Re: [Samba] Trust problems after upgrade from 3.5 to 3.6
What do you get when you issue the command?

This command will list the Interdomain Trusts

    net rpc trustdom list -U admin user

If not you can add a relationship, it means the AD domain is trusted by your local domain (ex your samba)

    net rpc trustdom add AD name passwd -U admin user

because you want a two-way trust add this one, local domain has given trust from the AD.

    net rpc trustdom establish SAMBA/local domain -U admin user

If you now issue the command wbinfo -g, it will now display the AD and samba groups.

But be sure to check also in the AD, trust domain utility. Hope this will give you trust, in your trust relationship problem. I don't know if you broke the relationship upon upgrade that's why you got this one or in ADs.

Regards,
Mario

On Sat, Feb 9, 2013 at 7:52 AM, Andrea Venturoli m...@netfence.it wrote:

> On 02/08/13 19:18, Oliver Freyd wrote:
>
>> Hello,
>> does wbinfo -u list the users of the trusted domain?
>
> No; however it doesn't do this with Samba 3.5 either (which works).
>
>> and getent passwd, too?
>
> Same as above. Do you think I've got a config problem which only by chance does not show up with 3.5?
>
>> By valid users you mean the parameter in smb.conf?
>
> Exactly: the one that controls which users can access a share.
>
>> I'm usually using ACLs on shares (in the filesystem), so I haven't tried that.
>
> I'm not using ACL and the share I'm doing my tests with has 777 permissions; so I'm sure it's Samba that denies access.
>
>> But I suppose it worked before...
>
> I can confirm this: it did work as expected with Samba 3.5. Actually it still does in the other server I have in the same site (on which I'm holding the upgrade until I find a solution).
>
> bye Thanks
> av.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Trust problems after upgrade from 3.5 to 3.6
On 02/09/13 12:59, Mario Codeniera wrote:

> What do you get when you issue the command?
>
> This command will list the Interdomain Trusts
>
>     net rpc trustdom list -U admin user

I see the foreign domain, with its SID, listed on both Trusted domains and Trusting domains. As I said, users from this domain are accepted on the other one, so one way the trust works perfectly. Also, authentication of user from the trusted domain succeeds or fails depending on the correctness of the password; so the trust is there.

> If not you can add a relationship, it means the AD domain is trusted by your local domain (ex your samba)
>
>     net rpc trustdom add AD name passwd -U admin user
>
> because you want a two-way trust add this one, local domain has given trust from the AD.
>
>     net rpc trustdom establish SAMBA/local domain -U admin user

I've already tried several times to remove and recreate the trust. Furthermore, as I said, it's working on the BDC where I've left Samba 3.5 for now.

> If you now issue the command wbinfo -g, it will now display the AD and samba groups.

wbinfo -g gives empty output!!! I think the problem might lie here...

> But be sure to check also in the AD, trust domain utility.

There are some messages in event viewer which confirm the fact that my samba is contacting the Windows servers for authentication (which succeeds or fails normally). I'm investigating further.

bye Thanks
av.
Re: [Samba] Trust problems after upgrade from 3.5 to 3.6
Hello,

I think I stumbled over the same issue when testing winbind and interdomain trusts on samba 3.6 these days. It is a bit hard to find, but man idmap_ldap says that the secret must be stored with

    net idmap secret DOMAIN SECRET

and I think I used '*' as DOMAIN (for any domain)

That made winbind with ldap work for me.

Bye,
Oliver

On 05.02.2013 09:04, Andrea Venturoli wrote:

> On 02/04/13 19:25, Andrea Venturoli wrote:
>
>> Hello.
>> My setup:
>> _ one Samba 3.5 domain (), with a PDC and a BDC, both running FreeBSD;
>> _ one AD domain () running on two Windows 2003 DCs;
>> _ bidirectional trust between the two domains.
>>
>> Everything used to work until I moved the PDC from Samba 3.5 (EOL'ed) to 3.6; now, users from domain cannot access the PDC's shares.
>>
>> I used to have in smb.conf:
>>
>>     idmap backend=ldap:ldap://localhost/
>>     idmap alloc backend=ldap
>>     idmap alloc config:ldap_url=ldap://localhost
>>     idmap alloc config:ldap_base_dn=ou=idmap,dc=,dc=xx
>>     idmap alloc config:ldap_user_dn=cn=root,dc=,dc=xx
>>     idmap cache time=120
>>     idmap uid=15-20
>>     idmap gid=15-20
>>     template shell=/sbin/nologin
>>     idmap config :backend=nss
>>     idmap config :range=1000-99
>>
>> After the upgrade I changed it this way:
>>
>>     idmap config *:backend=ldap
>>     idmap config *:range=15-20
>>     idmap config *:ldap_url=ldap://localhost/
>>     idmap config *:ldap_base_dn=ou=idmap,dc=,dc=xx
>>     idmap config *:ldap_user_dn=cn=root,dc=,dc=xx
>>     idmap cache time=120
>>     template shell=/sbin/nologin
>>     idmap config :backend=nss
>>     idmap config :range=1000-99
>>
>> I see many errors like the following in log.winbindd-idmap:
>>
>>     [2013/02/04 19:22:20.847184, 1] winbindd/idmap.c:249(idmap_init_domain)
>>       idmap initialization returned NT_STATUS_ACCESS_DENIED
>>
>> In log.wb-
>>
>>     [2013/02/04 19:20:59.364510, 0] rpc_client/cli_pipe.c:3240(cli_rpc_pipe_open_spnego_ntlmssp)
>>       cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>>
>> Please, any help is appreciated.
>>
>> bye Thanks
>> av.
>
> P.S.
> I'm also seeing this:
>
>     winbindd[65589]: get_credentials: Unable to fetch auth credentials for cn=root,dc=,dc=xx in *
>
> Connection to LDAP works from smbd (for which I had set credentials with smbpasswd -w); how would I do it for winbindd?
>
> bye Thanks
> av.
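Added example (not written by any poster in this thread and not Samba's own code): a small Python check for the idmap settings discussed above. It flags the 3.5-style parameters that the original post replaced after the upgrade and, for every "idmap config" domain that uses the ldap backend with an ldap_user_dn, reports the "net idmap secret DOMAIN SECRET" step from the reply; the sample configs, the domain name EXAMPLEDOM and the DN are constructed placeholders.

```python
import re

# 3.5-style global idmap parameters, as in the "before" smb.conf quoted in the thread.
LEGACY = ("idmap backend", "idmap alloc backend", "idmap alloc config", "idmap uid", "idmap gid")
IDMAP_CONFIG = re.compile(r"^idmap config (\S+?) ?: ?(.+)$", re.I)

# Constructed sample configs; EXAMPLEDOM and the DN are placeholders.
SAMPLE_OLD = """[global]
idmap backend = ldap:ldap://localhost/
idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://localhost
idmap uid = 10000-20000
"""
SAMPLE_NEW = """[global]
idmap config * : backend = ldap
idmap config * : range = 10000-20000
idmap config * : ldap_url = ldap://localhost/
idmap config * : ldap_user_dn = cn=root,dc=example,dc=org
idmap config EXAMPLEDOM : backend = nss
idmap config EXAMPLEDOM : range = 1000-9999
"""

def parse_idmap(text):
    # Returns (legacy parameter names seen, {domain: {option: value}}).
    legacy, domains = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = re.sub(r"\s+", " ", key)  # collapse runs of whitespace in the name
        m = IDMAP_CONFIG.match(key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = value
        elif key.lower().startswith(LEGACY):
            legacy.append(key)
    return legacy, domains

def audit(text):
    """List what to change or do before winbindd can use this idmap setup."""
    legacy, domains = parse_idmap(text)
    findings = [f"legacy parameter '{k}': move it to 'idmap config DOMAIN : ...'" for k in legacy]
    for dom, opts in sorted(domains.items()):
        if opts.get("backend", "").lower() == "ldap" and "ldap_user_dn" in opts:
            findings.append(f"{dom}: winbindd binds as {opts['ldap_user_dn']}; store that "
                            f"password with: net idmap secret '{dom}' SECRET")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_OLD), *audit(SAMPLE_NEW), sep="\n")
```
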
Re: [Samba] Trust problems after upgrade from 3.5 to 3.6
On 02/08/13 13:48, Oliver Freyd wrote:

> Hello,
>
> I think I stumbled over the same issue when testing winbind and interdomain trusts on samba 3.6 these days. It is a bit hard to find, but man idmap_ldap says that the secret must be stored with
>
>     net idmap secret DOMAIN SECRET
>
> and I think I used '*' as DOMAIN (for any domain)
>
> That made winbind with ldap work for me.

Hello.
First off, thanks for answering.

After my previous message, I had already found out the above and did it. I saw some improvement:
_ the logs about winbind not being able to fetch auth credentials are gone;
_ smbclient -L ... succeeds, so authentication is in fact working;
_ however, access to shares still is denied to users from the trusted domain.

It looks like Samba authenticates the user (against the DCs of the trusted domain) and accepts it, but somehow fails to recognize him, so he won't be correctly matched against valid users.

Just to be clear: users from the trusted domain can access public shares, as long as they provide a correct password.

I'm still investigating this and I'll report anything I'll find. Any further suggestion is still appreciated.

bye Thanks
av.
Re: [Samba] Trust problems after upgrade from 3.5 to 3.6
On 08.02.2013 17:54, Andrea Venturoli wrote:

> On 02/08/13 13:48, Oliver Freyd wrote:
>
>> Hello,
>>
>> I think I stumbled over the same issue when testing winbind and interdomain trusts on samba 3.6 these days. It is a bit hard to find, but man idmap_ldap says that the secret must be stored with
>>
>>     net idmap secret DOMAIN SECRET
>>
>> and I think I used '*' as DOMAIN (for any domain)
>>
>> That made winbind with ldap work for me.
>
> Hello.
> First off, thanks for answering.
>
> After my previous message, I had already found out the above and did it. I saw some improvement:
> _ the logs about winbind not being able to fetch auth credentials are gone;
> _ smbclient -L ... succeeds, so authentication is in fact working;
> _ however, access to shares still is denied to users from the trusted domain.
>
> It looks like Samba authenticates the user (against the DCs of the trusted domain) and accepts it, but somehow fails to recognize him, so he won't be correctly matched against valid users.
>
> Just to be clear: users from the trusted domain can access public shares, as long as they provide a correct password.
>
> I'm still investigating this and I'll report anything I'll find. Any further suggestion is still appreciated.
>
> bye Thanks
> av.

Hello,

does wbinfo -u list the users of the trusted domain?
and getent passwd, too?

By valid users you mean the parameter in smb.conf?
I'm usually using ACLs on shares (in the filesystem), so I haven't tried that. But I suppose it worked before...

bye,
Oliver
Re: [Samba] Trust problems after upgrade from 3.5 to 3.6
On 02/08/13 19:18, Oliver Freyd wrote:

> Hello,
> does wbinfo -u list the users of the trusted domain?

No; however it doesn't do this with Samba 3.5 either (which works).

> and getent passwd, too?

Same as above. Do you think I've got a config problem which only by chance does not show up with 3.5?

> By valid users you mean the parameter in smb.conf?

Exactly: the one that controls which users can access a share.

> I'm usually using ACLs on shares (in the filesystem), so I haven't tried that.

I'm not using ACL and the share I'm doing my tests with has 777 permissions; so I'm sure it's Samba that denies access.

> But I suppose it worked before...

I can confirm this: it did work as expected with Samba 3.5. Actually it still does in the other server I have in the same site (on which I'm holding the upgrade until I find a solution).

bye Thanks
av.
Re: [Samba] Trust problems after upgrade from 3.5 to 3.6
On 02/04/13 19:25, Andrea Venturoli wrote:

> Hello.
> My setup:
> _ one Samba 3.5 domain (), with a PDC and a BDC, both running FreeBSD;
> _ one AD domain () running on two Windows 2003 DCs;
> _ bidirectional trust between the two domains.
>
> Everything used to work until I moved the PDC from Samba 3.5 (EOL'ed) to 3.6; now, users from domain cannot access the PDC's shares.
>
> I used to have in smb.conf:
>
>     idmap backend=ldap:ldap://localhost/
>     idmap alloc backend=ldap
>     idmap alloc config:ldap_url=ldap://localhost
>     idmap alloc config:ldap_base_dn=ou=idmap,dc=,dc=xx
>     idmap alloc config:ldap_user_dn=cn=root,dc=,dc=xx
>     idmap cache time=120
>     idmap uid=15-20
>     idmap gid=15-20
>     template shell=/sbin/nologin
>     idmap config :backend=nss
>     idmap config :range=1000-99
>
> After the upgrade I changed it this way:
>
>     idmap config *:backend=ldap
>     idmap config *:range=15-20
>     idmap config *:ldap_url=ldap://localhost/
>     idmap config *:ldap_base_dn=ou=idmap,dc=,dc=xx
>     idmap config *:ldap_user_dn=cn=root,dc=,dc=xx
>     idmap cache time=120
>     template shell=/sbin/nologin
>     idmap config :backend=nss
>     idmap config :range=1000-99
>
> I see many errors like the following in log.winbindd-idmap:
>
>     [2013/02/04 19:22:20.847184, 1] winbindd/idmap.c:249(idmap_init_domain)
>       idmap initialization returned NT_STATUS_ACCESS_DENIED
>
> In log.wb-
>
>     [2013/02/04 19:20:59.364510, 0] rpc_client/cli_pipe.c:3240(cli_rpc_pipe_open_spnego_ntlmssp)
>       cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>
> Please, any help is appreciated.
>
> bye Thanks
> av.

P.S.
I'm also seeing this:

    winbindd[65589]: get_credentials: Unable to fetch auth credentials for cn=root,dc=,dc=xx in *

Connection to LDAP works from smbd (for which I had set credentials with smbpasswd -w); how would I do it for winbindd?

bye Thanks
av.
[Samba] Trust problems after upgrade from 3.5 to 3.6
Hello.
My setup:
_ one Samba 3.5 domain (), with a PDC and a BDC, both running FreeBSD;
_ one AD domain () running on two Windows 2003 DCs;
_ bidirectional trust between the two domains.

Everything used to work until I moved the PDC from Samba 3.5 (EOL'ed) to 3.6; now, users from domain cannot access the PDC's shares.

I used to have in smb.conf:

    idmap backend=ldap:ldap://localhost/
    idmap alloc backend=ldap
    idmap alloc config:ldap_url=ldap://localhost
    idmap alloc config:ldap_base_dn=ou=idmap,dc=,dc=xx
    idmap alloc config:ldap_user_dn=cn=root,dc=,dc=xx
    idmap cache time=120
    idmap uid=15-20
    idmap gid=15-20
    template shell=/sbin/nologin
    idmap config :backend=nss
    idmap config :range=1000-99

After the upgrade I changed it this way:

    idmap config *:backend=ldap
    idmap config *:range=15-20
    idmap config *:ldap_url=ldap://localhost/
    idmap config *:ldap_base_dn=ou=idmap,dc=,dc=xx
    idmap config *:ldap_user_dn=cn=root,dc=,dc=xx
    idmap cache time=120
    template shell=/sbin/nologin
    idmap config :backend=nss
    idmap config :range=1000-99

I see many errors like the following in log.winbindd-idmap:

    [2013/02/04 19:22:20.847184, 1] winbindd/idmap.c:249(idmap_init_domain)
      idmap initialization returned NT_STATUS_ACCESS_DENIED

In log.wb-

    [2013/02/04 19:20:59.364510, 0] rpc_client/cli_pipe.c:3240(cli_rpc_pipe_open_spnego_ntlmssp)
      cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED

Please, any help is appreciated.

bye Thanks
av.