I have similar issues. I am running Samba 3.4 (compiled from source) on Solaris 10, so selinux is NOT an issue for me. Otherwise I have a similar config (LDAP backend for samba, trusted domains to windows 2003 server.)

I thought this used to work but a month or so ago it wasn't.

getent passwd and wbinfo -u showed users from the trusted domain. wbinfo -s / wbinfo -n showed uid-to-sid and sid-to-uid mappings were ok. The log seemed to show users in the trusted domain being valid, but then complains that that user does not exist.

--------------------------------------------------------------------------------------------------------------------------------------------------
[2010/09/13 08:02:04,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\[lin...@[winserver] with the new password interface
[2010/09/13 08:02:04,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [windomain]\[winus...@[winserver]
...
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
--------------------------------------------------------------------------------------------------------------------------------------------------



I partly resolved this by creating dummy accounts for users (/bin/false as the shell) for the trusted domains (the passwords are different.) The trusted domain only has about 5 or 6 users.

I have not tried ssh'ing in as a trusted domain user (I definitely don't want that available.)

It is weird, because the trusted users ARE definitely authenticating using their own passwords. Maybe it is trying to validate the user name via kerberos but then validates the password via NTLM?

Do you have an entry in krb5.conf for the trusted domain? I think that is more of an issue for locating the DC.

At some point I changed the forest and domain modes on the Windows 2003 DC from mixed to native. That may have broken something but the end users from the trusted domain might not have reported it until several weeks later. (It is apparently a resource they only need occasionally.)

I haven't had a chance to look into this further, since I have a workaround.
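A small triage script for auth log entries of the form quoted above, added here as an example and not something either poster wrote. It assumes a local domain named OFFICE (taken from the quoted message) and runs over constructed sample lines; it separates NT_STATUS_NO_SUCH_USER failures for trusted-domain users (the POSIX mapping problem both posts describe) from ordinary NT_STATUS_WRONG_PASSWORD failures.

```python
import re

# Constructed sample of Samba 3.x auth log lines (log level 3), modelled on the
# check_ntlm_password entries quoted in the thread; domains and names are made up.
SAMPLE_LOG = """\
[2010/09/13 08:02:04,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [TRUSTED]\\[test.user]@[WS01] with the new password interface
[2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [test.user] -> [test.user] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:05:11,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [OFFICE]\\[alice]@[WS02] with the new password interface
[2010/09/13 08:05:11,  2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/09/13 08:07:30,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [TRUSTED]\\[bob]@[WS03] with the new password interface
[2010/09/13 08:07:30,  2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

UNMAPPED_RE = re.compile(r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
FAILED_RE = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")

def classify(status, domain, local_domain):
    """Turn an NT status plus the originating domain into a triage label."""
    if status == "NT_STATUS_NO_SUCH_USER":
        if domain.upper() != local_domain.upper():
            # Credentials reached the DC but the trusted user could not be resolved
            # to a POSIX account: an nsswitch/winbind/idmap problem, not a bad password.
            return "trusted-user-unresolved"
        return "local-user-missing"
    if status == "NT_STATUS_WRONG_PASSWORD":
        return "bad-credentials"
    return "other-failure"

def audit_auth_log(text, local_domain):
    """Pair each 'unmapped user' line with the FAILED line that follows it."""
    findings, pending = [], None
    for line in text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            pending = {"domain": m.group(1), "user": m.group(2), "workstation": m.group(3)}
            continue
        m = FAILED_RE.search(line)
        if m and pending:
            pending["status"] = m.group(3)
            pending["label"] = classify(m.group(3), pending["domain"], local_domain)
            findings.append(pending)
            pending = None
    return findings
```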



On 10/21/2010 11:59 AM, Bruce Richardson wrote:
Having set up two way trust between a Samba domain (with LDAP backend)
and an AD domain, I find that

  1. Users from the trusted domain are authenticated against the proper
DC (that is, their regular password works), but only if there is a
corresponding local domain user.

  2. Users from the trusted domain are being mapped onto Samba/POSIX
users associated with the local Samba domain, despite the fact that the
correct idmap objects are being created in the directory. If they
connect to a share, they connect as the local domain user (although,
oddly, they can create new files and directories but not delete old
ones).


More information:

The local domain uses an LDAP backend, with ldapsam:editposix and
ldapsam:trusted set.  LDAP is used for all domain configs (BUILTIN,
OFFICE domain and external domains).  Winbind is used on the domain
controllers for GID/UID allocation (and for id mappings for foreign
domains), but nss_ldap is used on all the servers, DC or member, to
provide the POSIX user information via nsswitch.conf.  winbind is not
currently running on the member servers (not needed for a single domain
because of nss_ldap).

All this was working perfectly.  Adding the domain trust worked
flawlessly.  Then I tried - on the PDC and BDC only - to have users
from the trusted domain connecting to shares.  So I changed
nsswitch.conf from

   passwd: files ldap
   group: files ldap

to

   passwd: files ldap winbind
   group: files ldap winbind

I added details of the AD domain's PDC to krb5.conf, set the auth user
file and restarted winbindd for luck.

  * "wbinfo -u" and "wbinfo -g" list the trusted domain users and groups.
  * "getent passwd" returns the trusted users in the list as
    TRUSTED\user.name.
  * The idmap OU in the directory now has two dozen
    entries (the AD domain is only used for one specialist part of the
    company).

So far so good.  "getent group" and "getent passwd" show the TRUSTED
domain users have been added and are visible as POSIX users.  TRUSTED
users can authenticate to any OFFICE member servers using their own
passwords (with the important caveat mentioned above).  At this point,
I'm at something of a loss.  I can ssh into the domain controller as
TRUSTED\test.user, whether or not there is a corresponding user in the
local domain, and the correct UID and GID will be assigned, but I can
only connect to Samba as that user if there is a corresponding local
domain user and I am then assigned their UID and GID.

Can anybody suggest what I may have missed?  I can post the relevant
domain controller configs.

I don't know if it's relevant to this, but winbind keeps trying to write
to krb5.conf and being blocked by selinux.  Haven't had time to
investigate that.
