Hello all. I've set up a testing environment with two Windows DCs. The first, called DCA, is serving the domain DOMA and is running Windows 2003. The second is called DCB and serves DOMB on Windows 2008.
The Samba machine I'm setting up (named ULYSSES) should be able to authenticate users from both domains for shell login. I've installed Samba 3.2.3 as a Debian package and closely followed the fine Howto by Michael Battista (http://www.ccs.neu.edu/home/battista/documentation/winbind/).

Here are the current settings from my smb.conf, stripped down to the relevant ones:

[global]
realm = B.NET
workgroup = B
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
; winbind enum groups = yes
; winbind enum users = yes
winbind use default domain = no
winbind nested groups = yes
allow trusted domains = yes

PAM and NSS are configured as well, winbind is installed and running. The Samba machine has successfully joined DOMB:

wbinfo -t
checking the trust secret via RPC calls succeeded

Domain trusts seem to work:

wbinfo -m
BUILTIN
ULYSSES
DOMA
DOMB

So far, everything works as expected. But when I try to get user info, only users from DOMB (where the Samba machine is a member) are found by winbind:

wbinfo -u
ULYSSES\root
ULYSSES\nobody
[...]
DOMB\administrator
DOMB\brian

No entries for DOMA are listed. To track this further down, I issued the following commands:

wbinfo -i "DOMA\alvin"
Could not get info for user DOMA\alvin
wbinfo -i "DOMB\brian"
DOMB\brian:*:10000:10000:Brian:/home/DOMB/brian:/bin/bash

The logfile (log.wb-DOMA) states:

[2008/10/10 12:32:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (KRB5 error code 68)
[2008/10/10 12:32:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (KRB5 error code 68)
[2008/10/10 12:32:23, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: KRB5 error code 68
[2008/10/10 12:32:23, 1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain DOMA failed: KRB5 error code 68
[2008/10/10 12:32:23, 1] winbindd/winbindd_user.c:winbindd_dual_userinfo(150)
  error getting user info for sid S-1-5-21-1851683558-1272149263-2209706219-1104

So I suspect something with the Kerberos authentication to be wrong; but why is that, since I can successfully authenticate users with winbind:

wbinfo -a "DOMA\alvin%alvinpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -a "DOMB\brian%brianpass"
plaintext password authentication succeeded
challenge/response password authentication succeeded

Why is winbind able to authenticate users, but cannot get user info about them? Does anyone have a hint for me?

Thanks in advance,
marco

-- 
Marco Senft
http://www.t2g.ch/
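The log.wb-DOMA excerpt quoted in the post can be triaged mechanically. The following is an added example, not part of the original post and not Samba code: a small Python parser that joins each Samba log header to its message line and names the Kerberos error. It assumes the number after "KRB5 error code" is the RFC 4120 protocol error code; the function names are hypothetical and SAMPLE is the post's excerpt, reflowed.

```python
import re
from collections import Counter

# Subset of the RFC 4120 error code table. Assumption: winbind prints the
# Kerberos protocol error code after "KRB5 error code".
KRB5_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED", 37: "KRB_AP_ERR_SKEW",
    68: "KDC_ERR_WRONG_REALM",
}
# Samba 3.x entry header: [date time, debuglevel] source_file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
KRB_CODE = re.compile(r"KRB5 error code (\d+)")

def parse_entries(text):
    """Yield one dict per log entry; message lines are joined to their header."""
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if entry is not None:
                yield entry
            entry = dict(m.groupdict(), message="")
        elif entry is not None and line:
            entry["message"] = (entry["message"] + " " + line).strip()
    if entry is not None:
        yield entry

def kerberos_failures(text):
    """Count Kerberos errors keyed by (reporting function, code, RFC name)."""
    counts = Counter()
    for e in parse_entries(text):
        for code in map(int, KRB_CODE.findall(e["message"])):
            counts[(e["func"], code, KRB5_ERRORS.get(code, "UNKNOWN"))] += 1
    return counts

# Sample input: three entries taken from the post's log excerpt, reflowed.
SAMPLE = """\
[2008/10/10 12:32:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (KRB5 error code 68)
[2008/10/10 12:32:23, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: KRB5 error code 68
[2008/10/10 12:32:23, 1] winbindd/winbindd_ads.c:ads_cached_connection(127)
  ads_connect for domain DOMA failed: KRB5 error code 68
"""

if __name__ == "__main__":
    for (func, code, name), n in kerberos_failures(SAMPLE).items():
        print(f"{func}: {name} ({code}) x{n}")
```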
