Bruce Richardson
2010-Oct-21 15:59 UTC
[Samba] Trusted domain users unwantedly mapping onto local domain users
Having set up a two-way trust between a Samba domain (with LDAP backend) and an AD domain, I find that

1. Users from the trusted domain are authenticated against the proper DC (that is, their regular password works), but only if there is a corresponding local domain user.

2. Users from the trusted domain are being mapped onto Samba/POSIX users associated with the local Samba domain, despite the fact that the correct idmap objects are being created in the directory. If they connect to a share, they connect as the local domain user (although, oddly, they can create new files and directories but not delete old ones).

More information:

The local domain uses an LDAP backend, with ldapsam:editposix and ldapsam:trusted set. LDAP is used for all domain configs (BUILTIN, OFFICE domain and external domains). Winbind is used on the domain controllers for GID/UID allocation (and for id mappings for foreign domains), but nss_ldap is used on all the servers, DC or member, to provide the POSIX user information via nsswitch.conf. winbind is not currently running on the member servers (not needed for a single domain because of nss_ldap).

All this was working perfectly. Adding the domain trust worked flawlessly. Then I tried - on the PDC and BDC only - to have users from the trusted domain connecting to shares. So I changed nsswitch.conf from

passwd: files ldap
group: files ldap

to

passwd: files ldap winbind
group: files ldap winbind

I added details of the AD domain's PDC to krb5.conf, set the auth user file and restarted winbindd for luck.

* "wbinfo -u" and "wbinfo -g" list the trusted domain users and groups.
* "getent passwd" returns the trusted users in the list as TRUSTED\user.name.
* The idmap OU in the directory now has two dozen entries (the AD domain is only used for one specialist part of the company).

So far so good. "getent group" and "getent passwd" show the TRUSTED domain users have been added and are visible as POSIX users. TRUSTED users can authenticate to any OFFICE member servers using their own passwords (with the important caveat mentioned above). At this point, I'm at something of a loss. I can ssh into the domain controller as TRUSTED\test.user, whether or not there is a corresponding user in the local domain, and the correct UID and GID will be assigned, but I can only connect to Samba as that user if there is a corresponding local domain user and I am then assigned their UID and GID.

Can anybody suggest what I may have missed? I can post the relevant domain controller configs.

I don't know if it's relevant to this, but winbind keeps trying to write to krb5.conf and being blocked by selinux. Haven't had time to investigate that.

-- 
Bruce

I unfortunately do not know how to turn cheese into gold.
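The post describes the same trusted user getting the right UID from NSS (ssh works) but the local account's UID from smbd. An added example, not from the thread, that separates those two views on the DC: it compares what NSS returns for DOMAIN\user and for the bare name, what winbind's idmap says for the user's SID, and which unix name a running smbd shows for the session. The helpers take command output as text so they can be exercised on the constructed samples below; the live driver at the end assumes the default winbind separator "\", that the trusted domain's users carry no spaces in the group column, and the "PID Username Group Machine" layout of "smbstatus -b" (all assumptions, not facts from the post).

```sh
#!/bin/sh
# Added example (not from the thread): cross-check how a trusted-domain user is
# resolved at three layers on the DC -- NSS (getent), winbind's idmap (wbinfo)
# and the running smbd (smbstatus).  Assumptions: default winbind separator "\"
# and the "PID Username Group Machine" column layout of "smbstatus -b".

# passwd_uid LINE: print the uid field of a passwd(5) line (nothing if empty).
passwd_uid() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# classify_nss QUALIFIED_LINE LOCAL_LINE: compare the passwd entries NSS
# returns for DOMAIN\user and for the bare user name.  Prints one of
#   DISTINCT   both resolve, to different uids (the expected state)
#   COLLIDE    both resolve to the same uid
#   NOLOCAL    only DOMAIN\user resolves (no same-named local account)
#   NOTRUSTED  DOMAIN\user does not resolve at all (winbind/NSS problem)
classify_nss() {
    quid=$(passwd_uid "$1")
    luid=$(passwd_uid "$2")
    if [ -z "$quid" ]; then
        echo NOTRUSTED
    elif [ -z "$luid" ]; then
        echo NOLOCAL
    elif [ "$quid" = "$luid" ]; then
        echo COLLIDE
    else
        echo DISTINCT
    fi
}

# smbd_session_user SMBSTATUS_OUTPUT MACHINE: print the Username column of the
# "smbstatus -b" session rows whose Machine column (host name or "(ip)")
# matches MACHINE.  smbd prints the unix name it resolves the session's uid
# back to, so a TRUSTED\test.user session listed here as "test.user" has been
# given the local account's uid.
smbd_session_user() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 ~ /^[0-9]+$/ && ($4 == m || $5 == "(" m ")") { print $2 }
    '
}

# check_trusted_user DOMAIN\user MACHINE: run all three checks against the
# live system (needs getent, wbinfo and smbstatus on the DC).  Returns 1 when
# the name smbd shows for the session is not the qualified NSS name.
check_trusted_user() {
    qualified=$1
    short=${qualified#*\\}
    qline=$(getent passwd "$qualified")
    lline=$(getent passwd "$short")
    echo "nss:     $(classify_nss "$qline" "$lline")"
    sid=$(wbinfo --name-to-sid "$qualified" | awk '{ print $1 }')
    echo "winbind: $qualified -> $sid -> uid $(wbinfo --sid-to-uid "$sid")"
    smbd_user=$(smbd_session_user "$(smbstatus -b)" "$2")
    echo "smbd:    session from $2 runs as '${smbd_user:-<none>}'"
    [ -n "$smbd_user" ] && [ "$smbd_user" = "$(printf '%s\n' "$qline" | cut -d: -f1)" ]
}

# Live use on the DC while TRUSTED\test.user has a share open from ws01:
#   check_trusted_user 'TRUSTED\test.user' ws01
```

If classify_nss reports DISTINCT but the smbd line shows the bare local name, NSS and idmap are doing their job and the mismatch is in how smbd itself resolves the account name at session setup; if it reports COLLIDE, the idmap allocation is what needs fixing.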
Gaiseric Vandal
2010-Oct-21 21:02 UTC
[Samba] Trusted domain users unwantedly mapping onto local domain users
I have similar issues. I am running Samba 3.4 (compiled from source) on Solaris 10, so selinux is NOT an issue for me. Otherwise I have a similar config (LDAP backend for samba, trusted domains to windows 2003 server.) I thought this used to work but a month or so ago it wasn't.

getent passwd and wbinfo -u showed users from the trusted domain. wbinfo -s / wbinfo -n showed uid-to-sid and sid-to-uid mappings were ok.

The log seemed to show users in the trusted domain being valid, but then complains that that user does not exist.

--------------------------------------------------------------------------------
[2010/09/13 08:02:04, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WINDOMAIN]\[linus]@[WINSERVER] with the new password interface
[2010/09/13 08:02:04, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]
...
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
--------------------------------------------------------------------------------

I partly resolved this by creating dummy accounts for users (/bin/false as the shell) for the trusted domains (the passwords are different.) The trusted domain only has about 5 or 6 users. I have not tried ssh'ing in as a trusted domain user (I definitely don't want that available..)

It is weird, because the trusted users ARE definitely authenticating using their own passwords. Maybe it is trying to validate the user name via kerberos but then validates the password via NTLM?

Do you have an entry in krb5.conf for the trusted domain? I think that is more of an issue for locating the DC.
At some point I changed the forest and domain modes on the Windows 2003 DC from mixed to native. That may have broken something but the end users from the trusted domain might not have reported it until several weeks later. (It is apparently a resource they only need occasionally.) I haven't had a chance to look into this further, since I have a workaround.

On 10/21/2010 11:59 AM, Bruce Richardson wrote:
> Having set up a two-way trust between a Samba domain (with LDAP backend)
> and an AD domain, I find that
>
> 1. Users from the trusted domain are authenticated against the proper
> DC (that is, their regular password works), but only if there is a
> corresponding local domain user.
>
> 2. Users from the trusted domain are being mapped onto Samba/POSIX
> users associated with the local Samba domain, despite the fact that the
> correct idmap objects are being created in the directory. If they
> connect to a share, they connect as the local domain user (although,
> oddly, they can create new files and directories but not delete old
> ones).
>
>
> More information:
>
> The local domain uses an LDAP backend, with ldapsam:editposix and
> ldapsam:trusted set. LDAP is used for all domain configs (BUILTIN,
> OFFICE domain and external domains). Winbind is used on the domain
> controllers for GID/UID allocation (and for id mappings for foreign
> domains), but nss_ldap is used on all the servers, DC or member, to
> provide the POSIX user information via nsswitch.conf. winbind is not
> currently running on the member servers (not needed for a single domain
> because of nss_ldap).
>
> All this was working perfectly. Adding the domain trust worked
> flawlessly. Then I tried - on the PDC and BDC only - to have users
> from the trusted domain connecting to shares. So I changed
> nsswitch.conf from
>
> passwd: files ldap
> group: files ldap
>
> to
>
> passwd: files ldap winbind
> group: files ldap winbind
>
> I added details of the AD domain's PDC to krb5.conf, set the auth user
> file and restarted winbindd for luck.
>
> * "wbinfo -u" and "wbinfo -g" list the trusted domain users and groups.
> * "getent passwd" returns the trusted users in the list as
> TRUSTED\user.name.
> * The idmap OU in the directory now has two dozen
> entries (the AD domain is only used for one specialist part of the
> company).
>
> So far so good. "getent group" and "getent passwd" show the TRUSTED
> domain users have been added and are visible as POSIX users. TRUSTED
> users can authenticate to any OFFICE member servers using their own
> passwords (with the important caveat mentioned above). At this point,
> I'm at something of a loss. I can ssh into the domain controller as
> TRUSTED\test.user, whether or not there is a corresponding user in the
> local domain, and the correct UID and GID will be assigned, but I can
> only connect to Samba as that user if there is a corresponding local
> domain user and I am then assigned their UID and GID.
>
> Can anybody suggest what I may have missed? I can post the relevant
> domain controller configs.
>
> I don't know if it's relevant to this, but winbind keeps trying to write
> to krb5.conf and being blocked by selinux. Haven't had time to
> investigate that.
>
>
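The log excerpt in the reply above shows the two names smbd logs for one attempt: the name the client sent ("unmapped user") and the name after smbd's username mapping ("mapped user is"), followed by the verdict. An added example, not from the thread, that pulls those three pieces out of a level-3 smbd log so the rewrite is visible per attempt. The sample log below is constructed, modelled on the quoted lines; the second attempt (OFFICE\alice, succeeding, no rename) and its line numbers are invented for contrast, and the live log path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): summarise smbd's check_ntlm_password
# log lines as "client name | name after username map | user pair | verdict".
# The sample below is constructed; the WINDOMAIN attempt mirrors the lines
# quoted in the reply, the OFFICE attempt is invented for contrast.

# auth_log_summary: read an smbd log on stdin and print one line per
# authentication attempt.  A mapped name that differs from the unmapped one
# means smbd rewrote the account name before trying to authenticate it.
auth_log_summary() {
    awk '
        /check_ntlm_password: +Checking password for unmapped user/ {
            s = $0
            sub(/.*unmapped user /, "", s)
            sub(/ with the new password interface.*/, "", s)
            unmapped = s
        }
        /check_ntlm_password: +mapped user is:/ {
            s = $0
            sub(/.*mapped user is: */, "", s)
            mapped = s
        }
        /check_ntlm_password: +[Aa]uthentication for user/ {
            pair = ""
            if (match($0, /\[[^]]*\] -> \[[^]]*\]/)) pair = substr($0, RSTART, RLENGTH)
            verdict = ($0 ~ /FAILED/) ? "FAILED" : "succeeded"
            if (match($0, /NT_STATUS_[A-Z_0-9]+/))
                verdict = verdict " " substr($0, RSTART, RLENGTH)
            printf "%s | %s | %s | %s\n", unmapped, mapped, pair, verdict
            unmapped = mapped = ""
        }
    '
}

# sample_auth_log: constructed log fragment (not a real capture).
sample_auth_log() {
    cat <<'EOF'
[2010/09/13 08:02:04, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WINDOMAIN]\[linus]@[WINSERVER] with the new password interface
[2010/09/13 08:02:04, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:05:11, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [OFFICE]\[alice]@[WS01] with the new password interface
[2010/09/13 08:05:11, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [OFFICE]\[alice]@[WS01]
[2010/09/13 08:05:11, 2] auth/auth.c:288(check_ntlm_password)
  check_ntlm_password: authentication for user [alice] -> [alice] -> [alice] succeeded
EOF
}

# Run on the constructed sample:
#   sample_auth_log | auth_log_summary
# Against a live DC (log level 3 or higher; path is an assumption):
#   auth_log_summary < /var/log/samba/log.smbd
```

In the constructed WINDOMAIN attempt the client sent linus but smbd went on to look up winuser, which is the rewrite a "username map" entry produces; when the two names match, as in the OFFICE attempt, no map was involved and any mismatch has to come from a later step.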