Andrea Venturoli
2013-Feb-04 18:25 UTC
[Samba] Trust problems after upgrade from 3.5 to 3.6
Hello.

My setup:
_ one Samba 3.5 domain (XXXXXXXX), with a PDC and a BDC, both running FreeBSD;
_ one AD domain (YYYYYYYY) running on two Windows 2003 DCs;
_ bidirectional trust between the two domains.

Everything used to work until I moved the PDC from Samba 3.5 (EOL'ed) to 3.6; now, users from domain YYYYYYYY cannot access the PDC's shares.

I used to have in smb.conf:
> idmap backend=ldap:ldap://localhost/
> idmap alloc backend=ldap
> idmap alloc config:ldap_url=ldap://localhost
> idmap alloc config:ldap_base_dn=ou=idmap,dc=xxxxxxxx,dc=xx
> idmap alloc config:ldap_user_dn=cn=root,dc=xxxxxxxx,dc=xx
> idmap cache time=120
> idmap uid=150000-200000
> idmap gid=150000-200000
> template shell=/sbin/nologin
> idmap config XXXXXXXX:backend=nss
> idmap config XXXXXXXX:range=1000-999999

After the upgrade I changed it this way:
> idmap config *:backend=ldap
> idmap config *:range=150000-200000
> idmap config *:ldap_url=ldap://localhost/
> idmap config *:ldap_base_dn=ou=idmap,dc=xxxxxxxx,dc=xx
> idmap config *:ldap_user_dn=cn=root,dc=xxxxxxxx,dc=xx
> idmap cache time=120
> template shell=/sbin/nologin
> idmap config XXXXXXXX:backend=nss
> idmap config XXXXXXXX:range=1000-999999

I see many errors like the following in log.winbindd-idmap:
> [2013/02/04 19:22:20.847184, 1] winbindd/idmap.c:249(idmap_init_domain)
> idmap initialization returned NT_STATUS_ACCESS_DENIED

In log.wb-YYYYYYYY:
> [2013/02/04 19:20:59.364510, 0] rpc_client/cli_pipe.c:3240(cli_rpc_pipe_open_spnego_ntlmssp)
> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED

Please, any help is appreciated.

bye & Thanks
av.
Andrea Venturoli
2013-Feb-05 08:04 UTC
[Samba] Trust problems after upgrade from 3.5 to 3.6
On 02/04/13 19:25, Andrea Venturoli wrote:
> Hello.
>
> My setup:
> _ one Samba 3.5 domain (XXXXXXXX), with a PDC and a BDC, both running
> FreeBSD;
> _ one AD domain (YYYYYYYY) running on two Windows 2003 DCs;
> _ bidirectional trust between the two domains.
>
> Everything used to work until I moved the PDC from Samba 3.5 (EOL'ed) to
> 3.6; now, users from domain YYYYYYYY cannot access the PDC's shares.
>
> I used to have in smb.conf:
>> idmap backend=ldap:ldap://localhost/
>> idmap alloc backend=ldap
>> idmap alloc config:ldap_url=ldap://localhost
>> idmap alloc config:ldap_base_dn=ou=idmap,dc=xxxxxxxx,dc=xx
>> idmap alloc config:ldap_user_dn=cn=root,dc=xxxxxxxx,dc=xx
>> idmap cache time=120
>> idmap uid=150000-200000
>> idmap gid=150000-200000
>> template shell=/sbin/nologin
>> idmap config XXXXXXXX:backend=nss
>> idmap config XXXXXXXX:range=1000-999999
>
> After the upgrade I changed it this way:
>> idmap config *:backend=ldap
>> idmap config *:range=150000-200000
>> idmap config *:ldap_url=ldap://localhost/
>> idmap config *:ldap_base_dn=ou=idmap,dc=xxxxxxxx,dc=xx
>> idmap config *:ldap_user_dn=cn=root,dc=xxxxxxxx,dc=xx
>> idmap cache time=120
>> template shell=/sbin/nologin
>> idmap config XXXXXXXX:backend=nss
>> idmap config XXXXXXXX:range=1000-999999
>
> I see many errors like the following in log.winbindd-idmap:
>> [2013/02/04 19:22:20.847184, 1] winbindd/idmap.c:249(idmap_init_domain)
>> idmap initialization returned NT_STATUS_ACCESS_DENIED
>
> In log.wb-YYYYYYYY:
>> [2013/02/04 19:20:59.364510, 0]
>> rpc_client/cli_pipe.c:3240(cli_rpc_pipe_open_spnego_ntlmssp)
>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>
> Please, any help is appreciated.
>
> bye & Thanks
> av.

P.S. I'm also seeing this:
> winbindd[65589]: get_credentials: Unable to fetch auth credentials for cn=root,dc=xxxxxxxx,dc=xx in *

Connection to LDAP works from smbd (for which I had set credentials with smbpasswd -w); how would I do it for winbindd?

bye & Thanks
av.