Christian Reischl
2015-Jun-08 18:39 UTC
[Samba] Two-way forest trust with selective authentication and SAMBA 3.6 as member
Hello Everybody,
we have authentication problems with the mentioned configuration.
Current situation:
We have two Windows 2008 R2 domains (currently on 2003 level) in
separate forests. Recently we created a two-way trust with selective
authentication between them.
A Debian Squeeze LTS machine running SAMBA 3.6.6 (latest Backports
version) is member of our primary domain and provides file shares.
The problem:
Users of the trusted domain (TRUSTDOM) aren't able to access shares
hosted on the SAMBA Server (FILE2) in the primary domain (PRIMDOM). A
username/password dialogue gets shown instead. We've correctly granted
the necessary "allowed to authenticate" right to all corresponding
users. In contrast accessing a share on a Windows machine works as expected.
Maybe I have to give some additional users somewhere the "allowed to
authenticate" permission. Please help me with that. I've tried to fix
it
for so many hours without success. Should I upgrade SAMBA and/or Debian?
Do you have any advice?
Authentication with "wbinfo -a TRUSTDOM+administrator" works fine
while
"wbinfo -i TRUSTDOM+administrator" fails with:
-------------------------------------------------------------------------
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user trustdom+user
-------------------------------------------------------------------------
log.wb-TRUSTDOM (entry occurs directly after "wbinfo -i"):
-------------------------------------------------------------------------
[2015/06/08 12:01:45.348081, 0] libads/sasl.c:908(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy
rejects request
-------------------------------------------------------------------------
The same error appears if I enter "wbinfo -a" in combination with a
username lacking the "allowed to authenticate" right.
smb.conf:
-------------------------------------------------------------------------
[global]
workgroup = PRIMDOM
realm = INT.PRIMDOM.DE
server string = FILE2
security = ADS
winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config PRIMDOM : backend = rid
idmap config PRIMDOM : range = 10000-49999
idmap config TRUSTDOM : backend = rid
idmap config TRUSTDOM : range = 50000-99999
winbind enum users = yes
winbind enum groups = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
interfaces = 192.168.1.1/24 192.168.2.1/24 127.0.0.1
bind interfaces only = yes
follow symlinks = yes
wide links = yes
unix extensions = no
log level = 0
load printers = no
disable spoolss = yes
[Share]
comment = Test Share
path = /srv/smb/Share
read only = No
create mask = 0777
directory mask = 0777
force unknown acl user = Yes
inherit acls = yes
-------------------------------------------------------------------------
Output of "net rpc trustdom list -U PRIMDOM+administrator":
-------------------------------------------------------------------------
Trusted domains list:
TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Trusting domains list:
TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
-------------------------------------------------------------------------
Output of "wbinfo -m":
-------------------------------------------------------------------------
BUILTIN
FILE2
PRIMDOM
TRUSTDOM
-------------------------------------------------------------------------
Output of "id TRUSTDOM+administrator":
-------------------------------------------------------------------------
id: TRUSTDOM+administrator: No such user
-------------------------------------------------------------------------
Output of "chown TRUSTDOM+administrator Share/":
-------------------------------------------------------------------------
chown: invalid user: ?TRUSTDOM+administrator?
-------------------------------------------------------------------------
"wbinfo -u" and "getent passwd" only shows users of PRIMDOM.
