Winkel, Richard J.
2013-Oct-26 18:32 UTC
[Samba] samba + kerberos + active directory with multiple domains
I've almost got this thing working. I have it set up on a CentOS machine to authenticate logins and automounts to Windows file servers. But it won't allow me to specify a domain as part of the userid. I can set a default domain in smb.conf and logging into that domain works like a champ. And I can list the other domains with "wbinfo --online-status" (not sure what "offline" means, but I can list the groups even in the offline domains). But if I turn off the default domain in smb.conf

winbind use default domain = false

and specify a delimiter

winbind separator = \

and try "wbinfo -a somedomain\\someuser" I get "no such user". I assume the local /etc/passwd file has to include the domain\userid as well, correct? But maybe wbinfo -a doesn't reference the local passwd file.

In any case, here are krb5.conf and smb.conf. Can someone tell me what I'm missing?

Many thanks for any help!!!

### /etc/krb5.conf ###

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = COL.MISSOURI.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 COL.MISSOURI.EDU = {
  kdc = col.missouri.edu
  admin_server = col.missouri.edu
  default_domain = col.missouri.edu
  kdc = col.missouri.edu
 }

[domain_realm]
 .missouri.edu = COL.MISSOURI.EDU
 missouri.edu = COL.MISSOURI.EDU

 col.missouri.edu = COL.MISSOURI.EDU
 .col.missouri.edu = COL.MISSOURI.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug=false
  ticket_lifetime=36000
  renew_lifetime=36000
  forwardable=true
  krb4_convert=false
 }

### /etc/samba/smb.conf ###

[global]
 workgroup = UMC-USERS
 password server = col.missouri.edu
 realm = COL.MISSOURI.EDU
 security = ADS
 allow trusted domains = yes
 idmap config *:backend = rid
 idmap config *:range = 1000-60000
 idmap uid = 60001-100000
 idmap gid = 60001-100000
 winbind use default domain = false
 winbind offline logon = true
 winbind separator = \
 netbios name = ZENA
 server string = Rouder Centos Samba Server Version %v
 interfaces = 128.206.38.63
 hosts allow = 128.206. 10.7.
 log file = /var/log/samba/log.%m
 max log size = 50
 preferred master = no
 encrypt passwords = yes
 log level = 3
 local master = no
 preferred master = no
 dns proxy = no
 template shell = /bin/bash
 server string = Rouder Centos
 server signing = auto
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
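An added example, not from the thread or from Samba itself: a POSIX sh audit of the [global] settings that matter for DOMAIN\user winbind logons, run over a constructed smb.conf fragment modelled on the one posted above. It assumes only the option names the poster uses and the smb.conf rule that the last occurrence of a key wins.

```shell
# Added example (not from the thread): audit the [global] settings that matter for
# DOMAIN\user winbind logons, over a constructed smb.conf fragment modelled on the
# posted one. Assumes the Samba 3.x option names the poster uses; POSIX sh + awk only.
SAMPLE_SMB_CONF='[global]
   workgroup = UMC-USERS
   allow trusted domains = yes
   idmap config * : range = 1000-60000
   winbind use default domain = false
   winbind separator = \
   log level 3
'

# smb_get CONF KEY: value of KEY in [global]; the last occurrence wins, as in smbd.
# Matching is case-insensitive and ignores spaces around ":" ("idmap config *:range").
smb_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\]/); next }
        insec && NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            gsub(/[ \t]*:[ \t]*/, ":", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v
            }
        }
        END { print val }'
}

# smb_malformed CONF: non-comment lines that carry no "=", e.g. "log level 3";
# smbd does not apply such lines, so the setting silently never takes effect.
smb_malformed() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ || /^[ \t]*\[/ { next }
        $0 !~ /=/ { sub(/^[ \t]+/, ""); print }'
}

# check_multidomain CONF: prints each finding; returns 1 if anything needs fixing.
check_multidomain() {
    rc=0
    [ "$(smb_get "$1" 'allow trusted domains')" = yes ] || { echo 'allow trusted domains is not yes'; rc=1; }
    [ -n "$(smb_get "$1" 'winbind separator')" ] || { echo 'winbind separator is unset'; rc=1; }
    case "$(smb_get "$1" 'winbind use default domain')" in
        yes|true|1) echo 'winbind use default domain is on: bare user names resolve in the workgroup domain'; rc=1 ;;
    esac
    bad=$(smb_malformed "$1"); [ -z "$bad" ] || { echo "no '=' on: $bad"; rc=1; }
    return $rc
}

check_multidomain "$SAMPLE_SMB_CONF" || printf '%s\n' 'fix the findings above before DOMAIN\user logons will work'
```

On the constructed sample the only finding is the "log level 3" line, which is the same typo present in the posted smb.conf.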
Winkel, Richard J.
2013-Oct-28 16:21 UTC
[Samba] samba + kerberos + active directory with multiple domains
Could someone just send me a working config that works with multiple AD domains? Anything would be helpful...

Thanks!
Rich

On 10/26/13 1:32 PM, Winkel, Richard J. wrote:
> I've almost got this thing working. I have it set up on a CentOS machine to authenticate logins and automounts to Windows file servers. But it won't allow me to specify a domain as part of the userid. I can set a default domain in smb.conf and logging into that domain works like a champ. And I can list the other domains with "wbinfo --online-status" (not sure what "offline" means, but I can list the groups even in the offline domains). But if I turn off the default domain in smb.conf
>
> winbind use default domain = false
>
> and specify a delimiter
>
> winbind separator = \
>
> and try "wbinfo -a somedomain\\someuser" I get "no such user". I assume the local /etc/passwd file has to include the domain\userid as well, correct? But maybe wbinfo -a doesn't reference the local passwd file.
>
> In any case, here are krb5.conf and smb.conf. Can someone tell me what I'm missing?
>
> Many thanks for any help!!!
>
> ### /etc/krb5.conf ###
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = COL.MISSOURI.EDU
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
>  COL.MISSOURI.EDU = {
>   kdc = col.missouri.edu
>   admin_server = col.missouri.edu
>   default_domain = col.missouri.edu
>   kdc = col.missouri.edu
>  }
>
> [domain_realm]
>  .missouri.edu = COL.MISSOURI.EDU
>  missouri.edu = COL.MISSOURI.EDU
>
>  col.missouri.edu = COL.MISSOURI.EDU
>  .col.missouri.edu = COL.MISSOURI.EDU
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>   debug=false
>   ticket_lifetime=36000
>   renew_lifetime=36000
>   forwardable=true
>   krb4_convert=false
>  }
>
> ### /etc/samba/smb.conf ###
>
> [global]
>  workgroup = UMC-USERS
>  password server = col.missouri.edu
>  realm = COL.MISSOURI.EDU
>  security = ADS
>  allow trusted domains = yes
>  idmap config *:backend = rid
>  idmap config *:range = 1000-60000
>  idmap uid = 60001-100000
>  idmap gid = 60001-100000
>  winbind use default domain = false
>  winbind offline logon = true
>  winbind separator = \
>  netbios name = ZENA
>  server string = Rouder Centos Samba Server Version %v
>  interfaces = 128.206.38.63
>  hosts allow = 128.206. 10.7.
>  log file = /var/log/samba/log.%m
>  max log size = 50
>  preferred master = no
>  encrypt passwords = yes
>  log level = 3
>  local master = no
>  preferred master = no
>  dns proxy = no
>  template shell = /bin/bash
>  server string = Rouder Centos
>  server signing = auto
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192