From: Gaiseric Vandal on 4 May 2010 16:20

As per earlier post, I was having problems getting trusts set up between my Samba domain (3.0.x PDC, 3.4.x BDC on Solaris 10) and two Active Directory domains (each in a separate forest). One domain is a test Win 2003 PDC in native Win 2003 mode, the other is a Win 2008 system also in native Win 2003 mode.

To summarize some of the progress: things work better if the Samba 3.4 is the PDC, master browser and WINS server.

I now appear to have trusts set up between Samba and the two native Active Directory domains. "wbinfo -u" and "wbinfo -g" list users from the Win 2008 domain but not from the Win 2003 domain. winbindd.log shows

listent_recv: WIN_2003_DOMAIN returned no users

I did not have entries for either Active Directory domain in krb5.conf. I have tried adding entries for those domains. (This had helped with a test Samba domain on Fedora Core.) Doesn't seem to matter for the Solaris PDC.

Any thoughts?

Thanks

On 05/02/2010 01:43 PM, Gaiseric Vandal wrote:
> On my test Samba PDC, I updated the krb5.conf file to add realm info for
> the Windows 2008. This seems to have resolved my "wbinfo" issue. "getent
> passwd" is still not working (I did update nsswitch.conf) but I suspect
> this is because of an idmap allocation issue. The syntax for idmap
> allocation in smb.conf seems to change between 3.0, 3.2, 3.3 and 3.4.
>
> I have also tried setting up a similar trust between the Windows 2008 and
> my production Samba environment. The production Samba environment had a
> 3.0.x PDC (DC1) and BDC and a 3.4.x BDC. 3.0.x seems to be incompatible
> with Win 2008 so I promoted the 3.4.x BDC to PDC. However, the Windows
> PDC cannot validate the trust:
>
> The verification of the incoming trust failed with the following error(s):
> The target system DC1 does not support NetLogon trust password verification.
> A secure channel reset will be attempted.
> The secure channel reset failed with error 1355: The specified domain
> either does not exist or could not be contacted.
>
> I suspect I need to reboot the Windows 2008 PDC to make it locate the new
> Samba PDC.
>
> So why am I still using Samba 3.0.x? Because I am running Solaris and
> Sun (now Oracle) seems to have lost interest in anything besides being a
> server platform for Oracle and has provided a production build of Samba
> 3.4.
>
> -----Original Message-----
> From: Gaiseric Vandal [mailto:gaiseric.vandal@gmail.com]
> Sent: Friday, April 30, 2010 5:16 PM
> To: Samba
> Subject: Why do Interdomain trusts try to use kerberos
>
> I have set up a test PDC with Samba 3.4.7 on a Fedora Core 12 Linux
> machine. I have set up two-way interdomain trusts with a Windows 2008
> domain. The domain and forest functional levels are Windows 2003.
>
> Since the Samba machine is not emulating an Active Directory Domain Controller,
> the Windows 2008 machine should think it is talking to an NT4 server.
> And since NT4-based domains don't use Kerberos, I would have expected
> Kerberos should not be a factor.
>
> On the Windows 2008 PDC I can grant Samba users file access.
>
> I set up the Samba domain to trust the Windows domain. I started
> the process on the Windows PDC first.
>
> ------------------------------------------------------------------------------
> [samba_pdc]# net rpc trustdom establish win_domain
>
> Enter SMB_DOMAIN$'s password:
> Could not connect to server WIN_PDC
> Trust to domain WIN_DOMAIN established
> [samba_pdc]#
> ------------------------------------------------------------------------------
>
> Not sure if the "could not connect" error is a problem; I think I have
> seen that even when trusts are OK.
>
> ------------------------------------------------------------------------------
> [samba_pdc# net rpc trustdom list -U Administrator -S samba_pdc
>
> Enter Administrator's password:
> Trusted domains list:
>
> WIN_DOMAIN S-1-5-21-......................
>
> Trusting domains list:
>
> WIN_DOMAIN S-1-5-21-.....................
>
> none
> [samba_pdc
> ------------------------------------------------------------------------------
>
> On the Samba server, "wbinfo -u" and "wbinfo -g" do not return any
> entries from the WIN_DOMAIN. Log files show issues with idmap and
> Kerberos.
>
> # cat log.winbindd-idmap
>
> [2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
>   idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:589(idmap_alloc_init)
>   ERROR: Initialization failed for alloc backend, deferred!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module ldap already registered!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
>   idmap_alloc module tdb already registered!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module passdb already registered!
> [2010/04/30 15:36:53, 0] winbindd/idmap.c:149(smb_register_idmap)
>   Idmap module nss already registered!
> [2010/04/30 15:36:53, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
>   idmap uid missing
> [2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
>   Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration
>
> ...
>
> # cat log.wb-WIN_DOMAIN | more
> ...
>
> [2010/04/30 16:15:19, 0] libads/kerberos.c:333(ads_kinit_password)
>   kerberos_kinit_password RESEARCH@SSCI.COM failed: Cannot find KDC for requested realm
> [2010/04/30 16:15:19, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
>   ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for requested realm
>
> ------------------------------------------------------------------------------
>
> Any thoughts? Can I force Samba to not try Kerberos? Are the two sets
> of errors even related? Or can I just add a krb5.conf entry for the
> WIN_DOMAIN even if I am not using Kerberos otherwise?
>
> Thanks
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
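As an added example, not code from the thread or from the Samba project: a small POSIX shell triage script that scans winbind log text for the two failure signatures quoted above (the idmap allocator refusing to start, and winbind attempting an AD/Kerberos connection to a realm it cannot find) and says which configuration file each one points at, plus a check of "wbinfo -u" style output for whether a given trusted domain contributes any users. The log lines and the wbinfo listing inside it are constructed, modelled on the post's output; USER@REALM.EXAMPLE, WIN_DOMAIN and WIN_2008_DOMAIN are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba itself).
# Triage winbind log text for the failure signatures quoted in the thread
# and map each one to the configuration it points at. The sample text
# below is constructed, modelled on the post; names are placeholders.

IDMAP_LOG_SAMPLE='[2010/04/30 15:36:53, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2010/04/30 15:36:53, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
  Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration'

WB_LOG_SAMPLE='[2010/04/30 16:15:19, 0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password USER@REALM.EXAMPLE failed: Cannot find KDC for requested realm
[2010/04/30 16:15:19, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain WIN_DOMAIN failed: Cannot find KDC for requested realm'

# Constructed "wbinfo -u" output: one trusted domain present, the other absent.
WBINFO_U_SAMPLE='SAMBA_DOMAIN\alice
SAMBA_DOMAIN\bob
WIN_2008_DOMAIN\carol'

# classify_winbind_log LOGTEXT
# Prints the signatures found, space separated, in a fixed order (empty if none).
classify_winbind_log() {
    printf '%s\n' "$1" | awk '
        /idmap (uid|gid) missing/                   { range = 1 }
        /IDMAP_VERSION .* incomplete configuration/ { alloc = 1 }
        /Cannot find KDC for requested realm/       { kdc = 1 }
        /ads_connect for domain .* failed/          { ads = 1 }
        END {
            out = ""
            if (range) out = out (out == "" ? "" : " ") "IDMAP_RANGE_MISSING"
            if (alloc) out = out (out == "" ? "" : " ") "IDMAP_ALLOC_UNCONFIGURED"
            if (kdc)   out = out (out == "" ? "" : " ") "KRB5_NO_KDC"
            if (ads)   out = out (out == "" ? "" : " ") "ADS_CONNECT_FAILED"
            print out
        }'
}

# hint_for TAG
# Editor's reading of where each signature points; not wording from Samba docs.
hint_for() {
    case "$1" in
        IDMAP_RANGE_MISSING)
            echo "smb.conf: the tdb idmap allocator found no idmap uid / idmap gid range" ;;
        IDMAP_ALLOC_UNCONFIGURED)
            echo "smb.conf: idmap allocation settings incomplete for this Samba version (parameter names changed across 3.x)" ;;
        KRB5_NO_KDC)
            echo "krb5.conf: no [realms] entry (kdc = ...) for the trusted domain's realm, so winbind's AD path cannot locate a KDC" ;;
        ADS_CONNECT_FAILED)
            echo "winbind's AD connection to the trusted domain failed; resolve KRB5_NO_KDC first" ;;
        *)
            echo "unknown signature: $1"; return 1 ;;
    esac
}

# has_domain_users DOMAIN LISTING
# Returns 0 if a "wbinfo -u" style listing has at least one DOMAIN\user
# (or DOMAIN+user when winbind separator is '+'), 1 otherwise.
has_domain_users() {
    printf '%s\n' "$2" | grep -qi "^$1[\\\\+]"
}

# Stand-alone run: triage both samples and check the two trusted domains.
for tag in $(classify_winbind_log "$IDMAP_LOG_SAMPLE") $(classify_winbind_log "$WB_LOG_SAMPLE"); do
    printf '%-26s %s\n' "$tag" "$(hint_for "$tag")"
done
for dom in WIN_2008_DOMAIN WIN_2003_DOMAIN; do
    if has_domain_users "$dom" "$WBINFO_U_SAMPLE"; then
        echo "$dom: users enumerated"
    else
        echo "$dom: no users enumerated; check the log.wb-$dom file"
    fi
done
```

On a real server the functions would be fed with `classify_winbind_log "$(cat /var/log/samba/log.winbindd-idmap)"` and `has_domain_users WIN_2003_DOMAIN "$(wbinfo -u)"`; the script only pattern-matches the message text, so it reports the same signatures whatever the Samba 3.x version wrote them.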