Greetings,
I figured out that since we made KID ADS native I have been able to
query for the SID successfully.  I was unable to do that before. wbinfo
-n testuser actually returns a sid but it doesn't seem to want to map it
to anything so I am thinking my issue may be with how I am configuring
idmap.  Any thoughts or suggestions?

Thanks,
-Paul

On 4/1/2010 8:55 AM, Paul Lauss wrote:
> We have corrected the issues of "KID" not being native but this does not
> seem to have helped.  We did however see this error in the Windows Event
> Viewer at the point that I am trying to make the connection.  I am not
> certain what it means that there are no logon servers available... 
> Thoughts?
>
> Event Type:        Warning
> Event Source:    LSASRV
> Event Category:                SPNEGO (Negotiator)
> Event ID:              40960
> Date:                     3/31/2010
> Time:                     3:19:00 AM
> User:                     N/A
> Computer:          CHLDDC01
> Description:
> The Security System detected an authentication error for the server
> ldap/chlddc01.kid.rdomain.prv.  The failure code from authentication
> protocol Kerberos was "There are currently no logon servers available to
> service the logon request.
>  (0xc000005e)".
>  
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 5e 00 00 c0               ^..À   
>
>
> On 3/30/2010 6:20 PM, [email protected] wrote:
>> So, as I already told you, I'm not familiar with that kind of setup.
>>
>> From what I could see, the fact that domain KID is not in ADS native may be 
>> the problem as you've got security = ADS and that expects native mode.
>>
>> You should try to go back to the list to confirm that. Your setup does not 
>> seem to be that odd; I could read of lots of people trying (successfully for 
>> most of them if I remember correctly) to accomplish that kind of thing.
>>
>> Sorry not to be able to help you more.
>>
>> François
>>
>> -----Original Message-----
>> From: Paul Lauss [mailto:[email protected]] 
>> Sent: Tuesday, 30 March 2010 23:26
>> To: [email protected]
>> Subject: Fwd: Re: [Samba] AD Auth Trusted Domain issues
>>
>> This didn't seem to go through the listserv...
>>
>>
>> I am so sorry, I was trying to stay fairly concise... Here is the whole log 
>> file I extracted.
>>
>> On 3/30/2010 1:56 PM, [email protected] wrote:
>>> Could you provide the part that you removed, I can see that winbind is 
>>> trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you 
>>> removed that part of the transaction, and we end up with some info returned 
>>> from main domain dc.
>>>
>>> François
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On behalf of Paul Lauss
>>> Sent: Tuesday, 30 March 2010 20:23
>>> To: [email protected]
>>> Subject: Re: [Samba] AD Auth Trusted Domain issues
>>>
>>> The trust check succeeded... I have attached the pertinent logs... it looks 
>>> like it is timing out... I am not sure why though.  The link should be a 
>>> little slower but it shouldn't be terrible, it is a 2Mb pipe.
>>>
>>> mailtestbed:~# wbinfo -t
>>> checking the trust secret via RPC calls succeeded
>>>
>>> On 3/30/2010 9:47 AM, François Legal wrote:
>>>> I'm not sure I 100% understand what you mean (it's been a long time 
>>>> since I last used an AD server with SFU).
>>>> However, the next step now will be to increase the winbindd debug level while 
>>>> issuing the wbinfo -i command, and see what fails there.
>>>>
>>>> Try first a wbinfo -t, then if it succeeds, increase winbindd verbosity.
>>>>
>>>> François
>>>>
>>>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss 
>>>> <[email protected]>
>>>> wrote:
>>>>> Hello,
>>>>> Thank you so much for your reply!  We are using AD 2003 R2 on both 
>>>>> the domain and the child domain.  I am using 10000-29999 for IDs on 
>>>>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID).
>>>>> Interestingly, in the Unix tab (in AD Users and Computers for any
>>>>> object) under "NIS Domain" on any of the RDOMAIN servers we get the 
>>>>> pulldown option "RDOMAIN" but on the Trusted domains server the only 
>>>>> option is "KID".  I'm not sure if that is expected or would affect 
>>>>> this but I can't seem to get the RDOMAIN option in the KID Trusted domain.
>>>>>
>>>>> Thanks,
>>>>> -Paul
>>>>>
>>>>> On 3/30/2010 2:27 AM, François Legal wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm not familiar with this kind of setup, but I wonder whether or not the
>>>>>> KID domain has the SFU schema extensions set up for idmapping (see 
>>>>>> idmap backend = ad) and if properly set up, check that the defined 
>>>>>> uid/gid for that domain fall in the idmap uid range
>>>>>>
>>>>>> François
>>>>>>
>>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss 
>>>>>> <[email protected]>
>>>>>> wrote:
>>>>>>> I have been killing myself on this issue over the last 2 weeks.  I have
>>>>>>> set up pam AD authentication using winbind on our company's email 
>>>>>>> servers.  That part is currently working.  I have been trying to add an
>>>>>>> existing "Trusted" child domain and allow authentication from that 
>>>>>>> domain as well.  I am part of the way there, but not quite to the 
>>>>>>> functional point as of yet.  Our primary domain is rdomainprv or 
>>>>>>> rdomain.prv and the child domain is kid.rdomain.prv.  Below is what I am
>>>>>>> seeing, followed by my configs.  Also, we had to open ports 88, 139 and
>>>>>>> 389 (I believe those are the correct ports, though the networking 
>>>>>>> guys opened them) from the email/winbind server to the child 
>>>>>>> domain, at the firewall.  Any help would be very much appreciated!
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo --all-domains
>>>>>>> BUILTIN
>>>>>>> MAILTESTBED
>>>>>>> RDOMAINPRV
>>>>>>> KID
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo -u | grep testuser
>>>>>>> KID\testuser
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password
>>>>>>> plaintext password authentication succeeded
>>>>>>> challenge/response password authentication succeeded
>>>>>>>
>>>>>>> Here is where it's falling apart:
>>>>>>> mailtestbed:~# wbinfo -i KID\\testuser
>>>>>>> Could not get info for user KID\testuser
>>>>>>>
>>>>>>> mailtestbed:~# id KID\\testuser
>>>>>>> id: KID\testuser: No such user
>>>>>>>
>>>>>>> mailtestbed:~# id testuser
>>>>>>> id: testuser: No such user
>>>>>>>
>>>>>>> mailtestbed:~# getent passwd KID\\testuser
>>>>>>> mailtestbed:~#
>>>>>>>
>>>>>>> mailtestbed:~# getent passwd testuser
>>>>>>> mailtestbed:~#
>>>>>>>
>>>>>>> mailtestbed:~# id RDOMAINPRV\\testmer
>>>>>>> uid=10001(testmer) gid=10001 groups=999(users)
>>>>>>>
>>>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer 
>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer 
>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>>
>>>>>>> Versions (Debian Lenny)
>>>>>>> samba    2:3.2.5-4lenny9
>>>>>>> winbind  2:3.2.5-4lenny9
>>>>>>>
>>>>>>> smb.conf
>>>>>>> [global]
>>>>>>>    workgroup = RDOMAINPRV
>>>>>>>    realm = RDOMAIN.PRV
>>>>>>>    server string = %h server
>>>>>>>    dns proxy = no
>>>>>>>    name resolve order = lmhosts host wins bcast
>>>>>>>    log file = /var/log/samba/log.%m
>>>>>>>    max log size = 1000
>>>>>>>    syslog = 0
>>>>>>>    panic action = /usr/share/samba/panic-action %d
>>>>>>>    security = ADS
>>>>>>>    encrypt passwords = yes
>>>>>>>    passdb backend = tdbsam
>>>>>>>    obey pam restrictions = yes
>>>>>>>    unix password sync = yes
>>>>>>>    passwd program = /usr/bin/passwd %u
>>>>>>>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>>>>    pam password change = yes
>>>>>>>    allow trusted domains = yes
>>>>>>>    winbind trusted domains only = no
>>>>>>>    idmap backend = ad
>>>>>>>    idmap uid = 10000-1000000
>>>>>>>    idmap gid = 10000-1000000
>>>>>>>    template homedir = /home/%U
>>>>>>>    winbind use default domain = yes
>>>>>>>    winbind nss info = rfc2307
>>>>>>>    winbind nested groups = yes
>>>>>>>    client use spnego = yes
>>>>>>>    client ntlmv2 auth = yes
>>>>>>>    restrict anonymous = 2
>>>>>>>    winbind enum groups = no
>>>>>>>    winbind enum users = no
>>>>>>>    winbind cache time = 30
>>>>>>>
>>>>>>> krb5.conf
>>>>>>> [libdefaults]
>>>>>>>         default_realm = RDOMAIN.PRV
>>>>>>>         krb4_config = /etc/krb.conf
>>>>>>>         krb4_realms = /etc/krb.realms
>>>>>>>         kdc_timesync = 1
>>>>>>>         ccache_type = 4
>>>>>>>         forwardable = true
>>>>>>>         proxiable = true
>>>>>>>         default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>>         default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>>         permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>>         v4_instance_resolve = false
>>>>>>>         v4_name_convert = {
>>>>>>>                 host = {
>>>>>>>                         rcmd = host
>>>>>>>                         ftp = ftp
>>>>>>>                 }
>>>>>>>                 plain = {
>>>>>>>                         something = something-else
>>>>>>>                 }
>>>>>>>         }
>>>>>>>         fcc-mit-ticketflags = true
>>>>>>> [realms]
>>>>>>>         RDOMAIN.PRV = {
>>>>>>>                 default_domain = RDOMAIN.PRV
>>>>>>>                 master_kdc = dc02.rdomain.prv
>>>>>>>                 admin_server = dc02.rdomain.prv
>>>>>>>                 kdc = aurad.rdomain.prv
>>>>>>>                 kdc = addc01.rdomain.prv
>>>>>>>                 kdc = addc02.rdomain.prv
>>>>>>>                 kdc = addc03.rdomain.prv
>>>>>>>                 #kdc = addc04.rdomain.prv
>>>>>>>                 kdc = addc05.rdomain.prv
>>>>>>>                 kdc = chlddc01.kid.rdomain.prv
>>>>>>>         }
>>>>>>>         KID.RDOMAIN.PRV = {
>>>>>>>                 default_domain = KID.RDOMAIN.PRV
>>>>>>>                 kdc = chlddc01.kid.rdomain.prv
>>>>>>>                master_kdc = addc02.rdomain.prv
>>>>>>>                 admin_server = addc02.rdomain.prv
>>>>>>>                 kdc = addc01.rdomain.prv
>>>>>>>                 kdc = addc02.rdomain.prv
>>>>>>>         }
>>>>>>> [domain_realm]
>>>>>>>         .rdomain.prv = RDOMAIN.PRV
>>>>>>>         rdomain.prv = RDOMAIN.PRV
>>>>>>>         .kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>>         kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>> [kdc]
>>>>>>>  profile = /var/kerberos/krb5kdc/kdc.conf
>>>>>>> [appdefaults]
>>>>>>>  pam = {
>>>>>>>    debug = false
>>>>>>>    ticket_lifetime = 36000
>>>>>>>    renew_lifetime = 36000
>>>>>>>    forwardable = true
>>>>>>>    krb4_convert = false
>>>>>>>    validate = true
>>>>>>>  }
>>>>>>> [login]
>>>>>>>         krb4_convert = true
>>>>>>>         krb4_get_tickets = false
>>>>>>>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
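Added example (editor's code, not part of the thread or of Samba): a small script that reads a krb5.conf in the shape posted above and flags every kdc, master_kdc or admin_server whose host name the [domain_realm] section maps to a different realm than the stanza it sits in, and checks that each domain's rfc2307 uidNumber allocation lies inside the global idmap uid range, which is the check François asked for. In the posted krb5.conf the KID.RDOMAIN.PRV stanza lists addc01/addc02.rdomain.prv as kdc, master_kdc and admin_server, while the RDOMAIN.PRV stanza lists chlddc01.kid.rdomain.prv as a kdc; the thread does not establish that this causes the 0xc000005e "no logon servers" warning, so treat the output as a configuration check rather than a diagnosis. The embedded config is a constructed copy of the posted [realms]/[domain_realm] stanzas with the krb4 settings trimmed, and the per-domain ranges (10000-29999, 30000-100000) are the ones quoted in the thread; the parser is deliberately minimal and is not a replacement for libkrb5's profile reader.

```python
import re

# Constructed sample: the [realms] and [domain_realm] stanzas as posted in
# the thread (krb4/v4 settings trimmed). Not read from any real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = RDOMAIN.PRV
[realms]
        RDOMAIN.PRV = {
                default_domain = RDOMAIN.PRV
                master_kdc = dc02.rdomain.prv
                admin_server = dc02.rdomain.prv
                kdc = aurad.rdomain.prv
                kdc = addc01.rdomain.prv
                kdc = addc02.rdomain.prv
                #kdc = addc04.rdomain.prv
                kdc = chlddc01.kid.rdomain.prv
        }
        KID.RDOMAIN.PRV = {
                default_domain = KID.RDOMAIN.PRV
                kdc = chlddc01.kid.rdomain.prv
                master_kdc = addc02.rdomain.prv
                admin_server = addc02.rdomain.prv
                kdc = addc01.rdomain.prv
                kdc = addc02.rdomain.prv
        }
[domain_realm]
        .rdomain.prv = RDOMAIN.PRV
        rdomain.prv = RDOMAIN.PRV
        .kid.rdomain.prv = KID.RDOMAIN.PRV
        kid.rdomain.prv = KID.RDOMAIN.PRV
"""

KDC_KEYS = ("kdc", "master_kdc", "admin_server")


def parse_krb5(text):
    """Minimal krb5.conf reader: [section] headers, 'key = value' lines
    (repeated keys collect into a list) and 'key = {' ... '}' sub-blocks.
    Enough for [realms]/[domain_realm]; not a full profile parser."""
    sections = {}
    stack = []                                  # innermost dict last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m or not stack:
            continue
        key, val = m.group(1), m.group(2).strip()
        if val == "{":
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(val)
    return sections


def realm_for_host(host, domain_realm):
    """Apply [domain_realm] the way libkrb5 does: exact host match first,
    then the longest '.suffix' entry that the host name ends with."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    best = None
    for pattern, realm in domain_realm.items():
        if pattern.startswith(".") and host.endswith(pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, realm)
    return best[1] if best else None


def foreign_kdcs(conf):
    """(realm, key, host, mapped_realm) for every kdc/master_kdc/admin_server
    whose host [domain_realm] assigns to another realm. A KDC only issues
    tickets for its own realm, so such entries cannot serve the stanza's realm."""
    domain_realm = {k.lower(): v[0]
                    for k, v in conf.get("domain_realm", {}).items()
                    if isinstance(v, list)}
    findings = []
    for realm, stanza in conf.get("realms", {}).items():
        if not isinstance(stanza, dict):
            continue
        for key in KDC_KEYS:
            for host in stanza.get(key, []):
                mapped = realm_for_host(host.split(":")[0], domain_realm)
                if mapped and mapped.upper() != realm.upper():
                    findings.append((realm, key, host, mapped))
    return findings


def ranges_inside(idmap_uid, domain_ranges):
    """True per domain if its rfc2307 uidNumber allocation lies inside
    'idmap uid'; idmap_ad ignores any uidNumber outside that range."""
    lo, hi = idmap_uid
    return {d: (lo <= a and b <= hi) for d, (a, b) in domain_ranges.items()}


if __name__ == "__main__":
    conf = parse_krb5(SAMPLE_KRB5_CONF)
    for realm, key, host, mapped in foreign_kdcs(conf):
        print(f"[realms] {realm}: {key} = {host} belongs to {mapped}")
    # idmap uid = 10000-1000000 and the per-domain ranges quoted in the thread
    print(ranges_inside((10000, 1000000),
                        {"RDOMAINPRV": (10000, 29999), "KID": (30000, 100000)}))
```

Run against the sample it reports five entries: the child DC under RDOMAIN.PRV and the four parent-DC entries under KID.RDOMAIN.PRV; both uid ranges sit inside 10000-1000000, so the range check passes for the posted smb.conf. To use it on a real box, replace SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf.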
