Hi, I am having the exact same problem as the user quoted below - I have 3.0.28a installed at both ends (I've tried 3.0.30 but that seems to make wbinfo -t fail with "DOMAIN CONTROLLER NOT FOUND" errors). It's a bidirectional trust - the end remote to me works fine but the local end reports as below. wbinfo -u/g fails on both ends with "Error looking up domain users".
Here is the relevant part of my smb.conf on the local end:

[global]
    unix charset = LOCALE
    workgroup = IFA_NET
    netbios name = PDC
    interfaces = eth0, lo
    bind interfaces only = Yes
    passdb backend = ldapsam:ldap://127.0.0.1
    username map = /etc/samba/smbusers
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139 445
    name resolve order = wins lmhosts bcast hosts
    time server = no
    #printcap name = CUPS
    show add printer wizard = Yes
    enable privileges = yes
    ldap suffix = dc=ifa,dc=net
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=manager,dc=ifa,dc=net
    ldap ssl = no
    ldap timeout = 20
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind nested groups = yes
    winbind trusted domains only = yes
    winbind use default domain = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 6000
    allow trusted domains = yes
    map acl inherit = Yes
    ea support = Yes
    #printing = cups
    # printer admin = root
    wins support = yes
    log level = 3
    domain logons = yes
    domain master = yes
    preferred master = yes
    logon drive = H:
    #os level = 35
    passdb expand explicit = yes
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    enable privileges = Yes
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

and remote:

[global]
    #unix charset = LOCALE
    workgroup = INTEGRALIFE_NET
    netbios name = DC
    interfaces = eth1, lo
    bind interfaces only = Yes
    passdb backend = ldapsam:ldap://127.0.0.1
    logon drive = H:
    logon home = \\%L\%U
    logon path = \\%L\%U\profile
    os level = 33
    #auth methods = guest sam winbind
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 0
    smb ports = 139
    name resolve order = wins lmhosts bcast hosts
    time server = Yes
    printcap name = CUPS
    show add printer wizard = Yes
    #add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    enable privileges = Yes
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -a -w '%u'
    logon drive = H:
    domain logons = Yes
    preferred master = Yes
    domain master = Yes
    #wins support = Yes
    wins server = 192.168.20.137
    wins proxy = no
    ldap suffix = dc=integralife,dc=net
    ldap machine suffix = ou=Computers,ou=Accounts
    ldap user suffix = ou=People,ou=Accounts
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=integralife,dc=net
    ldap ssl = no
    ldap timeout = 20
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind nested groups = yes
    winbind use default domain = no
    winbind trusted domains only = yes
    winbind enum users = yes
    winbind enum groups = yes
    allow trusted domains = Yes
    map acl inherit = Yes
    ea support = Yes
    disable spoolss = No
    printing = cups
    printer admin = root

Any help I can get gratefully received!

Thanks
Alex

On Wed, 2008-05-07 at 16:43 -0400, Charlie wrote:
> Greetings Sambistas!
>
> I can't seem to get domain trusts to work in both directions. Details
> follow.
>
> I have a network running many OSes on four geographically separate
> sites with an OpenLDAP authentication backbone. Desktops are Windows
> XP authenticating to samba 3.0.25b servers which in turn are
> configured to use LDAP.
> Our net has been running samba in various flavors and versions for
> over ten years, and we have been running OpenLDAP for about seven
> years.
>
> Each physical site is a separate samba domain but all use the same
> LDAP backend data. All Linux samba servers are running 3.0.25b, some
> of them using Red Hat native packages on RHEL5 and others using my own
> backported RPMs of the same. HP-UX servers run HP's CIFS9000 product
> which is essentially a samba fork.
>
> Each samba server has a local LDAP replica and a local slave BIND
> DNS server. PAM, NSS, and samba are all configured for automatic LDAP
> failover; this is tested and working. We use unencrypted LDAP on
> 127.0.0.1 as the primary (for speed) and LDAPS to the master server as
> secondary (for security). If I kill the local LDAP daemon samba
> continues to work fine, drawing passwords etc. from the master server
> over SSL.
>
> From the main site, I can do this:
>
> # net rpc trustdom list -Udomadmin
> Password:
>
> Trusted domains list:
>
> LA S-1-5-21-laSIDredacted
> MD S-1-5-21-mdSIDredacted
> MA S-1-5-21-maSIDredacted
> none
>
> Trusting domains list:
>
> MAIN S-1-5-21-LocalSIDredacted
> MA S-1-5-21-maSIDredacted
> LA S-1-5-21-laSIDredacted
> MD S-1-5-21-mdSIDredacted
>
> But, from the MD server, if I issue the same command, I get this:
>
> # net rpc trustdom list -Umdadmin
> Password:
> Trusted domains list:
>
> MAIN S-1-5-21-LocalSIDredacted
> MA S-1-5-21-maSIDredacted
> LA S-1-5-21-laSIDredacted
> none
>
> Trusting domains list:
>
> [2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
> Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED
>
> I have been unable to find anything on the net that details the LDAP
> entries for interdomain trust accounts. I do not know if a single
> LDAP dn can be used to establish the trust in both directions or if I
> need two for each link in the mesh. If anyone could post examples of
> working LDAP accounts used for interdomain trust purposes I would be
> tremendously grateful!
>
> Thanks,
> --Charlie

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
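An added diagnostic for the situation both posters describe; this is example code written for this thread, not code from the Samba project or from either poster. In Samba 3 `net rpc trustdom list` prints two lists: "Trusted domains list" comes from the LSA trusted-domain enumeration on the local DC (domains whose trust password this DC holds, i.e. the outgoing side set up with `net rpc trustdom establish <TRUSTED>`), while "Trusting domains list" is built by enumerating the local SAM for interdomain trust accounts (the `<TRUSTING>$` entries carrying the `I` flag in `sambaAcctFlags` on an ldapsam backend, created with `smbldap-useradd -i <TRUSTING>` or `net rpc trustdom add <TRUSTING>`). That is why the failure on the MD server is reported as "Couldn't enumerate accounts". The script below classifies each remote domain as trusted-only, trusting-only or both, so an asymmetric mesh stands out, and returns 2 when the trusting-side enumeration failed. The two sample outputs are constructed from the quoted post; the domain names and SIDs are the redacted ones from the thread.

```shell
#!/bin/sh
# trust_dirs.sh: classify `net rpc trustdom list` output per remote domain.
# Added example for this thread; not code from the Samba project or the posters.

# classify_trusts [LOCAL_DOMAIN]
#   Reads the output of `net rpc trustdom list -U<admin>` on stdin and prints
#   one sorted line per domain: "<NAME> trusted" (only under "Trusted domains
#   list": this DC trusts it, outgoing), "<NAME> trusting" (only under
#   "Trusting domains list": it has an interdomain trust account here,
#   incoming) or "<NAME> both" (bidirectional). LOCAL_DOMAIN, if given, is
#   skipped. Returns 2 if the trusting-side enumeration failed with the
#   "Couldn't enumerate accounts" error quoted in the thread, else 0.
classify_trusts() {
    loc="${1:-}"
    rc=0
    out=$(awk -v loc="$loc" '
        /^Trusted domains list/  { sect = "trusted";  next }
        /^Trusting domains list/ { sect = "trusting"; next }
        /Couldn.t enumerate accounts/ { failed = 1; next }
        # Entry lines look like "NAME S-1-5-21-...": this skips "none",
        # blank lines, the Password: prompt and any log lines.
        sect != "" && NF >= 2 && $2 ~ /^S-1-5-21-/ && $1 != loc {
            if (sect == "trusted") trusted[$1] = 1; else trusting[$1] = 1
            names[$1] = 1
        }
        END {
            for (d in names) {
                if ((d in trusted) && (d in trusting)) print d, "both"
                else if (d in trusted)                 print d, "trusted"
                else                                   print d, "trusting"
            }
            exit (failed ? 2 : 0)
        }') || rc=$?
    # C locale so the order does not depend on the caller's collation.
    [ -n "$out" ] && printf '%s\n' "$out" | LC_ALL=C sort
    return $rc
}

# Constructed sample: the main-site output from the quoted post.
SAMPLE_MAIN=$(printf '%s\n' \
    'Password:' '' \
    'Trusted domains list:' '' \
    'LA S-1-5-21-laSIDredacted' 'MD S-1-5-21-mdSIDredacted' \
    'MA S-1-5-21-maSIDredacted' 'none' '' \
    'Trusting domains list:' '' \
    'MAIN S-1-5-21-LocalSIDredacted' 'MA S-1-5-21-maSIDredacted' \
    'LA S-1-5-21-laSIDredacted' 'MD S-1-5-21-mdSIDredacted')

# Constructed sample: the MD-site output, where the SAM enumeration failed.
SAMPLE_MD=$(printf '%s\n' \
    'Password:' \
    'Trusted domains list:' '' \
    'MAIN S-1-5-21-LocalSIDredacted' 'MA S-1-5-21-maSIDredacted' \
    'LA S-1-5-21-laSIDredacted' 'none' '' \
    'Trusting domains list:' '' \
    '[2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)' \
    "Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED")

# Run against the two samples when invoked as `sh trust_dirs.sh demo`.
# On a real DC use:  net rpc trustdom list -Udomadmin | classify_trusts MAIN
demo() {
    echo '== MAIN site =='
    printf '%s\n' "$SAMPLE_MAIN" | classify_trusts MAIN || echo "enumeration failed (rc=$?)"
    echo '== MD site =='
    printf '%s\n' "$SAMPLE_MD" | classify_trusts MD || echo "enumeration failed (rc=$?)"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

A domain that shows up as "trusted" only on one side and "trusting" only on the other is a one-way trust: the side that reports it as "trusted" still lacks the `<OTHER>$` interdomain trust account in its own SAM (for ldapsam, a `sambaSamAccount` with the `I` flag), and the side that reports it as "trusting" has not yet run `net rpc trustdom establish`. When the command returns 2, the admin account used for `-U` could not enumerate the SAM at all, so the trusting list is simply unknown rather than empty.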
