Bug 5364 - No samba authentification in multiple domains
Summary: No samba authentification in multiple domains
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.25a
Hardware: Sparc Windows XP
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-01 09:12 UTC by Karsten
Modified: 2008-04-01 09:49 UTC

See Also:
Description Karsten 2008-04-01 09:12:44 UTC
Hi together,

I am trying to implement a samba-server version 3.0.25c in a big corporate network
with thousands of users.
It is running under Solaris 5.10 on a SUN SPARC.

We want to give special users some samba-shares for delivering files for a
production system.
The users do not exist as unix-users and must be authenticated through Active
Directory.
WinBindd is running, but we use a direct mapping with username map=
.../cfg/smbusers.map

The configuration looks like this:
[global]
        ...
        security = SERVER
        encrypt passwords = Yes
        password server = localdomain1 foreigndomain1 localdomain2 localdomain3
        username map = /.../cfg/smbusers.map
        log level = 5
        syslog = 0
        ...
        smb passwd file = /.../samba/smbpasswd
        auth methods = trustdomain winbind
        wins support = no
        wins server = localdomain1 localdomain2
        winbind separator = +
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        winbind enum users = yes
        winbind enum groups = no


Most of the users are defined in the local domain GSA-NET and samba is working fine.
These users are authenticated without any problem.

[2008/03/26 15:54:19, 4] lib/substitute.c:(407)
  Home server: duff9129
[2008/03/26 15:54:19, 3] passdb/lookup_sid.c:(1133)
  store_gid_sid_cache: gid 100004 in cache ->
S-1-5-21-1997962763-1364389140-1801674551-513
[2008/03/26 15:54:19, 3] auth/auth.c:(270)
  check_ntlm_password: winbind authentication for user [int4711] succeeded


The PROBLEM is users that come from another domain. These users FAIL.
===========================================================================

[2008/03/26 16:00:36, 3] auth/auth.c:(221)
  check_ntlm_password:  Checking password for unmapped user
[EMEA-NET]\[xtract]@[DUFF0520] with the new password interface
[2008/03/26 16:00:36, 3] auth/auth.c:(224)
  check_ntlm_password:  mapped user is: [GSA-NET]\[xtract]@[DUFF0520]

        Why GSA-NET?
        This is the wrong local domain!

[2008/03/26 16:00:36, 5] lib/util.c:(2263)
  [000] 7A 87 81 95 4E 13 9E EE                           z...N...
[2008/03/26 16:00:36, 5] passdb/secrets.c:(473)
  secrets_fetch failed!

    Here the code / function in the source:

        /************************************************************************
         Routine to get the trust account password for a domain.
         The user of this function must have locked the trust password file using
         the above secrets_lock_trust_account_password().
        ************************************************************************/

        if (!(pass = (struct machine_acct_pass *)secrets_fetch(
                      trust_keystr(domain), &size))) {
                DEBUG(5, ("secrets_fetch failed!\n"));
                return False;
        }

[2008/03/26 16:00:36, 0] auth/auth_domain.c:(415)
  check_trustdomain_security: could not fetch trust account password for domain
GSA-WLB
[2008/03/26 16:00:36, 5] auth/auth.c:(273)
  check_ntlm_password: trustdomain authentication for user [xtract] FAILED with
error NT_STATUS_CANT_ACCESS_DOMAIN_INFO


The strange thing is that this is a problem of a server migration.
The old server is running samba version 2.2.7 and on this machine the users in the
foreign domain are authenticated without any problem!

As an alternative I will try security = ADS with Kerberos, but this takes much time
to implement.
I think it would be better to use this approved way.

The problem seems to be old, because I found this discussion with Andrew Bartlett:
----------------------------------------------------------------------------------

http://209.85.135.104/search?q=cache:jKKUFLzJ8_MJ:samba.sernet.de/irclog/2005/12/20051219-Mon.log+check_trustdomain_security&hl=de&ct=clnk&cd=8&gl=de

Andrew Bartlett wrote:

12/19/05  0:13:00 <abartlet> it was 'winbind use default domain' that caused me to
try some of that
12/19/05  0:13:31 <abartlet> of course, I added the pain that is 'winbind use
default domain' (along with ab, I think...)
12/19/05  0:13:40 <vl> auth_util.c:738 is the culprit
12/19/05  0:14:54 <vl> I know that once I did print auth_util.c with a very small
font...
12/19/05  0:15:05 <abartlet> :-)
12/19/05  0:18:01 <vl> Hmmmm. Has check_trustdomain_security ever been really used?
12/19/05  0:20:55 <abartlet> probably not, as winbindd handles that
12/19/05  0:22:34 <vl> I think I broke enough for today. auth_util must wait...
12/19/05  0:23:24 <abartlet> :-)



I would be happy for any ideas or help to solve this problem.

Sincerely
Karsten
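The log excerpt in this report carries three signals worth correlating when auditing a failure of this kind: the domain the client sent being replaced during username mapping, the missing trust-account secret, and the final NT_STATUS error. The parser below is an added example, not part of the bug report or of Samba; it runs over a constructed copy of the quoted log lines (message text wrapped across lines the way Bugzilla shows it) and reports exactly those findings.

```python
import re
# Constructed sample, modelled on the level 3/5 log lines quoted in the bug report.
SAMPLE_LOG = """\
[2008/03/26 15:54:19, 3] auth/auth.c:(270)
  check_ntlm_password: winbind authentication for user [int4711] succeeded
[2008/03/26 16:00:36, 3] auth/auth.c:(221)
  check_ntlm_password:  Checking password for unmapped user
[EMEA-NET]\\[xtract]@[DUFF0520] with the new password interface
[2008/03/26 16:00:36, 3] auth/auth.c:(224)
  check_ntlm_password:  mapped user is: [GSA-NET]\\[xtract]@[DUFF0520]
[2008/03/26 16:00:36, 0] auth/auth_domain.c:(415)
  check_trustdomain_security: could not fetch trust account password for domain
GSA-WLB
[2008/03/26 16:00:36, 5] auth/auth.c:(273)
  check_ntlm_password: trustdomain authentication for user [xtract] FAILED with
error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
USER = r"\[([^\]]+)\]\\\[([^\]]+)\]@\[([^\]]+)\]"  # [DOMAIN]\[user]@[workstation]
UNMAPPED, MAPPED = re.compile("unmapped user " + USER), re.compile("mapped user is: " + USER)
RESULT = re.compile(r"(\w+) authentication for user \[([^\]]+)\] (succeeded|FAILED)"
                    r"(?: with error (NT_STATUS_\w+))?")
NO_TRUST = re.compile(r"could not fetch trust account password for domain (\S+)")

def parse_log(text):
    """Pair each '[ts, level] file:(line)' header with its indented, possibly wrapped, message."""
    records = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            records.append({"ts": m.group(1), "level": int(m.group(2)), "src": m.group(3), "msg": ""})
        elif records:  # continuation of the previous message (Samba indents it, Bugzilla wrapped it)
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def audit(records):
    """Flag a client-sent domain being silently remapped, missing trust secrets, and failed logons."""
    findings, pending = [], {}  # pending: user -> domain the client actually sent
    for r in records:
        if m := UNMAPPED.search(r["msg"]):
            pending[m.group(2)] = m.group(1)
        elif m := MAPPED.search(r["msg"]):
            sent = pending.pop(m.group(2), None)
            if sent and sent != m.group(1):
                findings.append(("domain_remapped", r["ts"], m.group(2), sent, m.group(1)))
        elif m := NO_TRUST.search(r["msg"]):
            findings.append(("trust_secret_missing", r["ts"], m.group(1)))
        elif (m := RESULT.search(r["msg"])) and m.group(3) == "FAILED":
            findings.append(("auth_failed", r["ts"], m.group(2), m.group(1), m.group(4)))
    return findings
```

Run it over a real log.smbd written at log level 3 or higher; a domain_remapped finding followed by an auth_failed one for the same user at the same timestamp is the pattern this report shows.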
Comment 1 Karsten 2008-04-01 09:49:57 UTC
Found a configuration problem.
Bug not existent. Sorry.