Greetings,

I figured out that since we made KID ADS native I have been able to query for the SID successfully. I was unable to do that before. wbinfo -n testuser actually returns a SID, but it doesn't seem to want to map it to anything, so I am thinking my issue may be with how I am configuring idmap. Any thoughts or suggestions?

Thanks,
-Paul

On 4/1/2010 8:55 AM, Paul Lauss wrote:
> We have corrected the issues of "KID" not being native but this does not seem to have helped. We did however see this error in the Windows Event Viewer at the point that I am trying to make the connection. I am not certain what it means that there are no logon servers available... Thoughts?
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 3/31/2010
> Time: 3:19:00 AM
> User: N/A
> Computer: CHLDDC01
> Description:
> The Security System detected an authentication error for the server ldap/chlddc01.kid.rdomain.prv. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
> (0xc000005e)".
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 5e 00 00 c0 ^..À
>
> On 3/30/2010 6:20 PM, [email protected] wrote:
>> So, as I already told you, I'm not familiar with that kind of setup.
>>
>> From what I could see, the fact that domain KID is not in ADS native may be the problem as you've got security = ADS and that expects native mode.
>>
>> You should try to go back to the list to confirm that. Your setup does not seem to be that odd, I could read lots of people trying (successfully for most of them if I remember correctly) to accomplish that kind of thing.
>>
>> Sorry not to be able to help you more.
>>
>> François
>>
>> -----Original Message-----
>> From: Paul Lauss [mailto:[email protected]]
>> Sent: Tuesday, 30 March 2010 23:26
>> To: [email protected]
>> Subject: Fwd: Re: [Samba] AD Auth Trusted Domain issues
>>
>> This didn't seem to go through the listserv...
>>
>> I am so sorry, I was trying to stay fairly concise... Here is the whole log file I extracted.
>>
>> On 3/30/2010 1:56 PM, [email protected] wrote:
>>> Could you provide the part that you removed, I can see that winbind is trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you removed that part of the transaction, and we end up with some info returned from main domain dc.
>>>
>>> François
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On behalf of Paul Lauss
>>> Sent: Tuesday, 30 March 2010 20:23
>>> To: [email protected]
>>> Subject: Re: [Samba] AD Auth Trusted Domain issues
>>>
>>> The trust check succeeded... I have attached the pertinent logs... it looks like it is timing out... I am not sure why though. The link should be a little slower but it shouldn't be terrible, it is a 2Mb pipe.
>>>
>>> mailtestbed:~# wbinfo -t
>>> checking the trust secret via RPC calls succeeded
>>>
>>> On 3/30/2010 9:47 AM, François Legal wrote:
>>>> I'm not 100% sure I understand what you mean (it's been a long time since I last used an AD server with SFU).
>>>> However, the next step now will be to increase the winbindd debug level while issuing the wbinfo -i command, and see what fails there.
>>>>
>>>> Try first a wbinfo -t, then if it succeeds, increase winbindd verbosity.
>>>>
>>>> François
>>>>
>>>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <[email protected]> wrote:
>>>>> Hello,
>>>>> Thank you so much for your reply! We are using AD 2003 R2 on both the domain and the child domain. I am using 10000-29999 for IDs on the main domain (RDOMAIN) and 30000-100000 on the child domain (KID). Interestingly, in the Unix tab (in AD Users and Computers for any object) under "NIS Domain" on any of the RDOMAIN servers we get the pulldown option "RDOMAIN" but on the Trusted domains server the only option is "KID". I'm not sure if that is expected or would affect this but I can't seem to get the RDOMAIN option in the KID Trusted domain.
>>>>>
>>>>> Thanks,
>>>>> -Paul
>>>>>
>>>>> On 3/30/2010 2:27 AM, François Legal wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm not familiar with this kind of setup, but I wonder whether or not the KID domain has the SFU schema extensions setup for idmapping (see idmap backend = ad) and if properly setup, check that the defined uid/gid for that domain fall in the idmap uid range.
>>>>>>
>>>>>> François
>>>>>>
>>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <[email protected]> wrote:
>>>>>>> I have been killing myself on this issue over the last 2 weeks. I have setup pam AD authentication using winbind on our company's email servers. That part is currently working. I have been trying to add an existing "Trusted" child domain and allow authentication from that domain as well. I am part of the way there, but not quite to the functional point as of yet. Our primary domain is rdomainprv or rdomain.prv and the child domain is kid.rdomain.prv. Below is what I am seeing, followed by my configs. Also, we had to open ports 88, 139 and 389 (I believe those are the correct ports, though the networking guys opened them) from the email/winbind server to the child domain, at the firewall. Any help would be very much appreciated!
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo --all-domains
>>>>>>> BUILTIN
>>>>>>> MAILTESTBED
>>>>>>> RDOMAINPRV
>>>>>>> KID
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo -u | grep testuser
>>>>>>> KID\testuser
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password
>>>>>>> plaintext password authentication succeeded
>>>>>>> challenge/response password authentication succeeded
>>>>>>>
>>>>>>> Here is where it's falling apart:
>>>>>>> mailtestbed:~# wbinfo -i KID\\testuser
>>>>>>> Could not get info for user KID\testuser
>>>>>>>
>>>>>>> mailtestbed:~# id KID\\testuser
>>>>>>> id: KID\testuser: No such user
>>>>>>>
>>>>>>> mailtestbed:~# id testuser
>>>>>>> id: testuser: No such user
>>>>>>>
>>>>>>> mailtestbed:~# getent passwd KID\\testuser
>>>>>>> mailtestbed:~#
>>>>>>>
>>>>>>> mailtestbed:~# getent passwd testuser
>>>>>>> mailtestbed:~#
>>>>>>>
>>>>>>> mailtestbed:~# id RDOMAINPRV\\testmer
>>>>>>> uid=10001(testmer) gid=10001 groups=999(users)
>>>>>>>
>>>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer
>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>>
>>>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>>
>>>>>>> Versions (Debian Lenny)
>>>>>>> samba 2:3.2.5-4lenny9
>>>>>>> winbind 2:3.2.5-4lenny9
>>>>>>>
>>>>>>> smb.conf
>>>>>>> [global]
>>>>>>> workgroup = RDOMAINPRV
>>>>>>> realm = RDOMAIN.PRV
>>>>>>> server string = %h server
>>>>>>> dns proxy = no
>>>>>>> name resolve order = lmhosts host wins bcast
>>>>>>> log file = /var/log/samba/log.%m
>>>>>>> max log size = 1000
>>>>>>> syslog = 0
>>>>>>> panic action = /usr/share/samba/panic-action %d
>>>>>>> security = ADS
>>>>>>> encrypt passwords = yes
>>>>>>> passdb backend = tdbsam
>>>>>>> obey pam restrictions = yes
>>>>>>> unix password sync = yes
>>>>>>> passwd program = /usr/bin/passwd %u
>>>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>>>> pam password change = yes
>>>>>>> allow trusted domains = yes
>>>>>>> winbind trusted domains only = no
>>>>>>> idmap backend = ad
>>>>>>> idmap uid = 10000-1000000
>>>>>>> idmap gid = 10000-1000000
>>>>>>> template homedir = /home/%U
>>>>>>> winbind use default domain = yes
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind nested groups = yes
>>>>>>> client use spnego = yes
>>>>>>> client ntlmv2 auth = yes
>>>>>>> restrict anonymous = 2
>>>>>>> winbind enum groups = no
>>>>>>> winbind enum users = no
>>>>>>> winbind cache time = 30
>>>>>>>
>>>>>>> krb5.conf
>>>>>>> [libdefaults]
>>>>>>> default_realm = RDOMAIN.PRV
>>>>>>> krb4_config = /etc/krb.conf
>>>>>>> krb4_realms = /etc/krb.realms
>>>>>>> kdc_timesync = 1
>>>>>>> ccache_type = 4
>>>>>>> forwardable = true
>>>>>>> proxiable = true
>>>>>>> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>> permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>> v4_instance_resolve = false
>>>>>>> v4_name_convert = {
>>>>>>> host = {
>>>>>>> rcmd = host
>>>>>>> ftp = ftp
>>>>>>> }
>>>>>>> plain = {
>>>>>>> something = something-else
>>>>>>> }
>>>>>>> }
>>>>>>> fcc-mit-ticketflags = true
>>>>>>>
>>>>>>> [realms]
>>>>>>> RDOMAIN.PRV = {
>>>>>>> default_domain = RDOMAIN.PRV
>>>>>>> master_kdc = dc02.rdomain.prv
>>>>>>> admin_server = dc02.rdomain.prv
>>>>>>> kdc = aurad.rdomain.prv
>>>>>>> kdc = addc01.rdomain.prv
>>>>>>> kdc = addc02.rdomain.prv
>>>>>>> kdc = addc03.rdomain.prv
>>>>>>> #kdc = addc04.rdomain.prv
>>>>>>> kdc = addc05.rdomain.prv
>>>>>>> kdc = chlddc01.kid.rdomain.prv
>>>>>>> }
>>>>>>> KID.RDOMAIN.PRV = {
>>>>>>> default_domain = KID.RDOMAIN.PRV
>>>>>>> kdc = chlddc01.kid.rdomain.prv
>>>>>>> master_kdc = addc02.rdomain.prv
>>>>>>> admin_server = addc02.rdomain.prv
>>>>>>> kdc = addc01.rdomain.prv
>>>>>>> kdc = addc02.rdomain.prv
>>>>>>> }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> .rdomain.prv = RDOMAIN.PRV
>>>>>>> rdomain.prv = RDOMAIN.PRV
>>>>>>> .kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>> kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>>
>>>>>>> [kdc]
>>>>>>> profile = /var/kerberos/krb5kdc/kdc.conf
>>>>>>>
>>>>>>> [appdefaults]
>>>>>>> pam = {
>>>>>>> debug = false
>>>>>>> ticket_lifetime = 36000
>>>>>>> renew_lifetime = 36000
>>>>>>> forwardable = true
>>>>>>> krb4_convert = false
>>>>>>> validate = true
>>>>>>> }
>>>>>>>
>>>>>>> [login]
>>>>>>> krb4_convert = true
>>>>>>> krb4_get_tickets = false

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
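The check François suggests in the thread (with idmap backend = ad and winbind nss info = rfc2307, does every object in the trusted domain carry uidNumber/gidNumber, and do those values fall inside the idmap uid/gid ranges?) as an added Python example, not code from the thread or from Samba: it parses the ranges out of an smb.conf fragment reusing the settings posted above and audits constructed AD user entries. The AD_USERS records, the svc-mail account and all attribute values are assumptions made up for the example.

```python
import re

# smb.conf fragment reusing the idmap settings posted in the thread.
SMB_CONF = """
[global]
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind nss info = rfc2307
"""

# Constructed sample (not data from the thread) of what the Unix Attributes tab did or did not populate.
AD_USERS = [
    {"domain": "RDOMAINPRV", "sAMAccountName": "testmer", "uidNumber": 10001, "gidNumber": 10001},
    {"domain": "KID", "sAMAccountName": "testuser", "uidNumber": None, "gidNumber": None},
    {"domain": "KID", "sAMAccountName": "svc-mail", "uidNumber": 5000, "gidNumber": 30001},
]

def parse_idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} parsed from smb.conf text."""
    ranges = {}
    for kind in ("uid", "gid"):
        m = re.search(r"^\s*idmap %s\s*=\s*(\d+)\s*-\s*(\d+)" % kind, conf, re.M)
        if m:
            ranges[kind] = (int(m.group(1)), int(m.group(2)))
    return ranges

def check_user(user, ranges):
    """List why idmap_ad would refuse to map this object; empty list means OK."""
    problems = []
    for attr, kind in (("uidNumber", "uid"), ("gidNumber", "gid")):
        value = user.get(attr)
        lo, hi = ranges[kind]
        if value is None:  # attribute never populated in AD: no SID -> uid mapping
            problems.append("%s missing" % attr)
        elif not lo <= value <= hi:
            problems.append("%s %d outside idmap %s %d-%d" % (attr, value, kind, lo, hi))
    return problems

def audit(users, conf=SMB_CONF):
    """Return {'DOMAIN\\user': [problems]} for every object winbind could not map."""
    ranges = parse_idmap_ranges(conf)
    findings = {}
    for u in users:
        problems = check_user(u, ranges)
        if problems:
            findings["%s\\%s" % (u["domain"], u["sAMAccountName"])] = problems
    return findings

if __name__ == "__main__":
    for name, why in audit(AD_USERS).items():
        print("%-20s %s" % (name, "; ".join(why)))
```

On a real server the same values come from the Unix Attributes tab of each KID object (or an LDAP search for uidNumber/gidNumber), so an object that wbinfo -n resolves but wbinfo -i cannot should show up here as missing or out of range.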
