Bug 5245 - domain member WIN2003 AD - Trusted Domain
Summary: domain member WIN2003 AD - Trusted Domain
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.28
Hardware: Other Windows 2003
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2008-02-06 11:05 UTC by hans
Modified: 2009-10-14 18:45 UTC

Description hans 2008-02-06 11:05:26 UTC
Hi,
we configured a Samba server for file sharing. Samba uses Kerberos and winbind to
authenticate the user on DomainA.

In DomainA we created a local group where we add users from the same domain. But
we also add users from DomainB, which is trusted.

Our problem is that users from DomainB can't get access to the shared folders.
The user gets a logon popup from Windows. If you type in your correct data, the
window comes up again and again...

P.S.: I don't know if it is a bug or only an incorrect config, or maybe an Active
Directory problem.

Best regards

Paul

Samba 3.0.24
Suse SLE-10-i386

current state:
Samba server for file sharing uses ADS for user authentication
DomainA 
DomainB Trusted from DomainA 

Samba <> DomainA <> DomainB


# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-07-05
[global]
# domain settings
workgroup = DOMAINA
realm = DOMAINA.DOM.NET
security = ads
client use spnego = Yes
password server = passwordserver.DOMAINA.DOM.NET
server string = %h server
dns proxy = no
encrypt passwords = true
invalid users = root
socket options = TCP_NODELAY

idmap uid = 100000-150000
idmap gid = 100000-150000

winbind separator = /
winbind use default domain = Yes
winbind cache time = 30
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
winbind refresh tickets = Yes
winbind offline logon = No

# log.winbindd
[2008/02/05 11:13:12, 6] param/loadparm.c:lp_file_list_changed(3048)
  lp_file_list_changed()
  file /etc/samba/shares.conf -> /etc/samba/shares.conf  last mod_time: Mon Feb  4 21:53:19 2008
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Tue Feb  5 11:12:17 2008
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [DOMAINB]\[USER123] from workstation [COMPUTER123]
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for USER123 (USER123)
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(85)
  making strings for USER123's user_info struct
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(117)
  making blobs for USER123's user_info struct
[2008/02/05 11:13:12, 10] auth/auth_util.c:make_user_info(135)
  made an encrypted user_info for USER123 (USER123)
[2008/02/05 11:13:12, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user [DOMAINB]\[USER123]@[COMPUTER123] with the new password interface
[2008/02/05 11:13:12, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [DOMAINA]\[USER123]@[COMPUTER123]
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2008/02/05 11:13:12, 5] lib/util.c:dump_data(2225)
  [000] FA 5A F2 B5 11 F3 A4 A7                           .Z......
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2008/02/05 11:13:12, 8] lib/util.c:is_myname(2043)
  is_myname("DOMAINA") returns 0
[2008/02/05 11:13:12, 6] auth/auth_sam.c:check_samstrict_security(414)
  check_samstrict_security: DOMAINA is not one of my local names (ROLE_DOMAIN_MEMBER)
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/02/05 11:13:12, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/02/05 11:13:12, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/02/05 11:13:12, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/02/05 11:13:12, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [USER123] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/02/05 11:13:12, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [USER123] -> [USER123] FAILED with error NT_STATUS_NO_SUCH_USER
Comment 1 Björn Jacke 2009-10-14 18:45:05 UTC
Using "winbind use default domain" is a no-go option if you use trusted domains. It's a bad idea to use this parameter even in most other cases. Simple trust setups like this are known to work when the configuration is okay.
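As an added example (not part of the report or of Samba itself), a small Python checker that flags the two signs of this problem: the smb.conf setting Comment 1 names, and the log pattern above where the DOMAINB logon is rewritten to DOMAINA before failing with NT_STATUS_NO_SUCH_USER. The sample log lines and smb.conf fragment are constructed, modelled on the Samba 3.0 messages quoted in the report.

```python
import re
# Constructed sample modelled on the three decisive lines of the quoted winbindd log.
SAMPLE_LOG = r"""
  check_ntlm_password:  Checking password for unmapped user [DOMAINB]\[USER123]@[COMPUTER123] with the new password interface
  check_ntlm_password:  mapped user is: [DOMAINA]\[USER123]@[COMPUTER123]
  check_ntlm_password:  Authentication for user [USER123] -> [USER123] FAILED with error NT_STATUS_NO_SUCH_USER
"""
SAMPLE_CONF = "[global]\n   workgroup = DOMAINA\n   winbind use default domain = Yes\n"

UNMAPPED_RE = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]+)\]")
MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]+)\]")
FAILED_RE = re.compile(r"Authentication for user \[([^\]]+)\].*FAILED with error (NT_STATUS_\w+)")

def find_domain_collapses(log_text):
    """(user, requested_domain, mapped_domain, status) for each failed logon
    whose domain part was rewritten between the 'unmapped' and 'mapped' lines."""
    pending, findings = {}, []   # pending: user -> [requested_domain, mapped_domain]
    for line in log_text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            pending[m.group(2)] = [m.group(1), None]
            continue
        m = MAPPED_RE.search(line)
        if m and m.group(2) in pending:
            pending[m.group(2)][1] = m.group(1)
            continue
        m = FAILED_RE.search(line)
        if m and m.group(1) in pending:
            requested, mapped = pending.pop(m.group(1))
            if mapped is not None and requested.upper() != mapped.upper():
                findings.append((m.group(1), requested, mapped, m.group(2)))
    return findings

def uses_default_domain(smb_conf_text):
    """True when [global] enables 'winbind use default domain', the setting
    Comment 1 warns against in trusted-domain setups."""
    in_global = False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        key, sep, val = line.partition("=")
        if in_global and sep and key.strip().lower() == "winbind use default domain":
            return val.strip().lower() in ("yes", "true", "1", "on")
    return False
```

Run both checks over a member server's smb.conf and its level-3 log: a DOMAINB-to-DOMAINA rewrite with the option enabled is exactly the signature of this report.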