I've already tried these additional steps without success:
http://anexinetisg.blogspot.de/2014/05/how-to-properly-create-two-way-external.html
http://anexinetisg.blogspot.de/2014/09/forest-trust-issue-with-selective.html
Kind regards,
Christian
--
__________________________________________
Christian Reischl
Fraunhofer Institut f?r
Verfahrenstechnik und Verpackung
Giggenhauser Str. 35
85354 Freising
Tel.: +49 8161 491-704
mailto:christian.reischl at ivv.fraunhofer.de
http://www.ivv.fraunhofer.de/
Christian Reischl
2015-Jun-12 11:28 UTC
[Samba] Two-way forest trust with selective authentication and SAMBA 3.6 as member
Hi, I've finally found the solution by myself. After analyzing the network traffic with Wireshark I've found out that SAMBA tries to authenticate itself with its machine account on the trusted domain's controllers. The error-code was KRB5KDC_ERR_PREAUTH_REQUIRED (25). I've added the "allowed to authenticate" permission on "descendant computer objects" of the OU "Domain Controllers" in the trusted domain. Now "wbinfo -i" an everything else works for the trusted domain's accounts. Why is this necessary for SAMBA but not for Windows File Servers? Kind regards, Christian __________________________________________ Christian Reischl Fraunhofer Institut f?r Verfahrenstechnik und Verpackung Giggenhauser Str. 35 85354 Freising Tel.: +49 8161 491-704 mailto:christian.reischl at ivv.fraunhofer.de http://www.ivv.fraunhofer.de/ Christian Reischl schrieb:> Hello Everybody, > > we have authentication problems with the mentioned configuration. > > Current situation: > We have two Windows 2008 R2 domains (currently on 2003 level) in > separate forests. Recently we created a two-way trust with selective > authentication between them. > > A Debian Squeeze LTS machine running SAMBA 3.6.6 (latest Backports > version) is member of our primary domain and provides file shares. > > > The problem: > Users of the trusted domain (TRUSTDOM) aren't able to access shares > hosted on the SAMBA Server (FILE2) in the primary domain (PRIMDOM). A > username/password dialogue gets shown instead. We've correctly granted > the necessary "allowed to authenticate" right to all corresponding > users. In contrast accessing a share on a Windows machine works as > expected. > > > Maybe I have to give some additional users somewhere the "allowed to > authenticate" permission. Please help me with that. I've tried to fix it > for so many hours without success. Should I upgrade SAMBA and/or Debian? > Do you have any advice? > > > Authentication with "wbinfo -a TRUSTDOM+administrator" works fine while > "wbinfo -i TRUSTDOM+administrator" fails with: > ------------------------------------------------------------------------- > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND > Could not get info for user trustdom+user > ------------------------------------------------------------------------- > > > log.wb-TRUSTDOM (entry occurs directly after "wbinfo -i"): > ------------------------------------------------------------------------- > [2015/06/08 12:01:45.348081, 0] libads/sasl.c:908(ads_sasl_spnego_bind) > kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy > rejects request > ------------------------------------------------------------------------- > The same error appears if I enter "wbinfo -a" in combination with a > username lacking the "allowed to authenticate" right. > > > smb.conf: > ------------------------------------------------------------------------- > [global] > workgroup = PRIMDOM > realm = INT.PRIMDOM.DE > server string = FILE2 > security = ADS > > winbind separator = + > idmap config * : backend = tdb > idmap config * : range = 1000000-1999999 > idmap config PRIMDOM : backend = rid > idmap config PRIMDOM : range = 10000-49999 > idmap config TRUSTDOM : backend = rid > idmap config TRUSTDOM : range = 50000-99999 > winbind enum users = yes > winbind enum groups = yes > > socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE > > interfaces = 192.168.1.1/24 192.168.2.1/24 127.0.0.1 > bind interfaces only = yes > > follow symlinks = yes > wide links = yes > unix extensions = no > > log level = 0 > > load printers = no > disable spoolss = yes > > [Share] > comment = Test Share > path = /srv/smb/Share > read only = No > create mask = 0777 > directory mask = 0777 > force unknown acl user = Yes > inherit acls = yes > ------------------------------------------------------------------------- > > > Output of "net rpc trustdom list -U PRIMDOM+administrator": > ------------------------------------------------------------------------- > Trusted domains list: > > TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx > > Trusting domains list: > > TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx > ------------------------------------------------------------------------- > > > Output of "wbinfo -m": > ------------------------------------------------------------------------- > BUILTIN > FILE2 > PRIMDOM > TRUSTDOM > ------------------------------------------------------------------------- > > > Output of "id TRUSTDOM+administrator": > ------------------------------------------------------------------------- > id: TRUSTDOM+administrator: No such user > ------------------------------------------------------------------------- > > > Output of "chown TRUSTDOM+administrator Share/": > ------------------------------------------------------------------------- > chown: invalid user: ?TRUSTDOM+administrator? > ------------------------------------------------------------------------- > > > "wbinfo -u" and "getent passwd" only shows users of PRIMDOM. > > > I've already tried these additional steps without success: > http://anexinetisg.blogspot.de/2014/05/how-to-properly-create-two-way-external.html > > http://anexinetisg.blogspot.de/2014/09/forest-trust-issue-with-selective.html > > > > Kind regards, > Christian