Good morning! We got into some trouble using trusted domains and winbind. First I will tell you something about the network and Samba configuration.
For our SMB environment we use Samba 3.2.12. We have three trusted domains. Our Samba server uses LDAP as backend. Most of the time it worked nicely, but after some time winbind loses user entries. On the Windows side I can see "unknown user 1-0-0". If I set winbind cache time to 0, winbind will use 100% of CPU time. So when I switch it back to something higher than 0, winbind will take 0% and all users can be mapped. After some time the problem returns slowly. "wbinfo -u" shows all users, but "getent passwd" does not. Some users are missing. Domain logon on trusted domains does work, but the user has no rights on his files -> "unknown user 1-0-0"!

Here is the error log:

[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3840
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
  could not lookup domain user c.akgay
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3842
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
  could not lookup domain user p.singh
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3844
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
  could not lookup domain user h.sahi
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3846
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
  could not lookup domain user a.nur
[2009/07/08 07:36:54, 0] libsmb/clientgen.c:cli_receive_smb(165)
  Receiving SMB: Server stopped responding
[2009/07/08 07:36:54, 1] winbindd/winbindd_cm.c:cm_prepare_connection(947)
  failed tcon_X with NT_STATUS_IO_TIMEOUT
[2009/07/08 07:36:57, 0] libsmb/namequery.c:saf_store(75)
  saf_store: refusing to store 0 length domain or servername!
[2009/07/08 07:37:07, 0] libsmb/clientgen.c:cli_receive_smb(165)
  Receiving SMB: Server stopped responding
[2009/07/08 07:37:07, 1] winbindd/winbindd_cm.c:cm_prepare_connection(947)
  failed tcon_X with NT_STATUS_IO_TIMEOUT

What's wrong?

So we have switched one server to Samba 3.4.0. It seems to work! "wbinfo -u" and "getent passwd" show the same count of users. But after one hour I got this when I log on from Domain1 to Domain2: "session setup failed: NT code 0x1c010002".

dom1:/# smbclient -U MITARBEITER+r.lamboj //server-dom2/all-homes

Domain logons work. You can log on from a PC that is a member of Domain1 to Domain2. But I can't access shares from the other domain. When I send a SIGHUP signal to winbindd it will work again for one hour (or less); sometimes I need to kill winbindd and restart it. I have tried to upgrade the other Samba PDC (from 3.2.12 to 3.4.0). Samba worked fine, but winbind won't work. It seems to hang.

After all that trouble I have tried something new. I will give every trusted domain its own range of user and group IDs:

idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
idmap alloc config:ldap_url = ldap://127.0.0.1/
idmap alloc config:range = 100000-300000
idmap alloc config:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at

idmap config DOMAIN1:range = 100000-199999
idmap config DOMAIN1:backend = ldap
idmap config DOMAIN1:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
idmap config DOMAIN1:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN1:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at

idmap config DOMAIN2:range = 200000-299999
idmap config DOMAIN2:backend = ldap
idmap config DOMAIN2:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
idmap config DOMAIN2:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN2:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at

But this doesn't work, it starts at a range from 10000 for all domains.
I also have set the secrets with:

net idmap secret domain1 mypassword
net idmap secret domain2 mypassword
net idmap secret alloc mypassword

Do I need to clear the idmap database? How can I CHANGE the range? This does not work either:

idmap uid = 100000-200000
idmap gid = 100000-200000

It starts at 10000 and not at 100000.

Full configuration of one of the Samba servers:

[global]
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
netbios name = SERVER-DOM1
workgroup = DOMAIN1
server string = Samba PDC %v
hosts allow = 127.0.0.0/8 192.168.10.0/24
security = user
encrypt passwords = true
interfaces = eth0
bind interfaces only = yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 10000
local master = yes
#os level = 65
os level = 254
domain master = yes
preferred master = yes
domain logons = yes
logon script = default.bat
logon path = \\%L\profiles
logon drive = H:
null passwords = no
hide unreadable = yes
hide dot files = yes
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = yes
ldap ssl = no
ldap admin dn = cn=Manager,dc=intern,dc=domain,dc=at
ldap suffix = dc=intern,dc=domain,dc=at
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
encrypt passwords = yes
pam password change = yes
unix password sync = no
map acl inherit = Yes
dos charset = 850
#client code page = 850
#character set = ISO8859-1
unix charset = UTF-8
display charset = UTF-8
wins support = yes
dns proxy = yes
#name resolve order = wins hosts bcast
name resolve order = lmhosts hosts wins bcast
time server = yes
allow trusted domains = yes
load printers = yes
printing = cups
printcap name = cups
show add printer wizard = Yes
username map = /etc/samba/user.map
admin users = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users", "MITARBEITER+r.lamboj", "MITARBEITER+a.firato"
idmap cache time = 3600
winbind cache time = 3600
# Separate domain and user name with '/', as in DOMAIN/username
winbind separator = +
# Use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
#idmap uid = 100000-300000
# Use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
#idmap gid = 100000-300000
# Allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = Yes
winbind trusted domains only = No
idmap backend = ldap:ldap://127.0.0.1/
ldap idmap suffix = ou=Idmap
#idmap alloc backend = ldap
#idmap alloc config:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
#idmap alloc config:ldap_url = ldap://127.0.0.1/
#idmap alloc config:range = 100000-300000
#idmap alloc config:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
# Trusted Domain 2
#idmap config DOMAIN2:range = 100000-199999
#idmap config DOMAIN2:backend = ldap
#idmap config DOMAIN2:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
#idmap config DOMAIN2:ldap_url = ldap://127.0.0.1/
#idmap config DOMAIN2:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
# Trusted Domain 3
#idmap config DOMAIN3:range = 200000-299999
#idmap config DOMAIN3:backend = ldap
#idmap config DOMAIN3:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
#idmap config DOMAIN3:ldap_url = ldap://127.0.0.1/
#idmap config DOMAIN3:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#read raw = yes
#write raw = yes
#oplocks = yes
#max xmit = 65535
#dead time = 15
dead time = 0
getwd cache = yes
directory name cache size = 1000
# Just for testing
kernel oplocks = no
oplocks = no
level2 oplocks = no
client schannel = no

[netlogon]
path = /home/samba/netlogon
public = no
writeable = no
browseable = no
write list = "@Domain Admins", "@MITARBEITER+Domain Admins"

[profiles]
force user = %U
#path=/home/%U/profiles
path = %H/profiles
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
create mode = 0660
directory mode = 0770

[profdata]
force user = %U
#path=/home/%U/profdata
path = %H/profdata
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
create mode = 0660
directory mode = 0770
csc policy = disable

[homes]
force user = %U
path = /home/%U
browseable = no
valid users = %S
writeable = yes
guest ok = no
inherit permissions = yes
hide files = /profiles/profdata/mails/
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names a running version history is kept
recycle:versions = Yes

[programmieren]
path = /home/%U/programmieren
browseable = no
valid users = %S
writeable = yes
guest ok = no
inherit permissions = yes
dos filetimes = yes
fake directory create times = yes
dos filetime resolution = yes
delete readonly = yes
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names a running version history is kept
recycle:versions = Yes

[all-homes]
comment = Alle Benutzerverzeichnisse
path = /home
browseable = yes
guest ok = no
read only = no
valid users = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
#force group = "Domain Users"
force user = root
inherit owner = yes
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names a running version history is kept
recycle:versions = Yes

[public]
comment = Public
path = /home/public
browseable = yes
writeable = yes
write list = "@Domain Users", "@Domain Admins", "@MITARBEITER+Domain Users", "@MITARBEITER+Domain Admins"
create mode = 0666
directory mode = 0777
valid users = "@Domain Users", "@Domain Admins", "@MITARBEITER+Domain Users", "@MITARBEITER+Domain Admins"
guest ok = no
#force group = "Domain Users"
#force user = root
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
#vfs objects = extd_audit recycle
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names a running version history is kept
#recycle:versions = Yes

[wpkg]
comment = Windows Packager
path = /home/samba/wpkg
#read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = no
guest ok = yes
force user = root
oplocks = no

[os]
comment = Operating Systems
path = /home/samba/os
read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = yes
guest ok = yes
force user = root
oplocks = no

[treiber]
comment = Treiber
path = /home/samba/treiber
read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = yes
guest ok = yes
force user = root
oplocks = no

[programme]
comment = Programme
path = /home/samba/programme
read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = yes
guest ok = yes
force user = root
oplocks = no

[skeleton]
comment = Skeleton Ordner
path = /etc/skel
browseable = yes
guest ok = no
read only = no
valid users = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
#force group = "Domain Users"
force user = root
inherit owner = yes

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = Yes

[print$]
comment = Printer Drivers
#path = /etc/samba/drivers
path = /var/lib/samba/printers
browseable = yes
guest ok = no
read only = yes
write list = "@Domain Admins"

Maybe you can tell me what I can make better in my Samba configuration. Every Samba server here is a full PDC and has a trusted relationship to one of the other domains. The domain controllers for DOMAIN2 and DOMAIN3 use the WINS server from the PDC of DOMAIN1. "net rpc trustdom list" shows all trusted domains.
DOMAIN2:/# net rpc trustdom establish DOMAIN1
Enter DOMAIN2$'s password:
Could not connect to server SERVER-DOM1
Trust to domain DOMAIN1 established

Why does "Could not connect to server SERVER-DOM1" pop up? I have a working WINS, LMHOSTS and HOSTS file. The trusted domain accounts are created with this command: "smbldap-useradd -a -i -P domain1". NSCD is NOT running on any server!

Thanks for your help :)

Regards,
Richard Lamboj
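A check I would run against an smb.conf like the one above before touching the idmap database, added here as an example (it is not part of the post and not a Samba tool): it collects the idmap range settings that are actually live in [global], skipping lines commented with '#' or ';' the way smbd does, and reports when no per-domain range is active or when two ranges overlap. The sample configuration inside the block is constructed from the settings shown in the post.

```python
import re

# Active idmap range settings understood by Samba 3.x (constructed pattern).
RANGE_RE = re.compile(
    r"^(idmap uid|idmap gid|idmap alloc config:range|idmap config [^:]+:range)"
    r"\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE)

def parse_idmap_ranges(conf):
    """Return {setting: (lo, hi)} for idmap ranges that are live in [global].
    Lines whose first character is '#' or ';' are smb.conf comments and are
    skipped, so a range that only exists in a commented line is not reported."""
    ranges, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = RANGE_RE.match(line)
        if m and section == "global":
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlaps(a, b):
    """True when two inclusive (lo, hi) ranges share at least one id."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_idmap_ranges(conf):
    """Return a list of findings; an empty list means no range problem was seen."""
    ranges = parse_idmap_ranges(conf)
    default = {k: v for k, v in ranges.items() if k in ("idmap uid", "idmap gid")}
    domains = sorted((k, v) for k, v in ranges.items() if k.startswith("idmap config "))
    findings = []
    if not domains:
        findings.append("no 'idmap config DOMAIN:range' is active; all domains map into the default range")
    for i, (ka, ra) in enumerate(domains):
        for kb, rb in domains[i + 1:]:          # per-domain ranges must not overlap each other
            if overlaps(ra, rb):
                findings.append(f"{ka} {ra} overlaps {kb} {rb}")
        for kd, rd in default.items():           # nor the default 'idmap uid/gid' range
            if overlaps(ra, rd):
                findings.append(f"{ka} {ra} overlaps {kd} {rd}")
    return findings

# Constructed sample mirroring the live [global] above: per-domain lines commented out.
SAMPLE_CONF = """[global]
idmap uid = 10000-20000
idmap gid = 10000-20000
#idmap config DOMAIN2:range = 100000-199999
[homes]
path = /home/%U
"""

if __name__ == "__main__":
    for finding in check_idmap_ranges(SAMPLE_CONF):
        print("finding:", finding)
```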