Christian Reischl
2015-Jun-08 18:39 UTC
[Samba] Two-way forest trust with selective authentication and SAMBA 3.6 as member
Hello Everybody,

we have authentication problems with the mentioned configuration.

Current situation:
We have two Windows 2008 R2 domains (currently on 2003 level) in separate forests. Recently we created a two-way trust with selective authentication between them.

A Debian Squeeze LTS machine running SAMBA 3.6.6 (latest Backports version) is a member of our primary domain and provides file shares.

The problem:
Users of the trusted domain (TRUSTDOM) aren't able to access shares hosted on the SAMBA Server (FILE2) in the primary domain (PRIMDOM). A username/password dialogue gets shown instead. We've correctly granted the necessary "allowed to authenticate" right to all corresponding users. In contrast, accessing a share on a Windows machine works as expected.

Maybe I have to give some additional users somewhere the "allowed to authenticate" permission. Please help me with that. I've tried to fix it for so many hours without success. Should I upgrade SAMBA and/or Debian? Do you have any advice?

Authentication with "wbinfo -a TRUSTDOM+administrator" works fine while "wbinfo -i TRUSTDOM+administrator" fails with:
-------------------------------------------------------------------------
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user trustdom+user
-------------------------------------------------------------------------

log.wb-TRUSTDOM (entry occurs directly after "wbinfo -i"):
-------------------------------------------------------------------------
[2015/06/08 12:01:45.348081, 0] libads/sasl.c:908(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy rejects request
-------------------------------------------------------------------------
The same error appears if I enter "wbinfo -a" in combination with a username lacking the "allowed to authenticate" right.

smb.conf:
-------------------------------------------------------------------------
[global]
workgroup = PRIMDOM
realm = INT.PRIMDOM.DE
server string = FILE2
security = ADS

winbind separator = +
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config PRIMDOM : backend = rid
idmap config PRIMDOM : range = 10000-49999
idmap config TRUSTDOM : backend = rid
idmap config TRUSTDOM : range = 50000-99999
winbind enum users = yes
winbind enum groups = yes

socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE

interfaces = 192.168.1.1/24 192.168.2.1/24 127.0.0.1
bind interfaces only = yes

follow symlinks = yes
wide links = yes
unix extensions = no

log level = 0

load printers = no
disable spoolss = yes

[Share]
comment = Test Share
path = /srv/smb/Share
read only = No
create mask = 0777
directory mask = 0777
force unknown acl user = Yes
inherit acls = yes
-------------------------------------------------------------------------

Output of "net rpc trustdom list -U PRIMDOM+administrator":
-------------------------------------------------------------------------
Trusted domains list:

TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx

Trusting domains list:

TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
-------------------------------------------------------------------------

Output of "wbinfo -m":
-------------------------------------------------------------------------
BUILTIN
FILE2
PRIMDOM
TRUSTDOM
-------------------------------------------------------------------------

Output of "id TRUSTDOM+administrator":
-------------------------------------------------------------------------
id: TRUSTDOM+administrator: No such user
-------------------------------------------------------------------------

Output of "chown TRUSTDOM+administrator Share/":
-------------------------------------------------------------------------
chown: invalid user: ‘TRUSTDOM+administrator’
-------------------------------------------------------------------------

"wbinfo -u" and "getent passwd" only show users of PRIMDOM.

I've already tried these additional steps without success:
http://anexinetisg.blogspot.de/2014/05/how-to-properly-create-two-way-external.html
http://anexinetisg.blogspot.de/2014/09/forest-trust-issue-with-selective.html

Kind regards,
Christian

--
__________________________________________
Christian Reischl
Fraunhofer Institut für Verfahrenstechnik und Verpackung
Giggenhauser Str. 35
85354 Freising
Tel.: +49 8161 491-704
mailto:christian.reischl at ivv.fraunhofer.de
http://www.ivv.fraunhofer.de/
Christian Reischl
2015-Jun-12 11:28 UTC
[Samba] Two-way forest trust with selective authentication and SAMBA 3.6 as member
Hi,

I've finally found the solution by myself.

After analyzing the network traffic with Wireshark I've found out that SAMBA tries to authenticate itself with its machine account on the trusted domain's controllers. The error code was KRB5KDC_ERR_PREAUTH_REQUIRED (25).

I've added the "allowed to authenticate" permission on "descendant computer objects" of the OU "Domain Controllers" in the trusted domain. Now "wbinfo -i" and everything else works for the trusted domain's accounts.

Why is this necessary for SAMBA but not for Windows File Servers?

Kind regards,
Christian

__________________________________________
Christian Reischl
Fraunhofer Institut für Verfahrenstechnik und Verpackung
Giggenhauser Str. 35
85354 Freising
Tel.: +49 8161 491-704
mailto:christian.reischl at ivv.fraunhofer.de
http://www.ivv.fraunhofer.de/

Christian Reischl schrieb:
> Hello Everybody,
>
> we have authentication problems with the mentioned configuration.
>
> Current situation:
> We have two Windows 2008 R2 domains (currently on 2003 level) in
> separate forests. Recently we created a two-way trust with selective
> authentication between them.
>
> A Debian Squeeze LTS machine running SAMBA 3.6.6 (latest Backports
> version) is a member of our primary domain and provides file shares.
>
>
> The problem:
> Users of the trusted domain (TRUSTDOM) aren't able to access shares
> hosted on the SAMBA Server (FILE2) in the primary domain (PRIMDOM). A
> username/password dialogue gets shown instead. We've correctly granted
> the necessary "allowed to authenticate" right to all corresponding
> users. In contrast, accessing a share on a Windows machine works as
> expected.
>
>
> Maybe I have to give some additional users somewhere the "allowed to
> authenticate" permission. Please help me with that. I've tried to fix it
> for so many hours without success. Should I upgrade SAMBA and/or Debian?
> Do you have any advice?
>
>
> Authentication with "wbinfo -a TRUSTDOM+administrator" works fine while
> "wbinfo -i TRUSTDOM+administrator" fails with:
> -------------------------------------------------------------------------
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user trustdom+user
> -------------------------------------------------------------------------
>
>
> log.wb-TRUSTDOM (entry occurs directly after "wbinfo -i"):
> -------------------------------------------------------------------------
> [2015/06/08 12:01:45.348081, 0] libads/sasl.c:908(ads_sasl_spnego_bind)
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: KDC policy
> rejects request
> -------------------------------------------------------------------------
> The same error appears if I enter "wbinfo -a" in combination with a
> username lacking the "allowed to authenticate" right.
>
>
> smb.conf:
> -------------------------------------------------------------------------
> [global]
> workgroup = PRIMDOM
> realm = INT.PRIMDOM.DE
> server string = FILE2
> security = ADS
>
> winbind separator = +
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config PRIMDOM : backend = rid
> idmap config PRIMDOM : range = 10000-49999
> idmap config TRUSTDOM : backend = rid
> idmap config TRUSTDOM : range = 50000-99999
> winbind enum users = yes
> winbind enum groups = yes
>
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
>
> interfaces = 192.168.1.1/24 192.168.2.1/24 127.0.0.1
> bind interfaces only = yes
>
> follow symlinks = yes
> wide links = yes
> unix extensions = no
>
> log level = 0
>
> load printers = no
> disable spoolss = yes
>
> [Share]
> comment = Test Share
> path = /srv/smb/Share
> read only = No
> create mask = 0777
> directory mask = 0777
> force unknown acl user = Yes
> inherit acls = yes
> -------------------------------------------------------------------------
>
>
> Output of "net rpc trustdom list -U PRIMDOM+administrator":
> -------------------------------------------------------------------------
> Trusted domains list:
>
> TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>
> Trusting domains list:
>
> TRUSTDOM S-1-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
> -------------------------------------------------------------------------
>
>
> Output of "wbinfo -m":
> -------------------------------------------------------------------------
> BUILTIN
> FILE2
> PRIMDOM
> TRUSTDOM
> -------------------------------------------------------------------------
>
>
> Output of "id TRUSTDOM+administrator":
> -------------------------------------------------------------------------
> id: TRUSTDOM+administrator: No such user
> -------------------------------------------------------------------------
>
>
> Output of "chown TRUSTDOM+administrator Share/":
> -------------------------------------------------------------------------
> chown: invalid user: ‘TRUSTDOM+administrator’
> -------------------------------------------------------------------------
>
>
> "wbinfo -u" and "getent passwd" only show users of PRIMDOM.
>
>
> I've already tried these additional steps without success:
> http://anexinetisg.blogspot.de/2014/05/how-to-properly-create-two-way-external.html
>
> http://anexinetisg.blogspot.de/2014/09/forest-trust-issue-with-selective.html
>
>
>
> Kind regards,
> Christian
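The fix Christian describes (granting "Allowed to authenticate" on descendant computer objects of the trusted domain's "Domain Controllers" OU to the Samba server's machine account) can be applied as a scoped ACE rather than through the GUI. The script below is an added example and is not from the thread or from the Samba project; it assumes the trusted domain is TRUSTDOM, that its DC OU carries the default name "Domain Controllers", that the Samba host's machine account is PRIMDOM\FILE2$, and that it is run on a host in TRUSTDOM with the ActiveDirectory PowerShell module and rights to change the OU's security descriptor. The two GUIDs are the well-known Allowed-To-Authenticate control access right and the computer object class.

```powershell
# Added example, not code from the thread: grant the Samba member server's
# machine account the "Allowed to authenticate" right on descendant computer
# objects of the trusted domain's Domain Controllers OU.
Import-Module ActiveDirectory

$trustedDomainDn = (Get-ADDomain).DistinguishedName
$dcOuDn          = "OU=Domain Controllers,$trustedDomainDn"   # assumed default OU name

# Machine account of the Samba server in the primary domain (assumed name).
$sambaAccount = New-Object System.Security.Principal.NTAccount('PRIMDOM', 'FILE2$')
$sambaSid     = $sambaAccount.Translate([System.Security.Principal.SecurityIdentifier])

# Well-known GUIDs: Allowed-To-Authenticate control access right, and the
# computer object class used to limit inheritance to descendant computers.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$computerClass         = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# One ACE: Allow / ExtendedRight / Allowed-To-Authenticate, inherited only by
# descendant objects of class "computer" (the DCs in the OU).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sambaSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass
)

$acl = Get-Acl -Path "AD:\$dcOuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$dcOuDn" -AclObject $acl

# Review the result: every ACE on the OU that carries the Allowed-To-Authenticate
# right, so the grant can be confirmed to be limited to the one machine account.
(Get-Acl -Path "AD:\$dcOuDn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Format-Table IdentityReference, AccessControlType, InheritanceType, InheritedObjectType -AutoSize
```

Granting the right to the single machine account keeps the selective-authentication boundary narrow; after replication, "wbinfo -i TRUSTDOM+administrator" on the Samba host should succeed and log.wb-TRUSTDOM should no longer record "KDC policy rejects request" for the machine account's bind.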