>>>>       kdc = addc01.rdomain.prv
>>>>>>       kdc = addc02.rdomain.prv
>>>>>>    }
>>>>>>
>>>>>> [domain_realm]
>>>>>>    .rdomain.prv = RDOMAIN.PRV
>>>>>>    rdomain.prv = RDOMAIN.PRV
>>>>>>    .kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>    kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>
>>>>>> [kdc]
>>>>>>    profile = /var/kerberos/krb5kdc/kdc.conf
>>>>>>
>>>>>> [appdefaults]
>>>>>>    pam = {
>>>>>>       debug = false
>>>>>>       ticket_lifetime = 36000
>>>>>>       renew_lifetime = 36000
>>>>>>       forwardable = true
>>>>>>       krb4_convert = false
>>>>>>       validate = true
>>>>>>    }
>>>>>>
>>>>>> [login]
>>>>>>    krb4_convert = true
>>>>>>    krb4_get_tickets = false
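A consistency check over the krb5.conf quoted above, added here as an example; it is not code from the thread, from Samba or from MIT Kerberos. In Active Directory a domain controller is a KDC only for its own domain's realm, so a `kdc`, `master_kdc` or `admin_server` entry listed under one realm whose host name `[domain_realm]` maps to another realm can never serve that realm, and when a realm has explicit `kdc` entries MIT libkrb5 uses them instead of the DNS SRV lookup. The script re-parses the posted `[realms]` and `[domain_realm]` blocks (reproduced as a constructed string, with `[libdefaults]` trimmed) and lists every such entry. The thread never identifies these entries as the cause of the failure; the check only surfaces the inconsistency so it can be ruled in or out.

```python
"""Realm/KDC consistency check for a krb5.conf (added example, not from the thread).

In Active Directory a domain controller is a KDC only for its own domain's
realm. This script parses [realms] and [domain_realm] and reports every kdc,
master_kdc or admin_server entry whose host name [domain_realm] assigns to a
different realm than the one it is listed under. KRB5_CONF is a constructed
copy of the realm-related part of the krb5.conf posted in the thread.
"""
import re

KRB5_CONF = """
[libdefaults]
    default_realm = RDOMAIN.PRV
[realms]
    RDOMAIN.PRV = {
        default_domain = RDOMAIN.PRV
        master_kdc = dc02.rdomain.prv
        admin_server = dc02.rdomain.prv
        kdc = aurad.rdomain.prv
        kdc = addc01.rdomain.prv
        kdc = addc02.rdomain.prv
        kdc = addc03.rdomain.prv
        #kdc = addc04.rdomain.prv
        kdc = addc05.rdomain.prv
        kdc = chlddc01.kid.rdomain.prv
    }
    KID.RDOMAIN.PRV = {
        default_domain = KID.RDOMAIN.PRV
        kdc = chlddc01.kid.rdomain.prv
        master_kdc = addc02.rdomain.prv
        admin_server = addc02.rdomain.prv
        kdc = addc01.rdomain.prv
        kdc = addc02.rdomain.prv
    }
[domain_realm]
    .rdomain.prv = RDOMAIN.PRV
    rdomain.prv = RDOMAIN.PRV
    .kid.rdomain.prv = KID.RDOMAIN.PRV
    kid.rdomain.prv = KID.RDOMAIN.PRV
"""


def parse_krb5(text):
    """Parse krb5.conf syntax into nested dicts.

    Repeated keys (several `kdc = ...` lines) collect into a list; a
    `NAME = { ... }` block becomes a nested dict. Comments start with '#'.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def realm_for_host(host, domain_realm):
    """Resolve a host name to a realm the way libkrb5 uses [domain_realm]:
    an exact host entry wins, then the longest matching '.parent.domain'."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent][0]
    return None


def misplaced_kdcs(conf):
    """Return (realm, key, host, realm_per_domain_realm) for every KDC-type
    entry listed under a realm that [domain_realm] says the host is not in."""
    problems = []
    domain_realm = conf.get("domain_realm", {})
    for realm, settings in conf.get("realms", {}).items():
        for key in ("kdc", "master_kdc", "admin_server"):
            for entry in settings.get(key, []):
                host = entry.split(":")[0]          # drop an optional :port
                actual = realm_for_host(host, domain_realm)
                if actual is not None and actual.upper() != realm.upper():
                    problems.append((realm, key, host, actual))
    return problems


if __name__ == "__main__":
    for realm, key, host, actual in misplaced_kdcs(parse_krb5(KRB5_CONF)):
        print(f"[realms] {realm}: {key} = {host} is a {actual} host per [domain_realm]")
```

Run against the posted configuration it flags `chlddc01.kid.rdomain.prv` under `RDOMAIN.PRV` and the four `addc01`/`addc02.rdomain.prv` entries (`kdc`, `master_kdc`, `admin_server`) under `KID.RDOMAIN.PRV`. Whether that matters in practice depends on the resolver path winbindd takes; on an AD member the simplest fix is to drop the static `kdc` lines and let `dns_lookup_kdc` find each realm's own DCs through SRV records.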
Yes, doing "wbinfo -u" retrieves all of the KID users, then again it always did. Being able to get the SID is new. I am attaching my log file which has been gzipped to make it smaller... I hope this is not an issue. See a few of my tests below.

Thanks,
-Paul

mailtestbed:~# wbinfo -n KID\\testuser
S-1-5-21-29899443-2986348974-2400605501-1223 User (1)
mailtestbed:~# wbinfo -i KID\\testuser
Could not get info for user KID\\testuser
mailtestbed:~# wbinfo -u | grep KID
[...]
KID\co2s17
KID\testuser
KID\co2s13
KID\co2s01
KID\jplaolet
KID\co2stemp

On 4/3/2010 5:04 AM, devel at thom.fr.eu.org wrote:
> That's definitely a good point.
>
> Do you get the KID users in wbinfo -u ?
>
> Try increasing again loglevel for winbindd and send it for review.
>
> François
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Paul Lauss
> Sent: Friday 2 April 2010 20:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Auth Trusted Domain issues
>
> Greetings,
> I figured out that since we made KID ADS native I have been able to
> query for the SID successfully. I was unable to do that before. wbinfo
> -n testuser actually returns a sid but it doesn't seem to want to map it
> to anything so I am thinking my issue may be with how I am configuring
> idmap. Any thoughts or suggestions?
>
> Thanks,
> -Paul
>
> On 4/1/2010 8:55 AM, Paul Lauss wrote:
>> We have corrected the issues of "KID" not being native but this does not
>> seem to have helped. We did however see this error in the Windows Event
>> Viewer at the point that I am trying to make the connection. I am not
>> certain what it means that there are no logon servers available...
>> Thoughts?
>>
>> Event Type:     Warning
>> Event Source:   LSASRV
>> Event Category: SPNEGO (Negotiator)
>> Event ID:       40960
>> Date:           3/31/2010
>> Time:           3:19:00 AM
>> User:           N/A
>> Computer:       CHLDDC01
>> Description:
>> The Security System detected an authentication error for the server
>> ldap/chlddc01.kid.rdomain.prv. The failure code from authentication
>> protocol Kerberos was "There are currently no logon servers available to
>> service the logon request.
>> (0xc000005e)".
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> Data:
>> 0000: 5e 00 00 c0   ^..À
>>
>> On 3/30/2010 6:20 PM, devel at thom.fr.eu.org wrote:
>>> So, as I already told you, I'm not familiar with that kind of setup.
>>>
>>> From what I could see, the fact that domain KID is not in ADS native may be the problem as you've got security = ADS and that expects native mode.
>>>
>>> You should try to go back to the list to confirm that. Your setup does not seem to be that odd, I could read lots of people trying (successfully for most of them if I remember correctly) to accomplish that kind of thing.
>>>
>>> Sorry to not be able to help you more.
>>>
>>> François
>>>
>>> -----Original Message-----
>>> From: Paul Lauss [mailto:plauss at protocolgs.com]
>>> Sent: Tuesday 30 March 2010 23:26
>>> To: devel at thom.fr.eu.org
>>> Subject: Fwd: Re: [Samba] AD Auth Trusted Domain issues
>>>
>>> This didn't seem to go through the listserv...
>>>
>>> I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted.
>>>
>>> On 3/30/2010 1:56 PM, devel at thom.fr.eu.org wrote:
>>>> Could you provide the part that you removed, I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from main domain dc.
>>>>
>>>> François
>>>>
>>>> -----Original Message-----
>>>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Paul Lauss
>>>> Sent: Tuesday 30 March 2010 20:23
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] AD Auth Trusted Domain issues
>>>>
>>>> The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe.
>>>>
>>>> mailtestbed:~# wbinfo -t
>>>> checking the trust secret via RPC calls succeeded
>>>>
>>>> On 3/30/2010 9:47 AM, François Legal wrote:
>>>>> I'm not sure to 100% understand what you mean (it's been a long time
>>>>> since I last used an AD server with SFU).
>>>>> However, next step now will be to increase winbindd debug level while
>>>>> issuing the wbinfo -i command, and see what fails there.
>>>>>
>>>>> Try first a wbinfo -t, then if it succeeds, increase winbindd verbosity.
>>>>>
>>>>> François
>>>>>
>>>>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <plauss at protocolgs.com> wrote:
>>>>>> Hello,
>>>>>> Thank you so much for your reply! We are using AD 2003 R2 on both
>>>>>> the domain and the child domain. I am using 10000-29999 for IDs on
>>>>>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID).
>>>>>> Interestingly, in the Unix tab (in AD Users and Computers for any
>>>>>> object) under "NIS Domain" on any of the RDOMAIN servers we get the
>>>>>> pulldown option "RDOMAIN" but on the Trusted domains server the only
>>>>>> option is "KID". I'm not sure if that is expected or would affect
>>>>>> this but I can't seem to get the RDOMAIN option in the KID Trusted domain.
>>>>>>
>>>>>> Thanks,
>>>>>> -Paul
>>>>>>
>>>>>> On 3/30/2010 2:27 AM, François Legal wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm not familiar with this kind of setup, but I wonder whether or not the
>>>>>>> KID domain has the SFU schema extensions setup for idmapping (see
>>>>>>> idmap backend = ad) and if properly setup, check that the defined
>>>>>>> uid/gid for that domain fall in the idmap uid range
>>>>>>>
>>>>>>> François
>>>>>>>
>>>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <plauss at protocolgs.com> wrote:
>>>>>>>> [original post of 29 Mar 2010 snipped; it is quoted in full, with smb.conf and krb5.conf, earlier on this page]
It's looking more and more like it is the Windows environment at issue here. If the KID domain was not using AD 2003 R2 and all of the others were, that would cause the issue. I will talk to our Windows admins to see if we can resolve the mixed mode thing before moving on.

Thanks!
-Paul

On 4/7/2010 3:20 AM, François Legal wrote:
> From what I could read, I'm not sure which of the 2 propositions is
> correct:
>
> either winbindd tries to get idmap from the rdomain.prv DC for domain kid,
> which does not exist,
> or winbindd tries to query idmap from the kid.rdomain.prv DC and does not
> find the right information (either the information is not there or not
> using the same schema as rdomain.prv).
>
> François
>
> On Tue, 06 Apr 2010 11:15:51 -0500, Paul Lauss <plauss at protocolgs.com> wrote:
>> Here are the other logs. I just sent you the whole logs rather than
>> paring down.
>>
>> On 4/6/2010 10:20 AM, François Legal wrote:
>>> By checking the log, I could not find so many interesting things.
>>> I could see that domain KID is still reported as MIXED mode (and not
>>> NATIVE) (in the array starting at line 1002).
>>>
>>> Then, winbindd seems to be locked down trying to contact the
>>> CORADDOM02.external.rdomain.prv machine for domain EXTRDOMAINPRV, but for
>>> some reason this fails and it keeps on trying for at least about 30 minutes,
>>> as outlined in the log.
>>> I have no idea how to fix this. This can be asked on the list. I remember
>>> that someone had the same problem and I think this could be solved.
>>>
>>> Do you have anything interesting in log.wb-KID, log.winbindd-dc-connect and
>>> log.winbindd-idmap ?
>>>
>>> François
>>>
>>> On Tue, 06 Apr 2010 09:13:00 -0500, Paul Lauss <plauss at protocolgs.com> wrote:
>>>> Yes, doing "wbinfo -u" retrieves all of the KID users, then again it
>>>> always did. Being able to get the SID is new. I am attaching my log
>>>> file which has been gzipped to make it smaller... I hope this is not an
>>>> issue. See a few of my tests below.
>>>>
>>>> Thanks,
>>>> -Paul
>>>>
>>>> mailtestbed:~# wbinfo -n KID\\testuser
>>>> S-1-5-21-29899443-2986348974-2400605501-1223 User (1)
>>>> mailtestbed:~# wbinfo -i KID\\testuser
>>>> Could not get info for user KID\\testuser
>>>> mailtestbed:~# wbinfo -u | grep KID
>>>> [...]
>>>> KID\co2s17
>>>> KID\testuser
>>>> KID\co2s13
>>>> KID\co2s01
>>>> KID\jplaolet
>>>> KID\co2stemp
>>>>
>>>> [remainder of the quoted thread snipped; it appears in full in the preceding message on this page]
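François's two propositions above (winbindd asking the parent DC for an idmap the child domain holds, or asking the child DC and finding no usable RFC 2307 data) and his earlier hint that the uid/gid must fall inside the idmap range can be turned into a checklist. The Python below is an added example, not code from the thread or from Samba: it models the lookup that `idmap backend = ad` with `winbind nss info = rfc2307` performs once `wbinfo -n` has produced a SID, namely identify the SID's domain, fetch `uidNumber`/`gidNumber` (and the optional `unixHomeDirectory`/`loginShell`) from that domain's own DC, and accept them only inside the range configured for that domain. The `SMB_CONF`, the LDAP records and the RDOMAINPRV domain SID are constructed; the `idmap config DOMAIN : range` lines use the per-domain syntax Samba has supported since 3.0.25 and are not in the posted smb.conf; the testmer values match the thread's output, while the KID records are hypothetical because the thread never shows what the KID objects carry.

```python
"""Model of the idmap lookup behind `wbinfo -i DOMAIN\\user` (added example).

Not code from the thread or from Samba. With `idmap backend = ad` and
`winbind nss info = rfc2307`, winbindd resolves the name to a SID, asks the
SID's own domain for the object's RFC 2307 attributes and accepts the ids
only inside the idmap range configured for that domain. SMB_CONF,
LDAP_RECORDS and the RDOMAINPRV domain SID are constructed for the example.
"""
import re

SMB_CONF = """
[global]
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   template homedir = /home/%U
   template shell = /bin/bash
   winbind nss info = rfc2307
   # per-domain ranges: assumed addition (Samba 3.0.25+), not in the posted config
   idmap config RDOMAINPRV : range = 10000-29999
   idmap config KID : range = 30000-100000
"""

# Constructed stand-ins for what an LDAP search of each domain's own DC
# returns for the user object. testmer matches the thread's output; the
# KID entries are hypothetical failure cases.
LDAP_RECORDS = {
    "RDOMAINPRV\\testmer": {"uidNumber": 10001, "gidNumber": 10001,
                            "unixHomeDirectory": "/home/testmer",
                            "loginShell": "/bin/bash"},
    "KID\\testuser": {},                                      # RFC 2307 attributes never set
    "KID\\co2s01": {"uidNumber": 29000, "gidNumber": 29000},  # set, but outside KID's range
}

# Domain SID prefixes: KID's is the one `wbinfo -n KID\\testuser` printed in
# the thread, RDOMAINPRV's is constructed.
DOMAIN_SIDS = {
    "S-1-5-21-29899443-2986348974-2400605501": "KID",
    "S-1-5-21-111111111-222222222-333333333": "RDOMAINPRV",
}


def parse_smb_conf(text):
    """Return [global] parameters as {name: value}; names are lower-cased and
    whitespace-normalised, which is how Samba compares parameter names."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        name, _, value = line.partition("=")
        params[re.sub(r"\s+", " ", name.strip().lower())] = value.strip()
    return params


def idmap_range(params, domain):
    """Range winbindd enforces for `domain`: its `idmap config ... : range`
    if present, otherwise the global `idmap uid` range."""
    spec = params.get(f"idmap config {domain.lower()} : range") or params["idmap uid"]
    low, high = (int(x) for x in spec.split("-"))
    return low, high


def domain_of_sid(sid):
    """Split S-1-5-21-A-B-C-RID into (domain name or None, RID)."""
    prefix, rid = sid.rsplit("-", 1)
    return DOMAIN_SIDS.get(prefix), int(rid)


def diagnose(account, params, records=LDAP_RECORDS):
    """Return ("ok", passwd_line) or ("fail", reason) for DOMAIN\\user."""
    domain, user = account.split("\\", 1)
    rec = records.get(account)
    if rec is None:
        return "fail", f"{account}: object not found on a {domain} DC"
    if "uidNumber" not in rec or "gidNumber" not in rec:
        return "fail", (f"{account}: no uidNumber/gidNumber on the object; "
                        f"idmap backend = ad needs RFC 2307 attributes in {domain}")
    low, high = idmap_range(params, domain)
    for attr in ("uidNumber", "gidNumber"):
        if not low <= rec[attr] <= high:
            return "fail", (f"{account}: {attr} {rec[attr]} outside idmap range "
                            f"{low}-{high} for {domain}")
    home = rec.get("unixHomeDirectory") or params["template homedir"].replace("%U", user)
    shell = rec.get("loginShell") or params.get("template shell", "/bin/false")
    # `winbind use default domain = yes` drops the DOMAIN\ prefix, as in the thread.
    return "ok", f"{user}:*:{rec['uidNumber']}:{rec['gidNumber']}::{home}:{shell}"


if __name__ == "__main__":
    params = parse_smb_conf(SMB_CONF)
    print(domain_of_sid("S-1-5-21-29899443-2986348974-2400605501-1223"))
    for account in LDAP_RECORDS:
        print(*diagnose(account, params))
```

On the real box the two constructed inputs correspond to two checks: `wbinfo -S S-1-5-21-29899443-2986348974-2400605501-1223` shows whether the SID maps to a uid at all, and an LDAP search against `chlddc01.kid.rdomain.prv` for `(sAMAccountName=testuser)` returning `uidNumber gidNumber` shows whether the child domain's object carries the attributes at all and whether the values land in the range winbindd is told to accept. A single global `idmap uid = 10000-1000000` accepts any value either domain hands out; the per-domain ranges make an accidental overlap between the two domains' UNIX attribute administrations visible as a mapping failure rather than a silent identity collision.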