Yes, doing "wbinfo -u" retrieves all of the KID users, then again it always did. Being able to get the SID is new. I am attaching my log file which has been gzipped to make it smaller... I hope this is not an issue. See a few of my tests below.
Thanks,
-Paul

mailtestbed:~# wbinfo -n KID\\testuser
S-1-5-21-29899443-2986348974-2400605501-1223 User (1)
mailtestbed:~# wbinfo -i KID\\testuser
Could not get info for user KID\\testuser
mailtestbed:~# wbinfo -u | grep KID
[...]
KID\co2s17
KID\testuser
KID\co2s13
KID\co2s01
KID\jplaolet
KID\co2stemp

On 4/3/2010 5:04 AM, [email protected] wrote:
> That's definitely a good point.
>
> Do you get the KID users in wbinfo -u ?
>
> Try increasing again loglevel for winbindd and send it for review.
>
> François
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of Paul Lauss
> Sent: Friday, 2 April 2010 20:57
> To: [email protected]
> Subject: Re: [Samba] AD Auth Trusted Domain issues
>
> Greetings,
> I figured out that since we made KID ADS native I have been able to
> query for the SID successfully. I was unable to do that before. wbinfo
> -n testuser actually returns a sid but it doesn't seem to want to map it
> to anything so I am thinking my issue may be with how I am configuring
> idmap. Any thoughts or suggestions?
>
> Thanks,
> -Paul
>
> On 4/1/2010 8:55 AM, Paul Lauss wrote:
>> We have corrected the issues of "KID" not being native but this does not
>> seem to have helped. We did however see this error in the Windows Event
>> Viewer at the point that I am trying to make the connection. I am not
>> certain what it means that there are no logon servers available...
>> Thoughts?
>>
>> Event Type: Warning
>> Event Source: LSASRV
>> Event Category: SPNEGO (Negotiator)
>> Event ID: 40960
>> Date: 3/31/2010
>> Time: 3:19:00 AM
>> User: N/A
>> Computer: CHLDDC01
>> Description:
>> The Security System detected an authentication error for the server
>> ldap/chlddc01.kid.rdomain.prv. The failure code from authentication
>> protocol Kerberos was "There are currently no logon servers available to
>> service the logon request.
>> (0xc000005e)".
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> Data:
>> 0000: 5e 00 00 c0 ^..À
>>
>> On 3/30/2010 6:20 PM, [email protected] wrote:
>>> So, as I already told you, I'm not familiar with that kind of setup.
>>>
>>> From what I could see, the fact that domain KID is not in ADS native may be
>>> the problem as you've got security = ADS and that expects native mode.
>>>
>>> You should try to go back to the list to confirm that. Your setup does not
>>> seem to be that odd, I could read lots of people trying (successfully for
>>> most of them if I remember correctly) to accomplish that kind of things.
>>>
>>> Sorry to not be able to help you more.
>>>
>>> François
>>>
>>> -----Original Message-----
>>> From: Paul Lauss [mailto:[email protected]]
>>> Sent: Tuesday, 30 March 2010 23:26
>>> To: [email protected]
>>> Subject: Fwd: Re: [Samba] AD Auth Trusted Domain issues
>>>
>>> This didn't seem to go through the listserv...
>>>
>>> I am so sorry, I was trying to stay fairly concise... Here is the whole log
>>> file I extracted.
>>>
>>> On 3/30/2010 1:56 PM, [email protected] wrote:
>>>> Could you provide the part that you removed, I can see that winbind is
>>>> trying to connect to chlddc01.kid.rdomain.prv for domain kid, but then you
>>>> removed that part of the transaction, and we end up with some info
>>>> returned from main domain dc.
>>>>
>>>> François
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On behalf of Paul Lauss
>>>> Sent: Tuesday, 30 March 2010 20:23
>>>> To: [email protected]
>>>> Subject: Re: [Samba] AD Auth Trusted Domain issues
>>>>
>>>> The trust check succeeded... I have attached the pertinent logs... it
>>>> looks like it is timing out... I am not sure why though. The link should
>>>> be a little slower but it shouldn't be terrible, it is a 2Mb pipe.
>>>>
>>>> mailtestbed:~# wbinfo -t
>>>> checking the trust secret via RPC calls succeeded
>>>>
>>>> On 3/30/2010 9:47 AM, François Legal wrote:
>>>>> I'm not sure to 100% understand what you mean (it's been a long time
>>>>> since I last used an AD server with SFU).
>>>>> However, next step now will be to increase winbindd debug level while
>>>>> issuing the wbinfo -i command, and see what fails there.
>>>>>
>>>>> Try first a wbinfo -t, then if it succeeds, increase winbindd verbosity.
>>>>>
>>>>> François
>>>>>
>>>>> On Tue, 30 Mar 2010 09:09:09 -0500, Paul Lauss <[email protected]> wrote:
>>>>>> Hello,
>>>>>> Thank you so much for your reply! We are using AD 2003 R2 on both
>>>>>> the domain and the child domain. I am using 10000-29999 for IDs on
>>>>>> the main domain (RDOMAIN) and 30000-100000 on the child domain (KID).
>>>>>> Interestingly, in the Unix tab (in AD Users and Computers for any
>>>>>> object) under "NIS Domain" on any of the RDOMAIN servers we get the
>>>>>> pulldown option "RDOMAIN" but on the Trusted domains server the only
>>>>>> option is "KID". I'm not sure if that is expected or would affect
>>>>>> this but I can't seem to get the RDOMAIN option in the KID Trusted
>>>>>> domain.
>>>>>>
>>>>>> Thanks,
>>>>>> -Paul
>>>>>>
>>>>>> On 3/30/2010 2:27 AM, François Legal wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm not familiar with this kind of setup, but I wonder whether or
>>>>>>> not the KID domain has the SFU schema extensions setup for idmapping
>>>>>>> (see idmap backend = ad) and if properly setup, check that the defined
>>>>>>> uid/gid for that domain fall in the idmap uid range
>>>>>>>
>>>>>>> François
>>>>>>>
>>>>>>> On Mon, 29 Mar 2010 17:54:37 -0500, Paul Lauss <[email protected]> wrote:
>>>>>>>> I have been killing myself on this issue over the last 2 weeks. I
>>>>>>>> have setup pam AD authentication using winbind on our company's email
>>>>>>>> servers. That part is currently working. I have been trying to
>>>>>>>> add an existing "Trusted" child domain and allow authentication from
>>>>>>>> that domain as well. I am part of the way there, but not quite to the
>>>>>>>> functional point as of yet. Our primary domain is rdomainprv or
>>>>>>>> rdomain.prv and the child domain is kid.rdomain.prv. Below is
>>>>>>>> what I am seeing, followed by my configs. Also, we had to open ports
>>>>>>>> 88, 139 and 389 (I believe those are the correct ports, though the
>>>>>>>> networking guys opened them) from the email/winbind server to the
>>>>>>>> child domain, at the firewall. Any help would be very much appreciated!
>>>>>>>>
>>>>>>>> mailtestbed:~# wbinfo --all-domains
>>>>>>>> BUILTIN
>>>>>>>> MAILTESTBED
>>>>>>>> RDOMAINPRV
>>>>>>>> KID
>>>>>>>>
>>>>>>>> mailtestbed:~# wbinfo -u | grep testuser
>>>>>>>> KID\testuser
>>>>>>>>
>>>>>>>> mailtestbed:~# wbinfo -a KID\\testuser%password
>>>>>>>> plaintext password authentication succeeded
>>>>>>>> challenge/response password authentication succeeded
>>>>>>>>
>>>>>>>> Here is where it's falling apart:
>>>>>>>> mailtestbed:~# wbinfo -i KID\\testuser
>>>>>>>> Could not get info for user KID\testuser
>>>>>>>>
>>>>>>>> mailtestbed:~# id KID\\testuser
>>>>>>>> id: KID\testuser: No such user
>>>>>>>>
>>>>>>>> mailtestbed:~# id testuser
>>>>>>>> id: testuser: No such user
>>>>>>>>
>>>>>>>> mailtestbed:~# getent passwd KID\\testuser
>>>>>>>> mailtestbed:~#
>>>>>>>>
>>>>>>>> mailtestbed:~# getent passwd testuser
>>>>>>>> mailtestbed:~#
>>>>>>>>
>>>>>>>> mailtestbed:~# id RDOMAINPRV\\testmer
>>>>>>>> uid=10001(testmer) gid=10001 groups=999(users)
>>>>>>>>
>>>>>>>> mailtestbed:~# getent passwd RDOMAINPRV\\testmer
>>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>>>
>>>>>>>> mailtestbed:~# wbinfo -i RDOMAINPRV\\testmer
>>>>>>>> testmer:*:10001:10001::/home/testmer:/bin/bash
>>>>>>>>
>>>>>>>> Versions (Debian Lenny)
>>>>>>>> samba 2:3.2.5-4lenny9
>>>>>>>> winbind 2:3.2.5-4lenny9
>>>>>>>>
>>>>>>>> smb.conf
>>>>>>>> [global]
>>>>>>>>    workgroup = RDOMAINPRV
>>>>>>>>    realm = RDOMAIN.PRV
>>>>>>>>    server string = %h server
>>>>>>>>    dns proxy = no
>>>>>>>>    name resolve order = lmhosts host wins bcast
>>>>>>>>    log file = /var/log/samba/log.%m
>>>>>>>>    max log size = 1000
>>>>>>>>    syslog = 0
>>>>>>>>    panic action = /usr/share/samba/panic-action %d
>>>>>>>>    security = ADS
>>>>>>>>    encrypt passwords = yes
>>>>>>>>    passdb backend = tdbsam
>>>>>>>>    obey pam restrictions = yes
>>>>>>>>    unix password sync = yes
>>>>>>>>    passwd program = /usr/bin/passwd %u
>>>>>>>>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>>>>>    pam password change = yes
>>>>>>>>    allow trusted domains = yes
>>>>>>>>    winbind trusted domains only = no
>>>>>>>>    idmap backend = ad
>>>>>>>>    idmap uid = 10000-1000000
>>>>>>>>    idmap gid = 10000-1000000
>>>>>>>>    template homedir = /home/%U
>>>>>>>>    winbind use default domain = yes
>>>>>>>>    winbind nss info = rfc2307
>>>>>>>>    winbind nested groups = yes
>>>>>>>>    client use spnego = yes
>>>>>>>>    client ntlmv2 auth = yes
>>>>>>>>    restrict anonymous = 2
>>>>>>>>    winbind enum groups = no
>>>>>>>>    winbind enum users = no
>>>>>>>>    winbind cache time = 30
>>>>>>>>
>>>>>>>> krb5.conf
>>>>>>>> [libdefaults]
>>>>>>>>    default_realm = RDOMAIN.PRV
>>>>>>>>    krb4_config = /etc/krb.conf
>>>>>>>>    krb4_realms = /etc/krb.realms
>>>>>>>>    kdc_timesync = 1
>>>>>>>>    ccache_type = 4
>>>>>>>>    forwardable = true
>>>>>>>>    proxiable = true
>>>>>>>>    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>>>    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>>>    permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
>>>>>>>>    v4_instance_resolve = false
>>>>>>>>    v4_name_convert = {
>>>>>>>>       host = {
>>>>>>>>          rcmd = host
>>>>>>>>          ftp = ftp
>>>>>>>>       }
>>>>>>>>       plain = {
>>>>>>>>          something = something-else
>>>>>>>>       }
>>>>>>>>    }
>>>>>>>>    fcc-mit-ticketflags = true
>>>>>>>> [realms]
>>>>>>>>    RDOMAIN.PRV = {
>>>>>>>>       default_domain = RDOMAIN.PRV
>>>>>>>>       master_kdc = dc02.rdomain.prv
>>>>>>>>       admin_server = dc02.rdomain.prv
>>>>>>>>       kdc = aurad.rdomain.prv
>>>>>>>>       kdc = addc01.rdomain.prv
>>>>>>>>       kdc = addc02.rdomain.prv
>>>>>>>>       kdc = addc03.rdomain.prv
>>>>>>>>       #kdc = addc04.rdomain.prv
>>>>>>>>       kdc = addc05.rdomain.prv
>>>>>>>>       kdc = chlddc01.kid.rdomain.prv
>>>>>>>>    }
>>>>>>>>    KID.RDOMAIN.PRV = {
>>>>>>>>       default_domain = KID.RDOMAIN.PRV
>>>>>>>>       kdc = chlddc01.kid.rdomain.prv
>>>>>>>>       master_kdc = addc02.rdomain.prv
>>>>>>>>       admin_server = addc02.rdomain.prv
>>>>>>>>       kdc = addc01.rdomain.prv
>>>>>>>>       kdc = addc02.rdomain.prv
>>>>>>>>    }
>>>>>>>> [domain_realm]
>>>>>>>>    .rdomain.prv = RDOMAIN.PRV
>>>>>>>>    rdomain.prv = RDOMAIN.PRV
>>>>>>>>    .kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>>>    kid.rdomain.prv = KID.RDOMAIN.PRV
>>>>>>>> [kdc]
>>>>>>>>    profile = /var/kerberos/krb5kdc/kdc.conf
>>>>>>>> [appdefaults]
>>>>>>>>    pam = {
>>>>>>>>       debug = false
>>>>>>>>       ticket_lifetime = 36000
>>>>>>>>       renew_lifetime = 36000
>>>>>>>>       forwardable = true
>>>>>>>>       krb4_convert = false
>>>>>>>>       validate = true
>>>>>>>>    }
>>>>>>>> [login]
>>>>>>>>    krb4_convert = true
>>>>>>>>    krb4_get_tickets = false
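François's suggestion earlier in the thread was to confirm that the trusted domain's objects carry the SFU/rfc2307 attributes that "idmap backend = ad" needs and that their values fall inside the "idmap uid"/"idmap gid" range from smb.conf. The checker below is an added example, not code from the thread or from Samba: it parses a constructed smb.conf fragment modelled on Paul's, then flags constructed sample users that winbind could not map for either reason. The sample users, their uidNumber/gidNumber values and the helper names are assumptions for illustration.

```python
import re

# Constructed smb.conf fragment mirroring the idmap settings in the thread.
SMB_CONF = """\
[global]
   security = ADS
   allow trusted domains = yes
   idmap backend = ad
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind nss info = rfc2307
"""

def idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} parsed from smb.conf text."""
    ranges = {}
    for key in ("uid", "gid"):
        m = re.search(r"^\s*idmap %s\s*=\s*(\d+)\s*-\s*(\d+)" % key, conf, re.M)
        if m:
            ranges[key] = (int(m.group(1)), int(m.group(2)))
    return ranges

def check_object(obj, ranges):
    """List why winbind (idmap backend = ad) could not map this AD object; [] if OK."""
    problems = []
    for attr, key in (("uidNumber", "uid"), ("gidNumber", "gid")):
        if attr not in obj:           # no rfc2307 attribute: nothing to map from
            problems.append("%s missing (no rfc2307 attribute)" % attr)
        elif key not in ranges:       # smb.conf never defined the range
            problems.append("idmap %s not configured" % key)
        elif not ranges[key][0] <= obj[attr] <= ranges[key][1]:
            problems.append("%s=%d outside idmap %s %d-%d"
                            % (attr, obj[attr], key, ranges[key][0], ranges[key][1]))
    return problems

# Constructed sample objects (hypothetical attribute values chosen to sit in the
# 10000-29999 RDOMAINPRV and 30000-100000 KID ranges the thread mentions).
SAMPLE_USERS = {
    "RDOMAINPRV\\testmer": {"uidNumber": 10001, "gidNumber": 10001},
    "KID\\testuser": {"gidNumber": 30001},                      # uidNumber never set
    "KID\\co2s17": {"uidNumber": 30017, "gidNumber": 30001},
    "KID\\co2stemp": {"uidNumber": 5000, "gidNumber": 30001},   # below idmap uid
}

def unmappable(users, conf):
    """Map each user winbind would reject to its list of reasons."""
    ranges = idmap_ranges(conf)
    result = {}
    for name, obj in users.items():
        problems = check_object(obj, ranges)
        if problems:
            result[name] = problems
    return result
```

Users reported by this check are the ones for which "wbinfo -i" and "getent passwd" stay empty even though "wbinfo -n" already returns a SID, which is the split Paul observes.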
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
