Hi all,

I am trying to implement a Samba server version 3.0.25c in a big corporate network with thousands of users. It is running under Solaris 5.10 on a SUN SPARC. We want to give special users some Samba shares for delivering files for a production system. The users do not exist as Unix users and must be authenticated through Active Directory. winbindd is running, but we use a direct mapping with username map= .../cfg/smbusers.map

The configuration looks like this:

    [global]
    ...
    security = SERVER
    encrypt passwords = Yes
    password server = localdomain1 foreigndomain1 localdomain2 localdomain3
    username map = /.../cfg/smbusers.map
    log level = 5
    syslog = 0
    ...
    smb passwd file = /.../samba/smbpasswd
    auth methods = trustdomain winbind
    wins support = no
    wins server = localdomain1 localdomain2
    winbind separator = +
    idmap uid = 100000-200000
    idmap gid = 100000-200000
    winbind enum users = yes
    winbind enum groups = no

Most of the users are defined in the local domain GSA-NET and Samba is working fine. These users are authenticated without any problem.

    [2008/03/26 15:54:19, 4] lib/substitute.c:(407) Home server: duff9129
    [2008/03/26 15:54:19, 3] passdb/lookup_sid.c:(1133) store_gid_sid_cache: gid 100004 in cache -> S-1-5-21-1997962763-1364389140-1801674551-513
    [2008/03/26 15:54:19, 3] auth/auth.c:(270) check_ntlm_password: winbind authentication for user [int4711] succeeded

The PROBLEM is users that are coming from another domain. These users FAIL.
===========================================================================

    [2008/03/26 16:00:36, 3] auth/auth.c:(221) check_ntlm_password: Checking password for unmapped user [EMEA-NET]\[xtract]@[DUFF0520] with the new password interface
    [2008/03/26 16:00:36, 3] auth/auth.c:(224) check_ntlm_password: mapped user is: [GSA-NET]\[xtract]@[DUFF0520]

Why GSA-NET? This is the wrong local domain!

    [2008/03/26 16:00:36, 5] lib/util.c:(2263) [000] 7A 87 81 95 4E 13 9E EE z...N...
    [2008/03/26 16:00:36, 5] passdb/secrets.c:(473) secrets_fetch failed!

Here is the code / function in the source:

    /************************************************************************
     Routine to get the trust account password for a domain.
     The user of this function must have locked the trust password file using
     the above secrets_lock_trust_account_password().
    ************************************************************************/

        if (!(pass = (struct machine_acct_pass *)secrets_fetch(
                      trust_keystr(domain), &size))) {
            DEBUG(5, ("secrets_fetch failed!\n"));
            return False;
        }

    [2008/03/26 16:00:36, 0] auth/auth_domain.c:(415) check_trustdomain_security: could not fetch trust account password for domain GSA-WLB
    [2008/03/26 16:00:36, 5] auth/auth.c:(273) check_ntlm_password: trustdomain authentication for user [xtract] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO

The strange thing is that this is a problem of a server migration. The old server is running Samba version 2.2.7 and on this machine the users in the foreign domain are authenticated without any problem!

As an alternative I will try security = ADS with Kerberos, but this takes much time to implement. I think it would be better to use this approved way.

The problem seems to be old, because I found this discussion with Andrew Bartlett:
----------------------------------------------------------------------------------
http://209.85.135.104/search?q=cache:jKKUFLzJ8_MJ:samba.sernet.de/irclog/2005/12/20051219-Mon.log+check_trustdomain_security&hl=de&ct=clnk&cd=8&gl=de

Andrew Bartlett wrote:

    12/19/05 0:13:00 <abartlet> it was 'winbind use default domain' that caused me to try some of that
    12/19/05 0:13:31 <abartlet> of course, I added the pain that is 'winbind use default domain' (along with ab, I think...)
    12/19/05 0:13:40 <vl> auth_util.c:738 is the culprit
    12/19/05 0:14:54 <vl> I know that once I did print auth_util.c with a very small font...
    12/19/05 0:15:05 <abartlet> :-)
    12/19/05 0:18:01 <vl> Hmmmm. Has check_trustdomain_security ever been really used?
    12/19/05 0:20:55 <abartlet> probably not, as winbindd handles that
    12/19/05 0:22:34 <vl> I think I broke enough for today. auth_util must wait...
    12/19/05 0:23:24 <abartlet> :-)

I would be happy for any ideas or help to solve this problem.

Sincerely
Karsten

Found a configuration problem. Bug not existent. Sorry.
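
An added example, not part of the original post and not Samba code: a small Python script that pairs each "unmapped user" entry from check_ntlm_password with the following "mapped user is" entry and the per-method results, and flags attempts where the domain changed, as with EMEA-NET and GSA-NET in the log above. The sample log is constructed from the entries quoted in the post; the function name `audit` and the record layout are assumptions made for this example.

```python
import re

# Sample log, constructed from the entries quoted in the post above.
SAMPLE_LOG = r"""
[2008/03/26 15:54:19, 3] auth/auth.c:(270) check_ntlm_password: winbind authentication for user [int4711] succeeded
[2008/03/26 16:00:36, 3] auth/auth.c:(221) check_ntlm_password: Checking password for unmapped user [EMEA-NET]\[xtract]@[DUFF0520] with the new password interface
[2008/03/26 16:00:36, 3] auth/auth.c:(224) check_ntlm_password: mapped user is: [GSA-NET]\[xtract]@[DUFF0520]
[2008/03/26 16:00:36, 5] auth/auth.c:(273) check_ntlm_password: trustdomain authentication for user [xtract] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
"""

# [DOMAIN]\[user]@[workstation], as printed by check_ntlm_password
IDENT = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
EVENT = re.compile(
    r"unmapped user\s+" + IDENT                       # groups 1-3
    + r"|mapped user is:\s+" + IDENT                  # groups 4-6
    + r"|(\w+) authentication for user \[([^\]]*)\] "  # groups 7-8
      r"(succeeded|FAILED with error (\S+))"          # groups 9-10
)

def audit(log_text):
    """Return one record per attempt that logged a domain mapping (hypothetical helper)."""
    attempts, current = [], None
    for m in EVENT.finditer(log_text):
        if m.group(1) is not None:                    # a new attempt starts here
            current = {"user": m.group(2), "client_domain": m.group(1),
                       "mapped_domain": None, "remapped": False, "results": []}
            attempts.append(current)
        elif m.group(4) is not None and current and m.group(5) == current["user"]:
            current["mapped_domain"] = m.group(4)
            # Domain names are compared case-insensitively.
            current["remapped"] = m.group(4).upper() != current["client_domain"].upper()
        elif m.group(7) is not None and current and m.group(8) == current["user"]:
            # One entry per auth method tried, e.g. trustdomain, winbind.
            current["results"].append((m.group(7), m.group(10) or "OK"))
    return attempts

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        flag = "DOMAIN CHANGED" if a["remapped"] else "same domain"
        print(f'{a["user"]}: {a["client_domain"]} -> {a["mapped_domain"]} ({flag})')
        for method, status in a["results"]:
            print(f"  {method}: {status}")
```

Result lines that appear before any "unmapped user" entry, such as the int4711 success in the sample, are skipped because there is no mapping to compare them against.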