As per an earlier post, I was having problems getting trusts set up between my Samba domain (3.0.x PDC, 3.4.x BDC on Solaris 10) and two Active Directory domains (each in a separate forest). One domain is a test Win 2003 PDC in native Win 2003 mode, the other is a Win 2008 system also in native Win 2003 mode.

To summarize some of the progress: things work better if Samba 3.4 is the PDC, master browser and WINS server.

I now appear to have trusts set up between Samba and the two native Active Directory domains.

"wbinfo -u" and "wbinfo -g" list users from the Win 2008 domain but not from the Win 2003 domain.

winbindd.log shows:

    listent_recv: WIN_2003_DOMAIN  returned no users


I did not have entries for either Active Directory domain in krb5.conf. I have tried adding entries for those domains (this had helped with a test Samba domain on Fedora Core). It doesn't seem to matter for the Solaris PDC.

Any thoughts?

Thanks

On 05/02/2010 01:43 PM, Gaiseric Vandal wrote:
On my test Samba PDC, I updated the krb5.conf file to add realm info for the Windows 2008 domain. This seems to have resolved my "wbinfo" issue. "getent passwd" is still not working (I did update nsswitch.conf) but I suspect this is because of an idmap allocation issue. The syntax for idmap allocation in smb.conf seems to change between 3.0, 3.2, 3.3 and 3.4.


I have also tried setting up a similar trust between the Windows 2008 and my production Samba environment. The production Samba environment had a 3.0.x PDC (DC1) and BDC and a 3.4.x BDC. 3.0.x seems to be incompatible with Win 2008, so I promoted the 3.4.x BDC to PDC. However, the Windows PDC cannot validate the trust:

    The verification of the incoming trust failed with the following error(s):
    The target system DC1 does not support NetLogon trust password verification.
    A secure channel reset will be attempted.
    The secure channel reset failed with error 1355: The specified domain
    either does not exist or could not be contacted.

I suspect I need to reboot the Windows 2008 PDC to make it locate the new Samba PDC.



So why am I still using Samba 3.0.x? Because I am running Solaris, and Sun (now Oracle) seems to have lost interest in anything besides being a server platform for Oracle and has provided a production build of Samba 3.4.

-----Original Message-----
From: Gaiseric Vandal [mailto:[email protected]]
Sent: Friday, April 30, 2010 5:16 PM
To: Samba
Subject: Why do Interdomain trusts try to use kerberos

I have set up a test PDC with Samba 3.4.7 on a Fedora Core 12 Linux machine. I have set up two-way interdomain trusts with a Windows 2008 domain. The domain and forest functional levels are Windows 2003.

Since the Samba machine is not emulating an Active Domain Controller, the Windows 2008 machine should think it is talking to an NT4 server. And since NT4-based domains don't use Kerberos, I would have expected that Kerberos would not be a factor.

On the Windows 2008 PDC I can grant samba users file access.


I set up the Samba domain to trust the Windows domain. I started the process on the Windows PDC first:

    [samba_pdc]# net rpc trustdom establish win_domain

    Enter SMB_DOMAIN$'s password:
    Could not connect to server WIN_PDC
    Trust to domain WIN_DOMAIN established
    [samba_pdc]#


Not sure if the "could not connect" error is a problem; I think I have seen that even when trusts are OK.


    [samba_pdc# net rpc  trustdom list -U Administrator  -S samba_pdc

    Enter Administrator's password:
    Trusted domains list:

    WIN_DOMAIN                 S-1-5-21-......................

    Trusting domains list:

    WIN_DOMAIN                 S-1-5-21-.....................

    none
    [samba_pdc

On the Samba server, "wbinfo -u" and "wbinfo -g" do not return any entries from the WIN_DOMAIN. Log files show issues with idmap and Kerberos.

    # cat log.winbindd-idmap

    [2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
        idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
    [2010/04/30 15:36:53,  0] winbindd/idmap.c:589(idmap_alloc_init)
        ERROR: Initialization failed for alloc backend, deferred!
    [2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
        idmap_alloc module ldap already registered!
    [2010/04/30 15:36:53,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
        idmap_alloc module tdb already registered!
    [2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
        Idmap module passdb already registered!
    [2010/04/30 15:36:53,  0] winbindd/idmap.c:149(smb_register_idmap)
        Idmap module nss already registered!
    [2010/04/30 15:36:53,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
        idmap uid missing
    [2010/04/30 15:36:53,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
        Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration

    ...

    # cat log.wb-WIN_DOMAIN | more
    ...

    [2010/04/30 16:15:19,  0] libads/kerberos.c:333(ads_kinit_password)
        kerberos_kinit_password [email protected] failed: Cannot find KDC for requested realm
    [2010/04/30 16:15:19,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
        ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for requested realm



Any thoughts? Can I force Samba to not try Kerberos? Are the two sets of errors even related? Or can I just add a krb5.conf entry for the WIN_DOMAIN even if I am not using Kerberos otherwise?

Thanks


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba