samba - Dec 2011 - cant access shares on members of samba domain from windows domain

Hi,

I have a network with two domains. DOMAIN A has samba 3.0.28 as PDC
(I know its old but it cant be updated due to political reasons).
DOMAIN B is a Windows 2003 domain. Samba PDC (domain A) has few shares
on it and everyone can access those shares (everyone from domain A and
domain B). In domain A there are also few windows machines which also
have shares. I'd like for those shares to be available to everyone.
Currently, everyone on domain A can access those windows shares (which
are on domain A). I'd like for those shares to be available to domain
B users but currently only Domain Administrator from domain B has
access. I'd appreciate any help on getting this to work.


To sum up,

Domain A:  1.  Samba as PDC - share "Groups" shared to everyone and
available to everyone
                 2.   Windows 2003 - share  "Data" shared to everyone
but available to everyone in domain A and only to Domain Administrator
from domain B

Domain B:  1. Windows 2003 Active directory
                 2. Windows XP clients

---share "Data" needs to be available to everyone. Any ideas?

Here is the error message I get when trying to access share "Data" as
DomainB\user.

\\Robo is not accessible. You might not have permission to use this
network resource.
Contact the administrator of this server to find out if you have
access permissions.
A device attached to the system is not functioning.

From: damiien <damiien at gmail.com>
Date: Fri, 2 Dec 2011 09:44:42 +0100
> Currently, everyone on domain A can access those windows shares (which
> are on domain A). I'd like for those shares to be available to domain
> B users but currently only Domain Administrator from domain B has
> access. I'd appreciate any help on getting this to work.
First, you had better understand Windows domain trustrelationship
before working on Samba issue. Then you will understand what to be
done.

---

If you do not mind security, enabling Guest access is an easy way.

And if domain A users want to access a share on domain B, to specify
correct user and whose password will make them access.

Otherwise, you have to set up domain trustrelationship between domain
A and B, and set correct permissions on every share you want to enable
access from other domain's users.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

On 12/02/2011 03:44 AM, damiien wrote:
> Hi,
>
> I have a network with two domains. DOMAIN A has samba 3.0.28 as PDC
> (I know its old but it cant be updated due to political reasons).
> DOMAIN B is a Windows 2003 domain. Samba PDC (domain A) has few shares
> on it and everyone can access those shares (everyone from domain A and
> domain B). In domain A there are also few windows machines which also
> have shares. I'd like for those shares to be available to everyone.
> Currently, everyone on domain A can access those windows shares (which
> are on domain A). I'd like for those shares to be available to domain
> B users but currently only Domain Administrator from domain B has
> access. I'd appreciate any help on getting this to work.
>
>
> To sum up,
>
> Domain A:  1.  Samba as PDC - share "Groups" shared to everyone
and
> available to everyone
>                   2.   Windows 2003 - share  "Data" shared to
everyone
> but available to everyone in domain A and only to Domain Administrator
> from domain B
>
> Domain B:  1. Windows 2003 Active directory
>                   2. Windows XP clients
>
> ---share "Data" needs to be available to everyone
If you edit the Share or NTFS perms of a Domain A WIndows machine 
directory, are you able to view or select users/groups from domain B?  
When you log in to a Domain A Windows machine are you able to select 
"Domain B" as a login domain?    Are you sure domain trusts really are
set up properly on your PDC?  Does "wbinfo -u" and "wbinfo
-g" show the
trusted domain users and groups?  Does "getent passwd" or "getent
passwd
DOMAINB\\someuser" work?

My guess is that domain trusts are not working properly.    Trusted 
domain users need to map to a local unix id.   Domain B Administrator is 
probably able to log in to domain A since there is a matching unix name 
(i.e. Administrator.)     Assuming that samba can match the trusted 
domain user's name to a local unix id, it will then validate the user 
against the trusted domain PDC.     If you have "jsmith" in both 
domains, but with different passwords, if would appear to user
"jsmith"
that domain trusts were working properly.


I think you will not get this working properly with Samba 3.0.28.  I had 
a similar setup-  I would get it working for a short time but the idmap 
cache would expire and not renew.