Hi,

we configured a Samba server for filesharing. Samba uses Kerberos and winbind to authenticate the users on DomainA. In DomainA we created a local group to which we add users from the same domain. But we also add users from DomainB, which is trusted. Our problem is that users from DomainB can't get access to the shared folders. The user gets a logon popup from Windows. If you type in your correct data, the window comes up again and again...

P.S.: I don't know if it is a bug or only an incorrect config or maybe an Active Directory problem.

Best regards
Paul

Samba 3.0.24
Suse SLE-10-i386

current state:
Samba Server for Filesharing use ADS for user authentication
DomainA
DomainB Trusted from DomainA
Samba <> DomainA <> DomainB

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-07-05
[global]
# domain settings
workgroup = DOMAINA
realm = DOMAINA.DOM.NET
security = ads
client use spnego = Yes
password server = passwordserver.DOMAINA.DOM.NET
server string = %h server
dns proxy = no
encrypt passwords = true
invalid users = root
socket options = TCP_NODELAY
idmap uid = 100000-150000
idmap gid = 100000-150000
winbind separator = /
winbind use default domain = Yes
winbind cache time = 30
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
winbind refresh tickets = Yes
winbind offline logon = No

# log.winbindd
[2008/02/05 11:13:12, 6] param/loadparm.c:lp_file_list_changed(3048)
  lp_file_list_changed()
  file /etc/samba/shares.conf -> /etc/samba/shares.conf last mod_time: Mon Feb 4 21:53:19 2008
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue Feb 5 11:12:17 2008
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [DOMAINB]\[USER123] from workstation [COMPUTER123]
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for USER123 (USER123)
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(85)
  making strings for USER123's user_info struct
[2008/02/05 11:13:12, 5] auth/auth_util.c:make_user_info(117)
  making blobs for USER123's user_info struct
[2008/02/05 11:13:12, 10] auth/auth_util.c:make_user_info(135)
  made an encrypted user_info for USER123 (USER123)
[2008/02/05 11:13:12, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [DOMAINB]\[USER123]@[COMPUTER123] with the new password interface
[2008/02/05 11:13:12, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [DOMAINA]\[USER123]@[COMPUTER123]
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2008/02/05 11:13:12, 5] lib/util.c:dump_data(2225)
  [000] FA 5A F2 B5 11 F3 A4 A7 .Z......
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2008/02/05 11:13:12, 8] lib/util.c:is_myname(2043)
  is_myname("DOMAINA") returns 0
[2008/02/05 11:13:12, 6] auth/auth_sam.c:check_samstrict_security(414)
  check_samstrict_security: DOMAINA is not one of my local names (ROLE_DOMAIN_MEMBER)
[2008/02/05 11:13:12, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/02/05 11:13:12, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/02/05 11:13:12, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/02/05 11:13:12, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/02/05 11:13:12, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/02/05 11:13:12, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [USER123] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/02/05 11:13:12, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [USER123] -> [USER123] FAILED with error NT_STATUS_NO_SUCH_USER

Using "winbind use default domain" is a no-go option if you use trusted domains. It's a bad idea to use this parameter even in most other cases. Simple trust setups like this are known to work when the configuration is okay.
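
A log triage for the failure shown in this thread, as an added example that is not part of the original posts or of Samba: it reports failed logons where smbd replaced the domain the client sent (DOMAINB becoming DOMAINA in the log above) and reads the "winbind use default domain" setting the reply refers to. The function names are hypothetical; the sample log lines are copied from the post and the smb.conf fragment is constructed from its parameters.

```python
import re

# Message lines copied from the smbd debug output quoted in the post.
SAMPLE_LOG = r"""
check_ntlm_password: Checking password for unmapped user [DOMAINB]\[USER123]@[COMPUTER123] with the new password interface
check_ntlm_password: mapped user is: [DOMAINA]\[USER123]@[COMPUTER123]
check_ntlm_password: Authentication for user [USER123] -> [USER123] FAILED with error NT_STATUS_NO_SUCH_USER
"""
# Constructed fragment; the parameters are the ones in the posted smb.conf.
SAMPLE_CONF = "[global]\nworkgroup = DOMAINA\nsecurity = ads\nwinbind use default domain = Yes\n"

UNMAPPED = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@")
FAILED = re.compile(r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] FAILED with error (\w+)")

def find_domain_remaps(log_text):
    """Failed logons where smbd replaced the domain name the client sent."""
    findings = []
    for sent in UNMAPPED.finditer(log_text):
        # One attempt runs from this line up to the next "unmapped user" line.
        nxt = UNMAPPED.search(log_text, sent.end())
        end = nxt.start() if nxt else len(log_text)
        mapped = MAPPED.search(log_text, sent.end(), end)
        if not mapped or mapped.group(1).upper() == sent.group(1).upper():
            continue  # no mapping logged, or the domain was kept as sent
        failed = FAILED.search(log_text, mapped.end(), end)
        if failed:
            findings.append({"user": sent.group(2), "sent": sent.group(1),
                             "mapped": mapped.group(1), "status": failed.group(1)})
    return findings

def global_param(conf_text, name):
    """Last value of a [global] parameter; names ignore case and whitespace."""
    norm = lambda s: "".join(s.split()).lower()
    section, value = None, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, val = line.split("=", 1)
            if norm(key) == norm(name):
                value = val.strip()
    return value

def triage(log_text, conf_text):
    """Combine the log findings with the configured default-domain setting."""
    setting = global_param(conf_text, "winbind use default domain") or "no"
    return {"remaps": find_domain_remaps(log_text),
            "use_default_domain": setting.lower() in ("yes", "true", "1")}
```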