Hello,

Summary: a Linux server joined to domain GODMZ (which trusts another domain GOCORP), without network access to GOCORP domain controllers, can authenticate but not retrieve user information (id) even though wbinfo -n can resolve a name to a SID.

Long: We have two domains, both at Server 2003 functional level. GOCORP contains users and intranet servers. GODMZ contains servers in the DMZ (web servers, etc.). There is a one-way external trust -- GODMZ trusts GOCORP. GODMZ domain controllers can talk to GOCORP domain controllers, but member servers in the DMZ cannot talk to GOCORP domain controllers. This mostly works for Windows servers in the DMZ to authorize GOCORP users who are in GODMZ groups for resources in GODMZ (using magic MSRPC tunnels of some sort).

I'm trying to get similar functionality for our Linux (RHEL 6.2) servers in the DMZ. When I connect the Linux server to a network that has access to domain controllers in both GODMZ and GOCORP, I can authenticate and get user info. When I connect the Linux server to a network that has access to domain controllers in GODMZ, but not GOCORP, I can authenticate (using ntlm_auth), but cannot get user info (id GOCORP\\me). Interestingly, wbinfo -n GOCORP\\me works.

I realize this is a pretty odd setup, but is there any way to make this work?

Thanks,
Elijah

[root@sambatest ~]# wbinfo -t
checking the trust secret for domain GODMZ via RPC calls succeeded
[root@sambatest ~]# net ads testjoin
Join is OK
[root@sambatest ~]# ntlm_auth --domain=GOCORP --username=me
password:
NT_STATUS_OK: Success (0x0)
[root@sambatest ~]# wbinfo -n GOCORP\\me
S-1-5-21-906331755-3892439966-4211215107-5803 SID_USER (1)
[root@sambatest ~]# id GOCORP\\me
id: GOCORP\me: No such user
[root@sambatest ~]# id GODMZ\\notme
uid=2107(GODMZ\notme)...
[root@sambatest ~]# smbd --version
Version 3.5.10-114.el6

#relevant /etc/smb.conf
security = domain
realm = GODMZ
password server = *
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
winbind use default domain = no
winbind trusted domains only = no
client ntlmv2 auth = yes
encrypt passwords = yes
invalid users = root
allow trusted domains = yes
# note: 'idmap backend' is set twice below, so only one value can take effect;
# Samba 3.5 expresses per-domain rid mapping as
#   idmap config DOMAIN : backend = rid
#   idmap config DOMAIN : range = low-high
idmap backend = idmap_rid:GOCORP=10000-100000000
idmap backend = idmap_rid:GODMZ=1000-9999
#there are only a handful of users
idmap uid = 1000-100000000
idmap gid = 1000-100000000
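The lookup chain the post exercises by hand (wbinfo -n succeeds, id fails) written out as a diagnostic script that reports the first step that breaks: name to SID, SID to uid through idmap, SID back to name on the trusted DC, and finally the passwd entry that id/getent depend on. This is an added example, not code from the post or from Samba; it assumes Samba 3.x wbinfo and getent on PATH and takes a DOMAIN\user argument as a placeholder for the real account.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): walks winbind's lookup
# chain for one trusted-domain account and prints the first failing step.
# Assumes wbinfo/getent on PATH; 'DOMAIN\user' below is a placeholder.

# Extract the SID from a "wbinfo -n" result line such as
# "S-1-5-21-906331755-3892439966-4211215107-5803 SID_USER (1)".
parse_sid() {
    printf '%s\n' "$1" | sed -n 's/^\(S-1-[0-9-]*\) .*/\1/p'
}

# Return 0 when a "wbinfo -n" line denotes a user object (SID_USER),
# 1 for any other object type or a malformed/empty line.
is_user_sid_line() {
    case "$1" in
        S-1-*' SID_USER '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one step: label followed by the command; print OK/FAIL and its output.
step() {
    label=$1; shift
    if out=$("$@" 2>&1); then
        printf 'OK   %-13s %s\n' "$label" "$out"
    else
        printf 'FAIL %-13s %s\n' "$label" "$out"
        return 1
    fi
}

# check_user 'DOMAIN\user': stops at the first step that fails, which
# separates a name->SID problem from an idmap problem from a DC lookup
# problem (SID->name and the passwd entry need the trusted domain's DC).
check_user() {
    acct=$1
    line=$(wbinfo -n "$acct") || { echo "FAIL name->SID"; return 1; }
    is_user_sid_line "$line" || { echo "FAIL not a user: $line"; return 1; }
    sid=$(parse_sid "$line")
    echo "OK   name->SID     $sid"
    step 'SID->uid' wbinfo -S "$sid" || return 1
    step 'SID->name' wbinfo -s "$sid" || return 1
    step 'passwd entry' wbinfo -i "$acct" || return 1
    step 'getent' getent passwd "$acct"
}

# Usage (placeholder account): check_user 'GOCORP\me'
```

If SID->uid succeeds but the passwd entry fails, the uid mapping is fine and the missing piece is the user attribute query that winbind has to make against the GOCORP domain controller the DMZ host cannot reach.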
