Hello.

I've got a samba4 domain member server. It works fine for the joined domain, but I'm not able to let users from a different domain get access. This worked fine on my samba3 member server, but I don't remember if I did anything special.

I do have authentication set on the AD object for the users in question and we have a one-way trust with the other domain. All DCs are Windows servers.

DOMA = my domain
DOMB = other domain

wbinfo -m lists both domains, among others.

wbinfo --online-status shows DOMA as online, DOMB as offline.

wbinfo -D DOMA works and shows everything as "Yes".

wbinfo -D DOMB works, but shows everything as "No", including the "Active Directory" field. My samba3 machine shows "Yes".

wbinfo -i DOMA\user works.

wbinfo -i DOMB\user doesn't. I'm 100% positive the user exists. This works on my Samba3 machine. On samba4 it throws:

    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user DOMB\user

My samba3 machine doesn't even have a krb5.conf file, although it generated one in /var/db/samba. DOMB isn't listed in it.

My current krb5.conf:

    [libdefaults]
        default_realm = DOMA
        clockskew = 300
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forwardable = yes

    [domain_realm]
        DOMA = DOMA
        .DOMA = DOMA
        DOMB.realm = DOMB.realm
        .DOMB.realm = DOMB.realm

    [realms]
        DOMA = {
            kdc = ds1.DOMA.realm
            kdc = ds2.DOMA.realm
            kdc = ds3.DOMA.realm
            admin_server = ds1.DOMA
            default_domain = DOMA
        }
        DOMB.realm = {
            kdc = dc05.DOMB.realm
            kdc = dc07.DOMB.realm
            kdc = dc08.DOMB.realm
            admin_server = dc05.DOMB.realm
            default_domain = DOMB.realm
        }

How do I get my DOMB to be "active directory" enabled and be marked "online"?

henrik

--
Henrik Hudson
lists at rhavenn.net
-----------------------------------------
"God, root, what is difference?" Pitr; UF
> I've got a samba4 domain member server. It works fine for the joined
> domain, but I'm not able to let users from a different domain get
> access. This worked fine on my samba3 member server, but I don't
> remember if I did anything special.

According to FAQ on the Wiki page:

" Does Samba support trust relationship with AD?

Trusts are currently not finished implemented. Samba can be trusted, but can't trust yet.

But even this is unofficial and should not be relied on, because "parts that appear to work are a partial development that just happen to be in our released versions" (July 2014)."

https://wiki.samba.org/index.php/FAQ

The FAQ also points to this:

Samba4 interdomain trust
https://lists.samba.org/archive/samba/2014-July/182830.html
On Wed, 25 Feb 2015, Miguel Medalha wrote:

> > I've got a samba4 domain member server. It works fine for the joined
> > domain, but I'm not able to let users from a different domain get
> > access. This worked fine on my samba3 member server, but I don't
> > remember if I did anything special.
>
> According to FAQ on the Wiki page:
>
> " Does Samba support trust relationship with AD?
>
> Trusts are currently not finished implemented. Samba can be trusted, but
> can't trust yet.
>
> But even this is unofficial and should not be relied on, because "parts
> that appear to work are a partial development that just happen to be in
> our released versions" (July 2014)."

Sure. That's if it's a Samba domain with Samba as the DC. I'm in a Windows domain that has a trust already and Samba is just a domain member, not a DC. It works fine on my Samba3 box.

henrik

--
Henrik Hudson
lists at rhavenn.net
-----------------------------------------
"God, root, what is difference?" Pitr; UF
Bob of Donelson Trophy
2015-Feb-25 22:36 UTC
[Samba] samba4 domain member and multiple domains
Was busy, jumped back on here and answered Rowland's post (I think he might be onto something there) and overlooked your post.

No, I haven't, but I will, soon.

---
-------------------------
Bob Wooden of Donelson Trophy
615.885.2846 (main)
www.donelsontrophy.com [3]
"Everyone deserves an award!!"

On 2015-02-25 16:18, Miguel Medalha wrote:

>> I've got a samba4 domain member server. It works fine for the joined domain, but I'm not able to let users from a different domain get access. This worked fine on my samba3 member server, but I don't remember if I did anything special.
>
> According to FAQ on the Wiki page:
>
> " Does Samba support trust relationship with AD?
>
> Trusts are currently not finished implemented. Samba can be trusted, but
> can't trust yet.
>
> But even this is unofficial and should not be relied on, because "parts
> that appear to work are a partial development that just happen to be in
> our released versions" (July 2014)."
>
> https://wiki.samba.org/index.php/FAQ [1]
>
> The FAQ also points to this:
>
> Samba4 interdomain trust
> https://lists.samba.org/archive/samba/2014-July/182830.html [2]

Links:
------
[1] https://wiki.samba.org/index.php/FAQ
[2] https://lists.samba.org/archive/samba/2014-July/182830.html
[3] http://www.donelsontrophy.com