This sounds like it might be somewhat related to the problem I posted a query about earlier this week -- where domain local groups in domain-A that contain users from (trusted/trusting) domain-B are not having the domain-B users being enumerated by winbind as group members on Samba/winbind systems in domain-A. It appears that only domain-A users can be enumerated as group members by winbind, even if the group is defined as a domain local group, which can contain users defined in a foreign, trusted domain. (On Windows systems within the domain, users from domain-B show up as group members just fine -- Samba appears to be dropping them off the list, though.)

It seems like there might be some sort of common inability to deal with references to users in another (trusted) domain from within the context of the local domain, in certain places at least...

Cheers,
-D


At 01:26 PM 2/16/2006, Devin Morton wrote:
I've come across a fairly unique situation and after much searching have
not found a solution. I thought I would see if anyone here has had any
experience with this before.

I have a location with two ADS domains with a two-way trust configured.

-For this example I will call them corp.company.com and bst.company.com.

-I have a FreeBSD client running Samba version three.
-I want to use an account in corp with privileges over bst to join the
client to the bst domain.

No matter what format I use to specify the location of the admin account,
the process always appends the specified user to the bst I'm attempting to
join. That domain, of course, cannot find the user and I receive an
"Invalid credentials" error. Here is an example:

ESPN-IQ-1# net ads join -S bst.company.com -U CORP.company.com/domainadmin
Password:
[2006/02/16 12:20:42, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2006/02/16 12:20:42, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password CORP.company.com/[EMAIL PROTECTED] failed: Client not found in Kerberos database
[2006/02/16 12:20:42, 1] utils/net_ads.c:ads_startup(152)
  ads_connect: Invalid credentials


Is there a way to specify a user account from a different domain when
attempting to join in this fashion?

Thanks in advance.
Devin Morton
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Don Meyer                                           <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759